Jump to content

Is my bashbunny broken?


kuyaya
 Share

Recommended Posts

Hi

Yesterday, I wasn't home so I worked with my BB on my laptop. Suddenly when I switched to arming-mode, windows said I need to format the BB before I can use it. This would delete ALL data that was stored on the BB so I didn't do it. Later, when I was back home, I tried to plug it in my PC and I got the same issue, so it's not my laptop's fault. I tried to reset it with this 3 times unplug thing in arming mode, that worked but I still got the same issue. Some sreenshots are attached below. Should I format the BB? I think it would maybe delete the whole system so I couldn't be able to use it anymore. Any solutions?

bb1.png

bb2.png

Link to comment
Share on other sites

9 minutes ago, bunnylover said:

I tried to reset it with this 3 times unplug thing in arming mode, that worked but I still got the same issue

It's four times, on the fourth time you leave it in for five minters.

it's coved in this Documentation page. https://docs.hak5.org/hc/en-us/articles/360023739914-Factory-Reset

And video.

 

Link to comment
Share on other sites

  • kuyaya changed the title to Need to format BashBunny?

I have an update!

I can connect to PuTTY in arming mode (com3 and speed 115200)

So I can use PuTTY but I can't access the BB files with the normal explorer. Can I fix now the BB via PuTTY?

Link to comment
Share on other sites

  • kuyaya changed the title to Is my bashbunny broken?

The ability to fix the udisk (which is what you are having issues with) was made available in firmware 1.2.

 

Version 1.2 Changelog

Features
- ATTACKMODE now accepts a new RO_STORAGE argument
  - Example: "ATTACKMODE RO_STORAGE" will now present the Bash Bunny's storage partition as read only
- QUACK now accepts a new KEYCODE argument
  - Example: "QUACK KEYCODE 00,00,56" will write the '-' character from the numpad row
- A new udisk helper was added
  - A 'udisk' script is now available
    - "udisk mount"
    - "udisk unmount"
    - "udisk reformat"
  - The reformat_udisk command has been merged into the new udisk command
- User configuration file
  - A config.txt is now found on the root of the Bash Bunny's storage partition
  - This config.txt is sourced before payloads are executed, allowing global configurations
  - By default the DUCKY_LANG command is run to set the keyboard to 'us'
  - NOTE: settings in config.txt will be overwritten if a payload decides to do so
  - NOTE: config.txt will currently not survive factory resets or firmware upgrades. This will change in the future

 

While in putty on the BB you would run "udisk reformat".

 

Edited by PoSHMagiC0de
Link to comment
Share on other sites

When I cat version.txt it gave that output: 

root@bunny:~# cat version.txt
1.0_167

Seems like it resetted the whole version from 1.6 to 1.0. Is this a automatic process when you do a factory reset? Otherwise I don't know why the version resetted itself.

Is there a way to update the bunny via PuTTY, since I can't access it via explorer?

Or is it possible to "udisk reformat" the bunny while on version 1.0?

 

Link to comment
Share on other sites

Hmm, at 1.0 I do not know what to do except maybe try reformat_udisk.  It says in the instructions that command was sucked up into the new command.  Else, someone mentioned mounting the udisk by hand to /root/udisk and formatting it with fat32 or something like that.  After that it should be able to mount normally and you can rebuild the directories with that BB tool or by hand if you know the folder layout.

All the partition you see when in arming mode is that udisk partition mounted.

Link to comment
Share on other sites

Hey, I have another idea. Maybe I can get access to the files when I connect the bunny with WinSCP. That's very similar to PuTTY, the difference is that it opens the files (like in windows explorer) instead of a shell. But I had an issue with that. When I tried with hostname "COM3" it gives me the error "host "COM3" doesn't exist." When I do a right-click on the Bunny_Armingmode (left side at the top) and I do "Open in PuTTY" I can login. But only with Hostname COM3. 

What I ask myself is, what is the correct hostname for the bunny?

(basically, my idea was the when I get access to the files, I can run the bunnyupdater or just upgrade the firmware by hand, and then run udisk reformat)

WinSCP.png

Link to comment
Share on other sites

I do not know how some of you end up wiping that partition.   Welp, since you are on 1.0, you will have to rebuild...or reformat that partition.

 

So....once you putty (yelp, putty no scp) into the BB and sign in, make sure you are in the /root folder and type the following.

fdisk -l

See if there is a nandf disk there and it is 2GB.  This is the partition that holds your arming mode stuff.  if it is there, then time for step 2.

mount /dev/nandf /root/udisk

This will mount that partition to the /root/udisk folder.  Take a look inside.  If it has issues mounting then it may need a good formatting which in that case you make sure the udisk is not mounting and format it like below.

#unmount udisk
umount /root/udisk

#format to fat32
mkdosfs -F 32 -I /dev/nandf

 

 

Reboot BB and see if the partition mounts in Arming mode...it should show up blank since it is blank.  Now I believe that BB bunny tool will rebuild that folder and upgrade the BB for you.

 

Advice: When you pull the BB for the flash upgrade, plug it into a dedicated USB power supply to avoid power interruptions.  Also, make sure any cable you use is good.

Link to comment
Share on other sites

You could also make a bash file that looks like the new udisk command and use it to rebuild your nandf.  Below is a copy of the code inside it on my BB.
 

#!/bin/bash

function print_usage() {
        echo "udisk [ mount | unmount | remount | reformat ]"
}

function get_confirmation() {
        read -r -p "[?] Are you sure you want to reformat udisk? All files will be removed [y/N] " confirm
        case "$confirm" in
            [yY][eE][sS]|[yY])
                return 0
                ;;
            *)
                return 1
                ;;
        esac
}

function mount_udisk() {
        mount -o sync /dev/nandf /root/udisk &> /dev/null
        return $?
}

function unmount_udisk() {
        [[ $(mount | grep /dev/nandf) == "" ]] || {
                sync
                umount /dev/nandf &> /dev/null
                return $?
        }
        return 0
}

function reformat_udisk() {
        dd if=/dev/zero of=/dev/nandf  bs=512  count=1 &> /dev/null
        mkfs.vfat -n "BashBunny" /dev/nandf &> /dev/null
}

function copy_files() {
        mkdir -p /root/udisk/loot
        mkdir -p /root/udisk/tools
        cp /root/version.txt  /root/udisk
        cp -rf /usr/local/bunny/udisk/* /root/udisk/ &> /dev/null
}

function do_format() {
        unmount_udisk && {
                reformat_udisk
                mount_udisk && copy_files
                echo "[*] Udisk formatted successfully. The system will now reboot."
        } || {
                echo "[!] Error: Udisk is busy"
        }
}

case $1 in
        "mount")
                mount_udisk && echo "[*] Udisk mounted to /root/udisk" || echo "[!] Error: Udisk could not be mounted"
                ;;
        "unmount" | "umount")
                unmount_udisk && echo "[*] Udisk unmounted" || echo "[!] Error: Udisk is busy, could not unmount"
                ;;
        "remount")
                unmount_udisk && (mount_udisk && echo "[*] Udisk re-mounted to /root/udisk") || {
                        echo "[!] Error: Udisk is busy, could not unmount"
                }
                ;;
        "reformat")
                get_confirmation && do_format && reboot
                ;;
        *)
                print_usage
                ;;
esac

 

Link to comment
Share on other sites

First of all, there is a nandf disk with 2GB. 

mount /dev/nandf /root/udisk gave me that output: 

mount: wrong fs type, bad option, bad superblock on /dev/nandf,
       missing codepage or helper program, or other error

       In some cases useful info is found in syslog - try
       dmesg | tail or so.

When I did "dmesg | tail" it gave me that: 

root@bunny:~# dmesg | tail
[ 4598.080077] CPU Budget: Temperature: 69 Limit state:0 item[1200000,4,-1,0 0]
[ 4598.080099] [ddrfreq] temperature=69 C, ddr freq up
[ 4598.580066] CPU Budget: Temperature: 70 Limit state:1 item[1200000,3,-1,0 0]
[ 4598.580081] [ddrfreq] temperature=70 C, ddr freq up
[ 7076.580073] CPU Budget: Temperature: 69 Limit state:0 item[1200000,4,-1,0 0]
[ 7076.580095] [ddrfreq] temperature=69 C, ddr freq up
[ 7077.080058] CPU Budget: Temperature: 70 Limit state:1 item[1200000,3,-1,0 0]
[ 7077.080076] [ddrfreq] temperature=70 C, ddr freq up
[14808.877211] UDF-fs: warning (device nandf): udf_fill_super: No partition foun                 d (1)
[14843.077254] UDF-fs: warning (device nandf): udf_fill_super: No partition foun                 d (1)

 

Link to comment
Share on other sites

Then recreate that big old script I posted, call it something like rebuilder or something.  winscp it to your /root folder.  chmod a+x it and then run it with rebuilder reformat.

You need to reformat the nandf drive.

Or follow the section by hand in the script that does the formatting and rebuilding.

Edited by PoSHMagiC0de
Link to comment
Share on other sites

I managed to format it to Fat32, but as you said, it is blank. Now, when I run bunnyupdater it gives me an error: 

Hak5 Bash Bunny Updater v1.1

[!] Error: Could not load the Bash Bunny's firmware version.
[?] Please ensure that this Bunnyupdater is on the root of the Bash Bunny's storage partition.
[?] Note: Alternatively, provide a path using the BUNNYPATH environment variable.
[Press enter to exit]

You said:  Now I believe that BB bunny tool will rebuild that folder and upgrade the BB for you.

Did you mean with BB bunny tool the bunnyupdater?

Link to comment
Share on other sites

Does the bashbunny storage come up with a label of BASHBUNNY?  It might not be labelled or the other is you are not launching it from the root of the storage partition of the BB.

 

I do not use the updater but do everything by hand.  To update, I just download the new firmware update and drop it to the root of the storage partition of BB when in arming mode, shut down bunny safely with eject and then plug it back in to a dedicated USB charger and leave it there until done.  When done, it is at newest version and usually will rebuild the folders too.  Never used the updater so it may just look for the BashBunny label or an environment variable pointing to where the BB is.  Can't help you with updater much.

Link to comment
Share on other sites

Solved it by myself. I had a really strange output by the PasswordGrabber payload, so i thought it was maybe not 100% clean. But I had firmware 1.6 so I just ran udisk reformat, and everything worked perfectly, and the label is BashBunny again

@PoSHMagiC0deThanks alot you really helped get to the right solution!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...