Help with usb exfiltrator

[PsychoKush]

I am trying my first payload, as I just received my bunny. I loaded the simple usb exfiltrator right off the hak5 site. I have the d.cmd, e.cmd, i.vbs, and payload.txt saved into switch 1. When I try it on the same machine, it seems to open payload, and I believe it is initiating the first CMD, but nothing is written to loot. When I manually open the CMD, it will create the folder in loot but nothing is copied. I'm thinking maybe it has something to do with windows 11? Any thoughts?

[dark_pyrro]

There are multiple things to verify here.

First; what payload are you using (link)? You refer to "simple usb exfiltrator", but I can't find anything on the Hak5 GitHub with that exact name. There is the "simple-usb-extractor" but that payload doesn't use d.cmd or e.cmd (it uses x.cmd and z.cmd). Then we have the "usb_exfiltrator" that uses d.cmd and e.cmd, but it's not named the way you name it in your post above. I just want that to be clarified so that I don't start trying to help you troubleshoot it looking at the wrong payload. So, link to the payload that you are trying to get to run.

 

[PsychoKush]

21 hours ago, dark_pyrro said:

There are multiple things to verify here.

First; what payload are you using (link)? You refer to "simple usb exfiltrator", but I can't find anything on the Hak5 GitHub with that exact name. There is the "simple-usb-extractor" but that payload doesn't use d.cmd or e.cmd (it uses x.cmd and z.cmd). Then we have the "usb_exfiltrator" that uses d.cmd and e.cmd, but it's not named the way you name it in your post above. I just want that to be clarified so that I don't start trying to help you troubleshoot it looking at the wrong payload. So, link to the payload that you are trying to get to run.

 

Sorry it seems I got two of them mixed up. I tried both with no luck, but most recently, https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/exfiltration/usb_exfiltrator

[dark_pyrro]

OK, did you get it working then, as the first post is (rather mysteriously) marked as the solution?

[dark_pyrro]

If not solved;
- Did you provide the laZagne.exe file?
- If you did, was it detected and eliminated by AntiVirus?
- Did you remove the REM on any of the lines that do xcopy activity?
- Are you using the correct keyboard target language (if not US)?

[PsychoKush]

On 8/30/2022 at 3:13 AM, dark_pyrro said:

If not solved;
- Did you provide the laZagne.exe file?
- If you did, was it detected and eliminated by AntiVirus?
- Did you remove the REM on any of the lines that do xcopy activity?
- Are you using the correct keyboard target language (if not US)?

I did not find a solution, not sure how I hit that. What is the laZagne.exe file? I didn't remove any lines as I was just testing before I modified it. 

[dark_pyrro]

Look at the code in e.cmd. The only line that is set to execute is the line that should start laZagne.exe and if that's not present on the Bunny, it will not run. It would probably not run anyway because of the fact that it probably will be stopped by AV/Defender. Moving on in the code.... did you remove the REM of any of the xcopy lines? If not, then nothing will be copied to the loot folder in terms of documents/files.