PsychoKush, posted August 28, 2022

I am trying my first payload, as I just received my Bunny. I loaded the simple USB exfiltrator right off the Hak5 site. I have the d.cmd, e.cmd, i.vbs, and payload.txt saved into switch 1. When I try it on the same machine, it seems to open the payload, and I believe it is initiating the first CMD, but nothing is written to loot. When I manually open the CMD, it will create the folder in loot but nothing is copied. I'm thinking maybe it has something to do with Windows 11? Any thoughts?
dark_pyrro, posted August 29, 2022

There are multiple things to verify here. First: what payload are you using (link)? You refer to "simple usb exfiltrator", but I can't find anything on the Hak5 GitHub with that exact name. There is the "simple-usb-extractor", but that payload doesn't use d.cmd or e.cmd (it uses x.cmd and z.cmd). Then we have the "usb_exfiltrator", which uses d.cmd and e.cmd, but it's not named the way you name it in your post above. I just want that clarified so that I don't start trying to help you troubleshoot while looking at the wrong payload. So, link to the payload that you are trying to get to run.
PsychoKush, posted August 30, 2022

Quoting dark_pyrro (21 hours earlier): "There are multiple things to verify here. First: what payload are you using (link)? [...] So, link to the payload that you are trying to get to run."

Sorry, it seems I got two of them mixed up. I tried both with no luck, but most recently: https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/exfiltration/usb_exfiltrator
dark_pyrro, posted August 30, 2022

OK, did you get it working then, as the first post is (rather mysteriously) marked as the solution?
dark_pyrro, posted August 30, 2022

If not solved:
- Did you provide the laZagne.exe file?
- If you did, was it detected and eliminated by antivirus?
- Did you remove the REM on any of the lines that do xcopy activity?
- Are you using the correct keyboard target language (if not US)?
PsychoKush, posted August 31, 2022

Quoting dark_pyrro (8/30/2022, 3:13 AM): "If not solved: Did you provide the laZagne.exe file? If you did, was it detected and eliminated by antivirus? Did you remove the REM on any of the lines that do xcopy activity? Are you using the correct keyboard target language (if not US)?"

I did not find a solution; not sure how I hit that. What is the laZagne.exe file? I didn't remove any lines, as I was just testing before I modified it.
dark_pyrro, posted August 31, 2022

Look at the code in e.cmd. The only line that is set to execute is the line that should start laZagne.exe, and if that's not present on the Bunny, it will not run. It would probably not run anyway, because it will most likely be stopped by AV/Defender. Moving on in the code: did you remove the REM of any of the xcopy lines? If not, then nothing will be copied to the loot folder in terms of documents/files.