PsychoKush, posted August 28, 2022:
I am trying my first payload, as I just received my Bunny. I loaded the simple USB exfiltrator right off the Hak5 site. I have the d.cmd, e.cmd, i.vbs, and payload.txt saved into switch 1. When I try it on the same machine, it seems to open payload, and I believe it is initiating the first CMD, but nothing is written to loot. When I manually open the CMD, it will create the folder in loot but nothing is copied. I'm thinking maybe it has something to do with Windows 11? Any thoughts?
dark_pyrro, posted August 29, 2022:
There are multiple things to verify here. First: what payload are you using (link)? You refer to "simple usb exfiltrator", but I can't find anything on the Hak5 GitHub with that exact name. There is the "simple-usb-extractor", but that payload doesn't use d.cmd or e.cmd (it uses x.cmd and z.cmd). Then we have the "usb_exfiltrator" that uses d.cmd and e.cmd, but it's not named the way you name it in your post above. I just want that to be clarified so that I don't start trying to help you troubleshoot it looking at the wrong payload. So, link to the payload that you are trying to get to run.
PsychoKush (author), posted August 30, 2022:
> 21 hours ago, dark_pyrro said: There are multiple things to verify here. First: what payload are you using (link)? You refer to "simple usb exfiltrator", but I can't find anything on the Hak5 GitHub with that exact name. There is the "simple-usb-extractor", but that payload doesn't use d.cmd or e.cmd (it uses x.cmd and z.cmd). Then we have the "usb_exfiltrator" that uses d.cmd and e.cmd, but it's not named the way you name it in your post above. I just want that to be clarified so that I don't start trying to help you troubleshoot it looking at the wrong payload. So, link to the payload that you are trying to get to run.

Sorry, it seems I got two of them mixed up. I tried both with no luck, but most recently: https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/exfiltration/usb_exfiltrator
dark_pyrro, posted August 30, 2022:
OK, did you get it working then, as the first post is (rather mysteriously) marked as the solution?
dark_pyrro, posted August 30, 2022:
If not solved:
- Did you provide the laZagne.exe file?
- If you did, was it detected and eliminated by AntiVirus?
- Did you remove the REM on any of the lines that do xcopy activity?
- Are you using the correct keyboard target language (if not US)?
PsychoKush (author), posted August 31, 2022:
> On 8/30/2022 at 3:13 AM, dark_pyrro said: If not solved:
> - Did you provide the laZagne.exe file?
> - If you did, was it detected and eliminated by AntiVirus?
> - Did you remove the REM on any of the lines that do xcopy activity?
> - Are you using the correct keyboard target language (if not US)?

I did not find a solution; not sure how I hit that. What is the laZagne.exe file? I didn't remove any lines, as I was just testing before I modified it.
dark_pyrro, posted August 31, 2022:
Look at the code in e.cmd. The only line that is set to execute is the line that should start laZagne.exe, and if that's not present on the Bunny, it will not run. It would probably not run anyway, because it will most likely be stopped by AV/Defender. Moving on in the code: did you remove the REM from any of the xcopy lines? If not, then nothing will be copied to the loot folder in terms of documents/files.