LucasReal1, posted March 13, 2023

Hi everyone,

First of all, I am completely new here and I thank you for all your help. I have recently bought the Bash Bunny product, downloaded the upgrades and executed the bunnyupdater app. After reading some manuals and watching some videos I ended up loading different payloads in both switch modes. For some reason, once I switch into one of those modes after loading any payload, on my Windows computer, PowerShell and the terminal open and close, but after that nothing else happens and the loot folder that is supposed to have new content is empty. I don't know if I am missing something else.

Appreciate all the help and support.

LucasReal1 (Author), posted March 13, 2023

Btw, the payloads that I am trying to use are recon>--BB-ADV-Recon and the InfoGrabber, but they don't seem to create the folder with the summary of the information about my PC.

dark_pyrro, posted March 13, 2023

Is the target PC using some keyboard language/layout other than US? If so, specify DUCKY_LANG with the correct language in the payload (or config.txt).

Try to execute relevant parts of the payload manually in order to catch errors that might show.

The --B-ADV-Recon probably needs PowerShell to be started with the -ExecutionPolicy Bypass to even execute on most Windows systems.

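A defender-side view of the parameter mentioned in this reply, as an added example that is not part of the original thread: because `-ExecutionPolicy Bypass` is passed at launch, it is visible in process-creation command lines. The sketch assumes those command lines are already collected as strings; the function names and sample lines are constructed for illustration.

```python
import ntpath
import shlex

HOSTS = {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}
RISKY_VALUES = {"bypass", "unrestricted"}

def _is_policy_switch(token):
    # powershell.exe accepts "-" or "/" as the switch prefix, any prefix of
    # "ExecutionPolicy" from "ex" upward, and the short alias "ep".
    if len(token) < 3 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ep" or (name.startswith("ex") and "executionpolicy".startswith(name))

def find_policy_override(command_line):
    """Return the policy value if PowerShell is started with a risky
    execution-policy override on this command line, else None."""
    try:
        tokens = shlex.split(command_line, posix=False)  # keeps backslashes intact
    except ValueError:                                   # unbalanced quotes
        tokens = command_line.split()
    tokens = [t.strip("\"'") for t in tokens]
    # Start at the PowerShell host so wrappers such as "cmd /c" are covered too.
    start = next((i for i, t in enumerate(tokens)
                  if ntpath.basename(t).lower() in HOSTS), None)
    if start is None:
        return None
    args = tokens[start + 1:]
    for switch, value in zip(args, args[1:]):
        if _is_policy_switch(switch) and value.lower() in RISKY_VALUES:
            return value
    return None

def flag_overrides(command_lines):
    """Return only the command lines that carry a risky override."""
    return [c for c in command_lines if find_policy_override(c)]

# Constructed sample command lines (not taken from the thread).
SAMPLES = [
    r'powershell.exe -NoProfile -ExecutionPolicy Bypass -File D:\inventory.ps1',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -File C:\Temp\a.ps1',
    r'cmd.exe /c powershell /exec Unrestricted -File C:\Temp\a.ps1',
    r'powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1',
    r'powershell.exe -EncodedCommand AAAA',
    r'notepad.exe C:\notes\ExecutionPolicy Bypass.txt',
]
```

Execution policy is a per-launch setting that the command line can override, so logging and alerting on the override is more useful than relying on the policy itself.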
LucasReal1 (Author), posted March 13, 2023

11 minutes ago, dark_pyrro said:

> Is the target PC using some keyboard language/layout other than US? If so, specify DUCKY_LANG with the correct language in the payload (or config.txt).
>
> Try to execute relevant parts of the payload manually in order to catch errors that might show.
>
> The --B-ADV-Recon probably needs PowerShell to be started with the -ExecutionPolicy Bypass to even execute on most Windows systems.

Thanks for your quick response.

Yes, after changing DUCKY_LANG us to es in config.txt (I use a Spanish keyboard) and adding -ExecutionPolicy Bypass to the payload among the rest of the parameters, the script finished and created everything in that folder.

So huge thank you!

One last question: is it possible (when you change between different payloads in both switch modes) to not show the storage content of the USB?

dark_pyrro, posted March 13, 2023

Not really sure about the exact scenario; if you need to access the Bunny (like in the two mentioned ones that execute PowerShell script files from the Bunny storage), it's difficult not to expose the Bunny internal storage. If you have a payload that doesn't depend on access to the Bunny storage at all, then you can just not use STORAGE as ATTACKMODE. For example, if you just need HID or some other ATTACKMODE.

LucasReal1 (Author), posted March 13, 2023

It makes sense.

I will be trying different payloads and scenarios.

Thanks again.

LucasReal1 (Author), posted March 15, 2023

I am having a different issue with the same payloads, this time on another computer.

Again, all the commands are executing correctly, but at the end of every command in the running window, PowerShell shows this:

Cannot dot-source this command because it was defined in a different language mode. To invoke this command without importing its contents, omit the '.' operator

At first, I thought it had something to do with the language file again, but it was all good ("DUCKY_LANG es" was set in the config.txt file) and the language of the target is the same as in the text file.

Any ideas?

dark_pyrro, posted March 15, 2023

Did you rename any of the ps1 files on purpose? None of the previously mentioned payloads has any ps1 file called payload.ps1. That's perhaps not the root cause of the error, I just want to know the background.

LucasReal1 (Author), posted March 15, 2023

4 hours ago, dark_pyrro said:

> Did you rename any of the ps1 files on purpose? None of the previously mentioned payloads has any ps1 file called payload.ps1. That's perhaps not the root cause of the error, I just want to know the background.

Not really. Just in case, I copied the same payload again as it was and added the -ExecutionPolicy Bypass line again, but it seems that the error is the same.

dark_pyrro, posted March 15, 2023

Have you tried this on some other Windows machine? That error seems policy related and the result of a FullLanguage script executed in an environment/session only allowing ConstrainedLanguage.

LucasReal1 (Author), posted March 15, 2023

Yes, this time it is on a different Windows machine than the first one where I had success, and it is happening with every payload.

Looks like it doesn't like the dot (.) character at some point, no clue tbh.

dark_pyrro, posted March 15, 2023

No, it's not "dot" related in that term/definition. Could be due to the fact that SRP (Software Restriction Policies), AppLocker or other forms of AWL (Application Whitelisting) are used on the system. Do you know if the Windows PC where it's not working has such restrictions/policies?

You could run the following in a PowerShell window:

$ExecutionContext.SessionState.LanguageMode

If it returns anything other than "FullLanguage", it's restricted when it comes to PowerShell execution.

LucasReal1 (Author), posted March 16, 2023

Looks like the result is different from FullLanguage:

Does this mean that there could be a certain policy that is blocking the execution of certain code?

In this case, the alternative would be to use payloads that are not using PowerShell, right?

dark_pyrro, posted March 16, 2023

Yes, since PowerShell is restricted in that case. You could probably use PowerShell, but with the limitations that come with running in ConstrainedLanguage mode. I've seen some information about it being possible to load stuff via module import, but I'm not sure how that is restricted or if it has evolved over time so that it has been changed with even more limitations lately. Bottom line: you can't run scripts that require FullLanguage in an environment where it's limited to ConstrainedLanguage.

This topic is now archived and is closed to further replies.