
Payloads load but it is not saved in loot folder


LucasReal1


Hi everyone,

First of all, I am completely new here and I thank you for all your help.

I recently bought the Bash Bunny, downloaded the upgrades and executed the bunnyupdater app. After reading some manuals and watching some videos I ended up loading different payloads in both switch modes.

For some reason, once I switch into one of those modes after loading any payload, on my Windows computer, PowerShell and the terminal open and close, but after that nothing else happens and the loot folder that is supposed to have new content is empty.

I don't know if I am missing something else

Appreciate all the help and support

 


Is the target PC using some keyboard language/layout other than US? If so, specify DUCKY_LANG with the correct language in the payload (or config.txt).

Try to execute relevant parts of the payload manually in order to catch errors that might show.

The --B-ADV-Recon probably needs PowerShell to be started with the -ExecutionPolicy Bypass to even execute on most Windows systems.


11 minutes ago, dark_pyrro said:

Is the target PC using some keyboard language/layout other than US? If so, specify DUCKY_LANG with the correct language in the payload (or config.txt).

Try to execute relevant parts of the payload manually in order to catch errors that might show.

The --B-ADV-Recon probably needs PowerShell to be started with the -ExecutionPolicy Bypass to even execute on most Windows systems.

Thanks for your quick response

Yes, after changing DUCKY_LANG us into es in the config.txt (I use a Spanish keyboard) and adding -ExecutionPolicy Bypass into the payload between the rest of the parameters, it ended up finishing the script and creating everything in that folder

So huge thank you!

One last question: is it possible (when you change between different payloads in both switch modes) to not show the storage content of the USB?


Not really sure about the exact scenario; if you need to access the Bunny (like in the two mentioned ones that execute PowerShell script files from the Bunny storage), it's difficult not to expose the Bunny internal storage. If you have a payload that doesn't depend on access to the Bunny storage at all, then you can just not use STORAGE as ATTACKMODE. For example, if you just need HID or some other ATTACKMODE.


I am having a different issue with the same payloads, this time on another computer.

Again, all the commands are executing correctly, but at the end of every command in the running window, PowerShell shows this:

Cannot dot-source this command because it was defined in a different language mode. To invoke this command without importing its contents, omit the '.' operator


At first, I thought it had something to do with the language file again, but it was all good ("DUCKY_LANG es" was set in the config.txt file) and the language of the target is the same as in the text file

Any ideas?

 

 


4 hours ago, dark_pyrro said:

Did you rename any of the ps1 files on purpose? None of the previously mentioned payloads has any ps1 file called payload.ps1. That's perhaps not the root cause of the error, I just want to know the background.

Not really. Just in case, I copied the same payload again as it was and added the -ExecutionPolicy Bypass line again, but it seems that the error is the same


No, it's not "dot" related in that term/definition. Could be due to the fact that SRP (Software Restriction Policies), AppLocker or other forms of AWL (Application Whitelisting) is used on the system. Do you know if the Windows PC where it's not working has such restrictions/policies?

You could run the following in a PowerShell window:

$ExecutionContext.SessionState.LanguageMode

If it returns anything other than "FullLanguage", it's restricted when it comes to PowerShell execution.


Looks like the result is different from FullLanguage.

Does this mean that there could be a certain policy that is blocking the execution of certain code? In this case, the alternative would be to use payloads that do not use PowerShell, right?


Yes, since PowerShell is restricted in that case.

You could probably use PowerShell, but with the limitations that come with running in ConstrainedLanguage mode. I've seen some information about it being possible to load stuff via module import, but I'm not sure how that is restricted or if it has evolved over time so that it has been changed with even more limitations lately.

Bottom line; you can't run scripts that require FullLanguage in an environment where it's limited to ConstrainedLanguage.

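The language-mode check from the replies above, extended into a read-only report an administrator can run to see which controls restrict PowerShell on a machine. This is an added example, not part of the original thread; the function name Get-PSRestrictionReport is made up here, and the WDAC query is an assumption about what "other forms of AWL" may cover, since the thread names only SRP and AppLocker. Execution policy and language mode are separate settings, so the report lists them side by side.

```powershell
# Added example (not from the thread). Read-only: it changes no settings.
# Get-PSRestrictionReport is a hypothetical name chosen for this example.
function Get-PSRestrictionReport {
    $report = [ordered]@{
        # The value the thread checks: FullLanguage, ConstrainedLanguage, ...
        LanguageMode    = "$($ExecutionContext.SessionState.LanguageMode)"
        ExecutionPolicy = ''
        AppLocker       = ''
        WdacUserMode    = ''
    }

    # Execution policy per scope. It is independent of the language mode.
    $scopes = foreach ($entry in (Get-ExecutionPolicy -List)) {
        "$($entry.Scope)=$($entry.ExecutionPolicy)"
    }
    $report.ExecutionPolicy = $scopes -join '; '

    # AppLocker: rule collections that contain rules, and how they are enforced.
    try {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
        $active = foreach ($rc in $policy.RuleCollections) {
            if ($rc.Count -gt 0) {
                "$($rc.RuleCollectionType)=$($rc.EnforcementMode) ($($rc.Count) rules)"
            }
        }
        $report.AppLocker = if ($active) { $active -join '; ' } else { 'no rules' }
    } catch {
        $report.AppLocker = "unavailable: $($_.Exception.Message)"
    }

    # WDAC user-mode code integrity (assumption: not named in the thread).
    # Status values: 0 = off, 1 = audit, 2 = enforced.
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName Win32_DeviceGuard -ErrorAction Stop
        $report.WdacUserMode = "$($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)"
    } catch {
        $report.WdacUserMode = "unavailable: $($_.Exception.Message)"
    }

    [pscustomobject]$report
}

Get-PSRestrictionReport | Format-List
```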

Archived

This topic is now archived and is closed to further replies.
