Help with reverse shell payload (base 64 encoding problem)


jm0202

Hello Guys

I need help with a payload to get a reverse shell using the Rubber Ducky:

I tried to use the powerducky script to get a reverse shell and no luck... I figured out it was because my victim was an X64 and not a 386 ... So I went ahead and modified my powershell shell script to detect if my victim is X64... now when I manually run my malicious powershell script on my victim and I have an https listener on my attacking machine it works perfectly ... now the challenge I have is encoding my powershell script in base 64 so I can ultimately use it in my inject.bin....

This is what I used to encode my powershell script:

$Content = Get-Content -Path <path to my file> -Encoding Byte
$Base64 = [system.Convert]::ToBase64String($Content)
$Base64 | Out-File <path to encoded file>

Also tried iconv in Linux:

$Content = Get-Content -Path <path to my file> -Encoding Byte
Encode="`cat $Content | iconv --to-code UTF-16LE | base64 -w 0`"
and then dumping the value of variable encode...

Whenever I tried to execute my payload on my victim (after loading the inject.bin in the ducky) the ducky starts to deliver the base 64 payload... however powershell truncates the payload while processing the base 64 string .. thus not getting a reverse shell....

After trying to run the powershell script manually... powershell -Enc <base64 string> I got the message on my victim that the string is not a valid base 64 string....

Can anyone point me to the command I need to run to convert my powershell script into a valid base 64 string so powershell can execute it?

PS the reverse shells (reflective and web delivered) in powerducky have the same problem... whenever the inject.bin runs on the victim... the base 64 string is truncated on the victim and no reverse shell is sent to the attacking machine...

Thanks
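
From the monitoring side, the `powershell -Enc <base64 string>` invocation described in this post shows up in process-creation logs whether or not the string decodes. The following is an added example, not part of the original post: a Python triage helper that extracts the encoded argument from command lines and decodes it as base64 over UTF-16LE text. The sample command lines and all function names are constructed for illustration.

```python
import base64

# Constructed sample process command lines (e.g. from 4688 / Sysmon 1 events).
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -enc RwBlAHQALQBEAGEAdABlAA==",
    "powershell -EncodedCommand RwBlAHQALQBEAGEAdAB",  # cut off mid-string
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
]

def find_encoded_arg(cmdline):
    """Return the value following -EncodedCommand (or an accepted short form)."""
    tokens = cmdline.split()
    if not tokens or "powershell" not in tokens[0].lower():
        return None
    for flag, value in zip(tokens[1:], tokens[2:]):
        name = flag.lstrip("-/").lower()
        # powershell.exe accepts any prefix of -EncodedCommand, plus -ec.
        if flag[0] in "-/" and name and (
            "encodedcommand".startswith(name) or name == "ec"
        ):
            return value
    return None

def decode_encoded_command(blob):
    """Decode an -EncodedCommand value: base64 over UTF-16LE text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid_base64", None  # e.g. a truncated string
    try:
        return "decoded", raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return "not_utf16le", None

def triage(cmdlines):
    """Return one finding per command line that carries an encoded command."""
    findings = []
    for line in cmdlines:
        blob = find_encoded_arg(line)
        if blob is None:
            continue
        status, script = decode_encoded_command(blob)
        findings.append({"status": status, "script": script, "blob_len": len(blob)})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(finding)
```

A finding with status `invalid_base64` is still worth alerting on: the failed invocation leaves the same command-line artifact as a successful one.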
