
PoSHMagiC0de

Dedicated Members
  • Content Count: 603
  • Joined
  • Last visited
  • Days Won: 24

About PoSHMagiC0de

  • Rank
    Hak5 Ninja

Contact Methods

  • Website URL
    https://github.com/PoSHMagiC0de

Profile Information

  • Gender
    Male


  1. Welp, it checks to make sure you are in the local administrators group. Now, I can see an issue ensuing in the way I am checking this since I am directly checking the local group: if you are added to the Administrators group via another group, it may not see you. You can remark out the check if you want to test for yourself; the code is commented. Anyway, if your name is not in the local administrators group, it will just exit. Also, it checks for a specific version number of Windows. Will run if Win10 or greater or if version 8.1...specifically major version 6.3 it looks like. I was going off of user feedback on the 8.1 part as to whether it worked or not for that version. If both are satisfied, it will create a powershell command to be added to the registry for the diskcleanup task with arguments, etc. It then schedules a schtask for diskcleanup, waits 5 seconds and then removes the registry entry. Similar to the eventviewer bypass in some ways. Very noticeable as the script will pause and then return once the 5 secs are up and a black window will pop up briefly before notepad comes up. That is all that encoded script does in the example. I pretty much took someone else's script and cleaned it up to be more portable.
  2. Just retested. It works. You have to be a local admin on the machine first before you run this. It will not warn you or do absolutely anything if you are not. This is not a priv escalation from an unprivileged user to admin. This is to bypass UAC. UAC is that prompt you get when you are on as an admin and need to run something that requires elevated rights, so it greys out the screen with that "are you sure" message. It is Windows' version of sudo. For automated tasks where keyboard access is not there this is very helpful since you will not be able to click "yes" via code.
  3. Sounds like a simple masquerading NAT rule, except for the forwarding part you set the default policy to drop and then set rules to allow your specific IPs through. As long as the outgoing interface is on that 10.10.10.x network, masquerade will assign it the IP of that interface. If you are blocking incoming from that outside interface by default then you will need a rule to allow the state ESTABLISHED,RELATED to get through. Look up iptables and masquerading, or setting up a linux machine as a router with iptables. If you have not played with iptables to that extent, I advise you to spin up a mini network in virtualbox using 1 ubuntu server and 1 ubuntu desktop (no need to max out their resources). Have 1 internal NAT network that has no internet access and place the ubuntu desktop there. Build ubuntu server with 2 interfaces, one is bridged and the other is on the NAT with no internet access. Now you can enable forwarding on the server and use iptables to create rules to pass traffic from the internal NAT to the bridged interface. In your ubuntu desktop, make the gateway the IP of the server interface that is on the NAT network. Now you can play with the tables on the server to see if you can get outside access on the desktop vm. If you already know iptables then the above will still help to experiment.
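The router setup the post above describes, as an added shell example that is not code from the original post: a function that emits an iptables-restore rule set with a default DROP forward policy, masquerading on the outside interface, a return rule for ESTABLISHED,RELATED traffic, and one allow rule per permitted internal IP. The interface names eth0/eth1 and the 10.10.10.0/24 internal network are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example: generate (and optionally load) the iptables rule set for a
# Linux box routing an internal NAT network out through a bridged interface.
# Interface names and the internal network are assumptions; override via env.
WAN_IF="${WAN_IF:-eth0}"            # bridged/outside interface
LAN_IF="${LAN_IF:-eth1}"            # interface on the internal NAT network
LAN_NET="${LAN_NET:-10.10.10.0/24}" # internal network behind the router

# gen_rules IP [IP ...]: print an iptables-restore file that masquerades the
# internal net and forwards only the listed source IPs; everything else is
# dropped by the FORWARD chain's default policy.
gen_rules() {
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE" \
        'COMMIT'
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Replies to sessions the internal hosts opened must be let back in;
    # with a DROP policy nothing returns without this rule.
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for ip in "$@"; do
        printf '%s\n' "-A FORWARD -s $ip -i $LAN_IF -o $WAN_IF -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_allowed RULES: number of per-host forward allows in a generated set
count_allowed() {
    printf '%s\n' "$1" | grep -c -- "-s .* -i $LAN_IF -o $WAN_IF -j ACCEPT"
}

# apply_rules IP [IP ...]: enable forwarding and load the set (needs root)
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules "$@" | iptables-restore
}

# Preview the rule set for the given IPs when run directly as a script.
if [ "$#" -gt 0 ]; then
    gen_rules "$@"
fi
```

Run with the allowed desktop IPs as arguments to preview the rule set, and call apply_rules from the server once the output looks right.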
  4. Lol, this isn't a Darren issue. It is MS doing their due diligence and fixing an issue. If you want to get hashes from locked machines, you will need to come up with a new method....not Darren. He has given you the tool to use whatever you come up with. Use it damnit.
  5. Welp, I mentioned a while back the correct way to create Powershell payloads/scripts that are easily transportable. That method is to make them as functions. This is a function. When you ran that, it created the function and stored it in memory. To run it, you have to run the function name with the parameters. The file method needs the local location of the ps1 file to be run. The encoded way needs the powershell commands you want to run encoded as base64 unicode (like if you were going to run the encoded powershell commands with the "powershell /E" way). So, if you are trying to run notepad with this then either have a local ps1 file created with: Start-Process Notepad. Or take that command above, encode it to base64 unicode and use it with the encoded method. Welcome to Powershell 101. PS: Forgot to mention you have to be a local admin to begin with. Script will do nothing if you are not. There is no privesc for normal user to admin.
  6. Don't know or remember what I added but ok.
  7. "\$" escapes question mark. "\\" escapes back slash. "\\\$" escapes back slash and question mark.
  8. I do know if the BB comes up as a new device, Windows 10 will attempt to locate drivers for it. This can include looking up on Windows update which can take some time. After the drivers are installed, if you do the same combo attack again, it should be faster since now the machine has the drivers. There isn't a way around this unless you preload the required drivers before inserting the BB. HID is normally fast but I noticed on machines I have not inserted the BB in yet, if I use the dual HID Ethernet or ethernet it will take some time to find drivers for it before it is available for use. Can take up to 30sec to a minute depending. If you are not slowing down the ethernet speed so it is not the highest connection, it may take longer since the machine will try and use the BB connection first to retrieve drivers.
  9. Try deleting the responder folder under "/tools/" on the root of the BB system drive and then try reinstalling the responder.deb tool again by copying to the tools folder on the BB arming mode partition, safely ejecting and reinserting the bunny. File should vanish from the tools folder there and end up installed in the tools folder on the BB system drive. See if that works.
  10. The P4wnpi is running Raspbian also, so it is a general arm distro and has all the deps available for meta and stuff in their repo.
  11. Exactly. Anything you cannot do by hand on that machine cannot be magically done by the BB on the machine. Now, if you can remotely hit it with a domain account to run commands then there is a chance you may be able to do it with impacket from the bunny using the psexec module or wmiexec module. The issue you are going to run into in 2020 is twofold though. One, last year we had issues getting the latest impacket installed that supports SMB3. I was going to try it again a different way but then issue 2 comes up....python 2 is deprecated and I do not know if Hak5 has plans to drop python2 also and update to python 3.x. Kali has and has been asking for help to get all their python2 tools updated to python3, and those that have not been have been withheld from their repo. @Darren Kitchen @Foxtrot Any plans on deprecating python2 on the BB in the near future for python3 in another firmware update?
  12. Can you run your payload manually from that machine? If not, the BB is not magic. If you can, that is your path to execution. The same manual path you took will be the automated path. Like if you have the ability to open file explorer then file explorer will be your path.
  13. If I intend on doing a proc dump of lsass, I usually use another program or script to do a minidump of lsass so well known malicious bins (like mimikatz) don't have to be loaded on the victim. I copy that off and then use the non-powershell mimikatz to process it, or pypykatz or any of the other dump file processors out there. If I am on the box, I have high privilege and I intend on using mimikatz, might as well just process the memory in place rather than leave artifacts writing to disk.
  14. ?? The one for BC security worked fine for me. Used it with no parameters. Logged in to a fully updated Win10 VM as administrator, UAC bypassed, Defender turned all off.
  15. BC Security has forked the Powershell Empire project to their github, updated it and all its modules, so their revived version of PSEmpire has an updated copy of the Mimikatz powershell script updated 11-25 of this year that works out the box. Oh, you always have to be admin and UAC has to be bypassed for any version of mimikatz to work.