Copy/Replace file(s) from BB onto target computer

[reurbo]

I'm stuck while working on a prank payload. While the target computer is locked or logged off, I'm trying to find a way or see if it's even possible to copy a single file from the BB onto the target computer either into multiple Users folders or searching for a specific named file and replacing them with the file on the BB.

Since the target computer would be locked or logged out, using the command prompt or powershell scripts is out of the question. I'm thinking that anything done would have to be solely done on the BB side, setup as say the SMB_Exfil payload only in reverse with the BB setting up as an SMB server, copy the file from the BB to an SMB temp folder, pulling the targets IP, and either copying the file over to the target computer or searching for a file name within the target computer from the IP address and replacing it with file.

I'm just thinking out loud since I'd started working on this and using a CMD script to do the job (which works so far, but I'm still testing it), but wanted to see if it was possible to remove the CMD script for this to be accomplished without needing to be logged into the computer.

If it takes learning python to write a script for the BB to be able to do this I'll do it, but I'd rather ask if anyone else thinks or knows it would be possible.

Any thoughts?

[JBNZ]

This sounds unlikely to be possible unless the target host has some type of service listening while locked which accepts files or you have some sweet 0day for the target OS. The key vector for USB attacks while locked is that the locked machine will typically recognise an ethernet interface allowing network-based attacks.