P4wnP1
[FIX] Office Opens [FIX]
When I enter FireStage1 on my PC, Office opens. So I thought, why not edit the FireStage1 command? But I don't know how. Or is there a fix?
So here is a FIX for everyone. I looked through the internet and found this: (https://superuser.com/questions/1455857/how-to-disable-office-key-keyboard-shortcut-opening-office-app). When you paste the command "REG ADD HKCU\Software\Classes\ms-officeapp\Shell\Open\Command /t REG_SZ /d rundll32" in the admin command prompt, the hotkey for Office isn't working any more 😄
@DonaldDucker34 How do you go about automating this using ducky script?
That is the 'problem': I can't connect to a PC without entering the FireStage1 command, which means I can't send ducky scripts to a PC.
But I don't know if you could edit the FireStage1 command so that it first enters the cmd string and then connects. The idea is not that bad.
Is it an issue with p4wnP1 and the image? Anyone using the ALOA image getting the issue?
On Tue, 21 Apr 2020, 23:54 Lasse.B wrote:
> But I don't know if you could edit the FireStage1 command so that it first enters the cmd string and then connects. The idea is not that bad.
Trying to think of a way to stick it on my duckberry without any interaction with the pc itself
So I didn't know what a Duckberry is, but now I do. The Duckberry is a bad USB and a rubber ducky, so then the Duckberry should use the .duck format. I think you should look at the .duck scripts from P4wnP1 and make your own for the Duckberry. (Sorry for the English, have a good day.)
I made my own but no luck. I'm not getting office open now. Just using default I'm getting the notepad launch and then file explorer opens up around 6 times
On Fri, 24 Apr 2020, 12:36 Lasse.B wrote:
> So I didn't know what a Duckberry is, but now I do. The Duckberry is a bad USB and a rubber ducky, so then the Duckberry should use the .duck format. I think you should look at the .duck scripts from P4wnP1 and make your own for the Duckberry.
Could you show me that script? I think it's very interesting to look at something like that.
It's just the default one in p4wnp1 located here : https://github.com/RoganDawes/P4wnP1/blob/master/payloads/hid_keyboard.txt
On Sat, 25 Apr 2020 at 23:11, Lasse.B wrote:
> Could you show me that script? I think it's very interesting to look at something like that.
If you look in the bottom area of the script, it tells the PC to type notepad.exe, but why Explorer opens is unknown.
Is the keyboard language equal to your keyboard language? It's a really common issue.
Yeah,
That is why I am confused
On Sun, 26 Apr 2020 at 11:33, Lasse.B wrote:
> Is the keyboard language equal to your keyboard language? It's a really common issue.
This is getting really interesting. I will look through Pwnpi and search for a fix :)
> It's just the default one in p4wnp1 located here: https://github.com/RoganDawes/P4wnP1/blob/master/payloads/hid_keyboard.txt
Is it really the exact same? I had a look at the script and nothing seemed wrong. It just types Win+R to open the execute window, and then it types notepad.exe to open the editor. Last, it types "Keyboard is running". But where does it open the Explorer? I did a bit of research and found that the Explorer is opened by the key combination Win+E (GUI e), so I think we should search a bit more 😄
And what did you actually type to start the script?
Nothing, the moment I plug the USB in, it would run
On Sun, 26 Apr 2020 at 17:21, Lasse.B wrote:
> And what did you actually type to start the script?
Did you select the right payload in the setup.cfg? (cd P4wnP1, then nano setup.cfg, and at the bottom there are the payloads.)
Yeah, unhashed the hid_keyboard.txt
On Sun, 26 Apr 2020 at 19:20, Lasse.B wrote:
> Did you select the right payload in the setup.cfg? (cd P4wnP1, then nano setup.cfg, and at the bottom there are the payloads.)
> @DonaldDucker34 How do you go about automating this using ducky script?

To this older comment: I think it would be cool if I wrote a script and then I could execute it, but I can't execute ducky scripts without a connection to a PC, and I also can't connect to a PC without the cmd string. Then I thought about an autorun.inf on a smaller USB stick (2-4 GB), but since Win10 you can't, or Windows won't, execute autorun.inf because it's a security leak. Would it be possible that the RPi runs the ducky script on RPi startup? Then Pwnpi uses its HID capability and sends the cmd string without the remote shell even activated. That means I can't enter things in the remote shell, but theoretically it should disable the Office hotkey, and then I could enter FireStage1 to connect to the RPi and get a reverse shell.