GitBook: [master] 3 pages and 11 assets modified

mantvydasb authored and gitbook-bot committed Mar 18, 2019
1 parent 18880ed commit 828e8d0dee87bd227459ab92e68636793a4ba195
@@ -43,6 +43,7 @@
* [Phishing: OLE + LNK](offensive-security/phishing-with-ms-office/
* [Phishing: Embedded Internet Explorer](offensive-security/phishing-with-ms-office/
* [Phishing: .SLK Excel](offensive-security/phishing-with-ms-office/
* [Inject Macros from a Remote Docx Template](offensive-security/phishing-with-ms-office/
* [Phishing: Embedded HTML Forms](offensive-security/phishing-with-ms-office/
* [Password Spraying Outlook Web Access: Remote Shell](offensive-security/
* [Dump GAL from OWA](offensive-security/
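Review bot: the new SUMMARY entry "Inject Macros from a Remote Docx Template" breaks the naming convention of the entries around it in the same `phishing-with-ms-office/` section, which all carry a "Phishing: ..." prefix ("Phishing: OLE + LNK", "Phishing: .SLK Excel", "Phishing: Embedded HTML Forms"); consider "Phishing: Inject Macros from a Remote Docx Template" (or similar) so the sidebar groups consistently, and make the new page's `#` heading match whatever title is chosen.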
@@ -1,11 +1,5 @@
# AS-REP Roasting

{% hint style="info" %}
{% endhint %}

## Context

AS-REP roasting is a technique that allows retrieving password hashes for users that have `Do not require Kerberos preauthentication` property selected:

@@ -35,7 +29,7 @@ $krb5asrep$spot@offense.local:3171EA207B3A6FDAEE52BA247C20362E$56FE7DC0CABA8CB7D
We need to insert `23` after the `$krb5asrep$` like so:


We can then crack it:
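Review bot: the sentence "We need to insert `23` after the `$krb5asrep$` like so:" is followed only by an image, and the one copy of the hash that survives as text is the header form `$krb5asrep$spot@offense.local:3171EA207B3A6FDAEE52BA247C20362E$56FE...` without the marker, so a reader has nothing to copy; add the rewritten hash as a text line (`$krb5asrep$23$spot@offense.local:<checksum>$<edata>`) before "We can then crack it:", and state which cracker and hash mode that format is for and why the `23` is needed (it is the etype field the cracker's expected format carries), since the hunk otherwise gives the step without the reason.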
@@ -0,0 +1,73 @@
# Inject Macros from a Remote Docx Template

This lab shows how it is possible to add a macros payload to a docx file indirectly, which has a good chance of evading some AVs/EDRs.

This technique works in the following way:

1. A malicious macro is saved in a Word template .dotm file
2. Benign .docx file is created based on one of the default MS Word Document templates
3. Document from step 2 is saved as .docx
4. Document from step 3 is renamed to .zip
5. Document from step 4 gets unzipped
6. .\word\_rels\settings.xml.rels contains a reference to the template file. That reference gets replaced with a refernce to our malicious macro created in step 1. File can be hosted on a web server \(http\) or webdav \(smb\).
7. File gets zipped back up again and renamed to .docx
8. Done

## Weaponization

Alt+F8 to enter Dev mode where we can edit Macros, select `ThisDocument` and paste in:

{% code-tabs %}
{% code-tabs-item title="Doc3.dotm" %}
Sub Document_Open()
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc"
End Sub
{% endcode-tabs-item %}
{% endcode-tabs %}


Create a benign .docx file based on one of the provided templates and save it as .docx:


Rename legit.docx to


Unzip the archive and edit `word_rels\settings.xml.rels`:

{% code-tabs %}
{% code-tabs-item title="word\_rels\\settings.xml.rels" %}
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns=""><Relationship Id="rId1" Type="" Target="file:///C:\Users\mantvydas\AppData\Roaming\Microsoft\Templates\Polished%20resume,%20designed%20by%20MOO.dotx" TargetMode="External"/></Relationships>
{% endcode-tabs-item %}
{% endcode-tabs %}

Note it has the target template specified here:


Upload the template created previously `` to an SMB server \(note that the file could be hosted on a web server also!\).

Update word\_rels\settings.xml.rels to point to Doc3.dotm:


Zip all the files of `legit` archive and name it back to .docx - we now have a weaponized document:


## References

{% embed url="" %}
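Review bot: the relationships file is named three different ways in this hunk: `.\word\_rels\settings.xml.rels` in step 6, `word_rels\settings.xml.rels` in "Unzip the archive and edit ...", and `word\_rels\settings.xml.rels` in the code-tab title; the second form drops the directory separator (the file sits in the `_rels` subdirectory of `word` inside the unzipped archive), so a reader following that line will look for a file that does not exist; pick one spelling and use it everywhere, including the "Update ... to point to Doc3.dotm" sentence. Related: the edited `settings.xml.rels` that actually points at `Doc3.dotm` is shown only as an image; add a second code tab with the final `Target=` value (UNC path versus URL, `TargetMode="External"` kept) so the working value is recorded as text, and check the shown code tab itself, where `xmlns=""` and `Type=""` are empty strings, since the relationship type is what makes Word treat the target as the attached template and an empty value will not load it. Step 6 also describes the hosting options as "web server (http) or webdav (smb)"; WebDAV runs over HTTP and SMB is a separate protocol, so say "an HTTP/WebDAV URL or an SMB UNC path". "Alt+F8 to enter Dev mode" opens the Macros dialog; the editor in which `ThisDocument` is selected is the VBA editor (Alt+F11). Minor: "refernce" in step 6, "a macros payload" in the intro, "Rename legit.docx to" ends without the new name, and the file name in "Upload the template created previously `` to an SMB server" is an empty code span.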
