A red team operator's story of failure, persistence and success
What you can learn from a red team operator's story of failure, persistence and success.
During a recent red team lab exercise, I needed to gain initial access by phishing a user with an HTML Application (HTA) payload. My initial approach was to generate a payload using msfvenom from Metasploit. However, despite multiple attempts, the payload did not seem to work. It took me some time to realize that the payload might be getting blocked by the anti-malware solution.
I needed an alternative way to execute code on the target machine without relying on standard payload generation tools or Command and Control (C2) frameworks. My goal was to find a method that would allow me to deliver and execute a reverse shell stealthily. To troubleshoot, I decided to send a simple base64-encoded PowerShell command via the HTA file to fetch a test file from my attacker machine. This small experiment confirmed that the HTA file was indeed executing commands as expected. Seeing a request hit my attacker machine reassured me that I was on the right track.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
I shifted my focus to executing a reverse shell using a PowerShell one-liner. The challenge, however, was avoiding detection while embedding the payload in the HTA file. That's when I came across an excellent script by Tothi that simplified the entire process, available here. The script uses the PowerShell reverse shell one-liner by Nikhil Mittal and generates a base64-encoded payload, which can then be passed through the -EncodedCommand parameter in PowerShell.
With the help of this script, I generated a base64-encoded reverse shell payload and embedded it within my HTA file. When executed, the payload successfully bypassed the anti-malware solution and granted me a shell on the target machine.
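The flip side of the technique above is how a defender spots it: an -EncodedCommand argument is just base64 of the UTF-16LE script text, so process-creation telemetry can be decoded and read. The following is an added example of that check (not code from the original post, Tothi's script or any product); it assumes a simplified event shape with "parent" and "cmdline" fields, treats any prefix of -EncodedCommand (-e, -ec, -enc, ...) as the flag, and runs over constructed sample events.

```python
import base64
import re

# Token following a flag that is a prefix of -EncodedCommand. powershell.exe
# accepts abbreviations such as -e, -ec and -enc, so the prefix test is done
# in encoded_command_arg() rather than hard-coding every spelling.
FLAG_RE = re.compile(r"(?:^|\s)[-/](e[A-Za-z]*)\s+([A-Za-z0-9+/=]+)", re.I)


def encoded_command_arg(cmdline):
    """Return the base64 argument passed to -EncodedCommand, or None."""
    for m in FLAG_RE.finditer(cmdline):
        if "encodedcommand".startswith(m.group(1).lower()):
            return m.group(2)
    return None


def decode_powershell_b64(token):
    """-EncodedCommand carries base64 of the UTF-16LE script text.
    Returns None for a token that is not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return None


def analyze(event):
    """Flag a process-creation event that runs an encoded PowerShell command,
    noting when it was spawned by mshta.exe (the HTA host process)."""
    cmdline = event["cmdline"]
    if "powershell" not in cmdline.lower():
        return None
    token = encoded_command_arg(cmdline)
    if token is None:
        return None
    reasons = ["encoded PowerShell command"]
    if event.get("parent", "").lower().endswith("mshta.exe"):
        reasons.append("spawned by mshta.exe (HTA host)")
    return {"decoded": decode_powershell_b64(token), "reasons": reasons}


def analyze_events(events):
    return [f for f in (analyze(e) for e in events) if f]


def ps_encode(script):
    """UTF-16LE base64 form, used only to build the constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ps_encode("Write-Host 'hello'")},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File build.ps1"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -EncodedCommand notbase64!!"},
]
```

The third sample shows the edge case worth keeping: a malformed token still produces a finding (decoded is None) rather than being silently dropped.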
That's it. I just wanted to put this post up as a reminder that default payloads are easily detected and that shortcuts most likely will not work on a red team engagement.
Red Team Notes
- Avoid using default payloads and don't be afraid to dig into manual techniques.