LuckyStrike is awesome, so I wanted to share my findings from the experiments I have made.
TL;DR – LuckyStrike is an Excel file generator that will create an Excel file with a custom executable payload embedded as a macro. It has other features as well, but I was only interested in the custom EXE file insertion.
The GitHub repository for LuckyStrike is here: https://github.com/Shellntel/luckystrike
Greetings to
Software I have used:
- Windows 10 64bit (running in VirtualBox 5.1.6)
- MS Office 2013 (64bit)
- Metasploit Framework v4.12.27-dev-d2100bf
- Connor EXE generator :) https://astr0baby.wordpress.com/2016/09/23/john-connor-vs-eset-hey-eset-choose-some-other-mascot-not-a-cyborg/
- Debian
- VirtualBox 5.1
So first we need to prepare the LuckyStrike environment. In Windows 10 (64bit) you need to set the following in the PowerShell environment:
(Run Windows PowerShell ISE with admin privileges and set the execution policy; execute it from the directory where you expect to have the LuckyStrike directory.)
Set-ExecutionPolicy RemoteSigned
Next we install LuckyStrike as suggested by the author:
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Shellntel/luckystrike/master/install.ps1')
Accept all options and allow the PSSQLite module installation.
We are ready to start LuckyStrike. Go to the directory where your LuckyStrike is and execute the PowerShell script:
./luckystrike.ps1
Next we need to create a payload template to use in our poisoned Excel documents.
Next we add a new payload to the catalogue.
Add the EXE generated with the Connor EXE generator (https://astr0baby.wordpress.com/2016/09/23/john-connor-vs-eset-hey-eset-choose-some-other-mascot-not-a-cyborg/).
Make sure you type the C: in CAPITAL case; lower case for some reason always failed :)
Select the new payload template to be used for the Excel file and choose the infection method – “Save To Disk”
Now generate the Excel with the selected custom payload.
The poisoned Excel file is ready in the luckystrike\payloads directory.
Execute it and enjoy the shell ;)
Attached is the video recording of the above
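From the receiving side, the workbook this workflow produces carries a VBA macro project, and that can be flagged from the file's bytes before anyone opens it. The following is an added example, not part of the original post or of LuckyStrike: a standard-library Python triage check for both the legacy binary format and the zip-based Office format. The function names and the sample inputs are constructed for illustration, and a positive result means a VBA project is present, not that it is malicious.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")      # legacy .xls compound file
VBA_DIR_NAME = "_VBA_PROJECT".encode("utf-16-le")  # OLE directory names are UTF-16LE


def macro_triage(data: bytes) -> str:
    """Return 'ooxml-macro', 'ole-macro', 'no-macro' or 'not-office' for raw file bytes."""
    if data[:8] == OLE_MAGIC:
        # Binary workbook: a VBA project appears as a _VBA_PROJECT(_CUR) directory entry.
        return "ole-macro" if VBA_DIR_NAME in data else "no-macro"
    if data[:4] != b"PK\x03\x04":
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower(): n for n in zf.namelist()}
            if "[content_types].xml" not in names:
                return "not-office"  # a zip, but not an OOXML package
            content_types = zf.read(names["[content_types].xml"]).lower()
    except zipfile.BadZipFile:
        return "not-office"
    # Judge by package contents, not by the file extension.
    has_vba = (b"vnd.ms-office.vbaproject" in content_types
               or any(n.endswith("vbaproject.bin") for n in names))
    return "ooxml-macro" if has_vba else "no-macro"


def sample_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a zip with OOXML-style part names, not a real workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def sample_ole(with_macro: bool) -> bytes:
    """Constructed sample: OLE magic plus padding, optionally a VBA directory name."""
    return OLE_MAGIC + b"\x00" * 504 + (VBA_DIR_NAME if with_macro else b"")


if __name__ == "__main__":
    for label, blob in [("ooxml+vba", sample_ooxml(True)), ("ooxml", sample_ooxml(False)),
                        ("ole+vba", sample_ole(True)), ("ole", sample_ole(False))]:
        print(f"{label:10} -> {macro_triage(blob)}")
```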