Windows Scripting Host (WSH)

Windows Scripting Host is a built-in Windows administration tool that runs batch files to automate and manage tasks within the operating system.

It is a Windows-native engine consisting of cscript.exe (for command-line scripts) and wscript.exe (for UI scripts), which are responsible for executing Microsoft Visual Basic Scripts (VBScript), including .vbs and .vbe files. For more information about VBScript, please visit here. It is important to note that the VBScript engine on a Windows operating system runs and executes applications with the same level of access and permission as a regular user; therefore, it is useful for red teamers.

Now let's write a simple VBScript to create a Windows message box that shows the Welcome to THM message. Make sure to save the following code into a file, for example, hello.vbs.

Dim message 
message = "Welcome to THM"
MsgBox message

In the first line, we declare the message variable using Dim. Then we store the string value Welcome to THM in the message variable. In the next line, we use the MsgBox function to show the content of the variable. For more information about the MsgBox function, please visit here. Then, we use wscript to run and execute the content of hello.vbs. As a result, a Windows message box will pop up with the Welcome to THM message.

Now let's use VBScript to run executable files. The following VBS code invokes the Windows calculator, proof that we can execute .exe files using the Windows native engine (WSH).

Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True

We create an object of the WScript library using CreateObject to call the execution payload. Then, we use the Run method to execute the payload. For this task, we will run the Windows calculator, calc.exe.

To execute the .vbs file, we can run it using wscript as follows:

c:\Windows\System32>wscript c:\Users\thm\Desktop\payload.vbs

We can also run it via cscript as follows:

c:\Windows\System32>cscript.exe c:\Users\thm\Desktop\payload.vbs

As a result, the Windows calculator will appear on the Desktop.

Another trick: if .vbs files are blacklisted, we can rename the file to a .txt file and run it using wscript as follows:

c:\Windows\System32>wscript /e:VBScript c:\Users\thm\Desktop\payload.txt

The result will be exactly the same as executing the .vbs file: the calc.exe binary runs.
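
For defenders, the rename trick above means a block on the .vbs extension alone does not stop WSH; the host process and its engine switch are the things to watch. The Python sketch below is an added example, not part of the original page: it flags wscript/cscript command lines that use an engine override or point at a script without a default WSH extension. The sample command lines, function names and finding labels are constructed for illustration, and it also matches //E:, the documented form of the switch the page writes as /e:.

```python
import ntpath
import re
import shlex

# WSH host binaries named on the page (with and without the .exe suffix).
WSH_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
# Extensions WSH associates with a script engine by default.
WSH_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Engine override: the page's /e:VBScript and the documented //E:engine form.
ENGINE_OPT = re.compile(r"^/{1,2}e:(.+)$", re.IGNORECASE)


def analyze(cmdline):
    """Return findings for one process command line ([] if nothing is flagged)."""
    try:
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quote: fall back to whitespace splitting
        tokens = cmdline.replace('"', "").split()
    if not tokens or ntpath.basename(tokens[0]).lower() not in WSH_HOSTS:
        return []
    findings, script_seen = [], False
    for tok in tokens[1:]:
        match = ENGINE_OPT.match(tok)
        if match:
            findings.append("engine-override:" + match.group(1).lower())
        elif not tok.startswith("/") and not script_seen:
            script_seen = True  # first non-option token is the script path
            ext = ntpath.splitext(tok)[1].lower()
            if ext not in WSH_EXTS:
                findings.append("unexpected-extension:" + (ext or "<none>"))
    return findings


# Constructed process-creation command lines (not captured from a real host).
SAMPLES = [
    r"wscript c:\Users\thm\Desktop\payload.vbs",
    r"cscript.exe c:\Users\thm\Desktop\payload.vbs",
    r"wscript /e:VBScript c:\Users\thm\Desktop\payload.txt",
    r'"C:\Windows\System32\cscript.exe" //E:JScript "C:\Temp\report data.log"',
    r"notepad.exe c:\Users\thm\Desktop\payload.txt",
]


def scan(lines):
    """Map each flagged command line to its findings."""
    return {line: hits for line in lines if (hits := analyze(line))}


if __name__ == "__main__":
    for line, hits in scan(SAMPLES).items():
        print(", ".join(hits), "<-", line)
```

In practice the command lines would come from process-creation telemetry rather than an inline list.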