Permanent "URL" of image when compressing a .docx file

Pino8891 · February 28, 2024, 2:38pm

Hello everyone!

I’m new around here, hope someone can give me some tips or suggestions about what I am trying to achive.

For a fake phishing campaign, to make our operators more aware of the problem, I need to create a specific .docx file with, inside the document, an image linked to a tracking URL (the link with the WebApp GoPhish is dynamic so I need to insert {{.TrackingURL}} - double click on the image - rotation - link).
This will help me keeping track of who will download and open the attachment of the fake phishing mail.

But everytime I do so it modifies the path adding file:///C:/Users/myuser/Desktop/{{.TrackingURL}}
I found a workaround by modifing the document.xml.rels.
If I do this, start the campaign and download the attachment the tracking works correctly.

Thing is, I cannot use this method because we use Gmail with a customized domain as mail service so an attachment like a .pdf, .docx or .xlsx gets previewed from Drive and it stops the tracker.

My solution would be compressing the file inside a .zip/.rar/.7zip. But as soon you open the .docx on a temp folder or you extract it, the URL of the image changes as above.

Is there any way to force Writer to keep {{.TrackingURL}} as the link of the image?

If you have any tips or suggestions all are appreciated
Thanks in advance!

ajlittoz · February 28, 2024, 2:55pm

Apparently, you’re trying to use Writer to activate a M$O Word-specific feature. Writer is not a drop-in replacement for Word. It is a different application, based on different primitives. Moreover, DOCX is a proprietary format without well-agreed upon public specification. Writer has limited capability to import .docx files and can’t produce fully conforming DOCX files (both because the specification is not fully available and because not all its founding principles have an equivalent).

Use M$O Word.

Pino8891 · February 28, 2024, 3:10pm

Sadly I can’t because in our enviorment we use mostly LibreOffice and only a few of us has MSOffice.
And, for now, GoPhish is only compatibile with .docx or .xlsx files…anyway, I’ve opened a ticket even on their official page on GitHub.
Thank you for your quick and instructive reply!

ajlittoz · February 28, 2024, 3:13pm

Perhaps you can tell the expected result of {{.TrackingURL}} and we could then suggest what to insert to achieve the same effect.

Pino8891 · February 28, 2024, 3:24pm

{{.TrackingURL}} should result into a dynamically generated URL that calls a simple image of a dot. Everytime I launch a new campaign the string changes so I don’t have a static URL to use (this would actually solve the problem).
So in few word is a dynamic URL that calls an image.

To be more specific: when I customize the phishing campaign on GoPhish I need to insert the address of a listening server…for example http://listeningserver.org
{{.TrackingURL}} when called should translate in: http://listeningserver.org/RandomGeneratedString that calls the dot pic.

When the picture gets called from the document it gets tracked from GoPhish.

Hope I was able to explain myself.

mikekaganski · February 28, 2024, 3:51pm

Whose official page on GitHub? If it was about LibreOffice, we don’t use GitHub for development / issue tracking, and only provide that for convenience of those who clones the source code from there.

ajlittoz · February 28, 2024, 4:12pm

I imagine that {{.TrackingURL}} cannot be predicted but remains constant for all “images” in the campaign. If the random URL is not ECC-checked (i.e. does not contain redundant characters with “parity”) according to some GoPhish private algorithm, you can as well create yourself a random URL based on UUID or shaxxx.

Pino8891 · February 29, 2024, 6:55am

@ajlittoz
That could be a solution. I was actually wondering something similar. I will try to see if I’m able to set up something myself!
Thank you for your suggestion!

Pino8891 · February 29, 2024, 7:04am

@mikekaganski
I know, that’s why I was asking if there was a way to “force” Writer to keep a specific parameter of a link for an image.
I can do that by modify the document.xml.rels and not opening the file again. But as soon I compress it the parameter is messed up.
So that’s why my ticket on GitHub (Issue with compressed files · Issue #3106 · gophish/gophish · GitHub) is more related to some modification they made with compressed files that GoPhish “should” handle.

I’m trying to gather as much infos as possible (About Gmail, Writer and GoPhish) to come up with a possible solution.