Answers for Moniker Link (CVE-2024-21413) tryhackme


Hello Folks,
In this introductory blog, we will cover the answers for the “Moniker Link (CVE-2024-21413)” room, which is part of the “Cyber Security 101” learning path. This room covers a critical Remote Code Execution (RCE) and credential leak vulnerability in Microsoft Outlook. The vulnerability lets attackers use malicious Moniker Links in emails to leak NTLM credentials from affected Office versions.

You can access the room by clicking here.

Task 1 Introduction

This task sets out the learning objectives and prerequisites for understanding the CVE-2024-21413 vulnerability.

Q 1.1- What “Severity” rating has the CVE been assigned?

A 1.1- Critical

Task 2 Moniker Link (CVE-2024-21413)

This task gives an overview of CVE-2024-21413, in which attackers exploited Moniker Links by modifying them with special characters to bypass Outlook’s Protected View security feature.

Q 2.1- What Moniker Link type do we use in the hyperlink?

A 2.1- file://

Q 2.2- What is the special character used to bypass Outlook’s “Protected View”?

A 2.2- !

Task 3 Exploitation

Here, we dive into the exploitation part of this vulnerability, where an intruder can craft an email containing a Moniker Link designed to bypass Outlook’s security feature and capture the netNTLMv2 hash of the user who clicks on it. Adversaries in this scenario can use Responder to capture the hashes.

Q 3.1- What is the name of the application that we use on the AttackBox to capture the user’s hash?

A 3.1- Responder

Q 3.2- What type of hash is captured once the hyperlink in the email has been clicked?

A 3.2- netNTLMV2

Task 4 Detection

To detect this vulnerability, a YARA rule was created that identifies the “file:\” element in Moniker Links. In addition, capturing packets via sniffing can reveal SMB requests from victims containing truncated netNTLMv2 hashes.

Click me to proceed onto the next task!

No answer needed
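
As an added illustration of the Task 4 detection idea (this is not the room's YARA rule and not code from the original post), the Python sketch below decodes each HTML part of an email and flags hyperlinks that use a `file:` moniker containing `!`. The function names, the regex and the host `fileserver.example` are assumptions constructed for the example. Decoding first matters because a base64-encoded body hides the string from a raw byte match.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumed heuristic: a file: link (either slash style) with "!" after the path.
MONIKER_RE = re.compile(r"^file:[\\/]+[^!]*!", re.IGNORECASE)


class HrefCollector(HTMLParser):
    """Collects the href attribute of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v.strip() for k, v in attrs if k == "href" and v]


def find_moniker_links(raw_email: str) -> list[str]:
    """Return hrefs in the message's HTML parts that match MONIKER_RE."""
    msg = message_from_string(raw_email, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = HrefCollector()
        # get_content() undoes base64 / quoted-printable transfer encoding.
        collector.feed(part.get_content())
        hits += [h for h in collector.hrefs if MONIKER_RE.match(h)]
    return hits


def build_sample(href: str) -> str:
    """Constructed sample message; the HTML body is base64-encoded on the wire."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content(f'<p><a href="{href}">report</a></p>',
                  subtype="html", cte="base64")
    return m.as_string()


if __name__ == "__main__":
    sample = build_sample("file://fileserver.example/share/report.rtf!section")
    print(find_moniker_links(sample))
```
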

Task 5 Remediation

This section discusses the mitigation steps Microsoft took immediately in February’s “Patch Tuesday”. Users were also advised to avoid clicking on unsolicited links before previewing them.

Click me to proceed onto the next task.

No answer needed

Task 6 Conclusion

Mischief managed.

No answer needed

You can check out our other blogs here.

Happy Pentesting!!!
Team CyberiumX
