Moniker Link (CVE-2024–21413) | TryHackMe Walkthrough by Mark de Moras

Hey everyone!

This is a writeup to the TryHackMe Moniker Link room, which can be found here. In this TryHackMe write-up, I will first explain the Moniker Link exploit, how it works, and some of its features. I will then provide a walkthrough of the TryHackMe room with the answers to the prompted questions. Have fun!

What is the Moniker Link (CVE-2024–21413) exploit, and how does it work?

The Moniker Link exploit is a vulnerability in the popular email client, Microsoft Outlook. The vulnerability was categorized as Critical, having a CVSS rating of 9.8/10. It works by bypassing Outlook’s Protected View option, a feature that limits us to read access, thus preventing malicious scripts like macros from running on the system. The file:// parameter in the underlying hyperlink attempts to access a specified file share, and the ~ symbol, along with some additional text, permits this exploit to function. An example from TryHackMe is provided below:

At the time of this write-up, it is stated that remote code execution (RCE) is possible, thus explaining the incredibly high severity rating, but there is no proof that RCE is possible.

What “Severity” rating has the CVE been assigned?