HTA stands for HTML Application, which is a format that allows for the execution of code within a web browser but without the constraints of the browser security model; it is like running a fully trusted application, like the browser itself or MS Word.
In this recipe, we used Metasploit to generate a malicious HTA file and set up a server to host it. Our malicious file contained a reverse shell: a program that, when executed by the victim, establishes a connection back to the attacker's server (that's why it is called reverse), as opposed to opening a port on the victim's machine and waiting for an incoming connection. When this connection is completed, a command execution session (a remote shell) is established.
We arbitrarily picked port 8888 for our server and port 12345 for the exploit listener. In a real-world scenario, maybe port 80 or 443 with proper TLS configuration would be more convenient, as those are the common ports for HTTP communication. The shell exploit would require a more advanced setup, including encrypted communication and maybe the use of another port that doesn't raise alerts when communication is detected by an administrator. SSH port 22 is a good choice.
In this attack, XSS is only the method used to load the malicious file onto the victim's machine; the attack also assumes that the attacker will create a convincing social engineering scenario so that the file is accepted and executed.
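From the defender's side, the chain described above leaves a process lineage that does not depend on which ports are chosen. The following is an added example, not part of the original recipe: it walks constructed events that use a simplified subset of Sysmon fields (Event ID 1 for process creation, Event ID 3 for network connection) and flags `mshta.exe`, the Windows host that runs HTA files, when it is started by a browser, along with anything it spawns and any connection its descendants make. The rule names, paths, PIDs and addresses are assumptions made for the illustration.

```python
import ntpath

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

def _exe(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path or "").lower()

def detect_hta_activity(events):
    """Return (rule, pid) findings for HTA execution and its descendants."""
    findings, tainted = [], set()   # tainted = mshta.exe and its descendants
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:      # process creation
            if _exe(ev["Image"]) == "mshta.exe":
                tainted.add(pid)
                if _exe(ev["ParentImage"]) in BROWSERS:
                    findings.append(("hta_from_browser", pid))
            elif ev["ParentProcessId"] in tainted:
                tainted.add(pid)
                findings.append(("hta_child_process", pid))
        elif ev["EventID"] == 3 and pid in tainted:   # network connection
            # Flag on lineage, not port: 443 or 22 looks normal on the wire.
            findings.append(("hta_outbound_connection", pid))
    return findings

# Constructed sample: browser -> mshta.exe -> powershell.exe -> outbound 443,
# plus an ordinary browser connection that must not be flagged.
FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 900,
     "Image": FF, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4200, "ParentProcessId": 4100,
     "Image": MSHTA, "ParentImage": FF},
    {"EventID": 1, "ProcessId": 4300, "ParentProcessId": 4200,
     "Image": PS, "ParentImage": MSHTA},
    {"EventID": 3, "ProcessId": 4300, "Image": PS,
     "DestinationIp": "192.0.2.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 4100, "Image": FF,
     "DestinationIp": "192.0.2.20", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, pid in detect_hta_activity(SAMPLE_EVENTS):
        print(rule, pid)
```

The browser's own connection on port 443 is not reported, while the connection made by the process descended from `mshta.exe` is, even though both use the same destination port.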