Initial Foothold Hint
- The target is an Active Directory domain controller, so the standard Active Directory exploitation playbook applies here
- Pay careful attention to the message on the home page of the web site
- There are also very clear hints in the box avatar image, the box name, and the introductory message from the HackTheBox team
- If you're still struggling, consider what might be open about the SMTP server running on `tcp/25`. You might need to relay a message to someone, with a very specific Excel file attached to it (no macros)
- There is a web page that contains a list of payload files for Office that should get you pretty close to what you need, but you'll likely need to work through some simple errors to get it to the finish line (all part of the learning process)
- HackTricks probably has a page dedicated to testing this port
- One specific tool requires the `@filename.ext` format to attach a file, so please don't miss the `@` sign here, this one killed me for a while 🥲
Privilege Escalation Hint
- Lateral Pivot 1
  - This is really just a test of your post-exploit enumeration skills, look at everything — services, ports, processes, files, etc.
  - In general, once the foothold is established, I like to look for data and configuration files for the application that was exploited (when applicable)
  - Look for configuration files, user data, databases, etc.
  - Once you find the internal note from the web dev team, it's pretty clear that we're continuing with the client-side exploitation theme of the box
  - It's a two-part equation:
    - One shortcut file for the client to interact with
    - Another file to serve as the exploit
  - When serving the exploit file for the client, think about all the ways and all the protocols you might be able to use to serve the file to the user
- Lateral Pivot 2
  - This is where the AD enumeration comes in... time to break out `bloodhound`
  - Try as I might, I couldn't find any credentials on the box to run `bloodhound-python`, so you'll need to transfer the Bloodhound collector to the box
  - Once you load the Bloodhound data, use the built-in queries to find an easy win. A quick Google search on your special permissions will lead you to the next pivot.
- Owning the Target
  - The final stretch is just plain old enumeration of the system
  - You should look in a folder that you haven't been able to access yet, with a hint in one of the files (read carefully)
Nmap Results
# Nmap 7.94SVN scan initiated Mon Jun 24 13:41:37 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.90.84
Nmap scan report for 10.129.90.84
Host is up (0.017s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Axlle Development
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-06-24 17:42:53Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: AXLLE
| NetBIOS_Domain_Name: AXLLE
| NetBIOS_Computer_Name: MAINFRAME
| DNS_Domain_Name: axlle.htb
| DNS_Computer_Name: MAINFRAME.axlle.htb
| DNS_Tree_Name: axlle.htb
| Product_Version: 10.0.20348
|_ System_Time: 2024-06-24T17:45:11+00:00
| ssl-cert: Subject: commonName=MAINFRAME.axlle.htb
| Not valid before: 2024-05-19T11:25:03
|_Not valid after: 2024-11-18T11:25:03
|_ssl-date: 2024-06-24T17:45:51+00:00; +12s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
54306/tcp open msrpc Microsoft Windows RPC
63807/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
63808/tcp open msrpc Microsoft Windows RPC
64655/tcp open msrpc Microsoft Windows RPC
64669/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MAINFRAME; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-06-24T17:45:13
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 11s, deviation: 0s, median: 11s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 24 13:45:40 2024 -- 1 IP address (1 host up) scanned in 242.62 seconds
💡
Don't miss an opportunity to gather some valuable breadcrumbs from the `nmap` output:
- On `tcp/389` we see a domain of `axlle.htb`
- On `tcp/3389` we see `commonName=MAINFRAME.axlle.htb`
Let's go ahead and get those added to our `/etc/hosts` file:
echo -e '10.129.90.84\taxlle.htb mainframe.axlle.htb' | sudo tee -a /etc/hosts
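As an added example (not part of the original post), here is a small parser that pulls the same breadcrumbs out of an `nmap -oN` file automatically and only appends the `/etc/hosts` line when none of the names is already mapped, since a blind `tee -a` adds a duplicate entry on every re-scan. The nmap lines embedded below are a constructed excerpt of the scan above.

```python
import re

# Constructed excerpt of the nmap -oN output above (only the lines that carry names)
SAMPLE_NMAP = """\
Nmap scan report for 10.129.90.84
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
| DNS_Domain_Name: axlle.htb
| DNS_Computer_Name: MAINFRAME.axlle.htb
| ssl-cert: Subject: commonName=MAINFRAME.axlle.htb
"""

# Where nmap's normal output leaks DNS names: the LDAP version probe, rdp-ntlm-info and ssl-cert
NAME_PATTERNS = [re.compile(p + r"([A-Za-z0-9.-]+)") for p in
                 (r"\(Domain:\s*", r"DNS_Domain_Name:\s*", r"DNS_Computer_Name:\s*", r"commonName=")]

def scan_ip(nmap_text):
    """IPv4 address from the 'Nmap scan report for ...' header, or None."""
    m = re.search(r"Nmap scan report for .*?(\d+\.\d+\.\d+\.\d+)", nmap_text)
    return m.group(1) if m else None

def extract_names(nmap_text):
    """Lower-cased, de-duplicated DNS names, shortest (the domain itself) first."""
    names = set()
    for pat in NAME_PATTERNS:
        for m in pat.finditer(nmap_text):
            name = m.group(1).lower()
            if name.endswith("0."):   # the LDAP probe renders 'axlle.htb' as 'axlle.htb0.'
                name = name[:-2]
            names.add(name.rstrip("."))
    return sorted(names, key=lambda n: (n.count("."), n))

def hosts_line(nmap_text):
    """The /etc/hosts line the echo command above writes by hand, or '' if nothing was found."""
    ip, names = scan_ip(nmap_text), extract_names(nmap_text)
    return f"{ip}\t{' '.join(names)}" if ip and names else ""

def merge_hosts(existing, nmap_text):
    """Hosts file text with the new line appended, unless one of its names is already mapped."""
    line = hosts_line(nmap_text)
    mapped = set()
    for entry in existing.splitlines():              # ignore comments, keep only the name fields
        mapped.update(f.lower() for f in entry.split("#", 1)[0].split()[1:])
    if not line or any(n in mapped for n in line.split()[1:]):
        return existing
    prefix = existing.rstrip("\n") + "\n" if existing.strip() else ""
    return prefix + line + "\n"
```

Feed it the full `nmap-scan.txt` instead of the constructed excerpt to get the same line the `echo` above writes; `merge_hosts` leaves the file untouched on a second run.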
⛔
This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.