HackTheBox | Axlle

In this walkthrough, I demonstrate how I obtained complete ownership of Axlle on HackTheBox.

Initial Foothold Hint

  • The target is an Active Directory domain controller, so the standard Active Directory exploitation playbook applies here
  • Pay careful attention to the message on the home page of the web site
    • There are also very clear hints in the box avatar image, the box name, and the introductory message from the HackTheBox team
  • If you're still struggling, consider what might be open about the SMTP server running on tcp/25. You might need to relay a message to someone, with a very specific Excel file attached to it (no macros)
    • There is a web page that contains a list of payload files for Office that should get you pretty close to what you need, but you'll likely need to work through some simple errors to get it to the finish line (all part of the learning process)
    • HackTricks probably has a page dedicated to testing this port
    • One specific tool requires the @filename.ext format to attach a file, so please don't miss the @ sign here; this one killed me for a while 🥲

Privilege Escalation Hint

  • Lateral Pivot 1
    • This is really just a test of your post-exploit enumeration skills: look at everything — services, ports, processes, files, etc.
      • In general, once the foothold is established, I like to look for data and configuration files for the application that was exploited (when applicable)
        • Look for configuration files, user data, databases, etc
    • Once you find the internal note from the web dev team, it's pretty clear that we're continuing with the client-side exploitation theme of the box
      • It's a two-part equation:
        • One shortcut file for the client to interact with
        • Another file to serve as the exploit
      • When serving the exploit file for the client, think about all the ways and all the protocols you might be able to use to serve the file to the user
  • Lateral Pivot 2
    • This is where the AD enumeration comes in... time to break out BloodHound
      • Try as I might, I couldn't find any credentials on the box to run bloodhound-python, so you'll need to transfer the Bloodhound collector to the box
    • Once you load the BloodHound data, use the built-in queries to find an easy win. A quick Google search on your special permissions will lead you to the next pivot.
  • Owning the Target
    • The final stretch is just plain old enumeration of the system
    • You should look in a folder that you haven't been able to access yet with a hint in one of the files (read carefully)

Nmap Results

# Nmap 7.94SVN scan initiated Mon Jun 24 13:41:37 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.90.84
Nmap scan report for 10.129.90.84
Host is up (0.017s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
25/tcp    open  smtp          hMailServer smtpd
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp    open  domain?
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Axlle Development
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-24 17:42:53Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: AXLLE
|   NetBIOS_Domain_Name: AXLLE
|   NetBIOS_Computer_Name: MAINFRAME
|   DNS_Domain_Name: axlle.htb
|   DNS_Computer_Name: MAINFRAME.axlle.htb
|   DNS_Tree_Name: axlle.htb
|   Product_Version: 10.0.20348
|_  System_Time: 2024-06-24T17:45:11+00:00
| ssl-cert: Subject: commonName=MAINFRAME.axlle.htb
| Not valid before: 2024-05-19T11:25:03
|_Not valid after:  2024-11-18T11:25:03
|_ssl-date: 2024-06-24T17:45:51+00:00; +12s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
54306/tcp open  msrpc         Microsoft Windows RPC
63807/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
63808/tcp open  msrpc         Microsoft Windows RPC
64655/tcp open  msrpc         Microsoft Windows RPC
64669/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: MAINFRAME; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-06-24T17:45:13
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 11s, deviation: 0s, median: 11s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 24 13:45:40 2024 -- 1 IP address (1 host up) scanned in 242.62 seconds
💡 Don't miss an opportunity to gather some valuable breadcrumbs from the nmap output:
  • On tcp/389 we see a domain of axlle.htb
  • On tcp/3389 we see commonName=MAINFRAME.axlle.htb

Let's go ahead and get those added to our /etc/hosts file:

echo -e '10.129.90.84\taxlle.htb mainframe.axlle.htb' | sudo tee -a /etc/hosts
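Pulling those breadcrumbs out by eye works for one host, but the same fields (the LDAP domain, the rdp-ntlm-info DNS names, the certificate commonName, the clock skew) come back on every AD box, so it is worth scripting. The following is an added example and not part of the walkthrough or of nmap itself: it parses nmap's normal (-oN) output, collects the domain and hostnames, renders the same /etc/hosts line the echo above adds by hand, and flags clock skew beyond the 5-minute Kerberos tolerance. The SAMPLE_SCAN text is a trimmed copy of the scan shown on this page; the function and class names are my own.

```python
"""Extract DNS breadcrumbs from nmap -oN output and build an /etc/hosts line.

Added example for the Axlle walkthrough; not the author's or nmap's code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the walkthrough's own nmap output,
# trimmed to the lines that carry the breadcrumbs we care about.
SAMPLE_SCAN = """\
Nmap scan report for 10.129.90.84
Host is up (0.017s latency).
PORT      STATE SERVICE       VERSION
25/tcp    open  smtp          hMailServer smtpd
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: Axlle Development
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   NetBIOS_Domain_Name: AXLLE
|   NetBIOS_Computer_Name: MAINFRAME
|   DNS_Domain_Name: axlle.htb
|   DNS_Computer_Name: MAINFRAME.axlle.htb
| ssl-cert: Subject: commonName=MAINFRAME.axlle.htb
|_clock-skew: mean: 11s, deviation: 0s, median: 11s
"""

TARGET_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SKEW_RE = re.compile(r"clock-skew:.*?mean:\s*(-?\d+)s")

# (regex, bucket) pairs; each capture is lowercased and added to that bucket.
BREADCRUMB_RES = [
    (re.compile(r"DNS_Domain_Name:\s*(\S+)"), "domains"),
    # The LDAP line on this page renders the domain as 'axlle.htb0.'; the lazy
    # match stops before that trailing '0.' so we keep only 'axlle.htb'.
    (re.compile(r"\(Domain:\s*(\S+?)0?\.?,"), "domains"),
    (re.compile(r"DNS_Computer_Name:\s*(\S+)"), "hostnames"),
    (re.compile(r"commonName=([A-Za-z0-9.-]+)"), "hostnames"),
]

KERBEROS_MAX_SKEW_S = 300  # Kerberos rejects tickets beyond a 5-minute clock skew


@dataclass
class ScanFacts:
    ip: str | None = None
    open_ports: dict[int, str] = field(default_factory=dict)  # port -> service name
    domains: set[str] = field(default_factory=set)
    hostnames: set[str] = field(default_factory=set)
    clock_skew_s: int | None = None


def parse_nmap(text: str) -> ScanFacts:
    """Walk the scan line by line, recording the target IP, open ports and breadcrumbs."""
    facts = ScanFacts()
    for line in text.splitlines():
        line = line.rstrip()
        if m := TARGET_RE.match(line):
            facts.ip = m.group(1)
            continue
        if (m := PORT_RE.match(line)) and m.group(3) == "open":
            facts.open_ports[int(m.group(1))] = m.group(4)
            # no 'continue': the version column may carry breadcrumbs (the LDAP Domain field)
        if m := SKEW_RE.search(line):
            facts.clock_skew_s = int(m.group(1))
        for pattern, bucket in BREADCRUMB_RES:
            if m := pattern.search(line):
                getattr(facts, bucket).add(m.group(1).lower())
    return facts


def hosts_line(facts: ScanFacts) -> str:
    """Render one /etc/hosts line: IP, then domain(s), then FQDN(s), like the echo above."""
    if facts.ip is None:
        raise ValueError("no 'Nmap scan report for' line found")
    names = sorted(facts.domains) + sorted(facts.hostnames - facts.domains)
    return f"{facts.ip}\t{' '.join(names)}"


def kerberos_skew_ok(facts: ScanFacts) -> bool:
    """True when the measured skew is within what Kerberos will tolerate (or unknown)."""
    return facts.clock_skew_s is None or abs(facts.clock_skew_s) <= KERBEROS_MAX_SKEW_S


if __name__ == "__main__":
    facts = parse_nmap(SAMPLE_SCAN)
    print(hosts_line(facts))
    print("open ports:", sorted(facts.open_ports))
    if not kerberos_skew_ok(facts):
        print(f"warning: clock skew of {facts.clock_skew_s}s exceeds the Kerberos tolerance")
```

Pipe the real nmap-scan.txt in instead of SAMPLE_SCAN and the script prints the line to append with sudo tee -a /etc/hosts. The skew check is there because Kerberos-heavy boxes fail in confusing ways when your clock drifts from the DC's; at 11s this one is fine, but it is cheap to have the script say so.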

This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.
