Introduction to Axlle:
In this write-up, we will explore the “Axlle” machine from Hack The Box, categorized as a Hard difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the “Axlle” machine from Hack The Box by achieving the following objectives:
User Flag:
Gaining a Foothold via Excel XLL Exploit
- This technique shows how to achieve an initial foothold by delivering a reverse shell through a malicious XLL file in Excel. When the target opens the compromised XLL file, it activates the reverse shell.
Root Flag:
LOLBINs StandaloneRunner Exploit:
- In \App Development\kbfiltr\README.md, it's noted that standalonerunner.exe is run automatically as SYSTEM for testing and debugging the driver.
- To check directory permissions, use:
icacls "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64"
- The folder is writable, but the files inside are not. This means new files can be created, but existing ones can't be modified.
- Exploitation involves placing a malicious file in the writable directory and using standalonerunner.exe to execute commands as SYSTEM.
Enumerating the Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oN nmap_initial.txt 10.10.11.21
Nmap Output:
┌─[darknite@parrot]─[~/Documents/htb/axlle]
└──╼ $nmap -sC -sV 10.10.11.21 -oA initial
Starting Nmap 7.94 SVN ( https://nmap.org ) at 2024-11-15 07:31 EST
Nmap scan report for 10.10.11.21
Host is up (0.19s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Axlle Development
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-15 12:32:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: MAINFRAME; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-11-15T12:32:26
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.96 seconds
Analysis:
- Port 25 (SMTP): hMailServer smtpd service, supporting commands like AUTH LOGIN, HELO, EHLO, and others, which indicates the presence of an email server.
- Port 53 (DNS): Simple DNS Plus service, handling domain name resolution.
- Port 80 (HTTP): Microsoft IIS 10.0 web server, potentially hosting the “Axlle Development” site. The TRACE method is available, which could pose a security risk.
- Port 88 (Kerberos): Microsoft Windows Kerberos service, used for authentication in Active Directory environments.
- Port 135 (MSRPC): Microsoft Windows RPC service, typically used for inter-process communication and remote management.
- Port 139 (NetBIOS): Microsoft Windows NetBIOS service, used for file sharing and network services.
- Port 389 (LDAP): Microsoft Active Directory LDAP service for directory services, supporting the domain axlle.htb0.
- Port 445 (Microsoft-DS): Likely related to Microsoft SMB or Active Directory services, though further investigation may be required.
- Port 464 (Kpasswd5): Potential Kerberos password change service.
- Port 593 (RPC-HTTP): Microsoft Windows RPC over HTTP, enabling remote management of Windows systems.
- Port 636 (LDAP over SSL): Encrypted LDAP service (TCP wrapped).
- Port 3268 (LDAP): Active Directory Global Catalog service, supporting queries across the domain.
- Port 3269 (LDAP over SSL): Secure LDAP service for the Global Catalog.
Web Enumeration:
Perform web enumeration to discover potentially exploitable directories and files.
Let's access the website interface.
The software company’s maintenance page highlights issues with emails sent in Excel format, specifying that macros have been disabled. This suggests the initial foothold may be associated with email-based phishing attempts.
XLL Execution on Axlle machine
After extensive testing, we identified a vulnerability in the mail server allowing for XLL execution. The script exploiting the vulnerability is available here
An XLL execution attack exploits XLL (Excel Add-In) files to run malicious code within Microsoft Excel. These XLL files, essentially DLLs tailored for Excel, enable developers to enhance Excel’s functionality with custom features and functions.
Another source for this vulnerability can be accessed here
To proceed, we will begin by creating a dark.c file with the content shown above.
To install x86_64-w64-mingw32-gcc, start by updating your package manager using sudo apt update. Then, install the MinGW-w64 toolchain with sudo apt install gcc-mingw-w64-x86-64.
Finally, confirm the installation by running x86_64-w64-mingw32-gcc --version to verify that the compiler is correctly set up and operational.
With dark.c prepared, we will compile it using x86_64-w64-mingw32-gcc.
Let’s set up our listener.
Sending emails using Swaks
Swaks (Swiss Army Knife for SMTP) is a versatile command-line tool for testing and debugging email servers. It allows users to send custom email messages via SMTP, enabling the simulation of various email scenarios, including authentication, encryption, and content customization. Swaks is commonly used in security testing and troubleshooting email configurations.
Let's send the compiled dark.xll to accounts@axlle.htb using Swaks.
Finally, we were able to establish the reverse shell connection.
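The foothold above depends on the mail server accepting an XLL (a PE image) as an attachment. As an added defensive example, not code from the write-up or from hMailServer, the check below parses a constructed .eml and flags attachments by blocked extension and, going one step further than the page, by the MZ header so that a renamed XLL is caught as well. The message, addresses and attachment bytes are constructed here for the test.

```python
import base64
from email import message_from_bytes, policy

# File types Windows or Excel will run as code when opened; an XLL is an Excel add-in DLL.
BLOCKED_EXTENSIONS = {".xll", ".hta", ".dll", ".exe", ".url", ".lnk"}
# Constructed sample (not a real capture): 'MZ' plus padding stands in for a PE image.
_fake_pe = base64.b64encode(b"MZ" + b"\x90" * 64).decode()
SAMPLE_EML = "\r\n".join([
    "From: sender@example.invalid",
    "To: accounts@axlle.htb",
    "Subject: Invoice",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "Please see the attached files.",
    "--b1",
    'Content-Type: application/octet-stream; name="dark.xll"',
    'Content-Disposition: attachment; filename="dark.xll"',
    "Content-Transfer-Encoding: base64",
    "",
    _fake_pe,
    "--b1",
    'Content-Type: application/vnd.ms-excel; name="report.xls"',
    'Content-Disposition: attachment; filename="report.xls"',
    "Content-Transfer-Encoding: base64",
    "",
    _fake_pe,
    "--b1--",
    "",
]).encode()


def suspicious_attachments(raw):
    """Return (filename, reason) for attachments a mail gateway should quarantine."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension {ext}"))
        elif payload[:2] == b"MZ":
            # Name claims a spreadsheet, but the bytes are a PE image (which is what an XLL is);
            # a genuine legacy .xls starts with the OLE2 signature, not MZ.
            findings.append((name, "PE image under a non-executable extension"))
    return findings
```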
While exploring the file system, we found a .eml file inside the hMailServer directory.
PS C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2f> type *
Return-Path: webdevs@axlle.htb
Received: from bumbag (Unknown [192.168.77.153])
by MAINFRAME with ESMTP
; Mon, 1 Jan 2024 06:32:24 -0800
Date: Tue, 02 Jan 2024 01:32:23 +1100
To: dallon.matrix@axlle.htb,calum.scott@axlle.htb,trent.langdon@axlle.htb,dan.kendo@axlle.htb,david.brice@axlle.htb,frankie.rose@axlle.htb,samantha.fade@axlle.htb,jess.adams@axlle.htb,emily.cook@axlle.htb,phoebe.graham@axlle.htb,matt.drew@axlle.htb,xavier.edmund@axlle.htb,baz.humphries@axlle.htb,jacob.greeny@axlle.htb
From: webdevs@axlle.htb
Subject: OSINT Application Testing
Message-Id: <20240102013223.019081@bumbag>
X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
Hi everyone,
The Web Dev group is doing some development to figure out the best way to automate the checking and addition of URLs into the OSINT portal.
We ask that you drop any web shortcuts you have into the C:\inetpub\testing folder so we can test the automation.
Yours in click-worthy URLs,
The Web Dev Team
We came across an email from the Web Dev team to several internal users, regarding the automation of URL checks and additions to the OSINT portal. The email asks recipients to drop any web shortcuts they have into the C:\inetpub\testing folder for testing purposes. The "OSINT Application Testing" message appears to be a standard internal request but could also be exploited if handled improperly.
Craft malicious HTA file
To exploit the situation, we'll craft a malicious .hta file inside C:\inetpub\testing and wait for the automation to execute it.
An HTA (HTML Application) attack leverages the ability of HTA files to run harmful code on a victim's system. HTA files, with the .hta extension, are processed by Microsoft's HTML Application Host (mshta.exe) and can contain HTML, VBScript, JavaScript, or other web technologies. Once opened, HTA files run as standalone applications, inheriting the privileges of the user who executes them.
The script can be found here
We will create a shell.hta file with the content above. On the target system, we will run the following commands to download the shell.hta file and create a shortcut pointing to it.
We will use impacket-smbserver to initiate the shell connection.
We can retrieve the user flag by executing the type user.txt command.
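The automation described in the email opens whatever target a dropped web shortcut holds, which is what lets a shortcut to a local .hta reach mshta.exe. As an added defensive example, not code from the write-up or from the machine's automation, the validator below parses .url files (INI format, [InternetShortcut] section, URL key) and accepts only http/https targets that do not point at script-like files; the sample shortcuts, host and share names are constructed for the test.

```python
import configparser
from urllib.parse import urlparse

# Only plain web schemes belong in a shortcut the automation will open in a browser.
ALLOWED_SCHEMES = {"http", "https"}
# Targets that would be handed to mshta.exe, a script host or the shell rather than a browser.
RISKY_EXTENSIONS = (".hta", ".js", ".vbs", ".ps1", ".exe", ".dll", ".xll", ".lnk")
# Constructed shortcut bodies, not files taken from the machine.
SAMPLES = {
    "portal.url": "[InternetShortcut]\nURL=https://axlle.htb/osint\n",
    "shell.url": "[InternetShortcut]\nURL=file://C:/inetpub/testing/shell.hta\n",
    "share.url": "[InternetShortcut]\nURL=\\\\fileserver.example\\share\\run.hta\n",
    "empty.url": "[InternetShortcut]\nIconIndex=0\n",
}


def classify_shortcut(text):
    """Return (verdict, detail) for one .url file body: ('accept', url) or ('reject', why)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    target = cfg.get("InternetShortcut", "URL", fallback="").strip()
    if not target:
        return ("reject", "no URL key")
    if target.startswith("\\\\"):
        return ("reject", "UNC path target")  # would resolve over SMB, not HTTP
    parsed = urlparse(target)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return ("reject", f"scheme {parsed.scheme or 'none'} not allowed")
    if parsed.path.lower().endswith(RISKY_EXTENSIONS):
        return ("reject", "script-like target extension")
    return ("accept", target)


def audit_folder(shortcuts):
    """Map each shortcut name to its verdict so rejected drops can be logged and removed."""
    return {name: classify_shortcut(body) for name, body in shortcuts.items()}
```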
Escalate to Root Privileges Access on Axlle Machine
Privilege Escalation:
Since this is an Active Directory environment, we will upload and execute bloodhound.exe.
The members of the group WEB DEVS@AXLLE.HTB can change the password of the user JACOB.GREENY@AXLLE.HTB without needing to know the current password.
First, we need to transfer the PowerView.ps1 script to the victim's machine and execute it. Once executed, we can use PowerView to change the password for the user jacob to any value we choose.
We can successfully use WinRM to log in as Jacob with the changed password.
Inside the App Development folder, there is a README.md file which mentions that the standalonerunner.exe file is executed as SYSTEM through automation. The standalonerunner.exe can be found in the directory C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64.
The file has the following permissions:
- Full Control: AXLLE\Administrator, NT AUTHORITY\SYSTEM, BUILTIN\Administrators
- Read & Execute, Write: AXLLE\App Devs
- Read & Execute: BUILTIN\Users, APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES, APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES
- Read Only: Everyone
Since Jacob is in the App Devs group, we have write access to the file. We can now replace standalonerunner.exe with our malicious payload.
We will begin by generating a reverse shell executable using msfvenom.
Transfer the reverse shell payload to the system and replace the existing standalonerunner.exe with it. After a few seconds, the automation runs the reverse shell payload as SYSTEM, giving us a shell with administrator privileges.
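The root cause here is a directory that a SYSTEM-level task executes from while a non-administrative group holds write rights on it. As an added audit example, not code from the write-up, the script below parses icacls output for that path and reports every principal outside a trusted set that holds a write-class right. The sample output is constructed from the permissions listed above, and the trusted set is an assumption to adjust per environment.

```python
import re

# icacls right tokens that let a principal add or replace files or rewrite the ACL:
# F full, M modify, W write, GW/GA generic write/all, WD add file, AD add subdirectory,
# WDAC write DAC, WO write owner.
WRITE_RIGHTS = {"F", "M", "W", "GW", "GA", "WD", "AD", "WDAC", "WO"}
# Inheritance and propagation flags carry no rights of their own.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Principals expected to write to a directory a SYSTEM task executes from (assumed baseline).
PRIVILEGED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
              "NT SERVICE\\TrustedInstaller", "CREATOR OWNER"}
PATH = r"C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64"
# Constructed sample modelled on the permissions listed above; not real icacls output.
SAMPLE = PATH + r""" AXLLE\Administrator:(OI)(CI)(F)
        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        BUILTIN\Administrators:(OI)(CI)(F)
        AXLLE\App Devs:(OI)(CI)(RX,W)
        BUILTIN\Users:(OI)(CI)(RX)
        Everyone:(R)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(path, output):
    """Yield (principal, rights) pairs from icacls output for a single path."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):
            line = line[len(path):].strip()  # the first ACE shares its line with the path
        if ":(" not in line:
            continue  # blank line or the trailing summary
        principal, ace = line.rsplit(":", 1)
        tokens = [t.strip() for g in re.findall(r"\(([^)]*)\)", ace) for t in g.split(",")]
        yield principal, {t for t in tokens if t and t not in INHERIT_FLAGS}


def writable_by_unprivileged(path, output, extra_admins=()):
    """Principals outside the trusted set that hold write-class rights on path."""
    trusted = PRIVILEGED | set(extra_admins)
    findings = []
    for principal, rights in parse_icacls(path, output):
        if "DENY" in rights or principal in trusted:
            continue  # deny ACEs remove access; trusted principals are expected here
        if rights & WRITE_RIGHTS:
            findings.append((principal, sorted(rights & WRITE_RIGHTS)))
    return findings
```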
We can retrieve the root flag by executing the type root.txt command.