Introduction to Axlle:

In this write-up, we will explore the “Axlle” machine from Hack The Box, categorized as a Hard difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Axlle” machine from Hack The Box by achieving the following objectives:

User Flag:

Gaining a Foothold via Excel XLL Exploit

  • This technique shows how to achieve an initial foothold by delivering a reverse shell through a malicious XLL file in Excel. When the target opens the compromised XLL file, it activates the reverse shell.

Root Flag:

LOLBINs StandaloneRunner Exploit:

  • In the \App Development\kbfiltr\README.md, it’s noted that standalonerunner.exe is automated to run as SYSTEM for testing and debugging the driver.
  • To check directory permissions, use:
    icacls "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64"
  • The folder is writable, but the files inside are not. This means new files can be created, but existing ones can’t be modified.
  • Exploitation involves placing a malicious file in the writable directory and using standalonerunner.exe to execute commands as SYSTEM.

Enumerating the Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oN nmap_initial.txt 10.10.11.21

Nmap Output:

┌─[darknite@parrot]─[~/Documents/htb/axlle]
└──╼ $nmap -sC -sV 10.10.11.21 -oA initial 
Starting Nmap 7.94 SVN ( https://nmap.org ) at 2024-11-15 07:31 EST
Nmap scan report for 10.10.11.21
Host is up (0.19s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Axlle Development
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-15 12:32:13Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: MAINFRAME; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-11-15T12:32:26
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.96 seconds

Analysis:

  • Port 25 (SMTP): hMailServer smtpd service, supporting commands like AUTH LOGIN, HELO, EHLO, and others, which indicates the presence of an email server.
  • Port 53 (DNS): Simple DNS Plus service, handling domain name resolution.
  • Port 80 (HTTP): Microsoft IIS 10.0 web server, potentially hosting the “Axlle Development” site. The TRACE method is available, which could pose a security risk.
  • Port 88 (Kerberos): Microsoft Windows Kerberos service, used for authentication in Active Directory environments.
  • Port 135 (MSRPC): Microsoft Windows RPC service, typically used for inter-process communication and remote management.
  • Port 139 (NetBIOS): Microsoft Windows NetBIOS service, used for file sharing and network services.
  • Port 389 (LDAP): Microsoft Active Directory LDAP service for directory services, serving the domain axlle.htb (nmap prints it as axlle.htb0.).
  • Port 445 (Microsoft-DS): SMB over TCP, which nmap could not fingerprint; the host script results show SMB message signing is enabled and required.
  • Port 464 (Kpasswd5): Potential Kerberos password change service.
  • Port 593 (RPC-HTTP): Microsoft Windows RPC over HTTP, enabling remote management of Windows systems.
  • Port 636 (LDAP over SSL): Encrypted LDAP service (TCP wrapped).
  • Port 3268 (LDAP): Active Directory Global Catalog service, supporting queries across the domain.
  • Port 3269 (LDAP over SSL): Secure LDAP service for the Global Catalog.

Web Enumeration:

Perform web enumeration to discover potentially exploitable directories and files.

Let’s access the website interface.

The software company’s maintenance page highlights issues with emails sent in Excel format, specifying that macros have been disabled. This suggests the initial foothold may be associated with email-based phishing attempts.

XLL Execution on Axlle machine

After extensive testing, we identified a vulnerability in the mail server allowing for XLL execution. The script exploiting the vulnerability is available here

An XLL execution attack exploits XLL (Excel Add-In) files to run malicious code within Microsoft Excel. These XLL files, essentially DLLs tailored for Excel, enable developers to enhance Excel’s functionality with custom features and functions.

Another source for this vulnerability can be accessed here

To proceed, we will begin by creating a dark.c file with the content of the linked script.

To install x86_64-w64-mingw32-gcc, start by updating your package manager using sudo apt update. Then, install the MinGW-w64 toolchain with sudo apt install gcc-mingw-w64-x86-64.

Finally, confirm the installation by running x86_64-w64-mingw32-gcc --version to verify that the compiler is correctly set up and operational.

With dark.c prepared, we will compile it using x86_64-w64-mingw32-gcc.

Let’s set up our listener.

Sending emails using Swaks

Swaks (Swiss Army Knife for SMTP) is a versatile command-line tool for testing and debugging email servers. It allows users to send custom email messages via SMTP, enabling the simulation of various email scenarios, including authentication, encryption, and content customization. Swaks is commonly used in security testing and troubleshooting email configurations.

Let’s send the compiled dark.xll to accounts@axlle.htb using Swaks.

Finally, we were able to establish the reverse shell connection.
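An added example, not code from the write-up: a mail-side check for the delivery path used above. It parses an .eml and flags attachments that are Excel add-ins, either by the .xll extension or, where the name is disguised, by a PE header that carries the xlAutoOpen export Excel calls when it loads an XLL. The message, sender address and attachment bytes are constructed.

```python
import base64
import email
from email import policy

# Constructed attachment bytes (not a real add-in): a PE-style "MZ" header followed by
# the xlAutoOpen export name that every XLL exposes and Excel calls on load.
FAKE_XLL = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"xlAutoOpen\x00" + b"\x00" * 16

# Constructed message: the attachment is named like a workbook but carries the bytes above.
SAMPLE_EML = (
    "From: sender@example.invalid\r\n"
    "To: accounts@axlle.htb\r\n"
    "Subject: Invoice\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\n"
    "Content-Type: text/plain\r\n\r\n"
    "Please see the attached report.\r\n"
    "--b1\r\n"
    "Content-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="report.xlsx"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(FAKE_XLL).decode() + "\r\n"
    "--b1--\r\n"
)

def is_xll_like(name, data):
    """True for a .xll name, or for PE bytes that contain the xlAutoOpen export name."""
    if name.lower().endswith(".xll"):
        return True
    return data[:2] == b"MZ" and b"xlAutoOpen" in data

def find_xll_attachments(raw_message):
    """Return the filenames of attachments that look like Excel add-ins."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""  # decodes the base64 body
        if is_xll_like(name, data):
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(find_xll_attachments(SAMPLE_EML))  # ['report.xlsx']
```

The point of the content check is that an extension filter alone misses a renamed add-in; a gateway filter would run this logic on every inbound message.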

While exploring the file system, we found a .eml file inside the hMailServer directory.

PS C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2f> type *
Return-Path: webdevs@axlle.htb
Received: from bumbag (Unknown [192.168.77.153])
	by MAINFRAME with ESMTP
	; Mon, 1 Jan 2024 06:32:24 -0800
Date: Tue, 02 Jan 2024 01:32:23 +1100
To: dallon.matrix@axlle.htb,calum.scott@axlle.htb,trent.langdon@axlle.htb,dan.kendo@axlle.htb,david.brice@axlle.htb,frankie.rose@axlle.htb,samantha.fade@axlle.htb,jess.adams@axlle.htb,emily.cook@axlle.htb,phoebe.graham@axlle.htb,matt.drew@axlle.htb,xavier.edmund@axlle.htb,baz.humphries@axlle.htb,jacob.greeny@axlle.htb
From: webdevs@axlle.htb
Subject: OSINT Application Testing
Message-Id: <20240102013223.019081@bumbag>
X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/

Hi everyone,

The Web Dev group is doing some development to figure out the best way to automate the checking and addition of URLs into the OSINT portal.

We ask that you drop any web shortcuts you have into the C:\inetpub\testing folder so we can test the automation.

Yours in click-worthy URLs,

The Web Dev Team

We came across an email from the Web Dev team to several internal users, regarding the automation of URL checks and additions to the OSINT portal. The email asks recipients to drop any web shortcuts they have into the C:\inetpub\testing folder for testing purposes. The “OSINT Application Testing” message appears to be a standard internal request but could also be exploited if handled improperly.
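An added example, not code from the write-up: the pre-flight check the Web Dev automation described in the email should apply before opening anything dropped into C:\inetpub\testing. It parses the INI-style .url shortcut format and rejects anything that is not a plain http(s) link to a non-executable target. The shortcut contents and host names are constructed placeholders.

```python
import configparser
from urllib.parse import urlparse

# Constructed .url shortcut contents (not from the box); host names are placeholders.
# A real run would read every *.url file in the drop folder, C:\inetpub\testing.
SAMPLE_SHORTCUTS = {
    "osint-portal.url": "[InternetShortcut]\r\nURL=https://osint.example.invalid/\r\n",
    "report.url": "[InternetShortcut]\r\nURL=file://fileserver.example.invalid/share/shell.hta\r\n",
    "notes.url": "[InternetShortcut]\r\nURL=C:\\inetpub\\testing\\shell.hta\r\n",
    "update.url": "[InternetShortcut]\r\nURL=https://cdn.example.invalid/update.hta\r\n",
}

# Targets that mshta.exe or the shell would execute rather than render as a web page.
EXECUTABLE_EXT = (".hta", ".exe", ".dll", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".scr", ".lnk")

def classify_shortcut(text):
    """Return None for a plain http(s) link, otherwise the reason it must not be auto-opened."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    url = cp.get("InternetShortcut", "URL", fallback="").strip()
    if not url:
        return "no URL"
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme not in ("http", "https"):
        return f"non-web scheme: {scheme or 'none'}"  # file://, UNC paths, drive letters
    path = parsed.path.lower()
    if path.endswith(EXECUTABLE_EXT):
        return f"executable target: {path.rsplit('.', 1)[-1]}"
    return None

def scan_shortcuts(files):
    """Map each offending shortcut name to its reason; clean shortcuts are omitted."""
    findings = {}
    for name, text in files.items():
        reason = classify_shortcut(text)
        if reason:
            findings[name] = reason
    return findings
```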

Craft malicious HTA file

To exploit the situation, we’ll craft a malicious .hta file inside C:\inetpub\testing and wait for the automation to execute it.

An HTA (HTML Application) attack leverages the ability of HTA files to run harmful code on a victim’s system. HTA files, with the .hta extension, are processed by Microsoft’s HTML Application Host (mshta.exe) and can contain HTML, VBScript, JavaScript, or other web technologies. Once opened, HTA files run as standalone applications, inheriting the privileges of the user who executes them.

The script can be found here

We will create a shell.hta file with the content of the linked script. On the target system, we will run the following commands to download the shell.hta file and create a shortcut pointing to it.

We will use impacket-smbserver to initiate the shell connection.

We can retrieve the user flag by executing the type user.txt command.

Escalate to Root Privileges Access on Axlle Machine

Privilege Escalation:

Since this is an Active Directory environment, we will upload and execute bloodhound.exe.

The members of the group WEB DEVS@AXLLE.HTB can change the password of the user JACOB.GREENY@AXLLE.HTB without needing to know the current password.

First, we need to transfer the PowerView.ps1 script to the victim’s machine and execute it. Once executed, we can use PowerView to change the password for the user jacob to any value we choose.

We can successfully use WinRM to log in as Jacob with the changed password.

Inside the App Development folder, there is a README.md file which mentions that the standalonerunner.exe file is executed as SYSTEM through automation. The standalonerunner.exe can be found in the directory C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64.

The file has the following permissions:

  • Full Control: AXLLE\Administrator, NT AUTHORITY\SYSTEM, BUILTIN\Administrators
  • Read & Execute, Write: AXLLE\App Devs
  • Read & Execute: BUILTIN\Users, APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES, APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES
  • Read Only: Everyone

Since Jacob is in the App Devs group, we have write access to the file. We can now replace standalonerunner.exe with our malicious payload.
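An added defender's check, not code from the write-up: given icacls output for a directory whose binaries a SYSTEM-run automation executes, it lists every principal outside the admin/SYSTEM set that holds a write-capable right. The listing below is constructed in icacls's own layout from the permissions given above; the inheritance flags are assumed.

```python
import re

# Constructed icacls output reproducing the write-up's permission list in icacls layout.
TARGET_DIR = r"C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64"
SAMPLE_ICACLS = TARGET_DIR + r""" AXLLE\Administrator:(OI)(CI)(F)
                NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                BUILTIN\Administrators:(OI)(CI)(F)
                AXLLE\App Devs:(OI)(CI)(RX,W)
                BUILTIN\Users:(OI)(CI)(RX)
                Everyone:(OI)(CI)(R)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that are expected to be able to write where SYSTEM runs code from.
TRUSTED = {"nt authority\\system", "builtin\\administrators", "axlle\\administrator"}
# Full, modify, generic write, write data/add file, append data/add subdirectory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

def parse_icacls(output, path):
    """Return a list of (principal, rights) pairs for each ACE in icacls output for `path`."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):           # first line carries the path before the ACE
            line = line[len(path):].strip()
        if ":(" not in line:                # blank line or the summary line
            continue
        principal, rights = line.rsplit(":", 1)
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", rights):
            tokens.update(t for t in group.split(",") if t not in INHERIT_FLAGS)
        aces.append((principal, tokens))
    return aces

def writable_by_untrusted(output, path):
    """Principals outside TRUSTED that can create or modify files under `path`."""
    return sorted(p for p, rights in parse_icacls(output, path)
                  if p.lower() not in TRUSTED and rights & WRITE_RIGHTS)

if __name__ == "__main__":
    print(writable_by_untrusted(SAMPLE_ICACLS, TARGET_DIR))  # ['AXLLE\\App Devs']
```

The same walk applies to any scheduled task or service whose executable path sits in a directory granted W, M or F to a non-administrative group.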

We will begin by generating a reverse shell executable using msfvenom.

Transfer the reverse shell payload to the system and replace the existing standalonerunner.exe with it. After a few seconds, the automation runs the payload as SYSTEM, giving us a shell with administrator privileges.

We can retrieve the root flag by executing the type root.txt command.
