Web


Nmap discovered a web service on target port 80. The running service is Microsoft IIS httpd 10.0.

It’s a website for a software development company.

About


The About section claims that the website is down for maintenance. It states that invoices or requests can be sent to accounts@axlle.htb in Excel format, and that all macros are disabled for security purposes.

Leveraging Excel macros has been a common practice for code execution. As common as it is, it is blocked and disabled by default.

Additionally, there are many file extensions associated with Excel, and some of them can be used for code execution.

.xll is one of them: it’s a DLL executable for Excel. There is a very high likelihood of the target Excel instance accepting the .xll format, and I will explore that.
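Because an .xll is a native DLL rather than a macro, a "macros disabled" policy does not cover it, so a mail gateway has to recognise it by content. The following is an added example, not part of the original writeup: a byte-level triage heuristic that flags PE DLLs carrying the xlAutoOpen entry point Excel calls when it loads an add-in. The function names, verdict labels and sample bytes are constructed for illustration.

```python
import struct

IMAGE_FILE_DLL = 0x2000      # COFF Characteristics flag: image is a DLL
XLL_ENTRY = b"xlAutoOpen"    # export Excel calls when it loads an XLL add-in


def pe_characteristics(data: bytes):
    """Return the COFF Characteristics field, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4 bytes) + COFF header (20 bytes) must fit in the buffer
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (flags,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return flags


def classify_attachment(name: str, data: bytes) -> str:
    """Classify by content first, so a renamed add-in is still caught.

    Heuristic: the entry-point name is matched as raw bytes, not by
    walking the export table.
    """
    flags = pe_characteristics(data)
    if flags is None:
        return "not-pe"
    if flags & IMAGE_FILE_DLL and XLL_ENTRY in data:
        return "xll-addin"
    if name.lower().endswith(".xll"):
        return "pe-with-xll-extension"
    return "pe-other"


def fake_pe(characteristics: int, tail: bytes = b"") -> bytes:
    """Constructed sample: only the header bytes the checks above read."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\x00\x00" + coff + tail


if __name__ == "__main__":
    samples = {
        "invoice.xlsx": fake_pe(0x2022, b"\x00xlAutoOpen\x00"),  # renamed add-in
        "report.xll": fake_pe(0x2022),                            # DLL, no entry point
        "real.xlsx": b"PK\x03\x04" + b"\x00" * 96,                # ZIP container
    }
    for name, blob in samples.items():
        print(f"{name:14} {classify_attachment(name, blob)}")
```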

accounts@axlle.htb


┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ echo accounts > users.txt                                        
 
┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ kerbrute userenum --dc mainframe.axlle.htb -d AXLLE.HTB ./users.txt                           
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
Version: v1.0.3 (9dad6e1) - 06/26/24 - Ronnie Flathers @ropnop
 
2024/06/26 18:31:57 >  Using KDC(s):
2024/06/26 18:31:57 >  	mainframe.axlle.htb:88
 
2024/06/26 18:32:02 >  Done! Tested 1 usernames (0 valid) in 5.116 seconds

The account, accounts, doesn’t appear to be a domain account.

Projects


The Projects section features 2 projects: OSINT engine and Keyboard Translator.

Wappalyzer identified the technologies involved.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 200 -u 'http://mainframe.axlle.htb/FUZZ' -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://mainframe.axlle.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 10228, Words: 3640, Lines: 167, Duration: 32ms]
assets                  [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 146ms]
css                     [Status: 301, Size: 154, Words: 9, Lines: 2, Duration: 132ms]
js                      [Status: 301, Size: 153, Words: 9, Lines: 2, Duration: 96ms]
Assets                  [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 99ms]
CSS                     [Status: 301, Size: 154, Words: 9, Lines: 2, Duration: 84ms]
JS                      [Status: 301, Size: 153, Words: 9, Lines: 2, Duration: 89ms]
:: Progress: [1273820/1273820] :: Job [1/1] :: 3003 req/sec :: Duration: [0:11:52] :: Errors: 0 ::

Nothing found

Virtual Host / Sub-domain Discovery


┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 200 -u http://$IP/ -H 'Host: FUZZ.axlle.htb' -ic -mc all -fs 10228
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.11.21/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.axlle.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: all
 :: Filter           : Response size: 10228
________________________________________________

Nothing found