
HTB Analysis: Walkthrough



This machine starts off with a directory fuzzing attack on a web server hosted on the target. This leads to the identification of a directory that is vulnerable to an LDAP injection attack through its ?name parameter. This gives access to a user's password that we can use to log in to a SOC dashboard, which contains a file upload module, allowing us to upload a web shell and gain a foothold on the system. To escalate privileges, we use winpeas.exe to identify autologon credentials for a domain user, allowing us to WinRM into the machine. The escalation to Administrator involves a DLL hijacking misconfiguration on the target pertaining to snort.exe.

0) Machine Overview

  1. Scans
  2. Web Enumeration
  3. RPC Enumeration
  4. Web Enumeration (Revisited)
  5. Privilege Escalation 1
  6. Privilege Escalation 2

1) Scans

Nmap scan report for 10.10.11.250
Host is up (0.026s latency).
Not shown: 989 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-25 00:11:18Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3306/tcp open  mysql         MySQL (unauthorized)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0
33060/tcp open  mysqlx?
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows

2) Web Enumeration


Interesting directories (HTTP status):
  analysis.htb/bat -> 403
  internal.analysis.htb/dashboard -> 403
  internal.analysis.htb/employees -> 404/403?

In this case, there isn't much for us to do. I tried a lot of directory bruteforcing, but nothing too interesting came out of it, so I decided to look into some other avenues.

3) RPC Enumeration

The reason I'm trying this after the web enumeration is that I had originally exhausted all options except port 80, until I realized that this exact command, which I had run earlier, hadn't worked originally but now did:


With us able to connect to msrpc using a null session, we have lots we can mess with.

I first tried lookupsids.py from impacket, but had no luck. One other thing I usually like doing in these cases is trying kerbrute to see if I can find any usernames:

Indeed we can. At this point, I had tried tons of things, like bruteforcing multiple services, password spraying and AS-REP roasting, but none of it worked. That's when I went back to directory bruteforcing, sensing that there must be something behind those directories in that subdomain.

4) Web Enumeration Revisited

Earlier, I had discovered some interesting endpoints like /users, /employees and /dashboard. One misconception I had was that if the server was IIS, it wouldn't use PHP. I always assumed nginx/apache = .php and IIS = .asp/.aspx, but I was wrong.

This time I tried my bruteforce with -x php, and discovered many interesting things, the most interesting being this endpoint:


When I accessed it, it returned: missing parameter

Well, let's try fuzzing the parameter:


And now if we access that, we’re returned with some interesting information.


So it's clearly pulling a lot of information, and we can assume it may even be via LDAP. So I tried providing the names I found earlier through kerbrute. (We also could have fuzzed the endpoint again with a user list.)

This is interesting, as it's almost as if it's taking our input and using it directly in an LDAP query. What if we could inject our own LDAP filter alongside it?

Confirmation it is indeed injectable:

(PayloadsAllTheThings example payloads) (default attributes)


I tried many attributes, especially userPassword, but none really stood out.

So I decided to try fuzzing the description attribute for technician, since it was the only one that returned a proper response showing that the query was successful.

We can do that by first putting in random characters before the *, and seeing what resolves.

We could have written a script for this, but my scripting skills are not up to par at the moment, so I did it manually:

ffuf -u 'http://internal.analysis.htb/users/list.php?name=technician)(description=FUZZ*' -w wordlist2.txt -fs 406

Which returned:


In this case, we're looking for responses of size 418.

Then we can just add 9 and do description=9FUZZ*, and proceed one character at a time all the way until:

ffuf -u 'http://internal.analysis.htb/users/list.php?name=technician)(description=97NTtl*4QP96BVFUZZ*' -w wordlist2.txt -fs 406


At this point it only returned some special characters, which tend to conflict with the query, so we have to take these 418s with a grain of salt, although one of the characters in the description does actually turn out to be a *.

I then checked whether I had hit the final character: http://internal.analysis.htb/users/list.php?name=technician)(description=97NTtl*4QP96BV (excluding the trailing *)


And as we can see, the query resolved and responded as we expected. Let's go and see if this 97NTtl*4QP96BV password means anything for us.
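To make the root cause of this step concrete, here is an added example (not code from the original walkthrough or from the box's list.php) that models the bug and its fix: the assumed filter template, a tiny in-memory directory, and a minimal filter evaluator showing how an unescaped ?name value appends a description=9* clause and turns the result count into a yes/no oracle, while RFC 4515 escaping of the value leaves the injected text as a harmless literal.

```python
"""Added example, not the box's code. Assumptions: list.php builds a filter like
TEMPLATE by string concatenation; ENTRIES stands in for the real LDAP server."""
import re

TEMPLATE = "(&(objectClass=user)(sAMAccountName={name}))"   # assumed filter shape

# Constructed sample directory; the description value is made up, not the box's.
ENTRIES = [
    {"objectClass": "user", "sAMAccountName": "technician", "description": "9Xy*Q temp pw"},
    {"objectClass": "user", "sAMAccountName": "jdoe", "description": ""},
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: \\ * ( ) and NUL become \\XX, so input cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter_vulnerable(name: str) -> str:
    return TEMPLATE.format(name=name)                         # raw concatenation: the bug

def build_filter_safe(name: str) -> str:
    return TEMPLATE.format(name=escape_filter_value(name))    # the fix

def _parse(s: str, i: int):
    """Parse the subset (&(..)(..)) / (attr=pattern); returns (node, next index)."""
    i += 1                                                    # skip '('
    if s[i] == "&":
        kids, i = [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return ("&", kids), i + 1                             # skip closing ')'
    j = s.index(")", i)
    attr, pattern = s[i:j].split("=", 1)
    return ("=", attr, pattern), j + 1

def _match(pattern: str, value: str) -> bool:
    """An unescaped '*' is a wildcard; everything else (after \\XX decoding) is literal."""
    unesc = lambda p: re.sub(r"(?i)\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), p)
    parts = [re.escape(unesc(p)) for p in pattern.split("*")]
    return re.match("^" + ".*".join(parts) + "$", value, re.IGNORECASE) is not None

def _eval(node, entry) -> bool:
    if node[0] == "&":
        return all(_eval(k, entry) for k in node[1])
    return node[1] in entry and _match(node[2], entry[node[1]])

def count_matches(filt: str, entries=ENTRIES) -> int:
    """Number of directory entries the filter selects: the blind-injection oracle."""
    node, _ = _parse(filt, 0)
    return sum(_eval(node, e) for e in entries)
```

With the vulnerable builder, `technician)(description=9*` returns one entry and `technician)(description=8*` returns none, which is exactly the 418-vs-406 size difference ffuf keyed on; with the escaped builder the same input matches nothing, because the parentheses and star are now part of the literal username.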

Trying it on /employees/login.php, which was one of the endpoints I discovered earlier when FUZZing, gives us access to an Admin Dashboard:


Within the admin panel, there is a file upload section:


So I uploaded pownyshell.php, and headed to /dashboard/uploads/pownyshell.php:


Let's leverage this to get a full meterpreter session:


5) Privilege Escalation 1

I did quite a bit of manual enumeration, but nothing looked too promising at the moment, so I decided to run winPEASx64.exe.

Thanks to it, we found some autologon credentials belonging to jdoe, which we can use to WinRM into the machine:

6) Privilege Escalation 2

Let's run WinPEAS again; maybe our new user will have some interesting privileges over something:

I originally checked whether I had write privileges to the BCTextEncoder directory, as maybe I could write my own BCTextEncoder.exe file, but I couldn't.

So I made my own run.bat file that would run nc64.exe:


Once I had it on the machine, we did actually get a callback, but unfortunately it was as jdoe and not Administrator. I'm not exactly sure why that's the case, as it seemed that it was going to be run by Administrator. Nevertheless, I had one more thing to check:


It seems there's a snort.exe service that runs occasionally, and we have write privileges to most of the Snort directory. DLL hijacking it is.

Now, it wasn't that simple originally, as I assumed I could just copy one of the DLLs from the bin directory into the parent directory, hoping it would execute that copy instead of the one in /bin:


So I named it wpcap.dll, tried running the executable myself, and also waited to see if it would ever call back to my listener. It didn't. Eventually I decided to actually do my due diligence, look through some of the directories in Snort and read some documentation. That's where I found out that any DLLs placed within C:\Snort\lib\snort_dynamicpreprocessor would get loaded and executed:


So I did just that: I placed test.dll within the directory, and sure enough, within a few minutes I got a callback:


One thing to take away from this privilege escalation is that it's always worth checking where certain files may be stored, and reading the documentation to find out how an executable loads its DLLs.

This post is licensed under CC BY 4.0 by the author.