Under construction

Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-20 23:15 EST
Nmap scan report for 10.129.7.235
Host is up (0.47s latency).
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-21 04:15:26Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: analysis.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3306/tcp  open  mysql         MySQL (unauthorized)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
33060/tcp open  mysqlx?
| fingerprint-strings:
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, TLSSessionReq, afp:
|     Invalid message"
|     HY000
|   LDAPBindReq:
|     *Parse error unserializing protobuf message"
|     HY000
|   oracle-tns:
|     Invalid message-frame."
|_    HY000
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49685/tcp open  msrpc         Microsoft Windows RPC
49688/tcp open  msrpc         Microsoft Windows RPC
49706/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP
Running (JUST GUESSING): Microsoft Windows 2019|2022|2012|10|2016|Longhorn (92%), Asus embedded (85%), Linux 3.X (85%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows cpe:/h:asus:rt-n56u cpe:/o:linux:linux_kernel:3.4 cpe:/o:linux:linux_kernel:3.16
Aggressive OS guesses: Microsoft Windows Server 2019 (92%), Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows 10 1909 (87%), Microsoft Windows Server 2012 or Server 2012 R2 (86%), Microsoft Windows Server 2016 (86%), Microsoft Windows Longhorn (85%), ASUS RT-N56U WAP (Linux 3.4) (85%), Linux 3.16 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC-ANALYSIS; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-01-21T04:17:11
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: -1s

TRACEROUTE (using port 3306/tcp)
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=analysis,DC=htb
ldapServiceName: analysis.htb:dc-analysis$@ANALYSIS.HTB
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=analysis,DC=htb
serverName: CN=DC-ANALYSIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=analysis,DC=htb
schemaNamingContext: CN=Schema,CN=Configuration,DC=analysis,DC=htb
namingContexts: DC=analysis,DC=htb
namingContexts: CN=Configuration,DC=analysis,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=analysis,DC=htb
namingContexts: DC=DomainDnsZones,DC=analysis,DC=htb
namingContexts: DC=ForestDnsZones,DC=analysis,DC=htb
isSynchronized: TRUE
highestCommittedUSN: 377026
dsServiceName: CN=NTDS Settings,CN=DC-ANALYSIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=analysis,DC=htb
dnsHostName: DC-ANALYSIS.analysis.htb
defaultNamingContext: DC=analysis,DC=htb
currentTime: 20240121042529.0Z
configurationNamingContext: CN=Configuration,DC=analysis,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
└─$ kerbrute userenum --dc xxxxxxx -d analysis.htb /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt

Using KDC(s):
2024/01/21 00:02:11 >  xxxxxxxxxxxx
2024/01/21 00:05:17 >  [+] VALID USERNAME: jdoe@analysis.htb
2024/01/21 00:07:48 >  [+] VALID USERNAME: ajohnson@analysis.htb
2024/01/21 00:13:41 >  [+] VALID USERNAME: cwilliams@analysis.htb
2024/01/21 00:16:13 >  [+] VALID USERNAME: wsmith@analysis.htb
2024/01/21 00:25:11 >  [+] VALID USERNAME: jangel@analysis.htb
2024/01/21 00:56:20 >  [+] VALID USERNAME: technician@analysis.htb

gobuster dns subdomain brute-force

└─$ feroxbuster -u http://internal.analysis.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -d 2 -x html,txt,php,zip,rar,bat

by Ben "epi" Risher                 ver: 2.10.1
───────────────────────────┬──────────────────────
 Target Url                │ http://internal.analysis.htb
 Threads                   │ 50
 Wordlist                  │ /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt
 Status Codes              │ All Status Codes!
 Timeout (secs)            │ 7
 User-Agent                │ feroxbuster/2.10.1
 Config File               │ /etc/feroxbuster/ferox-config.toml
 Extract Links             │ true
 Extensions                │ [html, txt, php, zip, rar, bat]
 HTTP methods              │ [GET]
 Recursion Depth           │ 2
───────────────────────────┴──────────────────────
 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET       29l       91w     1273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET       29l       93w     1284c http://internal.analysis.htb/
301      GET        2l       10w      170c http://internal.analysis.htb/users => http://internal.analysis.htb/users/
200      GET        1l        2w       17c http://internal.analysis.htb/users/list.php
301      GET        2l       10w      174c http://internal.analysis.htb/dashboard => http://internal.analysis.htb/dashboard/
301      GET        2l       10w      177c http://internal.analysis.htb/dashboard/js => http://internal.analysis.htb/dashboard/js/
301      GET        2l       10w      178c http://internal.analysis.htb/dashboard/css => http://internal.analysis.htb/dashboard/css/
200      GET        4l        5w       38c http://internal.analysis.htb/dashboard/index.php
301      GET        2l       10w      178c http://internal.analysis.htb/dashboard/img => http://internal.analysis.htb/dashboard/img/
200      GET       35l      211w     1426c http://internal.analysis.htb/dashboard/license.txt
302      GET        1l        1w        3c http://internal.analysis.htb/dashboard/logout.php => ../employees/login.php
301      GET        2l       10w      178c http://internal.analysis.htb/dashboard/lib => http://internal.analysis.htb/dashboard/lib/
301      GET        2l       10w      182c http://internal.analysis.htb/dashboard/uploads => http://internal.analysis.htb/dashboard/uploads/
200      GET      277l      519w     4998c http://internal.analysis.htb/dashboard/css/style.css
200      GET       23l      213w    13633c http://internal.analysis.htb/dashboard/img/user.jpg
200      GET        7l      158w     9028c http://internal.analysis.htb/dashboard/lib/waypoints/waypoints.min.js
200      GET      206l      690w     9060c http://internal.analysis.htb/dashboard/lib/tempusdominus/css/tempusdominus-bootstrap-4.min.css
200      GET      207l      522w     5590c http://internal.analysis.htb/dashboard/js/main.js
200      GET      237l      800w    13143c http://internal.analysis.htb/dashboard/404.html
200      GET        1l       38w     2302c http://internal.analysis.htb/dashboard/lib/easing/easing.min.js
200      GET        6l       64w     2936c http://internal.analysis.htb/dashboard/lib/owlcarousel/assets/owl.carousel.min.css
200      GET        1l     1421w    32832c http://internal.analysis.htb/dashboard/lib/tempusdominus/js/moment-timezone.min.js
200      GET        7l      279w    42766c http://internal.analysis.htb/dashboard/lib/owlcarousel/owl.carousel.min.js
200      GET        0l        0w        0c http://internal.analysis.htb/dashboard/upload.php
200      GET        7l     1022w    56879c http://internal.analysis.htb/dashboard/lib/tempusdominus/js/tempusdominus-bootstrap-4.min.js
200      GET        6l     3783w   164309c http://internal.analysis.htb/dashboard/css/bootstrap.min.css
200      GET       13l     2708w   194890c http://internal.analysis.htb/dashboard/lib/chart/chart.min.js
200      GET        1l     6490w   326657c http://internal.analysis.htb/dashboard/lib/tempusdominus/js/moment.min.js
403      GET       29l       93w     1284c http://internal.analysis.htb/dashboard/
200      GET        4l        4w       35c http://internal.analysis.htb/dashboard/form.php
200      GET        4l        4w       35c http://internal.analysis.htb/dashboard/details.php
301      GET        2l       10w      174c http://internal.analysis.htb/employees => http://internal.analysis.htb/employees/
200      GET       30l       60w     1085c http://internal.analysis.htb/employees/login.php
200      GET        4l        4w       35c http://internal.analysis.htb/dashboard/tickets.php
200      GET        4l        4w       35c http://internal.analysis.htb/dashboard/emergency.php

fuzz .php api

ldap injection

contains special characters
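The fix on the application side for the LDAP injection noted above is RFC 4515 escaping of every user-supplied value before it goes into a search filter. This is an added example, not code from these notes or from the target; the filter shape (a login page looking up sAMAccountName under analysis.htb) is an assumption.

```python
# Added example: RFC 4515 value escaping for LDAP search filters.
# Assumption: the login page builds "(sAMAccountName=<user>)" against the DC.

# Characters with filter syntax meaning inside an assertion value (RFC 4515 s.3).
# Backslash comes first so the escapes emitted below are not re-escaped.
_FILTER_ESCAPES = (
    ("\\", "\\5c"),
    ("*", "\\2a"),
    ("(", "\\28"),
    (")", "\\29"),
    ("\x00", "\\00"),
)


def escape_filter_value(value: str) -> str:
    """Escape user input so the directory matches it literally, never as syntax."""
    out = value
    for raw, escaped in _FILTER_ESCAPES:
        out = out.replace(raw, escaped)
    return out


def build_login_filter(username: str) -> str:
    """The filter a hardened login page would send; the value is escaped, not concatenated raw."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def has_raw_metacharacters(value: str) -> bool:
    """Defender-side check for a value about to enter a filter: any unescaped syntax left?"""
    return any(ch in value for ch in "*()\x00")


if __name__ == "__main__":
    for sample in ("jdoe", "*", "a)(b", "back\\slash"):  # constructed inputs
        print(repr(sample), "->", build_login_filter(sample))
```

With escaping in place a lone `*` is looked up as the literal character rather than as a wildcard, and the filter keeps exactly one sAMAccountName assertion regardless of what the form receives.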


log in

update: .hta or .php


root

winpeas: get the next user's password (so ez, real hard? :<)

—>
DLL hijack
—> root