Intranet
intranet.ghost.htb was initially identified during the DNS enumeration, pointing to a loopback address. nginx is presumably the reverse proxy that exposes this intranet on port 8008.
Requests are redirected to a login page at /login
LDAP Auth
The intranet login page appears to authenticate against LDAP. If the submitted credentials are placed into the LDAP search filter without validation or escaping, it might be possible to bypass the authentication via LDAP injection.
LDAP Injection (Authentication Bypass)
Testing for LDAP injection authentication bypass. The injection may be leveraged further than the login bypass itself.
Retrieved a bearer token. It appears to be a URL-encoded JWT belonging to the kathryn.holland user.
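To read what such a token says, and why reading it is not the same as trusting it, the following is an added example, not code from the writeup. It builds a constructed HS256 token with an assumed claim layout (a `sub` claim naming the user) and an assumed key, URL-encodes it the way a bearer token would appear, decodes it without verification, and checks the signature separately. Because the base64url alphabet is already URL-safe, the unquote step only changes tokens that kept `=` padding or picked up encoding in transit.

```python
"""Added example (not from the original writeup): build a constructed HS256
JWT, URL-encode it as a bearer token would appear, decode it to read the
claims, and verify the signature separately. Key, claim names and values
are assumptions; decoding alone proves nothing about who issued the token."""
import base64
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

DEMO_KEY = b"constructed-demo-key"  # assumption, not the intranet's signing key
DEMO_CLAIMS = {"sub": "kathryn.holland", "role": "user"}  # assumed claim layout

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    """JWT segments drop '=' padding; restore it (tolerating segments that kept it)."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def make_jwt(claims: dict, key: bytes) -> str:
    header, payload = _segment({"alg": "HS256", "typ": "JWT"}), _segment(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def inspect_jwt(token: str) -> dict:
    """Decode only: undo URL encoding, split the three segments, read header and claims."""
    header, payload, signature = unquote(token).split(".")
    return {"header": json.loads(b64url_decode(header)),
            "claims": json.loads(b64url_decode(payload)),
            "signature": signature}

def verify_hs256(token: str, key: bytes) -> bool:
    """The only step that establishes authenticity; pins alg so 'none' is rejected."""
    header, payload, signature = unquote(token).split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url_decode(signature), expected)

def swap_claims(token: str, claims: dict) -> str:
    """Replace the payload but keep the old signature: decodes fine, fails verification."""
    header, _, signature = unquote(token).split(".")
    return f"{header}.{_segment(claims)}.{signature}"

# Constructed stand-in for the captured bearer token. base64url output is already
# URL-safe, so quote() only changes tokens that kept '=' padding or spaces.
SAMPLE_TOKEN = quote(make_jwt(DEMO_CLAIMS, DEMO_KEY), safe="")

if __name__ == "__main__":
    print(inspect_jwt(SAMPLE_TOKEN)["claims"])   # {'sub': 'kathryn.holland', 'role': 'user'}
    print(verify_hs256(SAMPLE_TOKEN, DEMO_KEY))  # True
    forged = swap_claims(SAMPLE_TOKEN, {"sub": "gitea_temp_principal"})
    print(inspect_jwt(forged)["claims"], verify_hs256(forged, DEMO_KEY))  # new sub shown, False
```

`inspect_jwt` is what you run on a captured token to learn which user it names; `swap_claims` shows that the decoder will just as happily display edited claims, so only the server-side signature check (with the real key) decides whether the token is honoured.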
Requesting with the bearer token, the response redirects to /news
/news
Authentication is bypassed and the session is authenticated as the kathryn.holland user.
Gitea and Bitbucket are both mentioned, so an instance of one of them may well be running somewhere.
gitea_temp_principal appears to be the account, with its password being the corresponding intranet token; a secret is stored in the LDAP attributes.
/users
The /users endpoint appears to reveal all the non-default domain accounts:
kathryn.holland
cassandra.shelton
robert.steeves
florence.ramirez
justin.bradley
arthur.boyd
beth.clark
charles.gray
jason.taylor
intranet_principal
gitea_temp_principal
Most of them match accounts found earlier. Appending the new domain accounts to the users.txt file.
/forum
The /forum endpoint contains an interesting post.
Bitbucket
Based on the post, it is safe to assume that the justin.bradley user has a script running to check the pipeline results.
Both Gitea and Bitbucket are mentioned again; they might be additional sub-domains.
kathryn.holland, who is supposedly a system administrator, replies to the post that the DNS entry is not configured, presumably for Bitbucket.
Updating the /etc/hosts file on Kali for testing.