Love - HackTheBox
I started by doing a scan with Nmap to detect open ports and services.
┌──(root💀kali)-[/home/kali/HTB/Love]
└─# nmap -sS --min-rate 5000 -v -n -Pn 10.10.10.239 -oN targeted
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-08 01:38 EDT
Initiating SYN Stealth Scan at 01:38
Scanning 10.10.10.239 [1000 ports]
Discovered open port 445/tcp on 10.10.10.239
Discovered open port 135/tcp on 10.10.10.239
Discovered open port 139/tcp on 10.10.10.239
Discovered open port 443/tcp on 10.10.10.239
Discovered open port 3306/tcp on 10.10.10.239
Discovered open port 80/tcp on 10.10.10.239
Discovered open port 5000/tcp on 10.10.10.239
Completed SYN Stealth Scan at 01:38, 0.40s elapsed (1000 total ports)
Nmap scan report for 10.10.10.239
Host is up (0.070s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
5000/tcp open upnp
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
Raw packets sent: 1314 (57.816KB) | Rcvd: 1000 (40.028KB)
Next, perform another scan to identify the service running for each port found.
┌──(root💀kali)-[/home/kali/HTB/Love]
└─# nmap -sC -sV -p80,135,139,443,445,3306,5000 10.10.10.239 -oN webscan
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-08 01:39 EDT
Nmap scan report for 10.10.10.239
Host is up (0.067s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
| /:
| PHPSESSIONS:
|_ httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, HTTPOptions, Help, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
|_ Host '10.10.16.7' is not allowed to connect to this MariaDB server
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=8/8%Time=610F6E35%P=x86_64-pc-linux-gnu%r(HTT
SF:POptions,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20
SF:allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RPCChec
SF:k,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed
SF:\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(DNSVersionBind
SF:ReqTCP,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20al
SF:lowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(DNSStatus
SF:RequestTCP,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Help,
SF:49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\x
SF:20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(SSLSessionReq,49
SF:,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\x20
SF:to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(TerminalServerCook
SF:ie,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(TLSSessionReq
SF:,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\
SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Kerberos,49,"E\
SF:0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\x20to\x
SF:20connect\x20to\x20this\x20MariaDB\x20server")%r(SMBProgNeg,49,"E\0\0\x
SF:01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\x20to\x20con
SF:nect\x20to\x20this\x20MariaDB\x20server")%r(X11Probe,49,"E\0\0\x01\xffj
SF:\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\x20to\x20connect\x2
SF:0to\x20this\x20MariaDB\x20server")%r(FourOhFourRequest,49,"E\0\0\x01\xf
SF:fj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\x20to\x20connect\
SF:x20to\x20this\x20MariaDB\x20server")%r(LPDString,49,"E\0\0\x01\xffj\x04
SF:Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\x20to\x20connect\x20to\
SF:x20this\x20MariaDB\x20server")%r(LDAPSearchReq,49,"E\0\0\x01\xffj\x04Ho
SF:st\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x2
SF:0this\x20MariaDB\x20server")%r(LDAPBindReq,49,"E\0\0\x01\xffj\x04Host\x
SF:20'10\.10\.16\.7'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20thi
SF:s\x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h41m34s, deviation: 4h02m30s, median: 21m33s
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| CPE OS: cpe:/o:microsoft:windows_10::-
| Computer name: Love
| NetBIOS computer name: LOVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-08-07T23:01:47-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-08-08T06:01:46
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.02 seconds
I saw that I had three web servers, I started with the one that ran the http protocol.
Apparently it was nothing interesting, so I turned to the port that ran with https and it gave me 403 FORBIDDEN and the one that ran on port 5000 also had no access to it, so I thought about doing a subdomain fuzzing, for this I added love.htb in /etc/hosts.
For this I used wfuzz and found a subdomain called staging.
┌──(root💀kali)-[/home/kali/HTB/Love]
└─# wfuzz -c --hc=404 -w /usr/share/spiderfoot/dicts/subdomains-10000.txt -u http://love.htb/ -f sub-fighter -H "Host: FUZZ.love.htb" --hw=324
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://love.htb/
Total requests: 9985
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000065: 200 191 L 404 W 5357 Ch "staging"
Total time: 0
Processed Requests: 9985
Filtered Requests: 9984
Requests/sec.: 0
I entered the subdomain in the /etc/hosts.
It redirected me to a different page, the page itself did not report anything interesting to me.
It had a section called demo, I accessed it and found the following, it seemed to be a file scanner, after some trial and error, I managed to come to the conclusion that the web server running on port 5000 could be accessible in some way from localhost, that is, locally within the machine, and yes, it reported a credential to me.
But I didn’t know what it could be useful for, so I did another fuzzing of the web to try to find some login panel, for this I used wfuzz again.
┌──(root💀kali)-[/home/kali/HTB/Love]
└─# wfuzz -c --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://love.htb/FUZZ -f sub-fightertwo --hw=324
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://love.htb/FUZZ
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000016: 301 9 L 30 W 330 Ch "images"
000000203: 301 9 L 30 W 330 Ch "Images"
000000259: 301 9 L 30 W 329 Ch "admin"
000000519: 301 9 L 30 W 331 Ch "plugins"
I found a directory that caught my attention, called admin, accessing it, I changed the panel to a different one, immediately I entered the credential using the admin user.
And I authenticate into the panel, before doing anything, I tried to search for some voting system exploit with ‘searchsploit’ and found one that allowed me to gain access to the machine with prior authentication.
┌──(root💀kali)-[/home/kali/HTB/Love]
└─# searchsploit voting system 130 ⨯
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Online Voting System - Authentication Bypass | php/webapps/43967.py
Online Voting System 1.0 - Authentication Bypass (SQLi) | php/webapps/50075.txt
Online Voting System 1.0 - Remote Code Execution (Authenticated) | php/webapps/50076.txt
Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE) | php/webapps/50088.py
Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting | multiple/webapps/49159.txt
Voting System 1.0 - Authentication Bypass (SQLI) | php/webapps/49843.txt
Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution) | php/webapps/49445.py
Voting System 1.0 - Remote Code Execution (Unauthenticated) | php/webapps/49846.txt
Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection) | php/webapps/49817.txt
WordPress Plugin Poll_ Survey_ Questionnaire and Voting system 1.5.2 - 'date_answers' Blind SQL Injection | php/webapps/50052.txt
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
I transferred php/webapps/49445.py to my machine with the -m parameter of searchsploit and had to make some modifications so that it would pull exactly through the server that the victim machine was running on.
I ran it with a netcat session and gained access to the machine.
I could now see the user’s “flag”.
ESCALADA DE PRIVILEGIOS
Now all that was missing was the privilege escalation, for this I transferred ‘winPEAS.exe’ to the victim machine and launched it to do a deeper enumeration of the system in an automated way, I found that AlwaysIntallElevated had a value of 1, meaning that it could deposit .msi files with elevated privileges.
I created a malicious .msi file with msfvenom and transferred it to the machine with a Python server running on port 80.
I transferred it and ran it.
And I gained access through a netcat session, I could now view the root flag.
Leave a comment