Love - HackTheBox
Comencé haciendo un escaneo con Nmap para detectar puertos y servicios abiertos.
┌──(root💀kali)-[/home/kali/HTB/Love]
└─# nmap -sS --min-rate 5000 -v -n -Pn 10.10.10.239 -oN targeted
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-08 01:38 EDT
Initiating SYN Stealth Scan at 01:38
Scanning 10.10.10.239 [1000 ports]
Discovered open port 445/tcp on 10.10.10.239
Discovered open port 135/tcp on 10.10.10.239
Discovered open port 139/tcp on 10.10.10.239
Discovered open port 443/tcp on 10.10.10.239
Discovered open port 3306/tcp on 10.10.10.239
Discovered open port 80/tcp on 10.10.10.239
Discovered open port 5000/tcp on 10.10.10.239
Completed SYN Stealth Scan at 01:38, 0.40s elapsed (1000 total ports)
Nmap scan report for 10.10.10.239
Host is up (0.070s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
5000/tcp open upnp
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
Raw packets sent: 1314 (57.816KB) | Rcvd: 1000 (40.028KB)
Seguidamente efectúe otro escaneo para identificar el servicio que corre para cada puerto encontrado.
┌──(root💀kali)-[/home/kali/HTB/Love]
└─# nmap -sC -sV -p80,135,139,443,445,3306,5000 10.10.10.239 -oN webscan
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-08 01:39 EDT
Nmap scan report for 10.10.10.239
Host is up (0.067s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, HTTPOptions, Help, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
|_ Host '10.10.16.7' is not allowed to connect to this MariaDB server
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=8/8%Time=610F6E35%P=x86_64-pc-linux-gnu%r(HTT
SF:POptions,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20
SF:allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RPCChec
SF:k,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed
SF:\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(DNSVersionBind
SF:ReqTCP,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20al
SF:lowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(DNSStatus
SF:RequestTCP,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Help,
SF:49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\x
SF:20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(SSLSessionReq,49
SF:,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\x20
SF:to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(TerminalServerCook
SF:ie,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(TLSSessionReq
SF:,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\
SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Kerberos,49,"E\
SF:0\0\x01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\x20to\x
SF:20connect\x20to\x20this\x20MariaDB\x20server")%r(SMBProgNeg,49,"E\0\0\x
SF:01\xffj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\x20to\x20con
SF:nect\x20to\x20this\x20MariaDB\x20server")%r(X11Probe,49,"E\0\0\x01\xffj
SF:\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\x20to\x20connect\x2
SF:0to\x20this\x20MariaDB\x20server")%r(FourOhFourRequest,49,"E\0\0\x01\xf
SF:fj\x04Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\x20to\x20connect\
SF:x20to\x20this\x20MariaDB\x20server")%r(LPDString,49,"E\0\0\x01\xffj\x04
SF:Host\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\x20to\x20connect\x20to\
SF:x20this\x20MariaDB\x20server")%r(LDAPSearchReq,49,"E\0\0\x01\xffj\x04Ho
SF:st\x20'10\.10\.16\.7'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x2
SF:0this\x20MariaDB\x20server")%r(LDAPBindReq,49,"E\0\0\x01\xffj\x04Host\x
SF:20'10\.10\.16\.7'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20thi
SF:s\x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h41m34s, deviation: 4h02m30s, median: 21m33s
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Love
| NetBIOS computer name: LOVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-08-07T23:01:47-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-08-08T06:01:46
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.02 seconds
Vi que tenía tres servidores web, empece por el que corría con el protocolo http.
Al parecer no era nada interesante, por lo que recurrí al puerto que corría con https y me dio 403 FORBIDDEN y el que corría por el puerto 5000 tampoco tenía acceso a él, por lo que pensé en hacer un fuzzing de subdominios, para ello agregue love.htb en el /etc/hosts.
Para ello utilicé wfuzz y encontré un subdominio llamado staging.
┌──(root💀kali)-[/home/kali/HTB/Love]
└─# wfuzz -c --hc=404 -w /usr/share/spiderfoot/dicts/subdomains-10000.txt -u http://love.htb/ -f sub-fighter -H "Host: FUZZ.love.htb" --hw=324
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://love.htb/
Total requests: 9985
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000065: 200 191 L 404 W 5357 Ch "staging"
Total time: 0
Processed Requests: 9985
Filtered Requests: 9984
Requests/sec.: 0
Introduje el subdominio en el /etc/hosts.
Me redirigió a una página diferente, en sí la página no me reporto nada interesante.
Tenía una sección llamada demo, accedí a ella y encontré lo siguiente, al parecer era un escáner de archivos, tras un tiempo de prueba y error, logre dar con la conclusión de que el servidor web que corría por el puerto 5000 podría ser accesible de alguna manera desde localhost es decir en local dentro de la máquina, y si, me reporto una credencial.
Pero no sabía para que me podía servir, por lo que hice otro fuzzing a la web para tratar de encontrar algún panel de inicio de sesión, para ello hice uso otra vez de wfuzz.
┌──(root💀kali)-[/home/kali/HTB/Love]
└─# wfuzz -c --hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://love.htb/FUZZ -f sub-fightertwo --hw=324
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://love.htb/FUZZ
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000016: 301 9 L 30 W 330 Ch "images"
000000203: 301 9 L 30 W 330 Ch "Images"
000000259: 301 9 L 30 W 329 Ch "admin"
000000519: 301 9 L 30 W 331 Ch "plugins"
Me encontró un directorio que me llamo mucho la atención, llamado admin, accediendo, cambio el panel a otro diferente, inmediatamente introduje la credencial haciendo uso del usuario admin.
Y me autentico en el panel, antes de hacer nada, intente buscar algún exploit de voting system con ‘searchsploit’ y encontré uno que me permitía ganar acceso a la máquina con autenticación previa.
┌──(root💀kali)-[/home/kali/HTB/Love]
└─# searchsploit voting system 130 ⨯
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Online Voting System - Authentication Bypass | php/webapps/43967.py
Online Voting System 1.0 - Authentication Bypass (SQLi) | php/webapps/50075.txt
Online Voting System 1.0 - Remote Code Execution (Authenticated) | php/webapps/50076.txt
Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE) | php/webapps/50088.py
Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting | multiple/webapps/49159.txt
Voting System 1.0 - Authentication Bypass (SQLI) | php/webapps/49843.txt
Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution) | php/webapps/49445.py
Voting System 1.0 - Remote Code Execution (Unauthenticated) | php/webapps/49846.txt
Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection) | php/webapps/49817.txt
WordPress Plugin Poll_ Survey_ Questionnaire and Voting system 1.5.2 - 'date_answers' Blind SQL Injection | php/webapps/50052.txt
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Transferí php/webapps/49445.py a mí máquina con el parámetro -m de searchsploit y tuve que hacer unas modificaciones para que tire justamente por el servidor por el que corría la máquina víctima.
Lo ejecute con una sesión de netcat y gane acceso a la máquina.
Ya pude ver la “flag” del usuario.
ESCALADA DE PRIVILEGIOS
Ahora solo faltaba la escalada de privilegios, para ello me transferí ‘winPEAS.exe’ a la máquina víctima y lo lancé para hacer una enumeración más profunda del sistema de manera automatizada, encontré que AlwaysIntallElevated tenía un valor de 1, es decir que podía depositar archivos .msi con privilegios elevados.
Cree un archivo .msi malicioso con msfvenom y lo transferí a la máquina con un servidor de Python corriendo por el puerto 80.
Lo transferí y lo ejecuté.
Y gané acceso por una sesión de netcat, ya pude visualizar la “flag” root.
Leave a comment