Love is an easy linux box created by pwnmeow. Initial Foothold was finding a credentials with a staging file scanner and using that to login to admin route of voting system. and uploading a php shell using which we get a shell.After getting shell running winPEAs we see we have AlwaysInstallElevated privilege. using which we get Administrator shell.
# Nmap 7.91 scan initiated Sun May 2 09:32:59 2021 as: nmap -sC -sV -oN nmap/love 10.129.123.28 Nmap scan report for love.htb (10.129.123.28) Host is up (0.16s latency). Not shown: 993 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 |_http-title: Voting System using PHP 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27) |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 |_http-title: 403 Forbidden | ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in | Not valid before: 2021-01-18T14:00:16 |_Not valid after: 2022-01-18T14:00:16 |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1 445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP) 3306/tcp open mysql? 5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27) |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 |_http-title: 403 Forbidden Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results: |_clock-skew: mean: 2h41m30s, deviation: 4h02m30s, median: 21m29s | smb-os-discovery: | OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3) | OS CPE: cpe:/o:microsoft:windows_10::- | Computer name: Love | NetBIOS computer name: LOVE\x00 | Workgroup: WORKGROUP\x00 |_ System time: 2021-05-01T21:25:01-07:00 | smb-security-mode: | account_used: <blank> | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2021-05-02T04:25:00 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun May 2 09:33:43 2021 -- 1 IP address (1 host up) scanned in 43.53 seconds
from this we see many intresting things but lets start with web services 80 and 443 from the cert common name we find staging.love.htb
Web (80 and 443)
Lets check the cert again in browser for any other info
We only se the same.
lets check love.htb on both 80 and 443
In that we see an demo
Seeing an URL I tried to curl myself and was seeing i was getting a request.
So I tried to curl a reverse shell. but was unsucessful.
Playing aroud with that to get anything from it.
I got nothing.
So I started an gobuster on love.htb and staging.love.htb
and started looking at other things smb gave me nothing another intresting port for me was 5000 visting that i got Forbidden (Maybe that is only allowed from internal network, localhost).
Lets go back to File Scanner
and try for http://127.0.0.1:5000/ and bingo we see an result and some credential.