CTF-Writeups/HackTheBox/Love.md
2021-05-02 07:57:46 +05:00

6.9 KiB

HackTheBox-Love

Rustscan

                               
PORT      STATE SERVICE      REASON          VERSION
80/tcp    open  http         syn-ack ttl 127 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)                                                
| http-cookie-flags:                                              
|   /:                                                     
|     PHPSESSID:                                        
|_      httponly flag not set                               
|_http-title: Voting System using PHP  
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     syn-ack ttl 127 Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in/organizationalUnitName=love.htb
/localityName=norway/emailAddress=roy@love.htb
| Issuer: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in/organizationalUnitName=love.htb/localityNa
me=norway/emailAddress=roy@love.htb                                       
| Public Key type: rsa                       
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-01-18T14:00:16
| Not valid after:  2022-01-18T14:00:16
| MD5:   bff0 1add 5048 afc8 b3cf 7140 6e68 5ff6
| SHA-1: 83ed 29c4 70f6 4036 a6f4 2d4d 4cf6 18a2 e9e4 96c2
| -----BEGIN CERTIFICATE-----
| MIIDozCCAosCFFhDHcnclWJmeuqOK/LQv3XDNEu4MA0GCSqGSIb3DQEBCwUAMIGN
| MQswCQYDVQQGEwJpbjEKMAgGA1UECAwBbTEPMA0GA1UEBwwGbm9yd2F5MRYwFAYD
| VQQKDA1WYWxlbnRpbmVDb3JwMREwDwYDVQQLDAhsb3ZlLmh0YjEZMBcGA1UEAwwQ
| c3RhZ2luZy5sb3ZlLmh0YjEbMBkGCSqGSIb3DQEJARYMcm95QGxvdmUuaHRiMB4X
445/tcp   open  microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?       syn-ack ttl 127
| fingerprint-strings: 
|   LDAPBindReq, LPDString, NULL, giop: 
|_    Host '10.10.14.154' is not allowed to connect to this MariaDB server 
5000/tcp  open  http         syn-ack ttl 127 Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: 403 Forbidden
5040/tcp  open  unknown      syn-ack ttl 127
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5986/tcp  open  ssl/http     syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Issuer: commonName=LOVE
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-11T14:39:19
| Not valid after:  2024-04-10T14:39:19
| MD5:   d35a 2ba6 8ef4 7568 f99d d6f4 aaa2 03b5
| SHA-1: 84ef d922 a70a 6d9d 82b8 5bb3 d04f 066b 12f8 6e73
47001/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)          
|_http-title: Not Found                                                   
49664/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC

We can see a domain name love.htb and staging.love.htb so let's add this to our /etc/hosts file

PORT 80 (HTTP)

On intercepting the request with burp suite we can see POST parameters

I tried messing with parameters and got the error in sql

Tried to do sqli but didn't work so let's visit staging.love.htb

This seems to load a file using url so let's try to add our php shell

<?php system($_GET['cmd']); ?>

But this didn't work so there was port 5000 open on the machine which we cannot access

So let's try to access this port through that url input field

And we got voter admin's credentials but this won't work there as it needs an id

So I though maybe searching on google for voter system and found the exact same application

https://www.sourcecodester.com/php/12306/voting-system-using-php.html

So we need to navigate to /admin in order to login with credentials

Click on Voters from the dashboard

Add a new voter and for a profile picture add a php file either with GET paramter like I did above or powney shell

And opening this php file we will get an interactive shell

Now generate a msfvenom payload because the file gets deleted because of some script of task running in the background

Now for privilege escalation we can run PowerUp.ps1 script to enumerate for misconfigurations or potential vectors for privesc, import the powershell script and run Invoke-Allchecks

We can see that installation for any program will be installed as SYSTEM

I used this as a reference https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/

Now there were tons of articles on how you can abuse so there were many ways you can either use the abuse function you saw by just running Write-UserAddMSI and on running ,it will create a msi program which you can install and it will create a local admin user

Another way was to metasploit's post exploit module use exploit/windows/local/always_install_elevated but I did this exploit manually , I generate a windows 64 bit payload as the noramal one didn't respond

This is will create windows installer file which can install it on the target machine using msiexec. So upload it to the target machine