Hello everyone , in this post I will be sharing my writeup for HTB Love machine , which is an easy level windows box. It involved a web page which was having an open source PHP voting system application which required admin user credentials which we got from the subdomain we found from SSL certificate ,on that domain there was file scanner application which was vulnerable to SSRF (Server Side Request Forgery) through that we can access what was running on other http port (port 5000) , through that we got the credential of admin user and logged in. After logging in we could add a user and could upload a picture that’s where we had the possibility of uploading php reverse shell and got foothold on to the machine. Being the user “phoebe” we ran PowerUp.ps1 which enumerated the misconfigurations for us and found AlwaysIntallElevated was enabled which allowed us to get SYSTEM on the machine.
Rustscan
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Voting System using PHP
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack ttl 127 Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in/organizationalUnitName=love.htb
/localityName=norway/emailAddress=roy@love.htb
| Issuer: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in/organizationalUnitName=love.htb/localityNa
me=norway/emailAddress=roy@love.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-01-18T14:00:16
| Not valid after: 2022-01-18T14:00:16
| MD5: bff0 1add 5048 afc8 b3cf 7140 6e68 5ff6
| SHA-1: 83ed 29c4 70f6 4036 a6f4 2d4d 4cf6 18a2 e9e4 96c2
| -----BEGIN CERTIFICATE-----
| MIIDozCCAosCFFhDHcnclWJmeuqOK/LQv3XDNEu4MA0GCSqGSIb3DQEBCwUAMIGN
| MQswCQYDVQQGEwJpbjEKMAgGA1UECAwBbTEPMA0GA1UEBwwGbm9yd2F5MRYwFAYD
| VQQKDA1WYWxlbnRpbmVDb3JwMREwDwYDVQQLDAhsb3ZlLmh0YjEZMBcGA1UEAwwQ
| c3RhZ2luZy5sb3ZlLmh0YjEbMBkGCSqGSIb3DQEJARYMcm95QGxvdmUuaHRiMB4X
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql? syn-ack ttl 127
| fingerprint-strings:
| LDAPBindReq, LPDString, NULL, giop:
|_ Host '10.10.14.154' is not allowed to connect to this MariaDB server
5000/tcp open http syn-ack ttl 127 Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: 403 Forbidden
5040/tcp open unknown syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5986/tcp open ssl/http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Issuer: commonName=LOVE
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-11T14:39:19
| Not valid after: 2024-04-10T14:39:19
| MD5: d35a 2ba6 8ef4 7568 f99d d6f4 aaa2 03b5
| SHA-1: 84ef d922 a70a 6d9d 82b8 5bb3 d04f 066b 12f8 6e73
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPCWe can see a domain name love.htb and staging.love.htb so let's add this to our /etc/hosts file
PORT 80 (HTTP)
On intercepting the request with burp suite we can see POST parameters
I tried messing with parameters and got the error in sql
Tried to do sqli but didn’t work so let’s visit staging.love.htb
This seems to load a file using url so let’s try to add our php shell
<?php system($_GET['cmd']); ?>
But this didn’t work so there was port 5000 open on the machine which we cannot access
So let’s try to access this port through that url input field
And we got voter admin’s credentials but this won’t work there as it needs an id
So I though maybe searching on google for voter system and found the exact same application
https://www.sourcecodester.com/php/12306/voting-system-using-php.html
So we need to navigate to /admin in order to login with credentials
Click on Voters from the dashboard
Add a new voter and for a profile picture add a php file either with GET paramter like I did above or powney shell
And opening this php file we will get an interactive shell
Now generate a msfvenom payload because the file gets deleted because of some script of task running in the background
Now for privilege escalation we can run PowerUp.ps1 script to enumerate for misconfigurations or potential vectors for privesc, import the powershell script and run Invoke-Allchecks
We can see that installation for any program will be installed as SYSTEM
I used this as a reference https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/
Now there were tons of articles on how you can abuse so there were many ways you can either use the abuse function you saw by just running Write-UserAddMSI and on running ,it will create a msi program which you can install and it will create a local admin user
Another way was to metasploit’s post exploit module use exploit/windows/local/always_install_elevated but I did this exploit manually , I generate a windows 64 bit payload as the noramal one didn't respond
This is will create windows installer file which can install it on the target machine using msiexec. So upload it to the target machine
