# Hack The Box: Love

### TL;DR;

To solve this machine, we begin by enumerating open ports – finding ports `80`, `135`, `139`, `443`, `445`, `3306`, `5000`, `5040`, `5985`, `5986`, `47001`, `49664`, `49665`, `49666`, `49667`, `49668`, `49669`, and `49670` open. From port `443`, we find a subdomain in the TLS certificate, which gives us access to a subdomain on port `80`. Using an SSRF vulnerability on the subdomain, we are able to get credentials to an admin interface hosted on port `80`. From the admin portal, we are able to upload a reverse shell, and get access to the machine as `phoebe` – who owns `user.txt`. As `phoebe`, we find a vulnerability that allows command execution as `NT Authority/SYSTEM`, which we exploit to create an administrative user. Using our created account, we gain access to the machine, and can now read `root.txt`.

### Enumeration

Like all machines, we begin by enumerating open ports using `nmap` – finding ports `80`, `135`, `139`, `443`, `445`, `3306`, `5000`, `5040`, `5985`, `5986`, `47001`, `49664`, `49665`, `49666`, `49667`, `49668`, `49669`, and `49670` open.

```\$ sudo nmap -v -p- --min-rate 3000 \$RHOST
[...]
nmap -p 80,135,139,443,445,3306,5000,5040,5985,5986,47001,49664,49665,49666,49667,49668,49669,49670 -sV -A -oA enum/nmap/tcp-scripts 10.129.102.57

# Nmap 7.91 scan initiated Sat May  1 15:04:46 2021 as: nmap -p 80,135,139,443,445,3306,5000,5040,5985,5986,47001,49664,49665,49666,49667,49668,49669,49670 -sV -A -oA enum/nmap/tcp-scripts 10.129.102.57
Nmap scan report for staging.love.htb (10.129.102.57)
Host is up (0.049s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Secure file scanner
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp  open  unknown
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5986/tcp  open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after:  2024-04-10T14:39:19
|_ssl-date: 2021-05-01T20:29:08+00:00; +21m18s from scanner time.
| tls-alpn:
|_  http/1.1
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|2008|7|Vista|XP|8.1 (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_8.1
Aggressive OS guesses: Microsoft Windows 10 1709 - 1909 (96%), Microsoft Windows Longhorn (95%), Microsoft Windows 10 1709 - 1803 (93%), Microsoft Windows 10 1809 - 1909 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows 10 1703 (93%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows Server 2008 SP2 (93%), Microsoft Windows 7 SP1 (93%), Microsoft Windows 8 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 21m18s, deviation: 0s, median: 21m18s
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-05-01T20:28:53
|_  start_date: N/A

TRACEROUTE (using port 443/tcp)
1   48.34 ms 10.10.14.1
2   48.45 ms 10.129.102.57

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May  1 15:07:51 2021 -- 1 IP address (1 host up) scanned in 185.03 seconds
```

From the results, we find the subdomain `staging.love.htb` via the “ssl-cert” nmap script on port `443`. For now, we will add it and its root domain to our `/etc/hosts` file. Since `nmap` showed us at least one subdomain, we use `openssl` to check for more potential ones. While running the tool, we also find a potential username.

Next, we enumerate the webservers hosted on ports `80`, `443`, and `5000` with `gobuster` and `nikto`. The only significant finding is that there is an `/admin` directory located on port `80`. Lastly, we check SMB (port `445`) and RPC (port `135`) for anonymous and `guest` authentication, however, these appear to be disabled.

### Getting User

Going to the main website on port `80`, we are presented with a login form for a voting system. We try some input validation checks, however, we do not find anything that may be vulnerable.

Next, we go to the website hosted at `staging.love.htb`, and are presented with a service called “Free File Scanner”.

Clicking on the “Demo” link, we are taken to `http://staging.love.htb/beta.php`. This page allows us to supply a URL to a file that it will scan. Since we are prevented from seeing the webserver on port `5000`, we attempt to access it via this tool. After sending `http://localhost:5000` as the URL to scan, we are able to exploit a Server-Side Request Forgery (SSRF) vulnerability, and access the website. The returned content appears to be administrative credentials for the voting system.

Reflecting back on our previous enumeration, we discovered an `/admin` directory on the root domain. Going to `http://love.htb/admin/index.php`, we are able to use the credentials, and log into the administrator interface.

Looking around the interface, there is not much functionality aside from creating content. Before we start altering the content, we head to the user’s settings. On this page, we are able to upload a profile picture. From previous experience, we have been able to use this functionality to upload and execute a reverse shell, so we will attempt it here. We know the web server is running php, so we will upload a php reverse shell. Since most our prepared php reverse shells are for Linux, we search GitHub for a Windows-based one. In our research, we find this one. We download it, make the necessary changes, and start a connection listener. Once our shell handler is running, we upload the reverse shell to the website. Once it it uploaded, we immediately get a connection back to us as `phoebe`.

Going to the user’s desktop folder, we are now able to read `user.txt`. For a better shell, we generate and upload a Windows native reverse shell.

### Getting Root

Now that we have a reverse shell as `phoebe`, we begin our local enumeration. One of the quick finds is grabbing the database credentials from `C:\xampp\htdocs\omrs\includes\conn.php`. These appear to also be be `phoebe`‘s system credentials.

Next, we run `WinPEAS` to automate the rest of the enumeration for us. One interesting finding we are given, is that “AlwaysInstallElevated” is enabled for the `LocalMachine` and `CurrentUser` registry hives. According to this guide, these permissions allow us to install “*.msi” files as `NT Authority\SYSTEM`. As the guide details, we generate a malicious “.msi” file using `msfvenom` using the “msi” format. This malicious install file will create a backdoor administrator user that we can use. Next, we upload it to the machine.

Once the malicious file is uploaded to the machine, we execute it to create the backdoored account. Once executed, we can use `evil-winrm` (or `psexec.py`) to log into the machine and read `root.txt`.

Thank you for taking the time to read my write-up. I am interested in other ways this machine has been solved. Feel free to reach out to me and we can discuss it. Thanks!