HackTheBox – Love

Welcome to another post with the write-up of the HackTheBox machine “Love”. This was a great challenge because it involved the exploitation of common web vulnerabilities.

Initial enumeration

We launch Nmap and find out some interesting ports:

There are HTTP, HTTPS as well as MySQL and other not so typical ones. Since the default MySQL server configuration doesn’t allow connections from outside the box, this port normally is not as interesting to check as the web servers.

A second Nmap scan revealed a third web server listening on port 5000:

We check quickly the web server in port 5000 and we obtain a “Forbidden”

Then, we access the HTTP server in port 80 and the following content is displayed:

After check some common / default passwords, we see that this isn’t apparently the way to break into the server.

It seems that port 80 has not so much for us by the moment, let’s enumerate the 443 one, which is HTTPS service. Normally, the TLS certificate discloses interesting information so it is always worthy to check it.

The certificate reveals two domains:

  • staging.love.htb
  • love.htb

We include the “staging.love.htb” to the /etc/hosts file and we access the following web page:

Accessing the admin panel

In the “Demo” page there is a form that smells like SSRF so far. We verify this vulnerability requesting a fake resource in a local HTTP server:

In this moment, we remember the first web page where we couldn’t access because a Forbidden access. Using this SSRF we should be able to access to this content.

For our surprise, the content discloses the administrator’s password:

With this credentials we try every single login and we’ve not luck. The main task now is to find out some administration panel or application where we can access for further exploitation.

The admin panel is identified in the “http://love.htb/admin” and we access to this content:

We obtain some hashed credentials in “http://love.htb/admin/voters.php”:

Remote code execution

After crack the hashes, all them correspond with “password123”. It was not identified any way to use this credentials.

The next approach is to find vulnerabilities in the CMS, which is identified as “Voting System”. We saw this link and we figured that any kind of vulnerability is existing, related with the user’s profile that is capable of upload a webshell and, therefore, execute code in the underlying operative system.

We couldn’t get a reverse shell using the exploit itself, so we decided to manually exploit it. In order to do so, the only thing needed was to create a new user and upload a webshell in his user’s profile.

Privilege escalation

The privilege escalation was pretty straightforward since the method is well known, the “AlwaysInstallElevated” registry was enabled so it is possible to install malicious software with SYSTEM privileges and therefore, obtain a elevated session.

Following the steps available here, we escalate privileges to SYSTEM.

Posted on