Love machine is an intentionally vulnerable machine with Windows operating system among the reitred machines. It is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic Scan

Full port scan

We have encountered open ports. We have detected love.htb as the domain address and staging.love.htb as the ssl address and we add it to /etc/hosts file. Let’s first enuemration smb from open ports, let’s see if there is anonymous sharing.

We did not get a result in smb.
Let’s look at mysql

We don’t have connection authorization.
We continue with port 80 enumeration.

Here we encountered a panel called Voting System, we tried default paroalr here, we looked at the source codes and we could not get any results. Let’s see if there is a vulnerability related to this

When we look at the exploit here, it asks us for credential information

We note that we do not know these, we continue this vulnerability.
On port 5000, the http protocol is also running, let’s provide enuemration here via browser

We encountered a forbiden error.
On ssl port 443 we encountered staging.love.htb let’s go to this

We looked at the source code as if the Submit button is not working, there is no useful information. We see the demo part above
When I click on the demo button, it redirects to the beta.php page.

Here url gidi file scanning here I did not say a public address here, when I opened the web server from my machine I made a request and it provided the request.

Here it saw the file in the directory. Let’s test if it can read the contents of the file

As you can see, it even read the contents of the nmap.txt file.
Here we have in mind that we can’t connect when we don’t have permission on port 5000, let’s try to see if it comes if we make a request

Here we got forbidden error again, but we know that this port is working on this machine, so if we try to connect from locahost, let’s try to connect with

We were able to access it when it was localhost. We also saw that there was an SSRF vulnerability here.
This page provides us with credential information, we take this information and try it in our exploit.
We first edit the exploit

Then we run the exploit code and get shelli on the user love\phoebe.

Here we get the user flag

But we could not access the administratore, so we provide local enumeration.
Here we download and run the winpeas tool.

AlwaysInstallElevated is said to be true. (You can use AlwaysInstallElevated policy to install a Windows Installer package with elevated (system) privileges.)
We go from the hacktrick source link provided.

Let’s try what they say right now

We saw that it was really open
To use it, we need to create a payload from msfvenom

We created the share and transferred it to the target machine, then we start listening to the port with nc and finally we run the msi file

We obtained shell from user System
In this way we have obtained the root flag


  1. ecommerce

    Hello there! Do you know if they make any plugins to help with Search Engine Optimization? I’m trying to get my blog to rank for some targeted keywords but I’m
    not seeing very good success. If you know of any please share.
    Thanks! You can read similar blog here: Najlepszy sklep

  2. Szpiegowskie Telefonu

    Gdy zapomnisz hasła do zablokowania ekranu, jeśli nie wprowadzisz prawidłowego hasła, odblokowanie i uzyskanie dostępu będzie trudne. Jeśli okaże się, że Twój chłopak / dziewczyna jest podejrzana, być może pomyślałeś o włamaniu się do jego telefonu Samsung, aby uzyskać więcej dowodów. Tutaj zapewnimy Ci najlepsze rozwiązanie, jak złamać hasło telefonu komórkowego Samsung.

  3. Dusti Mccain

    We’re a gaggle of volunteers and starting a new scheme in our community. Your website offered us with useful information to paintings on. You’ve performed a formidable activity and our entire group can be grateful to you.

  4. Fitspresso reviews

    I am curious to find out what blog system you have been utilizing? I’m experiencing some small security issues with my latest blog and I’d like to find something more safe. Do you have any recommendations?

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir