Love is an intentionally vulnerable machine running Windows, one of the retired machines. The goal is to obtain the user and root flags by using its vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Full port scan
We found several open ports. We identified love.htb as the domain name and staging.love.htb as the name on the SSL certificate, and we add both to the /etc/hosts file. Let's first enumerate SMB from the open ports and see whether anonymous sharing is allowed.
We did not get a result in smb.
Let’s look at mysql
We don’t have connection authorization.
We continue with port 80 enumeration.
Here we encountered a panel called Voting System. We tried default passwords and looked at the source code, but could not get anywhere. Let's see if there is a known vulnerability related to it.
When we look at the exploit, it asks us for credentials.
We note that we do not have these yet and keep this vulnerability in mind as we continue.
HTTP is also running on port 5000, so let's enumerate it through the browser.
We encountered a forbidden error.
On SSL port 443 we encountered staging.love.htb, so let's go there.
We looked at the source code because the Submit button did not seem to work; there is no useful information. We see the demo section at the top.
When I click on the demo button, it redirects to the beta.php page.
Here a URL can be entered to scan a file. Instead of a public address, I started a web server on my own machine and pointed the scanner at it, and the request arrived.
It listed the file in the directory. Let's test whether it can also read the contents of the file.
As you can see, it even read the contents of the nmap.txt file.
Keeping in mind that we could not connect to port 5000 without permission, let's see whether it responds if we make the request through this scanner.
We got the forbidden error again, but we know this port is open on the machine, so let's try connecting from localhost using 127.0.0.1.
When the request was made to localhost we were able to access it. This also confirmed an SSRF vulnerability here.
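The scanner above fetches whatever URL it is given, which is what let a request reach the internal service on port 5000. As an added example (not code from the writeup or the Voting System application), here is the kind of check a server-side fetcher should perform before following a user-supplied URL: allow only http/https on default ports and refuse any hostname that resolves to a loopback, private, link-local or otherwise non-global address. The `resolve` parameter is an assumption introduced so the check can be tested offline.

```python
"""SSRF guard for a server-side URL fetcher (added example, not the page's code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}  # None means the scheme's default port


def _resolve(host):
    """Return every address (A and AAAA) the host resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_fetch_url(url, resolve=_resolve):
    """Return True only if `url` may be fetched on behalf of a client.

    `resolve` is injectable (hypothetical parameter) so tests run offline.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port not in ALLOWED_PORTS:
        return False
    # Accept an IP literal directly; otherwise resolve the name and check
    # every address it maps to (a name can point at 127.0.0.1 as easily as
    # a literal can).
    try:
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (socket.gaierror, ValueError):
            return False
    for addr in addrs:
        # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before classifying.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if not addr.is_global:
            return False
    return True
```

Pair the check with fetching only the resolved address (not re-resolving the name), otherwise a DNS answer that changes between check and fetch can bypass it.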
This page gives us credentials; we take them and try them in our exploit.
We first edit the exploit.
Then we run the exploit and get a shell as the user love\phoebe.
Here we get the user flag
But we could not access Administrator, so we move on to local enumeration.
Here we download and run the winpeas tool.
AlwaysInstallElevated is reported as true. (The AlwaysInstallElevated policy lets a Windows Installer package be installed with elevated (SYSTEM) privileges.)
We follow the HackTricks link given as the source.
Let's try what they describe right now.
We saw that it really is enabled.
To use it, we need to create a payload with msfvenom.
We created the share and transferred the payload to the target machine, then started listening on the port with nc, and finally ran the msi file.
We obtained a shell as the SYSTEM user.
In this way we obtained the root flag.