Hack the Box-Love Walkthrough HTB-Love

FreakyDodo
4 min read · Jun 17, 2021


The actual foothold isn’t hard once you get the right path. Root is very simple once you do your standard parts. Be careful not to go too far down the route of breaking ha… I mean hearts… that’s only going to cause you pain later.

Let’s walk through how I rooted this box.

Running a normal Nmap scan with aggressive scanning.

Port 80 serves a login interface, which indicates that the development language is PHP.

Obtain the host names through the SSL certificate.

Add them to the hosts file:

10.10.10.239 staging.love.htb love.htb
Penetration
Through staging.love.htb I found a file scanning service, which is used to identify viruses. It is not open, but there is a Demo page.

You can enter a URL on the Demo page, and it seems that an HTTP request will be issued.

RFI seems to have failed when I tried it, but SSRF seems to be no problem.

Accessing port 5000 directly earlier returned a 403.

Here you can use SSRF to access port 5000:

http://127.0.0.1:5000
This successfully returns the credentials admin/@LoveIsInTheAir!!!!
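
The request above succeeds because the Demo page fetches whatever URL it is given from the server's own network position. The following is an added example, not part of the original walkthrough or of the box's code: a pre-fetch destination check written in Python for brevity (the application itself is PHP). The allowed schemes and ports, the function names and the sample URLs are assumptions chosen for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the scanner only ever needs plain web fetches on standard ports.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_all(host):
    """Return every address the host resolves to (IP literals need no DNS)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def check_fetch_url(url, resolver=resolve_all):
    """Return (allowed, reason) for a user-supplied URL before the server fetches it."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addrs = resolver(parts.hostname)
    except (OSError, ValueError):
        return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the embedded IPv4 address.
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        # Loopback, private, link-local and reserved ranges are all non-global.
        if not addr.is_global:
            return False, f"{addr} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the URL from the walkthrough plus two variations.
    for u in ("http://127.0.0.1:5000", "http://127.0.0.1/", "file:///etc/hosts"):
        print(u, "->", check_fetch_url(u))
```

The fetch itself has to connect to the address that was vetted and repeat the check on every redirect; otherwise a name that resolves differently on the second lookup passes the check and still reaches the internal service.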

With these you can log in to the earlier page on port 80; note that the admin back-end address is http://10.10.10.239/admin

After logging in I tried editing my admin profile and found that I could upload an image for my profile. Well, I guess it’s time to upload my PHP backdoor and see whether it is accepted or not.

Now it’s time to execute the PHP shell. To do so I tried adding a vote, because adding a vote shows your profile image.

So I can see my payload in place of my profile picture, but it isn’t executed. Let’s try executing it.

By inspecting the element I can get the address that will execute the payload, and I’ll have access to the system.

I’ve used a very user-friendly payload so that I can just click on directories and get user.txt and root.txt. So I’ll first go to the root directory and find user.txt.

On getting user.txt I also tried accessing root.txt with the same shell, but I didn’t have the privileges to do so. It’s time to escalate privileges by creating a Windows Metasploit payload.

Now let’s upload this payload to pictures and execute it to get a Metasploit session.

Here I’ve uploaded my .exe payload. Now I will browse to my payload through my PHP shell and execute it via cmd.

Payload execution. (Look at the URL in the picture below.)

Once it executed I was able to establish a Metasploit session.

Though I got a session established, it still doesn’t have escalated privileges, so let’s put this session into the background and search for a payload which can escalate for us.

I found a payload which gives you elevated privileges when run. Let’s try using it.

Now that I have an elevated session I can try browsing the Administrator directory and find root.txt.

If you are unable to find root.txt, follow the pictures and execute the commands accordingly.

I got root.txt too!!!

Happy Hacking

Keep Coming for more.


Written by FreakyDodo

Hey Hackers!! I am Harshit Dodia, aka Freaky Dodo. I am a student of Information Technology and Ethical Hacking.
