Hello everyone, in this post I will be sharing my writeup for the HTB Love machine, which is an easy-level Windows box. It involved a web page running an open-source PHP voting system that required admin user credentials. We got those from a subdomain found in the SSL certificate: on that domain there was a file scanner application vulnerable to SSRF (Server Side Request Forgery), through which we could reach what was running on another HTTP port (port 5000) and obtain the admin user's credentials to log in. After logging in we could add a user and upload a profile picture, which gave us the chance to upload a PHP reverse shell and get a foothold on the machine. As the user "phoebe" we ran PowerUp.ps1, which enumerated misconfigurations for us and found that AlwaysInstallElevated was enabled, which allowed us to get SYSTEM on the machine.

Rustscan

We can see the domain names love.htb and staging.love.htb, so let's add them to our /etc/hosts file

PORT 80 (HTTP)

On intercepting the request with Burp Suite we can see the POST parameters

I tried messing with the parameters and got a SQL error

Tried SQLi but it didn't work, so let's visit staging.love.htb

This seems to load a file from a URL, so let's try to point it at our PHP shell

<?php system($_GET['cmd']); ?>

But this didn't work. Port 5000 was also open on the machine, but we cannot access it directly from outside

So let's try to access this port through that URL input field

And we got the voter admin's credentials, but they won't work here as the login form needs an id
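For the defender's side of the SSRF above (the file scanner fetched whatever URL it was given, including http://127.0.0.1:5000), here is an added example, not code from the writeup or from the voting application, of the URL validation such a "fetch by URL" feature should do before making the request. It assumes the feature only ever needs public HTTP(S) hosts on ports 80 and 443; the `resolver` parameter exists so the check can be tested offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for the scanner: public web hosts only, standard ports only.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def _is_public(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    # Loopback, RFC1918, link-local (incl. cloud metadata 169.254.169.254),
    # multicast, reserved and unspecified ranges are all off-limits.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason, pinned_ip). The caller must connect to pinned_ip,
    not re-resolve the hostname, so a second DNS answer cannot flip the
    target to an internal address after the check (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    if parts.username or parts.password:
        return False, "credentials in URL not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "bad port", None
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port, None
    try:
        # Literal IPs need no lookup; otherwise resolve exactly once.
        ips = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            answers = resolver(host, port, proto=socket.IPPROTO_TCP)
        except (socket.gaierror, OSError):
            return False, "unresolvable host", None
        ips = [ipaddress.ip_address(a[4][0]) for a in answers]
    if not ips:
        return False, "unresolvable host", None
    for ip in ips:  # reject if ANY answer points inside the network
        if not _is_public(ip):
            return False, "resolves to internal address %s" % ip, None
    return True, "ok", str(ips[0])
```

Rejecting on the resolved address rather than on the hostname string is what stops the localhost, 127.1, decimal-IP and DNS-alias variants of the same trick.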

So I thought of searching Google for the voting system and found the exact same application

https://www.sourcecodester.com/php/12306/voting-system-using-php.html

So we need to navigate to /admin in order to log in with the credentials

Click on Voters from the dashboard

Add a new voter and, for the profile picture, upload a PHP file, either one with a GET parameter like I did above or a powney shell

And on opening this PHP file we will get an interactive shell

Now generate an msfvenom payload, because the uploaded file gets deleted by some script or scheduled task running in the background

Now for privilege escalation we can run the PowerUp.ps1 script to enumerate misconfigurations and potential privesc vectors: import the PowerShell script and run Invoke-AllChecks

We can see that any installer package will be installed as SYSTEM

I used this as a reference https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/

Now there are tons of articles on how to abuse this, and many ways to do it. You can use the abuse function you saw above by simply running Write-UserAddMSI; it will create an MSI package which, when installed, creates a local admin user

Another way is Metasploit's post-exploitation module exploit/windows/local/always_install_elevated, but I did this exploit manually. I generated a Windows 64-bit payload, as the normal one didn't respond

This will create a Windows Installer file, which we can install on the target machine using msiexec. So upload it to the target machine

BS CS undergraduate | CTF Player