Enumeration/Foothold
Love is an Easy box from HTB created by pwnmeow. This box features subdomain lookup and AlwaysInstallElevated privesc. I start every scan with a RustScan and convert it to a PDF for easier viewing. This is bundled into my setup.sh script, which I’ve mentioned in a few of my other posts. RustScan with Nmap filters shows a website with registration available on Port 80. I also notice Port 443 is open, so I navigate over to the HTTPS version of the website. I see a certificate with some useful information.

Port 80 showing the Voting System screen.

HTTPS Certificate showing some useful information.
Seeing the certificate I notice a subdomain. I add the primary domain and the subdomain to my host file.

Adding sub-domain to my host file.
I also note down the [email protected] address as a possible username and ValentineCorp as a possible company. I visit both domains with HTTPS and the staging website comes up.

Staging File Scanner website.
I notice at the top of the screen that a Demo link is available. I set up a nc listener, click Scan file, and get a hit back showing that code execution via RFI or traversal might be possible.
After striking out for a few minutes, my Nmap scan finishes. Reviewing the results I notice that Port 5000 is running a website and giving a 403 Error.

Port 5000 showing 403 Forbidden.
I use the file scanner to navigate to the page and pick up the credentials for the voting system.

Free File Scanner shows the Password Dashboard.
I note down the credentials and head over to the voting page. Upon logging in I note down the name of the user we are logged in as and notice the Copyright for the site says 2018. As this box came out in 2021, we can assume this is intentional.

Google showing me the way…
After viewing the ExploitDB article I was unable to get a response. Instead I tried the exploit manually, which worked.

Creating a new malicious candidate.
I created a Candidate and uploaded a shell.php, which is a fork of the PenTestMonkey PHP reverse shell. To catch the shell I set up a nc listener –
Escalation
Once on the system I get the user flag, create a directory in the Windows\Temp directory and download WinPEAS to the box. The scan comes back that AlwaysInstallElevated is enabled.

WinPEAS showing AlwaysInstallElevated.
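The check WinPEAS is flagging above comes down to two registry values. Below is an added PowerShell audit (my own example, not code from the writeup) that reads both values, reports whether the misconfiguration is actually present, and offers a remediation function; the function names and the Group Policy path mentioned in the comments are the only assumptions.

```powershell
# Added example: audit and remediate the AlwaysInstallElevated misconfiguration.
# Windows Installer only honours the policy when the DWORD is 1 under BOTH hives,
# so a finding in one hive alone is noise rather than a privilege-escalation path.

function Test-AlwaysInstallElevated {
    [CmdletBinding()]
    param()

    $paths = @{
        Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }

    $result = [ordered]@{}
    foreach ($scope in $paths.Keys) {
        $value = $null
        if (Test-Path $paths[$scope]) {
            # On a clean system the value is simply absent; treat that as "not set".
            $value = (Get-ItemProperty -Path $paths[$scope] -Name 'AlwaysInstallElevated' `
                          -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        $result[$scope] = $value
    }

    [pscustomobject]@{
        MachineValue = $result.Machine
        UserValue    = $result.User
        # Only the combination lets a standard user run an MSI as SYSTEM.
        Vulnerable   = ($result.Machine -eq 1 -and $result.User -eq 1)
    }
}

function Disable-AlwaysInstallElevated {
    # Remediation: explicitly set both values to 0. Writing under HKLM needs an
    # elevated shell; in a domain, set the matching policy in GPO instead
    # (Computer/User Configuration > Administrative Templates > Windows Components
    # > Windows Installer > "Always install with elevated privileges" = Disabled).
    foreach ($path in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
                      'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer') {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
    }
}

$state = Test-AlwaysInstallElevated
$state | Format-List
if ($state.Vulnerable) {
    Write-Warning 'AlwaysInstallElevated is enabled in both hives: any user can install an MSI as SYSTEM.'
}
```

Running the audit on a host where WinPEAS reported the finding should show both values as 1; after Disable-AlwaysInstallElevated (or the GPO change) a re-run should report Vulnerable = False.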
I kill the session for the PHP shell and change the port to 9001. This is because my setup script creates MSFVenom shells that default to Port 1234. I alter the PHP shell and get back into the environment. I then pull the .MSI shell I have to perform the privilege escalation.
Attack Machine
Victim Machine

Rooted Love from HTB.
