# HackTheBox-Love
## Rustscan
```bash
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Voting System using PHP
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack ttl 127 Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in/organizationalUnitName=love.htb
/localityName=norway/emailAddress=roy@love.htb
| Issuer: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in/organizationalUnitName=love.htb/localityNa
me=norway/emailAddress=roy@love.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-01-18T14:00:16
| Not valid after: 2022-01-18T14:00:16
| MD5: bff0 1add 5048 afc8 b3cf 7140 6e68 5ff6
| SHA-1: 83ed 29c4 70f6 4036 a6f4 2d4d 4cf6 18a2 e9e4 96c2
| -----BEGIN CERTIFICATE-----
| MIIDozCCAosCFFhDHcnclWJmeuqOK/LQv3XDNEu4MA0GCSqGSIb3DQEBCwUAMIGN
| MQswCQYDVQQGEwJpbjEKMAgGA1UECAwBbTEPMA0GA1UEBwwGbm9yd2F5MRYwFAYD
| VQQKDA1WYWxlbnRpbmVDb3JwMREwDwYDVQQLDAhsb3ZlLmh0YjEZMBcGA1UEAwwQ
| c3RhZ2luZy5sb3ZlLmh0YjEbMBkGCSqGSIb3DQEJARYMcm95QGxvdmUuaHRiMB4X
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql? syn-ack ttl 127
| fingerprint-strings:
| LDAPBindReq, LPDString, NULL, giop:
|_ Host '10.10.14.154' is not allowed to connect to this MariaDB server
5000/tcp open http syn-ack ttl 127 Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-title: 403 Forbidden
5040/tcp open unknown syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5986/tcp open ssl/http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Issuer: commonName=LOVE
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-04-11T14:39:19
| Not valid after: 2024-04-10T14:39:19
| MD5: d35a 2ba6 8ef4 7568 f99d d6f4 aaa2 03b5
| SHA-1: 84ef d922 a70a 6d9d 82b8 5bb3 d04f 066b 12f8 6e73
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
```
We can see a domain name `love.htb` and `staging.love.htb` so let's add this to our `/etc/hosts` file
## PORT 80 (HTTP)
On intercepting the request with `burp suite` we can see POST parameters
I tried messing with parameters and got the error in sql
Tried to do sqli but didn't work so let's visit staging.love.htb
This seems to load a file using url so let's try to add our php shell
``
But this didn't work so there was port 5000 open on the machine which we cannot access
So let's try to access this port through that url input field
And we got voter admin's credentials but this won't work there as it needs an id
So I though maybe searching on google for voter system and found the exact same application
https://www.sourcecodester.com/php/12306/voting-system-using-php.html
So we need to navigate to `/admin` in order to login with credentials
Click on `Voters` from the dashboard
Add a new voter and for a profile picture add a php file either with GET paramter like I did above or powney shell
And opening this php file we will get an interactive shell
Now generate a msfvenom payload because the file gets deleted because of some script of task running in the background
Now for privilege escalation we can run `PowerUp.ps1` script to enumerate for misconfigurations or potential vectors for privesc, import the powershell script and run `Invoke-Allchecks`
We can see that installation for any program will be installed as SYSTEM
I used this as a reference
https://www.hackingarticles.in/windows-privilege-escalation-alwaysinstallelevated/
Now there were tons of articles on how you can abuse so there were many ways you can either use the abuse function you saw by just running `Write-UserAddMSI` and on running ,it will create a msi program which you can install and it will create a local admin user
Another way was to metasploit's post exploit module `use exploit/windows/local/always_install_elevated` but I did this exploit manually , I generate a windows 64 bit payload as the noramal one didn't respond
This is will create windows installer file which can install it on the target machine using `msiexec`. So upload it to the target machine