Official Love Discussion

This is my first time doing a good Windows box all the way through and it definitely helped me understand Windows pentesting methodology better. I also highly recommend https://book.hacktricks.xyz/ if you’re new like me.

Anyone having issues logging in with the creds? I’ve tried it on all 3 login pages, but it keeps coming up with incorrect password.

EDIT: nvm works now…

Hello does anybody have issues validating the hashes on this machine?

I have both hashes of love user and admin but none is accepted

C:\Users\Phoebe\Desktop>type user.txt
type user.txt
d4c32c4f8b3c130< the rest is removed>

C:\users\Administrator\Desktop>type root.txt
type root.txt
ad386382580a1< the rest is removed>

Hello guys, after enumerations I got a web page that required admin login, but I got the user name and login for admin and the password too but I have no success in logging into the web site/server coz it’s saying incorrect passwd. Is there any other way out?

Finally rooted.

I have spent way longer on foothold right in front of the entrypoint, just because I ignored some findings of my nmap scan. As others have said, the solution is right in front of you after you did the nmap scan. There are actually two important results in nmap which are easy to overlook.

I have found the privesc path after a few minutes, but due to a typo my command did not execute correctly… After a few days I have learned how to write quiet correctly X-D

@xenacod said:
Hello guys, after enumerations I got a web page that required admin login, but I got the user name and login for admin and the password too but I have no success in logging into the web site/server coz it’s saying incorrect passwd. Is there any other way out?

site enumeration is key

@jvlavl said:

Hello does anybody have issues validating the hashes on this machine?

I have both hashes of love user and admin but none is accepted

C:\Users\Phoebe\Desktop>type user.txt
type user.txt
d4c32c4f8b3c130< the rest is removed>

C:\users\Administrator\Desktop>type root.txt
type root.txt
ad386382580a1< the rest is removed>

Hashes are dynamic, which means they change every time the box reboots and are different between VPN connections. They have a short lifespan on most boxes.

However, it also means that sometimes the hashes aren’t properly initialised during the boot cycle. This is getting rarer now but still seems to happen.

Also, if there is a reset request between you getting the hash and submitting the hash, then your hashes are no longer valid. Really, they need to be used quickly.

For anyone facing this problem you have very few choices:

  • Reset the box, re-pwn it and get the new hashes, submit them. If they aren’t new hashes or if they get rejected as well you need to go to the other option.
  • Raise a ticket with HTB support. They will want to double-check your exploitation so may ask you to explain exactly how you compromised the box. This is simply to check that people aren’t just “trying hashes they found online”. Once you have convinced them your hashes are legitimate and the box is broken, they can fix it. You may need to repwn once they’ve fixed it.
  • Wait. Hopefully in a few days/weeks, someone else will report it and the box will get fixed. Repwn it, get new hashes, submit flags, get points.

There isn’t really a lot else. Some people reset the box a lot but that makes the problem worse.

@xenacod said:

Hello guys, after enumerations I got a web page that required admin login, but I got the user name and login for admin and the password too but I have no success in logging into the web site/server coz it’s saying incorrect passwd. Is there any other way out?

Check for typos.

Can I get some help?

I got to the rce part, however multiple different shells all return errors and meterpreter tells me they are “Invalid”.
Is there an extra step to do before they execute properly?

@RandomPerson00 said:

Can I get some help?

I got to the rce part,

Just to check, is this for user or root?

however multiple different shells all return errors and meterpreter tells me they are “Invalid”.
Is there an extra step to do before they execute properly?

If this is for root, double-check the architecture and format you use to create the .*** you want to upload. Although I don’t think it is necessary here, I tend to use -e and some options just to be on the safe side.

If you build the .*** correctly, it should work.

Anyone having issues with the Revshell? It’s connecting back but doesn’t complete the shell. Am I missing something?

The website that takes a url kind of scrapes off a part of your script when it encounters some uncommon characters. Am I looking at the right place to get a shell?

@TazWake

Sorry, I meant the user part on the website. I think I am having the same problem as @wooly13

So far I only had a shell that ran in the browser but I could not get that back again. All others die immediately.

Edit: I guess others have mentioned the same issues before around page 3. The Solution seems to be S**F. I will have to check that out. No idea what to do though.

Also, for those who knew. Where did you learn this?

Rooted, anyone that needs a nudge feel free to pm me

So I have been off and on trying to get a shell with this motha for a hot minute. I have creds and a spot to upload some action (so I think) but it don’t like any of my action except some jank weevely code that is tricky to say the least. If you know weevely please hit me back. Or if anyone wants to drop a hint please do. Thanks.

All right. Stuck on root now.
I have found something on winpeas about “AIE******” but it doesn’t seem to work.
Further I had found the users hashes but I can’t seem to crack them.

Reading the other posts here the solution should be stupidly simple but I have no idea.

Nice machine to come back to htb with.

Foothold: careful enumeration will help you discover the first tidbit, then always always always try to access new things that maybe you weren’t able to before

User: Fairly straightforward, Find a way to execute your own code

Root: Find a priv esc tool - note: I do not use winpeas - if one tool doesn’t work for you, find another. I use a powershell script - PM me for the tool’s repo.

Hint: if you have a shell then it drops, your shell method of choice is either unstable (try a different technology method) or the htb processes did some automated cleanup. I typically get a foothold and move my tools to a folder I know won’t be in the cleanup processes.

Nice one.

Can anyone confirm this machine’s privesc works? It seems the machine is bugged, the service necessary for the privesc is not running.

I found the file url in “http://love.htb/” but I saw in the walkthroughs they put “http://127.0.0.1” and I don’t understand why they did this?! I thought I could upload a payload in the file url by putting the path of the payload on my machine and my ip and my port!! Plz, I need help to understand this.