Last updated
Last updated
IP Address: 10.10.11.251
Pov is a medium Windows machine that starts with a webpage featuring a business site. Enumerating the initial webpage, an attacker is able to find the subdomain dev.pov.htb. Navigating to the newly discovered subdomain, a download option is vulnerable to remote file read, giving an attacker the means to get valuable information from the web.config file. The subdomain uses the ViewState mechanism, which, in combination with the secrets leaked from the web.config file, is vulnerable to insecure deserialization, leading to remote code execution as the user sfitz. Looking at the remote filesystem, an attacker can discover and manipulate a file that reveals the credentials for the user alaading. Once the attacker has code execution as the user alaading the SeDebugPrivilege is abused to gain code execution in the context of a privileged application, ultimately resulting in code execution as nt authority\system.
From the secrets from web.config file, I can create .NET serialized object and attempt to get RCE
I inject the object above in _VIEWSTATE parameter and get a shell as alaading
It is a PS Credential for alaading:
PowerShell credentials are often used for scripting and automation tasks as a way to store encrypted credentials conveniently.
If you have SeDebug privileges, you can debug programs and processes from memory, so we can dump lsass.exe process and get all the secrets and hashes from the machine.
To get RCE as SYSTEM account, you can start meterperter shell and migrate to winlogon process from Metasploit
The credentials are protected using , which typically means they can only be decrypted by the same user on the same computer they were created on.
