NSE: Script scanning 10.10.11.251.
Initiating NSE at 13:43
Completed NSE at 13:43, 5.05s elapsed
Initiating NSE at 13:43
Completed NSE at 13:43, 0.19s elapsed
Initiating NSE at 13:43
Completed NSE at 13:43, 0.00s elapsed
Nmap scan report for pov.htb (10.10.11.251)
Host is up (0.045s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-favicon: Unknown favicon MD5: E9B5E66DEBD9405ED864CAC17E2A888E
|_http-title: pov.htb
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 44.54 ms 10.10.14.1
2 46.01 ms pov.htb (10.10.11.251)
NSE: Script Post-scanning.
Initiating NSE at 13:43
Completed NSE at 13:43, 0.00s elapsed
Initiating NSE at 13:43
Completed NSE at 13:43, 0.00s elapsed
Initiating NSE at 13:43
Completed NSE at 13:43, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 154.49 seconds
Raw packets sent: 131260 (5.779MB) | Rcvd: 708 (137.723KB)
Port 80 - pov.htb
Directory enumeration does not turn up anything that deserves special attention:
Port 80 - dev.pov.htb
It's possible to download the CV:
Directory enumeration does not turn up anything that deserves special attention here either:
Info
sfitz@pov.htb
IIS httpd 10.0
Microsoft Windows Server 2019
dev.pov.htb subdomain
Exploitation (foothold)
If we intercept the CV download request and change the requested file to /web.config:
We can obtain the decryption key:
We can also request other files like default.aspx:
And we can see the backend code C#:
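From the defender's side, the file-download parameter being pointed at web.config and at server-side source files is exactly the pattern that should stand out in the IIS logs. The following is an added example, not part of the writeup: it parses IIS W3C log lines (the log lines, the download.aspx path and the file= parameter name are constructed for illustration) and flags requests whose parameter names a configuration or source file, contains a traversal sequence, or carries an absolute path.

```powershell
# Added example (not from the original writeup): flag download parameters that
# reference configuration/source files in IIS W3C logs. The log lines, the
# /download.aspx path and the "file" parameter name are constructed.
$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-01-15 13:43:01 10.10.11.251 GET /default.aspx - 80 - 10.10.14.5 200
2024-01-15 13:43:09 10.10.11.251 GET /download.aspx file=cv.pdf 80 - 10.10.14.5 200
2024-01-15 13:43:15 10.10.11.251 GET /download.aspx file=/web.config 80 - 10.10.14.5 200
2024-01-15 13:43:22 10.10.11.251 GET /download.aspx file=..%2F..%2Fweb.config 80 - 10.10.14.5 200
2024-01-15 13:43:30 10.10.11.251 GET /download.aspx file=default.aspx 80 - 10.10.14.5 200
'@

function Find-SuspiciousFileRequest {
    param([string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields: header tells us the column layout of the lines that follow
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }

        # IIS replaces spaces inside field values with '+', so a single-space split is safe
        $values = $line -split ' '
        $record = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $record[$fields[$i]] = $values[$i]
        }

        $rawQuery = if ($record.ContainsKey('cs-uri-query')) { $record['cs-uri-query'] } else { '-' }
        # Decode percent-encoding so "..%2F" is inspected as "../"
        $query = [System.Uri]::UnescapeDataString($rawQuery)

        $reasons = @()
        if ($query -match '(^|[=/\\])web\.config(\b|$)')        { $reasons += 'web.config requested' }
        if ($query -match '(\.\./|\.\.\\)')                     { $reasons += 'path traversal sequence' }
        if ($query -match '\.(aspx|ashx|asmx|cs|config)(\b|$)') { $reasons += 'source/config extension' }
        if ($query -match '(^|=)[/\\]')                         { $reasons += 'absolute path in parameter' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = "$($record['date']) $($record['time'])"
                Client  = $record['c-ip']
                Query   = $query
                Status  = $record['sc-status']
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Three of the five constructed lines are flagged: the two web.config reads and the default.aspx source read
$hits = Find-SuspiciousFileRequest -Lines ($sampleLog -split "`r?`n")
$hits | Format-Table -AutoSize
```

One caveat: IIS logs cs-uri-query but never the request body, so if the application sends the file name in a POST form field the check above sees nothing. In that case the same matching has to run on Failed Request Tracing output, a reverse proxy, or a WAF log that records the body. The real fix is in the download handler itself: resolve the requested name against an allow-list or a fixed directory and reject anything whose canonical path falls outside it.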
Reference for the exploitation technique used:
Now, MAC is enabled for ViewState, but because the local file read vulnerability gave us access to web.config, which holds the validation key and algorithm shown above, we can use ysoserial.net to generate payloads by passing that validation key and algorithm as parameters.
We can use the following command to generate the payload to insert in place of original __VIEWSTATE value:
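The ViewState MAC only protects the application while the machineKey stays secret; once web.config has been read, the only remediation is to rotate the key (and close the file read). The following is an added example, not from the writeup: it audits the ViewState-related settings in a web.config (the config below is constructed to show a weak setup, with placeholder key values) and generates a fresh machineKey element to replace a disclosed one.

```powershell
# Added example (not from the original writeup): audit the ViewState settings
# in an ASP.NET web.config and produce a replacement machineKey. The config
# text is constructed; the key values are placeholders, not real keys.
$webConfigXml = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Auto" />
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
'@

function Test-ViewStateConfig {
    param([xml]$Config)

    $findings = @()
    $pages = $Config.configuration.'system.web'.pages
    $mk    = $Config.configuration.'system.web'.machineKey

    if ($pages -and $pages.enableViewStateMac -eq 'false') {
        $findings += 'enableViewStateMac is false: ViewState is not integrity-checked at all'
    }
    if (-not $pages -or $pages.viewStateEncryptionMode -ne 'Always') {
        $findings += 'viewStateEncryptionMode is not Always: ViewState contents are readable by clients'
    }
    if ($mk) {
        # A static key in web.config is disclosed by any file read on the site, as happened here
        $findings += 'machineKey is stored in web.config: rotate it after any file disclosure'
        if ($mk.validation -in @('MD5', 'SHA1')) {
            $findings += "validation=$($mk.validation): prefer HMACSHA256 or stronger"
        }
    }
    return $findings
}

function New-MachineKeyElement {
    # 64-byte validation key and 32-byte AES decryption key, hex-encoded as ASP.NET expects
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $v = New-Object byte[] 64; $rng.GetBytes($v)
    $d = New-Object byte[] 32; $rng.GetBytes($d)
    $hex = { param($b) ($b | ForEach-Object { $_.ToString('X2') }) -join '' }
    '<machineKey validationKey="{0}" decryptionKey="{1}" validation="HMACSHA256" decryption="AES" />' -f (& $hex $v), (& $hex $d)
}

# The constructed config yields three findings: encryption not Always, key in web.config, SHA1 validation
Test-ViewStateConfig -Config ([xml]$webConfigXml)
New-MachineKeyElement
```

Rotating the key invalidates every ViewState a client currently holds, so it is best done with a deployment rather than a hot edit. Encryption alone does not help once both keys are exposed, which is why the first finding on a box like this is the file read, not the ViewState settings.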
There is no user flag as sfitz, but with the net user command we can see that there are other users, such as alaading, so we need to keep searching. Under the Documents folder there is a connection.xml file:
PowerShell gives us a built-in way to both store and retrieve username and passwords securely using the commands Get-Credential, Export-CliXml and Import-CliXml.
Here's how you'd save a PSCredential object to a file:
Later, you want to use these previously exported credentials, in a script for example.
You cannot use them from a different account, because items encrypted with one account cannot be decrypted using another account.
So, you must “runas” the script with the account that created the credentials file.
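To make the account binding concrete, here is an added example (not part of the writeup) that exports a constructed credential with Export-CliXml, confirms the password is not written in clear text, and reads it back under the same account. The user name, password and file path are placeholders.

```powershell
# Added example (not from the original writeup): Export-CliXml protects the
# SecureString with DPAPI keyed to the exporting user, so it only round-trips
# under that same account. User name, password and path are constructed.
$plain  = 'ExamplePassw0rd!'
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential('svc_example', $secure)
$path   = Join-Path $env:TEMP 'connection-example.xml'

$cred | Export-CliXml -Path $path

function Test-CliXmlRoundTrip {
    param([string]$Path, [string]$Expected)

    # On disk the password is an opaque DPAPI blob, not the clear text
    $raw = Get-Content -Path $Path -Raw
    $storedInClear = $raw -match [regex]::Escape($Expected)

    # Same user that exported it: DPAPI unwraps the blob and the password comes back
    $back = Import-CliXml -Path $Path
    $roundTrips = ($back.GetNetworkCredential().Password -eq $Expected)

    [pscustomobject]@{
        StoredInClearText = $storedInClear   # False
        RoundTripsForOwner = $roundTrips     # True
    }
}

Test-CliXmlRoundTrip -Path $path -Expected $plain

# Run under any other account (or on another machine) Import-CliXml fails with
# "Key not valid for use in specified state." because the DPAPI user key differs.
Remove-Item -Path $path
```

The protection is therefore only as strong as the exporting account: anyone who runs code as sfitz, as happens in this foothold, decrypts the file without needing sfitz's password. Storing a higher-privileged user's credential (alaading) in a lower-privileged profile inverts the trust boundary; a credential store such as Windows Credential Manager or the SecretManagement module, scoped to the account that actually needs it, avoids leaving such a file behind.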
We try to decrypt the credentials as the sfitz user:
cd "C:\Users\sfitz\Documents"
$credential = Import-CliXml -Path .\connection.xml   # DPAPI unwraps the blob because we run as sfitz, the exporting user
$credential.GetNetworkCredential().Password          # returns the stored password in clear text
...and it's a win!
Info
username: alaading / password: f8gQ8fynP44ek1m3
Privilege Escalation
Escalating locally does not work, so if we cannot switch users (for example, from a reverse shell session), we can spawn another shell as another user by using RunasCS.