In this post, I would like to share a walkthrough of the Pov machine from Hack The Box.


This machine is rated medium on Hack The Box.

What will you gain from the Pov machine?


For the user flag, you must exploit a file read and directory traversal vulnerability on the web page and read the ASP.NET secrets used for the VIEWSTATE. Then, use ysoserial.net to craft a malicious serialized .NET payload to achieve code execution.


As for the root flag, you need to recover a stored PowerShell credential and then abuse SeDebugPrivilege, both through Metasploit and with a PowerShell script (psgetsys.ps1).

Information Gathering on Pov Machine


Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can begin.

┌─[darknite@parrot]─[~/Documents/htb/pov]
└──╼ $nmap -sV -sC 10.10.11.251 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-08 06:42 EDT
Nmap scan report for 10.10.11.251
Host is up (0.29s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: pov.htb
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.08 seconds
┌─[darknite@parrot]─[~/Documents/htb/pov]
└──╼ $

Let’s access the website interface.


There is nothing interesting to see on the website itself.


The response in Burp Suite does not reveal much either.


Therefore, let’s enumerate directories on pov.htb with gobuster.


Next, we can enumerate subdomains with the same tool, gobuster.


The subdomain gives us a potential username on the machine.


We can also read the profile of Stephen Fitz and notice a Download CV button, which leads to the portfolio directory.


I noticed that the request data is as shown below:

__EVENTTARGET=download&
__EVENTARGUMENT=&
__VIEWSTATE=DY%2FikU7FyXJZCW0op4Kz6Bgqd4o%2FFtEfEsiowrOTlRKwk96TfCKJt6cwtTy82KRl93H2SNf4FCvmzZuhMaKfKMCbzZg%3D&
__VIEWSTATEGENERATOR=8E0F0FA3&
__EVENTVALIDATION=eGOIJz%2BJA4RbAfYNdIjP%2FXmYDtUaz97UabMUsYu%2Bg8ppRuevK%2FWEufVY9E0M8KqssT57LzrVSlgu%2FzTmjoojoiS270xt9sBSLasZ2CSk2sh4uF3oBk9hMWE%2FILb9D20b1kQDEA%3D%3D&
file=cv.pdf

The file parameter points to cv.pdf, which we can download to our attacker machine.


In the browser, we can see the actual CV of Stephen.


Sadly, we cannot retrieve /etc/passwd by using this method.
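The file read above works because the `file` parameter is joined onto the download folder and trusted. The following Python is an added example, not code from the original post or from the box itself: it shows the vulnerable join beside a hardened resolver that accepts only a bare file name and confirms the canonical path still sits directly inside the download folder. The folder path `PORTFOLIO_DIR` is an assumption. It generalises the single cv.pdf case to any requested name, including backslash and absolute-path forms.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed download folder; the real site serves files from its own
# portfolio directory (the path below is an assumption, not the box's).
PORTFOLIO_DIR = "/srv/www/pov/portfolio"


def vulnerable_download_path(base_dir: str, requested: str) -> str:
    """The pattern behind the bug: the `file` parameter is joined onto the
    folder path and trusted.  '..' segments walk out of the folder, and an
    absolute path makes os.path.join discard base_dir entirely."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_download_path(base_dir: str, requested: str) -> Optional[Path]:
    """Hardened form: accept only a bare file name, then confirm that the
    canonical path still lives directly inside base_dir.  Returns None for
    anything the handler must refuse."""
    if not requested:
        return None
    # IIS on Windows accepts both separators, so treat '\\' like '/'.
    name = requested.replace("\\", "/")
    # A bare file name equals its own basename and is neither '.' nor '..'.
    if name != os.path.basename(name) or name in (".", ".."):
        return None
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()
    # resolve() follows symlinks, so a link that points outside the folder
    # ends up with a different parent and is refused as well.
    if candidate.parent != base:
        return None
    return candidate


def is_safe_download(base_dir: str, requested: str) -> bool:
    """Convenience wrapper: True only when the request would be served."""
    return safe_download_path(base_dir, requested) is not None


if __name__ == "__main__":
    for attempt in ("cv.pdf", "../web.config", "..\\..\\web.config", "/etc/passwd"):
        print(f"{attempt!r:24} vulnerable -> {vulnerable_download_path(PORTFOLIO_DIR, attempt)}")
        print(f"{'':24} hardened   -> {safe_download_path(PORTFOLIO_DIR, attempt)}")
```

In an ASP.NET handler the same two checks map to Path.GetFileName on the parameter and Path.GetFullPath on the result compared against the physical folder; the important part is refusing anything that is not a plain name rather than trying to strip '..' sequences out of the input.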


Let’s look at the configuration in web.config.


It contains a lot of useful information that we can use for the next step.

Using the ysoserial tool to obtain a reverse shell on the Pov machine


After some research on ViewStateUserKey, I found this page, which helps us with the next step.
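The secrets that make the ViewState attack possible are the machineKey entries in web.config, which the file read exposed. As an added example (not the post's or the box's own configuration; both web.config samples below are constructed with placeholder keys), this Python audit parses a web.config and flags the ViewState-related settings a defender should fix: a static machineKey readable in plaintext, a validation algorithm that is not HMAC-SHA2, MAC validation switched off, or ViewState encryption not forced.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed weak sample with placeholder keys (not the box's real web.config):
# static keys in plaintext, SHA1 validation, ViewState encryption left on Auto.
WEAK_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.8" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Auto" />
    <machineKey validationKey="PLACEHOLDER-VALIDATION-KEY-HEX"
                decryptionKey="PLACEHOLDER-DECRYPTION-KEY-HEX"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed hardened sample: the machineKey section has been encrypted with
# aspnet_regiis -pe, so only an opaque blob sits in the file; MAC stays on and
# ViewState is always encrypted.
HARDENED_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.8" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData>PLACEHOLDER-ENCRYPTED-BLOB</EncryptedData>
    </machineKey>
  </system.web>
</configuration>
"""

STRONG_VALIDATION = ("HMACSHA256", "HMACSHA384", "HMACSHA512")

FINDING_ADVICE: Dict[str, str] = {
    "MACHINEKEY_PLAINTEXT": "static machineKey readable in web.config: any file-read bug "
                            "hands out the ViewState signing key; encrypt the section and rotate the key",
    "WEAK_VALIDATION_ALGORITHM": "validation algorithm is not HMAC-SHA2; set validation=\"HMACSHA256\"",
    "VIEWSTATE_MAC_DISABLED": "enableViewStateMac is not true; unsigned ViewState is deserialised as-is",
    "VIEWSTATE_NOT_ALWAYS_ENCRYPTED": "viewStateEncryptionMode is not Always; ViewState contents are readable",
}


def _first(element: Optional[ET.Element], tag: str) -> Optional[ET.Element]:
    """First element with this tag (the element itself or a descendant), or None.
    iter() is used instead of find() because of the dot in 'system.web'."""
    if element is None:
        return None
    return next(element.iter(tag), None)


def audit_viewstate(config_xml: str) -> List[str]:
    """Return finding codes for ViewState-related weaknesses, in check order."""
    root = ET.fromstring(config_xml)
    system_web = _first(root, "system.web")
    findings: List[str] = []

    machine_key = _first(system_web, "machineKey")
    # configProtectionProvider marks a section encrypted by aspnet_regiis -pe:
    # no key material is readable, so there is nothing to flag about the keys.
    if machine_key is not None and "configProtectionProvider" not in machine_key.attrib:
        # The default value "AutoGenerate,IsolateApps" means no static key on disk.
        if not machine_key.get("validationKey", "AutoGenerate").startswith("AutoGenerate"):
            findings.append("MACHINEKEY_PLAINTEXT")
        if machine_key.get("validation", "HMACSHA256").upper() not in STRONG_VALIDATION:
            findings.append("WEAK_VALIDATION_ALGORITHM")

    pages = _first(system_web, "pages")
    mac = pages.get("enableViewStateMac", "true") if pages is not None else "true"
    if mac.lower() != "true":
        findings.append("VIEWSTATE_MAC_DISABLED")
    mode = pages.get("viewStateEncryptionMode", "Auto") if pages is not None else "Auto"
    if mode.lower() != "always":
        findings.append("VIEWSTATE_NOT_ALWAYS_ENCRYPTED")
    return findings


def describe(findings: List[str]) -> List[str]:
    """Human-readable advice for each finding code."""
    return [f"{code}: {FINDING_ADVICE[code]}" for code in findings]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, describe(audit_viewstate(cfg)) or ["no findings"])
```

ViewStateUserKey, which the page linked above discusses, is set per page in code (Page.ViewStateUserKey), so a config audit cannot see it. The config-level fixes are to encrypt the machineKey section in place (aspnet_regiis -pe "system.web/machineKey" -app "/") and to rotate the key after any exposure, which invalidates every ViewState signed with the old one.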


First, let’s try the method described on that page from Parrot OS (the machine I use for playing this box), but sadly we get an error while executing the command.


Again, the command fails, even when I try it in PowerShell on Linux.


As a last resort, we need to execute the command on a Windows machine.


We managed to find a contact page that might be vulnerable to the attack.


Let’s change the payload by including contact.aspx in the path.


We then copy and paste the payload as shown above.


Let’s start our listener on our attacker’s machine


At last, we managed to retrieve a reverse shell connection back to us


The privileges of sfitz are limited to two: SeChangeNotifyPrivilege and SeIncreaseWorkingSetPrivilege.


We find an XML file in sfitz’s Documents folder.


The file contains the information shown above.


From it, we retrieve the username and password.
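A PowerShell credential saved to an XML file is what Export-Clixml writes for a PSCredential: the user name in clear and the password as a DPAPI-protected SecureString. As an added example (not code from the post), this Python identifies such files so they can be cleaned up; the sample XML is constructed with a placeholder blob, and the directory scanner is an assumption about where an administrator would look.

```python
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"
PSCREDENTIAL_TYPE = "System.Management.Automation.PSCredential"

# Constructed sample of what Export-Clixml writes for a PSCredential.
# UserName is stored in clear; Password is a DPAPI-protected SecureString
# (an SS element).  The hex here is a placeholder, not a real blob.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">EXAMPLE\\someuser</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297ebPLACEHOLDER</SS>
    </Props>
  </Obj>
</Objs>
"""


def find_pscredentials(xml_text: str) -> List[Dict[str, str]]:
    """Return one entry per PSCredential object found in a CliXML document.

    password_storage is 'dpapi-securestring' for the normal SS element,
    'plaintext' if someone stored the password as a plain string, or 'none'.
    Anything that is not CliXML yields an empty list.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []
    if root.tag != PS_NS + "Objs":
        return []
    found: List[Dict[str, str]] = []
    for obj in root.iter(PS_NS + "Obj"):
        type_names = {t.text for t in obj.iter(PS_NS + "T")}
        if PSCREDENTIAL_TYPE not in type_names:
            continue
        props = next(obj.iter(PS_NS + "Props"), None)
        if props is None:
            continue
        entry = {"username": "", "password_storage": "none"}
        for prop in props:
            if prop.get("N") == "UserName":
                entry["username"] = prop.text or ""
            elif prop.get("N") == "Password":
                entry["password_storage"] = (
                    "dpapi-securestring" if prop.tag == PS_NS + "SS" else "plaintext"
                )
        found.append(entry)
    return found


def scan_directory(root_dir: str) -> List[Tuple[str, List[Dict[str, str]]]]:
    """Walk root_dir (for instance C:\\Users, an assumption about where to
    look) and report every .xml file that carries a PSCredential."""
    hits = []
    for dirpath, _, filenames in os.walk(root_dir):
        for filename in filenames:
            if not filename.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, filename)
            try:
                # Export-Clixml writes UTF-8 with a BOM, hence utf-8-sig.
                with open(path, "r", encoding="utf-8-sig", errors="ignore") as fh:
                    creds = find_pscredentials(fh.read())
            except OSError:
                continue
            if creds:
                hits.append((path, creds))
    return hits


if __name__ == "__main__":
    print(find_pscredentials(SAMPLE_CLIXML))
```

The SS blob is bound to the user and machine that wrote it, and any process running as that user can reverse it (that is exactly what Import-Clixml does), so to anyone who lands in that user's session the file is a plaintext password. Stored credentials of this kind belong in a vault or a managed service account, not in a profile folder.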


Let’s upload RunasCs.exe to the victim machine.


It works like a charm!


We get a shell by executing the command above.




We can read the user flag by typing the “type user.txt” command

Escalating to Root Privileges


First, we get a clear picture of the privileges of the user we now have access to.


Let’s see the full access by launching PowerShell in bypass mode.


Let’s upload psgetsys.ps1 to the victim machine.


However, an error appears while trying to import the module.


Therefore, let’s move the .ps1 file into ProgramData.


It looks promising at this point.


Next, let’s upload the nc.exe file to the victim machine.


We look up the winlogon process with Get-Process.


Then we execute the command above, which shows an error.


Let’s do some port-forwarding on the victim’s machine



After a while, the port-forwarding works as shown in the screenshot above


Let’s access the machine as alaading using the evil-winrm command



It looks promising at this point


Finally, we managed to retrieve the reverse shell connection back to us


We can read the root flag by typing the “type root.txt” command

Another way to obtain root, via Metasploit


Normally, I would not even try the Metasploit method, but I do it here for learning’s sake.


First, we create a malicious file with the msfvenom tool.


Let’s start our listener in Metasploit.


We can use the same command as before, changing only the end of it to point at the malicious file.


Boom! We have successfully obtained a session in Metasploit.


From here, we can follow steps similar to the ones we used without Metasploit.







Boom! We have the root flag


We can also obtain the password hashes with hashdump.