In this post, I would like to share a walkthrough of the Pov Machine from Hack the Box

This room will be considered a medium machine on Hack the Box

What will you gain from the Pov machine?

For the user flag, you must to exploit a file read and directory traversal vulnerability on the web page, read the ASP.NET secrets used for VIEWSTATE. Then, use ysoserial.net to craft a malicious serialized .NET payload to achieve code execution

As for the root flag, you need to exploit a PowerShell credential, and then utilize SeDebugPrivilege through both Metasploit and a PowerShell script (psgetsys.ps1).

Information Gathering on Pov Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start

[darknite@parrot]─[~/Documents/htb/pov]
└──╼ $nmap -sV -sC 10.10.11.251 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-08 06:42 EDT
Nmap scan report for 10.10.11.251
Host is up (0.29s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: pov.htb
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.08 seconds
┌─[darknite@parrot]─[~/Documents/htb/pov]
└──╼ $

Let’s access the website interface

There is nothing that we can see interesting on the website interface

There is also not much information that we can look into regarding the response via Burpsuite

Therefore, let’s enumerate the directory on the pov.htb by using gobuster tool

As a result, we can try to enumerate subdomains by using the same tool which is gobuster

From the subdomain, we are provided with a potential username on the machine

We can also read the profile of Stephen Fitz and we notice there’s a Download CV button which leads to the portfolio directory

I did notice that the data is shown below

__EVENTTARGET=download&
__EVENTARGUMENT=&
__VIEWSTATE=DY%2FikU7FyXJZCW0op4Kz6Bgqd4o%2FFtEfEsiowrOTlRKwk96TfCKJt6cwtTy82KRl93H2SNf4FCvmzZuhMaKfKMCbzZg%3D&
__VIEWSTATEGENERATOR=8E0F0FA3&
__EVENTVALIDATION=eGOIJz%2BJA4RbAfYNdIjP%2FXmYDtUaz97UabMUsYu%2Bg8ppRuevK%2FWEufVY9E0M8KqssT57LzrVSlgu%2FzTmjoojoiS270xt9sBSLasZ2CSk2sh4uF3oBk9hMWE%2FILb9D20b1kQDEA%3D%3D
&file=cv.pdf

If you look in the file section, there’s a file cv.pdf which we can download on our attacker’s machine

On the browser, we managed to see the actual CV of Stephen

Sadly, we cannot retrieve the /etc/passwd by using this method

Let’s see the configuration on the web.config

There is a lot of useful information that we can use to exploit it

Using the ysoserial tool to retrieve the reverse shell on pov machine

Let’s do some research on the ViewStateUserKeys and manage to find this page here to help us on the next step

Firstly, let’s exploit that mentioned on the website on Parrot OS(the machine that I use for playing this machine) but sadly, we have an error while executing the command

Again, we cannot execute the command even though I try on Linux PowerShell

As a last resort, we need to execute the command within Windows OS.

We managed to find a contact page that might be vulnerable to the attack

Let’s change the payload by included the contact.aspx on the path

We should copy-paste the payload as shown above

Let’s start our listener on our attacker’s machine

At last, we managed to retrieve a reverse shell connection back to us

The privileges of the sfitz are limited to two which are SeChangeNotifyPrivilege and SeIncreaseWorkingSetPrivilege state

We managed to find an XML file format within the Sfitz Document folder

The file did contain the information as shown above.

At last, we managed to retrieve the Username and Password

Let’s upload the RunasCs.exe into the victim’s machine

It looks like works a charm!

We should be getting shell by executing the command above

We can read the user flag by typing the “type user.txt” command

Escalate to Root Privileges Access

Firstly, we have a clear idea of the Privileges access of the users that we accessed

Let’s see the full access by bypassing the PowerShell

Let’s upload psgetsys.ps1 into the victim’s machine

However, it looks like some error appeared while trying to import the module

Therefore, let’s move the ps1 file into the programdata

It looks promising at this point

As a result, let’s upload nc.exe file into the victim’s machine

We should be looking at the process of the winlogon by using the Get-Process

Therefore, let’s execute the command above which shows an error appear

Let’s do some port-forwarding on the victim’s machine

After a while, the port-forwarding works as shown in the screenshot above

Let’s access the machine as alaading using the evil-winrm command

It looks promising at this point

Finally, we managed to retrieve the reverse shell connection back to us

We can read the root flag by typing the “type root.txt” command

Another way to obtain root via Metasploit

Normally, I will not even try using the Metasploit method but I do the method for learning sake

Firstly, we should create a malicious file by using msfvenom tool

Let’s start our listener on the Metasploit tool

We can use the same previous command which only changes the end of the command to the malicious file

Boom! We have successfully obtained the session on the Metasploit

From here, we can do a similar step as the one that we use without the Metasploit

Boom! We have the root flag

We also can obtain the hash using hashdump