2. Pov
2.1. Machine Info

2.2. Recon
2.2.1. Port
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: pov.htb
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
2.2.2. Path
└─╼$ gobuster dir -u http://pov.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt -t 64 -k --no-error
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://pov.htb
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 142] [--> http://pov.htb/img/]
/index.html (Status: 200) [Size: 12330]
/css (Status: 301) [Size: 142] [--> http://pov.htb/css/]
/Index.html (Status: 200) [Size: 12330]
/js (Status: 301) [Size: 141] [--> http://pov.htb/js/]
/IMG (Status: 301) [Size: 142] [--> http://pov.htb/IMG/]
/INDEX.html (Status: 200) [Size: 12330]
/*checkout* (Status: 400) [Size: 3420]
/CSS (Status: 301) [Size: 142] [--> http://pov.htb/CSS/]
/Img (Status: 301) [Size: 142] [--> http://pov.htb/Img/]
/JS (Status: 301) [Size: 141] [--> http://pov.htb/JS/]
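The directory scan above returns the same 200/12330 response for /index.html, /Index.html and /INDEX.html, and the same 301 for /img, /IMG and /Img: IIS resolves paths case-insensitively, so a mixed-case wordlist produces repeats. The following added example (not part of the original write-up) parses gobuster's result lines, groups case variants, and checks whether the variants share status and size as evidence of case-insensitive handling. The sample input is the scan output quoted above, embedded as a constructed string; the function and field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the gobuster "dir" result lines from the scan above.
GOBUSTER_OUTPUT = """\
/img (Status: 301) [Size: 142] [--> http://pov.htb/img/]
/index.html (Status: 200) [Size: 12330]
/css (Status: 301) [Size: 142] [--> http://pov.htb/css/]
/Index.html (Status: 200) [Size: 12330]
/js (Status: 301) [Size: 141] [--> http://pov.htb/js/]
/IMG (Status: 301) [Size: 142] [--> http://pov.htb/IMG/]
/INDEX.html (Status: 200) [Size: 12330]
/*checkout* (Status: 400) [Size: 3420]
/CSS (Status: 301) [Size: 142] [--> http://pov.htb/CSS/]
/Img (Status: 301) [Size: 142] [--> http://pov.htb/Img/]
/JS (Status: 301) [Size: 141] [--> http://pov.htb/JS/]
"""

# One gobuster result line: path, status, size and an optional redirect target.
LINE_RE = re.compile(
    r"^(?P<path>\S+) \(Status: (?P<status>\d{3})\) \[Size: (?P<size>\d+)\]"
    r"(?: \[--> (?P<redirect>\S+)\])?$"
)


def parse_gobuster(text):
    """Return a list of dicts for every line that matches gobuster's result format."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # banner lines and blanks are skipped
        results.append({
            "path": m["path"],
            "status": int(m["status"]),
            "size": int(m["size"]),
            "redirect": m["redirect"],
        })
    return results


def group_case_variants(results):
    """Group results whose paths differ only in letter case."""
    groups = defaultdict(list)
    for r in results:
        groups[r["path"].lower()].append(r)
    return dict(groups)


def is_case_insensitive(results):
    """True if some case-variant group has identical status and size across variants."""
    for variants in group_case_variants(results).values():
        if len(variants) > 1:
            same_status = len({v["status"] for v in variants}) == 1
            same_size = len({v["size"] for v in variants}) == 1
            if same_status and same_size:
                return True
    return False


def unique_paths(results):
    """Collapse case variants, keeping the first spelling seen for each path."""
    seen, out = set(), []
    for r in results:
        key = r["path"].lower()
        if key not in seen:
            seen.add(key)
            out.append(r["path"])
    return out


if __name__ == "__main__":
    res = parse_gobuster(GOBUSTER_OUTPUT)
    print("case-insensitive server:", is_case_insensitive(res))
    for p in unique_paths(res):
        print(p)
```

Feeding a real gobuster log through parse_gobuster and unique_paths cuts the eleven hits above down to five distinct resources, and the same grouping is a cheap way to flag a case-insensitive target before choosing a wordlist.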
2.2.3. Subdomain
└─╼$ gobuster vhost -u http://pov.htb/ -t 35 --append-domain -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://pov.htb/
[+] Method: GET
[+] Threads: 35
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: dev.pov.htb Status: 302 [Size: 152] [--> http://dev.pov.htb/portfolio/]
2.2.4. Email
Email : sfitz@pov.htb
2.3. Foothold
Notice: the full version of the write-up is here.
2.4. Exploit Chain
port scan -> LFI -> web.config -> VIEWSTATE deserialization exploit -> sfitz shell -> enum alaading's PSCredential
-> create credential -> RunasCs to trigger a reverse PowerShell with alaading's privileges and SeDebugPrivilege enabled -> msfvenom revshell.exe executed -> meterpreter: hashdump, smart_hashdump -> all hashes -> chisel to do port forwarding, kali's 5985 = windows's 5985 -> evil-winrm: admin shell
-> get username and password -> netstat enum -> port forwarding by chisel -> evil-winrm to log in with alaading's privileges using the found credential -> msf reverse file executed -> meterpreter: hash dump -> evil-winrm: admin shell
2.5. Beyond Root
Why the PowerShell reverse shell has no SeDebugPrivilege
Why PowerShell spawned by RunasCs has SeDebugPrivilege while cmd does not
Why evil-winrm has all privileges enabled