Pov

Machine Design

Behind the scenes on Pov machine configurations.

Requirements

  • VMWare Workstation or ESXI
  • 17GB Free storage
  • 2GB RAM
  • 2 CPU

Machine features

  • Windows Server 2019
  • IIS 10
    • IIS Authentication
    • IIS Vhost
    • ASP.NET 4.7
    • Machine Key
  • Web Applications
    • HTML / CSS / JS
    • ASP.NET

Credentials

Credentials to access the machine.

User            Password
Administrator   qD6GsE4Q3pMg1Tq9
sfitz           CyberSecFest2023!
alaading        f8gQ8fynP44ek1m3

Key Processes

The following table shows the relevant processes within the machine.

Process   Port   Information
IIS       80     Default application; contains important information, including the new vhost dev.pov.htb
IIS       8080   ASP.NET web application behind Basic Authentication; common vulnerabilities in download functions
WinRM     5985   Remote authentication for users (PowerShell remoting, members of Remote Management Users)

Automation / Crons

There is no scheduled task on this machine.

Firewall Rules

The following table shows the Firewall rules.

Protocol   Port   Status   Rule
ICMP       -      Allow    inbound
HTTP       80     Allow    inbound
HTTP       8080   Allow    inbound
WinRM      5985   Allow    inbound
*          *      Allow    outbound

Docker

There is no container running on the machine.

Other

There are no other files on the machine.

Updates and Patches

Update             Affect   Keep Version / Config
Windows Security   No       -
IIS                Yes      10
ASP.NET            Yes      4.7
IIS Machine Key    Yes      Don't change the machine key
web.config         Yes      Don't modify
connection.xml     Yes      Don't modify or delete

Machine creation

This machine was built on Windows Server 2019 with IIS 10. The following sections show the steps needed to reproduce the configuration yourself.

System Configurations

Update Windows Security

We need to install security updates first.

Install-Module -Name PSWindowsUpdate -Confirm:$False -Force
Import-Module PSWindowsUpdate
Get-WindowsUpdate -Install -AcceptAll -Verbose

Configure Hostname

Rename-Computer -NewName "pov" -Restart

Disable PS History

This only affects the current session. To keep it disabled for every user and session, add the same line to the all-users profile ($PROFILE.AllUsersAllHosts) and delete any existing ConsoleHost_history.txt under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine.

Set-PSReadLineOption -HistorySaveStyle SaveNothing

Disable Windows Defender

Set-MpPreference -DisableRealtimeMonitoring $true

Disable UAC

Takes effect after the next reboot.

Set-Itemproperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\system' -Name 'EnableLUA' -value 0

Configure Firewall

Only ICMP echo and TCP 8080 need explicit rules. Port 80 is opened by the Web-Server role ("World Wide Web Services (HTTP Traffic-In)") and port 5985 by the built-in "Windows Remote Management (HTTP-In)" rule.

netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
netsh advfirewall firewall add rule name="Open Port 8080" dir=in action=allow protocol=TCP localport=8080

Configure Host file

Add-Content -Path C:\windows\System32\drivers\etc\hosts -Value "127.0.0.1   pov.htb dev.pov.htb"

Create Users

net user sfitz CyberSecFest2023! /add
net user alaading f8gQ8fynP44ek1m3 /add
net localgroup "Remote Management Users" alaading /add

Note

Log in interactively as each of these users once before continuing, so that their profile directories (C:\Users\sfitz, C:\Users\alaading) exist for the following steps. The passwords must match the Credentials table above.

Create Flags (user/root)

Add-Content -Path C:\Users\sfitz\Desktop\user.txt -Value "c33518aa20832e92024776c183d8b3e3"
Add-Content -Path C:\Users\Administrator\Desktop\root.txt -Value "114c9d4f74b58155f73c19f9c91e7d2c"

Modify the permissions on user.txt so that sfitz can read the flag but not change it.

  • Right click on user.txt
  • Properties
  • Security
    • Advanced
    • Disable inheritance
      • Convert inherited permissions into explicit permissions on this object
    • Select the sfitz user
    • Edit
      • Uncheck Full control, Modify, Write
      • Ok
      • Apply
      • Ok
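The same permission change as the Properties > Security steps above, done with icacls so it can be scripted, followed by a read-back check. This is an added example, not part of the original page; the path and user name are the ones used above.

```powershell
# Added example: scripted equivalent of the GUI steps above (not from the original page).
$flag = 'C:\Users\sfitz\Desktop\user.txt'

# Disable inheritance and convert inherited ACEs to explicit ones
# (the "Convert inherited permissions into explicit permissions" option).
icacls $flag /inheritance:d | Out-Null

# Replace sfitz's explicit rights with read and execute only
# (Full control, Modify and Write removed, as in the GUI).
icacls $flag /grant:r 'sfitz:(RX)' | Out-Null

# Verify: sfitz should now hold ReadAndExecute, Synchronize and nothing more,
# and the entry must not be inherited.
(Get-Acl $flag).Access |
    Where-Object { $_.IdentityReference -like '*\sfitz' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

SYSTEM and Administrators keep their converted explicit entries, so the root-level cleanup steps later on still work; only the sfitz entry is narrowed.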

Configure IIS

Install Windows IIS Features

Install-WindowsFeature Web-Server -IncludeManagementTools
Enable-WindowsOptionalFeature -Online -FeatureName IIS-BasicAuthentication
Enable-WindowsOptionalFeature -Online -FeatureName IIS-ASPNET45 -All

Create Web Environment

Create web directories.

mkdir c:\inetpub\wwwroot\dev
mkdir c:\inetpub\wwwroot\public

Import Module.

Import-Module WebAdministration

Remove default web site.

Remove-Website -Name "Default Web Site"

Create new Application Pool.

New-WebAppPool -Name "public"
New-WebAppPool -Name "dev"

Create new web site.

New-Website -Name "public" -Port 80 -PhysicalPath "C:\inetpub\wwwroot\public" -ApplicationPool public
New-Website -Name "dev" -Port 8080 -HostHeader "dev.pov.htb" -PhysicalPath "C:\inetpub\wwwroot\dev" -ApplicationPool dev

Run both application pools as the local user sfitz (IdentityType 3 = SpecificUser). Any code executed by either site therefore runs with sfitz's token, which is why the account's privileges are trimmed later under Local Security Policy.

Set-ItemProperty "IIS:\AppPools\public" -Name "ProcessModel" -Value @{UserName ="sfitz"; Password = "CyberSecFest2023!"; IdentityType = 3}
Set-ItemProperty "IIS:\AppPools\dev" -Name "ProcessModel" -Value @{UserName = "sfitz"; Password = "CyberSecFest2023!"; IdentityType = 3}

Configure anonymous access for the public web app. An empty userName makes anonymous requests run under the application pool identity (sfitz) instead of the default IUSR account.

Set-WebConfigurationProperty -PSPath "IIS:\" -Location "public" -Name "userName" -Value ""  -Filter "system.webServer/security/authentication/anonymousAuthentication"

Disable Anonymous Authentication dev app.

Set-WebConfigurationProperty -PSPath "IIS:\" -Location "dev" -Value $false -Name "enabled" -Filter "system.webServer/security/authentication/anonymousAuthentication"

Enable Basic Authentication dev app.

Set-WebConfigurationProperty -PSPath "IIS:\" -Location "dev" -Value $true -Name "enabled" -Filter "system.webServer/security/authentication/basicAuthentication"
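Before moving on, it is worth reading the IIS state back rather than trusting that each command applied. The following verification script is an added example, not part of the original page; it uses the site, pool and user names from the steps above and assumes the hosts entry for dev.pov.htb is already in place.

```powershell
# Added verification step (not from the original page): confirm the IIS state the
# commands above should have produced.
Import-Module WebAdministration

# 1. Sites and bindings: expect public on *:80: and dev on *:8080:dev.pov.htb
Get-Website | ForEach-Object {
    $bind = ($_.bindings.Collection | ForEach-Object { $_.bindingInformation }) -join ' '
    '{0,-7} {1,-8} {2,-30} {3}' -f $_.name, $_.state, $_.physicalPath, $bind
}

# 2. Application pool identity: identityType 3 (SpecificUser) and userName sfitz
foreach ($pool in 'public', 'dev') {
    $pm = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel
    '{0,-7} identityType={1} userName={2}' -f $pool, $pm.identityType, $pm.userName
}

# 3. Authentication per site. public: anonymous on with an empty userName, so
#    anonymous requests run as the pool identity (sfitz). dev: anonymous off, Basic on.
foreach ($site in 'public', 'dev') {
    $anon  = Get-WebConfiguration -PSPath 'IIS:\' -Location $site `
               -Filter 'system.webServer/security/authentication/anonymousAuthentication'
    $basic = Get-WebConfiguration -PSPath 'IIS:\' -Location $site `
               -Filter 'system.webServer/security/authentication/basicAuthentication'
    '{0,-7} anonymous={1} anonymousUser="{2}" basic={3}' -f $site, $anon.enabled, $anon.userName, $basic.enabled
}

# 4. Behavioural check: the dev vhost must answer 401 without credentials. It is only
#    matched when the Host header is dev.pov.htb; http://<ip>:8080/ without that header
#    does not reach the dev site.
try   { Invoke-WebRequest -Uri 'http://dev.pov.htb:8080/' -UseBasicParsing | Out-Null; 'dev.pov.htb:8080 -> 200 (unexpected: Basic auth not enforced)' }
catch { 'dev.pov.htb:8080 -> ' + $_.Exception.Response.StatusCode.value__ }
```

A 503 on the last check usually means the pool identity password does not match the sfitz account; the worker process fails to start rather than the site misbehaving.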

Configure Machine Key in dev application

Note

The web files must be copied into the machine first, because the machine key is written into the deployed web.config.

Copy web files to root directory.

xcopy "C:\machine\web\dev" "C:\inetpub\wwwroot\dev" /s /e
xcopy "C:\machine\web\public" "C:\inetpub\wwwroot\public" /s /e

Run the script to configure the machine key. It must edit the deployed copy (C:\inetpub\wwwroot\dev\web.config), not the source under C:\machine: that directory is deleted later and is not what IIS serves. keys.ps1 is expected to output a single <machineKey ... /> element.

$webConfigPath = "C:\inetpub\wwwroot\dev\web.config"
$webConfigContent = Get-Content -Path $webConfigPath -Raw
$newMachineKey = & C:\machine\scripts\keys.ps1
$webConfigContent = $webConfigContent -replace '<machineKey[^>]*/>', $newMachineKey
Set-Content -Path $webConfigPath -Value $webConfigContent
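The page does not reproduce keys.ps1. The block below is an added example of a generator that returns the kind of element the replacement above expects, together with the replacement applied to the deployed file and a read-back. It is not the page's own script; the key sizes and algorithms (64-byte HMACSHA256 validation key, 32-byte AES decryption key) are my choice.

```powershell
# Added example (not the page's keys.ps1): generate a <machineKey/> element, write it
# into the deployed web.config, and read it back.
function New-MachineKeyElement {
    # 64 random bytes for the HMACSHA256 validationKey, 32 for the AES-256 decryptionKey
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $v = New-Object byte[] 64; $rng.GetBytes($v)
    $d = New-Object byte[] 32; $rng.GetBytes($d)
    $hex = { param([byte[]]$b) ($b | ForEach-Object { $_.ToString('X2') }) -join '' }
    '<machineKey validationKey="{0}" decryptionKey="{1}" validation="HMACSHA256" decryption="AES" />' -f (& $hex $v), (& $hex $d)
}

# Deployed copy, not the source under C:\machine (which is deleted later)
$webConfigPath = 'C:\inetpub\wwwroot\dev\web.config'

# -Raw keeps the file as one string so the element is matched even if it spans lines
$content = Get-Content -Path $webConfigPath -Raw
if ($content -notmatch '<machineKey[^>]*/>') { throw "no <machineKey/> element in $webConfigPath" }

$content = $content -replace '<machineKey[^>]*/>', (New-MachineKeyElement)
Set-Content -Path $webConfigPath -Value $content -NoNewline

# Read back from the deployed file: this is the key the dev site will actually use
([xml](Get-Content -Path $webConfigPath -Raw)).SelectSingleNode('//machineKey').OuterXml
```

The validation key is what ASP.NET uses to sign ViewState for the dev application, so the value written here is the one that must stay fixed (see Updates and Patches); regenerating it would change the application's behaviour.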

Modify Local Security Policy

Disable SeImpersonatePrivilege

Removing IIS_IUSRS from "Impersonate a client after authentication" takes SeImpersonatePrivilege away from the application pool worker processes, i.e. from anything running as sfitz through the web sites.

  • Go to Server Manager
  • Tools
    • Local Security Policy
    • Local Policies
      • User Rights Assignment
      • Impersonate a client after authentication
        • Remove IIS_IUSRS
        • Apply

Enable SeDebugPrivilege

Adding alaading to "Debug programs" grants that account SeDebugPrivilege.

  • Go to Server Manager
  • Tools
    • Local Security Policy
    • Local Policies
      • User Rights Assignment
      • Debug programs
        • Add alaading
        • Apply

Note

A restart is required for these changes to take effect (user rights are evaluated when a logon session or service token is created).
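The two User Rights Assignment changes above can also be applied with secedit, which is easier to reproduce than the GUI. This is an added example, not part of the original page; it assumes the account names used above (IIS_IUSRS, alaading) and an elevated PowerShell session.

```powershell
# Added example (not from the original page): apply the two User Rights Assignment
# changes with secedit instead of the Local Security Policy GUI.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'

function Get-Sid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
# secedit templates list principals as *<SID>
$iisIusrs = '*' + (Get-Sid 'IIS_IUSRS')   # built-in group, S-1-5-32-568
$alaading = '*' + (Get-Sid 'alaading')

# Export only the [Privilege Rights] area. Entries look like:
#   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-568
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$edited = Get-Content -Path $cfg | ForEach-Object {
    if ($_ -match '^\s*SeImpersonatePrivilege\s*=') {
        # "Impersonate a client after authentication": drop IIS_IUSRS
        $sids = ($_ -split '=', 2)[1].Trim() -split ',' | Where-Object { $_ -ne $iisIusrs }
        'SeImpersonatePrivilege = ' + ($sids -join ',')
    }
    elseif ($_ -match '^\s*SeDebugPrivilege\s*=') {
        # "Debug programs": add alaading if not already present
        $sids = @(($_ -split '=', 2)[1].Trim() -split ',')
        if ($sids -notcontains $alaading) { $sids += $alaading }
        'SeDebugPrivilege = ' + ($sids -join ',')
    }
    else { $_ }
}

# secedit templates are UTF-16; keep the encoding it exported
$edited | Set-Content -Path $cfg -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# Show the resulting lines; the change applies to new logon sessions (reboot as above)
Select-String -Path $cfg -Pattern '^Se(Impersonate|Debug)Privilege'
```

After the reboot, `whoami /priv` in a session as alaading should list SeDebugPrivilege, and a process started by the dev application pool should no longer hold SeImpersonatePrivilege.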

Delete All Build Files

Remove-Item -Recurse -Force C:\machine

Credentials XML

Create the credential file while logged in as sfitz. When the prompt appears, enter alaading's credentials. Export-CliXml protects the password with DPAPI in the current user's scope, so the file can only be read back by the account that created it.

cd c:\Users\sfitz\Documents
Get-Credential | Export-CliXml -Path connection.xml
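What that file actually contains, and what reading it back looks like, as an added example that is not part of the original page. It is a non-interactive equivalent of the Get-Credential step above and must run in a session as sfitz; the path and credential values are those from the Credentials table.

```powershell
# Added example (not from the original page): create connection.xml without the prompt
# and show how DPAPI scopes it to the creating user.
$path = 'C:\Users\sfitz\Documents\connection.xml'

# Non-interactive equivalent of the Get-Credential step, same user and file
$secure = ConvertTo-SecureString 'f8gQ8fynP44ek1m3' -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential('alaading', $secure)
$cred | Export-CliXml -Path $path

# On disk the password is a DPAPI blob inside <SS N="Password">...</SS>, not clear text
(Select-String -Path $path -Pattern 'N="Password"').Line.Length   # a long hex string

# The account that wrote the file gets the clear text back in one call ...
$back = Import-CliXml -Path $path
$back.UserName                         # alaading
$back.GetNetworkCredential().Password  # f8gQ8fynP44ek1m3

# ... while any other local account fails inside DPAPI with
#   Import-CliXml : Key not valid for use in specified state.
```

Do not reset sfitz's password from the Administrator account after this step: for a local account, an administrative reset (as opposed to the user changing their own password) makes the existing DPAPI master key unrecoverable and the file can no longer be decrypted, which is also why Updates and Patches says not to touch connection.xml.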

Configure Network Interface (Optional)

Note

Remember that if you plan to move the virtual machine between different networks or environments, you might need to adjust the IP settings accordingly to match the new network’s requirements.

netsh interface ipv4 set address name="Ethernet0" static 192.168.15.140 255.255.255.0 192.168.15.2