hackthebox bounty walkthrough

Starting with nmap

port 80 shows just a picture named merlin.jpg. Possibly a user in the box.

hackthebox – bounty -merlin

Doing gobuster and scanning with .aspx extension we get two things of interest.

First transfer.aspx where we can upload files and second UploadedFiles where we get to access the files we uploaded.

hackthebox = bounty – transfer

Doing enumeration, we find that we can only upload image files and .config file. Searching in Google for exploitation using .config file, we find this link. It demonstrated how we can use web.config file to run commands.

The content of web.config is as follows

We have to replace PAYLOAD with the command that we want to run. We use powershell to get a shell here. Replace PAYLOAD with following command

where is local IP address and shell .ps1 is a copy of Invoke-PowerShellTcp.ps1 which can be found in nishang GitHub repo.

Set up a web server

Then upload web.config file and access it through, you will get a shell

For user.txt you need to run following command

For priv esac we will first get the system information by running sysinfo command and then use windows exploit suggestor

We use MS10-059. Download the binary from here. Put this in the same directory from where we have served web. I have renamed it to ms59.exe. Download it in remote machine using certutil.

Run the exe to get a shell. Do not forget to listen on the port

At last

Leave a Reply

Your email address will not be published. Required fields are marked *