HTB – Bounty

Back at it with HTB Bounty. Once again we are attacking IIS. Lets begin:

Or initial nmap scan only shows 1 port open: PORT 80

And all we get is a picture of merlin:

Lets run goBuster and see what else we can find:

It leads us to two different directories

/transfer.aspx (Status: 200)

/uploadedfiles (Status: 301)

For the /transfer.aspx site I can upload files and visit by visiting the filename in uploadedfiles/filename

So lets get a shell going:

I can’t upload an .aspx file directly so I need to work some magic.

Getting the initial foothold

Thanks to the blog by 0xdf I really wouldn’t have figured this out without the help from this person. So instead of me trying to explain it, I will post the link here: https://0xdf.gitlab.io/2018/10/27/htb-bounty.html

What happens is we need to upload a web.config file that executes a command to pull a script (Nishangs Invoke Powershell) from our server and execute it, calling back to our listener.

This is the web.config file:

Once we have shell, we can use juicypotato to exploit privileges and gain root.

I’ll write more about JuicyPotato in another post and link it back because this is now the second time I’ve used this exploit and it’s still relevant in the world today.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: