Back at it with HTB Bounty. Once again we are attacking IIS. Lets begin:
Or initial nmap scan only shows 1 port open: PORT 80
And all we get is a picture of merlin:
It leads us to two different directories
/transfer.aspx (Status: 200)
/uploadedfiles (Status: 301)
For the /transfer.aspx site I can upload files and visit by visiting the filename in uploadedfiles/filename
So lets get a shell going:
I can’t upload an .aspx file directly so I need to work some magic.
Getting the initial foothold
Thanks to the blog by
0xdf I really wouldn’t have figured this out without the help from this person. So instead of me trying to explain it, I will post the link here: https://0xdf.gitlab.io/2018/10/27/htb-bounty.html
What happens is we need to upload a web.config file that executes a command to pull a script (Nishangs Invoke Powershell) from our server and execute it, calling back to our listener.
This is the web.config file:
Once we have shell, we can use juicypotato to exploit privileges and gain root.
I’ll write more about JuicyPotato in another post and link it back because this is now the second time I’ve used this exploit and it’s still relevant in the world today.