BOUNTY
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Bounty what is a retired machine from the Hack the Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- Bounty's IP is 10.10.10.93:
- Scanning with Nmap, Bounty seems to be a Windows system with a web server running IIS/7.5 at port 80:
- Connecting to the web server:
- Dirbuster (using file extension aspx or asp because the server runs IIS) discovers file transfer.aspx and folder /uploadedFiles:
- Checking transfer.aspx it is an uploader:
- Folder /uploadedFiles seems to be forbidden at this moment:
3 - EXPLOITATION
- web.config files play an important role in storing IIS/7 (and higher) settings, very similar to a .htaccess file in Apache web server.
- web.config files can be used to bypass protections around the file uploaders by including ASP code, instead of directly uploadind ASP exploits that in our case are blacklisted.
- For further information:
https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/
- Let's try this web.config file to illustrate this technique, where the ASP code just adds 1 + 2:
- Uploading successfully web.config:
- Running web.config with the browser, as expected the result is the number 3 displayed at the screen:
- So it seems that an interesting technique to exploit the vulnerable machine will be to upload some kind of exploit (using the web.config template) with transfer.aspx and run it remotely through the browser.
- For instance let's copy locally this Powershell reverse shell exploit, adapting to our needs in terms of IP and port:
https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3#file-powershell_reverse_shell-ps1
- Inserting the reference to powershell_reverse_shell.ps1 into a new web.config:
- Setting a simple HTTP server at port 80:
- Setting a Netcat listening session at port 7777:
- Uploading web.config:
- Running web.config remotely:
- The consequence is a low privileged remote shell:
4 - CAPTURING THE 1st FLAG
- Reading user.txt (using option -Force to discover hidden files):
5 - PRIVILEGE ESCALATION
- However to achieve a remote root shell we need something more powerful than the previous shell.
- Creating a Meterpreter reverse shell exploit.exe with msfvenom:
- Transferring the exploit from Kali to Bounty:
- Setting a Meterpreter listening session:
- Running exploit.exe:
- The consequence is a Meterpreter session:
- Using the post exploitation module to find a privilege escalation exploit, for instance ms10_092_schelevator:
- Backgrounding the session and running the exploit we get a remote shell as privileged user NT AUTHORITY\SYSTEM:
6 - CAPTURING THE 2nd FLAG
- Reading root.txt: