HTB - Bounty

Back at it with HTB Bounty. Once again we are attacking IIS. Let's begin:

Our initial nmap scan only shows one port open: port 80.

And all we get is a picture of Merlin:

Let's run gobuster and see what else we can find:

It leads us to two different paths:

/transfer.aspx (Status: 200)

/uploadedfiles (Status: 301)

Through /transfer.aspx I can upload files and then reach them by browsing to /uploadedfiles/filename.

So let's get a shell going:

I can’t upload an .aspx file directly so I need to work some magic.

Getting the initial foothold

Thanks to the blog by 0xdf; I really wouldn't have figured this out without that writeup. So instead of trying to explain it myself, I will post the link here: https://0xdf.gitlab.io/2018/10/27/htb-bounty.html

What happens is that we upload a web.config file that executes a command to pull a script (Nishang's Invoke-PowerShell) from our server and run it, calling back to our listener.
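As an added defender's note (not part of the original post): the upload form evidently denylisted .aspx, which is exactly the kind of check a web.config upload walks past, since IIS honours that file by name rather than by handler extension. The Python below is an added example, not the box's code, of the allowlist-style validation an upload handler should do instead; the set of accepted image extensions is an assumption.

```python
import re
import unicodedata
from typing import Optional

# Assumption: the upload form only needs to accept image files.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Names IIS/ASP.NET treat specially no matter what extension check they pass.
RESERVED_NAMES = {"web.config", "global.asax", "machine.config"}

# Windows device names that misbehave as file stems (con.jpg, nul.png, ...).
WINDOWS_DEVICES = ({"con", "prn", "aux", "nul"}
                   | {f"com{i}" for i in range(1, 10)}
                   | {f"lpt{i}" for i in range(1, 10)})


def validate_upload_name(filename: str) -> Optional[str]:
    """Return a sanitised filename if it is acceptable, otherwise None.

    A denylist of 'dangerous' extensions fails the way Bounty's did:
    web.config is not .aspx, yet it still makes IIS execute attacker content.
    So this allowlists the few extensions that are wanted and rejects the rest.
    """
    # Keep only the final path component, whatever separator was used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Drop NTFS alternate-data-stream suffixes (x.jpg::$DATA) and the
    # legacy IIS ';' trick (shell.aspx;.jpg) before looking at the extension.
    name = name.split(":", 1)[0].split(";", 1)[0]
    # Fold unicode and case so Web.Config / WEB.CONFIG. are caught as well.
    name = unicodedata.normalize("NFKC", name).strip().rstrip(". ").lower()
    if not name or name in RESERVED_NAMES:
        return None
    # Exactly one dot: rejects double extensions such as shell.aspx.jpg.
    parts = name.split(".")
    if len(parts) != 2:
        return None
    stem, ext = parts
    if ext not in ALLOWED_EXTENSIONS:
        return None
    if stem in WINDOWS_DEVICES or not re.fullmatch(r"[a-z0-9_-]{1,64}", stem):
        return None
    return f"{stem}.{ext}"
```

Filename checks are the second line of defence; the first is IIS configuration that does not let a web.config in the upload directory override settings and does not map handlers for files served from it.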

This is the web.config file:

Once we have a shell, we can use JuicyPotato to escalate privileges and gain root.

I'll write more about JuicyPotato in another post and link it back here, because this is now the second time I've used this exploit and it's still relevant today.