![]() Transfer.aspx / UploadedFiles General Functionality ![]() The response headers indicate that the site is powered by gobuster -u -w usr/share/wordlists/dirbuster/ -t 30 -o gobuster_root -x aspx The site itself just gives an image of a wizard, merlin.jpg: Nmap done: 1 IP address (1 host up) scanned in 10.92 seconds ![]() Service Info: OS: Windows CPE: cpe:/o:microsoft:windows Nmap done: 1 IP address (1 host up) scanned in 26.76 nmap -p 80 -sC -sV -oA nmap/initial 10.10.10.93 ![]() Nmap only shows port 80, running IIS nmap -p-min-rate 5000 -oA nmap/alltcp 10.10.10.93 Escalation Method 2: Kernel Exploits - Metasploit.When I first wrote this post, Watson wouldn’t run on Bounty, but thanks to some quick work from Rasta Mouse and Mark S, I was able to update the post to include it. I’ll show a handful of ways to enumerate and to escalate privilege, including a really neat new tool, Watson. Initial shell provides access as an unprivileged user on a relatively unpatched host, vulnerable to several kernel exploits, as well as a token privilege attack. Bounty was one of the easier boxes I’ve done on HTB, but it still showcased a neat trick for initial access that involved embedding ASP code in a web.config file that wasn’t subject to file extension filtering.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |