Hack the Box: Bounty Walkthrough

Today we are going to solve another CTF challenge, “Bounty”. It is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing according to their experience level; the platform has a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Medium

Task: To find the user.txt and root.txt files

Note: Since these labs are available online, they have a static IP. The IP of Bounty is


Let’s start off with our basic nmap command to find out the open ports and services.

Things to be observed from its result: port 80 is open for HTTP, and the service banner is Microsoft-IIS/7.5.

Let’s navigate to port 80 through a web browser. Entering the IP in the URL box brings up the following web page, as shown in the image below.

Since we didn’t get any remarkable clue from the home page, we opted for the Dirbuster tool for directory enumeration and executed the following; here we used the directory-list-2.3-medium.txt wordlist for web directory enumeration.

Hmm!! Here I received HTTP responses for the /transfer.aspx file and the /uploadedFiles directory.

When we explored this in the browser, we were welcomed by the web page given below, which lets you upload a file.

We made many attempts to upload a file, but every time we got the message “Invalid File. Please try again”.

After so many efforts, I found this link by googling “IIS 7.5 rce upload”. There we read about the web.config file, which plays an important role in storing IIS7 (and higher) settings. It is very similar to a .htaccess file on the Apache web server. Uploading a .htaccess file to bypass protections around uploaded files is a known technique.

So, with the help of the link given above, we created a web.config file carrying ASP code, which responds by adding 1 and 2.

As you can observe, our web.config file was successfully uploaded into the /uploadedfiles/ directory.

When we executed this file, it gave the expected response “3”, which is the sum of 1 and 2. Hence we can now inject malicious code into this file to obtain RCE through it.
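The upload form above rejected several files yet accepted web.config, and the server then interpreted it. As the defensive counterpart, here is an added example (not code from the lab or from the original post) of a file-name check that refuses such uploads; the allowed extension set and the function names are assumptions made for illustration.

```python
import os
import re
import secrets

# Assumed policy for this example: only these image types are accepted.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# Per-directory configuration files that the web server itself interprets.
SERVER_CONFIG_NAMES = {"web.config", ".htaccess", ".user.ini"}


def check_upload_name(client_name: str):
    """Return (accepted, detail) for a client-supplied upload file name.

    detail is the normalised extension on success, the rejection reason otherwise.
    """
    # Keep only the last path component; clients may send full or relative paths.
    name = re.split(r"[\\/]", client_name)[-1]
    # NTFS alternate data stream syntax ("file.jpg::$DATA") and control characters.
    if ":" in name or any(ord(c) < 32 for c in name):
        return False, "illegal character"
    # Windows strips trailing dots and spaces when creating a file,
    # so "web.config." would land on disk as "web.config".
    name = name.rstrip(". ").lower()
    if not name:
        return False, "empty name"
    if name in SERVER_CONFIG_NAMES:
        return False, "server configuration file"
    # Allowlist on the final extension: anything not explicitly permitted is refused.
    ext = os.path.splitext(name)[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not on allowlist"
    return True, ext


def stored_name(client_name: str):
    """Return a random server-side file name, or None if the upload is rejected."""
    ok, detail = check_upload_name(client_name)
    # The client-chosen name is never written to disk, only the checked extension.
    return secrets.token_hex(16) + detail if ok else None
```

Name checks are only one layer: storing uploads outside any directory that IIS serves means a per-directory web.config placed there is never interpreted at all.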

Luckily!! I found this link: https://raw.githubusercontent.com/tennc/webshell/master/asp/webshell.asp for an ASP webshell. So I copied the whole content of the ASP webshell into our web.config file and uploaded it.

On executing the updated web.config file, it creates a form where we can run commands as RCE. With such a surface you can run any malicious command to exploit the RCE. Here we will be executing PowerShell code generated via the web delivery module of Metasploit.

Paste the highlighted code given in the Metasploit image into the text file and run this code to get a meterpreter session.

Great!! We have successfully got a meterpreter session on the victim’s machine; now let’s find the user.txt file to finish this task.

We successfully found the user.txt file inside /users/merlin/Desktop. Next we need to find the root.txt file to finish this challenge, and as we know, for that we need to escalate to root privileges.