Bounty

Well that was super annoying. I’ve rooted the box finally. Getting a shell was a wee bit tricky, and some suggestions from others helped me get the right command - this should be the hard part though.

Priv Esc, according to those who have done it, is supposedly super easy. It wasn’t so for me. Despite having done the same exploit as those who have done it (via the writeup on GitHub, which needs root.txt as the password) - I can see I have used the exact same exploit as them, however for whatever reason it did not work for me and I have no idea why.

So I spent a painfully long time trying to figure out where I was going wrong with increasingly complicated ways of trying to exploit.

Anyway, got system in the end using a different exploit - so to answer @halfluke - yes there’s a different way to exploit it. It’s harder to find but it worked for me in the end. Phew. From writeups others have done, it is easy. I followed the same path, but it didn’t work for me.

I’ll have to reset box and see if I can do it again with that easy exploit and see where I went wrong. Good to learn.

Good box to learn about getting an initial foothold using something that many tend to overlook (even I’m guilty of this).

I think I have the idea about what to do. Is anyone there to help me check if I am doing it right?

Hello guys, I’m at the very beginning with this machine :frowning:
The only thing I found about Bounty is two folders, but I couldn’t find anything inside.
Can some good soul help me with hints? I’m scanning the host now, trying to find files, but the lists I’m using (or maybe the extensions) find nothing!!
In PM, or here on the forum, I’ll be very happy to have some help!
Thank you!

Would like to thank @0zcool for his help! Finally got root!!! :smiley: PM if anyone needs help!

@CHUCHO said:
Rooted! Could anyone do it without M******r?

I rooted it without Meterpreter but I used Meterpreter to get a shell :slight_smile:

Hi guys! Could you please give me a hint for the Bounty machine? I tried to use dirb with the iis and extension wordlists but it didn’t work. Please PM me!
Thank you!

@nhanlh1493 said:
Hi guys! Could you please give me a hint for the Bounty machine? I tried to use dirb with the iis and extension wordlists but it didn’t work. Please PM me!
Thank you!

Same difficulties here bro, if someone helps you, please help me too!

@nhanlh1493 said:
Hi guys! Could you please give me a hint for the Bounty machine? I tried to use dirb with the iis and extension wordlists but it didn’t work. Please PM me!
Thank you!

Enumerate the webserver and header. Once you have that, find the associated file extensions and let dirbuster do the work.

Can anyone provide some hints in PM?

I got user.txt thanks @redout :wink:

I’m stuck on the RCE… I found a way to bypass the upload filter using w*******g and now I’m able to run some asp commands using the uploaded w********g, but I’m receiving a 500 error when changing it and uploading a payload from PayloadsAllTheThings. Please send me a PM.

I got root! :wink:

Can anyone provide some hints on how to get a shell? I just started working with this box and just found the page to upload a file. Please do PM me.

@JAGADEESAN said:
Can anyone provide some hints on how to get a shell? I just started working with this box and just found the page to upload a file. Please do PM me.

Find all possible extensions for the server type and header, fuzz to see which ones can upload, then google for exploits with that file extension. There is an MSDN page with all extension types that will help you.

I’ve read through all the posts and am unfortunately still stuck on this box. Can someone PM me some advice on the initial foothold? Everything I’ve tried, from webshells to actual reverse shells, has resulted in a 500. I had the most success with the webshell, wherein I could access it and see my current user, but trying to execute any commands gives me a 500 error. Thank you in advance

I’ve fuzzed every filetype I can think of or google regarding this arch. All I get is heartache and sorrow. Can someone throw me a bone?

@backspace said:
I’ve fuzzed every filetype I can think of or google regarding this arch. All I get is heartache and sorrow. Can someone throw me a bone?

Same here !!! Tried all word lists.

Who can help me!! I can upload and find the file but don’t know how to get a shell or RCE~! PM me please!!

Hoping someone can help. Got user.txt, iterated through the box internally and tried several methods of connecting back to my box with no success. Could someone PM me to direct me to the right method? I can show what I have done, the commands used, and the two vulns I believe to be in place. Thanks

Rooted: learning all the time, onto the next box

Pro tip for anyone else trying the webshell method: Don’t blindly use an example found online. Some things may need to be changed to get it properly working. If you haven’t already, watching ippsec’s walkthroughs on other Windows machines will tell you what should be changed to get it working.