Bounty

HTB Write-up: Bounty

Windows file uploads always seem innocuous until they’re not. Bounty is an easy Windows box that teaches a classic IIS trick – the kind that shows up in real engagements more often than you’d think.

Machine Info

| Field | Value |
| --- | --- |
| Name | Bounty |
| Platform | HackTheBox |
| OS | Windows |
| Difficulty | Easy |
| IP | 10.129.35.196 |

TL;DR

Port 80 exposes an IIS 7.5 server with a file upload endpoint. Standard extension filters block .aspx and .asp shells, but IIS processes web.config files as server-side code – uploading a malicious one gives RCE. From there, SeImpersonatePrivilege is enabled and the target is Windows Server 2008 R2, making Juicy Potato the natural escalation path to SYSTEM. ...

May 20, 2026 · 4 min · João Vítor Bonin