HackTheBox – Bounty Web.config File upload && Juicy Potato exploit




00:00-Intro
00:42-Start of the Nmap Scan
01:50-Looking at the web server
04:22-Start of Directory Bruteforcing using Gobuster
07:15-Found file upload endpoint, now testing that functionality
08:26-Burp Render Functionality
11:08-Trying to bypass the file upload restriction and trying to get reverse shell
17:06-After trying basic bypasses like %00 or others, let's try a web.config file upload
20:34-whoami command does not get executed
22:39-Normal RCE did not work, so trying blind RCE using tcpdump, and it worked
23:48-Getting a reverse shell using Nishang Invoke-PowerShellTcp.ps1
27:40-Start of Privilege Escalation
28:02-Found SeImpersonate privilege, so trying Juicy Potato and solving the box
38:08-User.txt was hidden, so found it as well using the attrib command
