HTB Grandpa Windows
Published on 17 Dec 2018
An easy box: metasploit and windows-exploit-suggester are enough to finish it.
Recon
Nmap scan report for 10.10.10.14
Host is up (0.048s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| WebDAV type: Unkown
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Server Date: Sat, 12 Oct 2019 05:01:08 GMT
|_ Server Type: Microsoft-IIS/6.0
| vulners:
| cpe:/a:microsoft:iis:6.0:
|_ IIS_PHP_AUTH_BYPASS.NASL 0.0 https://vulners.com/nessus/IIS_PHP_AUTH_BYPASS.NASL
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Exploitation
Our nmap scan flags IIS 6.0 with WebDAV enabled as vulnerable (vulners reference IIS_PHP_AUTH_BYPASS.NASL), so we use the metasploit module
exploit/windows/iis/iis_webdav_scstoragepathfromurl
The shell this gives us is very unstable, so we use msfvenom to create a more consistent meterpreter shell.
We upload that shell to the target machine.
Privilege Escalation
We grab the systeminfo from the machine
Host Name: GRANPA
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Uniprocessor Free
Registered Owner: HTB
Registered Organization: HTB
Product ID: 69712-296-0024942-44782
Original Install Date: 4/12/2017, 5:07:40 PM
System Up Time: 0 Days, 0 Hours, 46 Minutes, 43 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 63 Stepping 2 GenuineIntel ~2298 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 1,023 MB
Available Physical Memory: 773 MB
Page File: Max Size: 2,470 MB
Page File: Available: 2,306 MB
Page File: In Use: 164 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
Network Card(s): N/A
We feed the systeminfo output to windows-exploit-suggester and choose our exploit from its results:
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[*] http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC
We use metasploit module: exploit/windows/local/ms14_070_tcpip_ioctl
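The patch-level check that windows-exploit-suggester automates can be reproduced as a small audit of a host's own systeminfo output. The following is an added example written for this writeup, not the tool's or the box's code; the systeminfo sample is constructed from the output above, and the bulletin-to-KB table contains only the one the writeup names (MS14-070, KB2989935).

```python
import re

# Constructed sample: trimmed from the systeminfo output shown above.
SAMPLE_SYSTEMINFO = """\
Host Name: GRANPA
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
Network Card(s): N/A
"""

# Assumption: the bulletin -> KB mapping is supplied by the auditor; the only
# entry here is the one the writeup names (MS14-070, KB2989935).
REQUIRED_KBS = {"MS14-070": "2989935"}


def parse_systeminfo(text):
    """Extract OS name, OS version and installed hotfix numbers."""
    info = {"os_name": None, "os_version": None, "hotfixes": []}
    in_hotfixes = False
    for line in text.splitlines():
        line = line.strip()  # real systeminfo pads fields with spaces
        if line.startswith("OS Name:"):
            info["os_name"] = line.split(":", 1)[1].strip()
        elif line.startswith("OS Version:"):
            info["os_version"] = line.split(":", 1)[1].strip()
        elif line.startswith("Hotfix(s):"):
            in_hotfixes = True
        elif in_hotfixes:
            # hotfix lines look like "[01]: Q147222" or "[01]: KB2989935"
            m = re.match(r"\[\d+\]:\s*(?:KB|Q)?(\d+)", line)
            if m:
                info["hotfixes"].append(m.group(1))
            else:
                in_hotfixes = False  # first non-hotfix line ends the block
    return info


def missing_patches(info, required=REQUIRED_KBS):
    """Return bulletins whose KB is not among the installed hotfixes."""
    installed = set(info["hotfixes"])
    return sorted(b for b, kb in required.items() if kb not in installed)


if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(parsed["os_name"], parsed["os_version"])
    print("installed hotfixes:", parsed["hotfixes"])
    print("missing bulletins:", missing_patches(parsed))
```

On the sample above the only installed hotfix is 147222, so MS14-070 is reported missing, which is exactly the gap the suggester surfaced for this host.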
Finally we got root.
FLAGS
ROOT "9359e905a2c35f861f6a57cecf28bb7b"
USER "bdff5ec67c3cff017f2bedc146a5d869"