
Hack The Box Writeup - Granny

Granny is an easy Windows box. As the machine has only a single open port, the attack vector seems very straightforward. It turns out, however, that there are two ways to get initial access to the system: a rather easy one that relies on a Metasploit module for a buffer overflow in the IIS 6.0 WebDAV component, and a manual one that abuses the WebDAV HTTP extension to upload and rename files. Once we have the initial meterpreter session, migrating to another process and running a second (local) Metasploit exploit is necessary to obtain SYSTEM access. Overall a great box for beginners!

Enumeration

As always, we start by scanning the target machine’s open ports:

rustscan --ulimit 5000 granny.htb -- -sV -sC -oN nmap_scan

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Microsoft IIS httpd 6.0
| http-ntlm-info: 
|   Target_Name: GRANNY
|   NetBIOS_Domain_Name: GRANNY
|   NetBIOS_Computer_Name: GRANNY
|   DNS_Domain_Name: granny
|   DNS_Computer_Name: granny
|_  Product_Version: 5.2.3790
|_http-title: Under Construction
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan: 
|   Server Type: Microsoft-IIS/6.0
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   WebDAV type: Unknown
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_  Server Date: Tue, 31 May 2022 12:55:13 GMT
|_http-server-header: Microsoft-IIS/6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

The only open port is 80/tcp, which exposes Microsoft IIS 6.0 (Windows Server 2003, product version 5.2.3790) with WebDAV enabled.

Enumeration of Port 80 - Microsoft IIS 6.0

Looking at the website in the browser, we just see the default “Under Construction” message.

So either the webserver is completely empty or there are hidden directories that we first have to discover with a tool such as feroxbuster or gobuster. Here are the results of such a scan:

Even though there seem to be some interesting directories such as _private or _vti_bin (the FrontPage Server Extensions folder), it turns out that all of them are either empty or not helpful at all.

Initial Foothold

As there are no direct hints on the website itself, we are going to look at something different. As we will see, there are actually two ways to get initial access to the system. First, we look at the most obvious one.

Method 1 - Exploiting a Buffer Overflow in IIS 6.0 - WebDAV

Nmap has already told us that we are dealing with Microsoft IIS 6.0. A quick search on Google or searchsploit reveals several known vulnerabilities. One of them is particularly interesting: a remote buffer overflow in the WebDAV component (ScStoragePathFromUrl, CVE-2017-7269), and a remote buffer overflow usually gives us full code execution on the server.

However, the existing script (41738.py) is poorly documented and in general seems to be of low quality. That's why I used the Metasploit module exploit/windows/iis/iis_webdav_scstoragepathfromurl instead.

Configuring the options as seen below and running the module results in a meterpreter session:

Method 2 - Exploiting WebDAV PUT/MOVE

Another method abuses the HTTP methods the server reports as supported (OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST). Many of these, such as PROPFIND, PROPPATCH, MKCOL or MOVE, are not part of plain HTTP; they come from an HTTP extension called WebDAV.

“WebDAV (RFC 4918) is an extension to HTTP, the internet protocol that web-browsers and webservers use to communicate with each other. The WebDAV protocol enables a webserver to behave like a fileserver too, supporting collaborative authoring of web content.” https://www.comparitech.com/net-admin/webdav/

Using the tool davtest, we can quickly check which file types we are allowed to upload and which of the uploaded files the server executes. The output below shows that we can upload pl, html, php, jhtml, cfm, jsp and txt files and that only html and txt files are "executed" (served back as expected). davtest can of course only test execution for files it managed to upload; whether .asp files are executed was therefore never tested, because uploading them was blocked in the first place.

However, we also have the HTTP method MOVE, which moves or renames a resource on the server (the new URL is given in the Destination header). This includes changing the file extension, and the extension filter apparently only applies at upload time.

Therefore, the idea is to upload the payload under one of the allowed extensions (e.g. .txt). After that, we MOVE the file and change its extension to one that was never tested, such as .asp, and then request the new URL so that IIS executes it.

The steps to obtain the reverse shell are depicted below:

Privilege Escalation

A handy feature of Metasploit is the local exploit suggester (post/multi/recon/local_exploit_suggester), which takes an established meterpreter session and checks it against known privilege escalation vulnerabilities. Running the suggester on our meterpreter session outputs the following findings:

I usually start with the findings that "could not be validated". Don't ask me why. As it turns out, however, all of them work.

So in this walkthrough I just picked one at random (in this case exploit/windows/local/ms15_051_client_copy_image). After configuring the module, we run the exploit. But it fails!

msf6 exploit(windows/local/ms15_051_client_copy_image) > run

[*] Started reverse TCP handler on 10.10.14.132:4444 
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.

This error occurs because the process our meterpreter session currently runs in does not have sufficient privileges for the exploit's setup call (stdapi_sys_config_getsid). This means we first have to migrate the meterpreter session to another process: in meterpreter, ps lists the running processes and migrate <PID> moves the session into the chosen one. (Information on how that works can be found here.)

Once migrated, we run the exploit again and this time it works: we have NT AUTHORITY\SYSTEM access!

The final step is to grab the user and root flags.

This post is licensed under CC BY 4.0 by the author.