Grandpa

Last updated 4 years ago
Overview

Initial Exploit: Microsoft IIS 6.0 WebDAV exploit (CVE-2017-7269)

Privilege Escalation: Abuse the SeImpersonatePrivilege token, or use a kernel exploit

Enumeration

Run a full port scan on the target.

Port Scanning

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-ntlm-info: 
|   Target_Name: GRANPA
|   NetBIOS_Domain_Name: GRANPA
|   NetBIOS_Computer_Name: GRANPA
|   DNS_Domain_Name: granpa
|   DNS_Computer_Name: granpa
|_  Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Type: Microsoft-IIS/6.0
|_  Server Date: Thu, 25 Jun 2020 11:05:43 GMT

Port 80 was running a vulnerable version of IIS 6.0.

The scan shows that the HTTP PUT method is allowed. This could potentially give us the ability to save files on the web server. Since this is a Microsoft IIS web server, the file types it executes are ASP and ASPX, so let's check whether we're allowed to upload these file extensions.

davtest --url http://10.10.10.14

We were unable to put files on the web server.

Let's search for this version on Google.

We got some exploits; we also know WebDAV is enabled on this website.
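As an added example (not part of the original write-up, and not code from the nmap or davtest projects), the following Python reads the nmap script output shown above and reports what a defender would want to remediate on such a host: write-capable WebDAV methods being advertised, TRACE enabled, and an out-of-support IIS banner. The method lists are the ones from the scan above; the set of write-capable methods and the out-of-support version list are my assumptions. An advertised method is not proof that it works (davtest above found PUT rejected), so each finding is a prompt to verify the server configuration rather than a confirmed weakness.

```python
"""
Added example: audit nmap http-methods / http-webdav-scan output for
conditions worth remediating. Not part of the original write-up.
"""
import re

# Methods that let a client create, modify, move or delete server content
# (my selection; WebDAV write verbs plus PUT/DELETE).
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
# IIS versions shipped with Windows Server 2003 and earlier; all out of support
# (assumption for this example).
EOL_IIS = {"5.0", "5.1", "6.0"}

# Scan excerpt taken from the write-up's nmap output above.
SAMPLE_SCAN = """\
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Type: Microsoft-IIS/6.0
"""


def parse_scan(text):
    """Pull the method lists and the server header out of nmap's script output."""
    info = {"risky": set(), "allowed": set(), "public": set(), "server": None, "webdav": False}
    for raw in text.splitlines():
        # Strip nmap's "| " / "|_ " script-output prefix.
        line = raw.lstrip("|_ ").strip()
        if line.startswith("Potentially risky methods:"):
            info["risky"] = set(line.split(":", 1)[1].split())
        elif line.startswith("Allowed Methods:"):
            info["allowed"] = {m.strip() for m in line.split(":", 1)[1].split(",")}
        elif line.startswith("Public Options:"):
            info["public"] = {m.strip() for m in line.split(":", 1)[1].split(",")}
        elif line.startswith("http-server-header:"):
            info["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("http-webdav-scan:"):
            info["webdav"] = True
    return info


def audit(info):
    """Return a list of findings; an empty list means nothing to remediate."""
    findings = []
    exposed = info["public"] | info["allowed"] | info["risky"]
    writable = sorted(exposed & WRITE_METHODS)
    if writable:
        findings.append("write-capable WebDAV methods advertised: " + ", ".join(writable)
                        + " (verify whether they are actually accepted; remove WebDAV if unused)")
    if "TRACE" in exposed:
        findings.append("TRACE enabled (cross-site tracing risk); disable it")
    if info["server"]:
        m = re.search(r"Microsoft-IIS/(\d+\.\d+)", info["server"])
        if m and m.group(1) in EOL_IIS:
            findings.append(f"IIS {m.group(1)} is out of support and receives no security updates; "
                            "retire the host or isolate it from untrusted networks")
    if info["webdav"] and not writable:
        findings.append("WebDAV responds but advertises no write methods; confirm it is needed at all")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_scan(SAMPLE_SCAN)):
        print("-", finding)
```

Run it over saved `nmap -sC` output for a group of web hosts; the mitigation behind every finding is the same: remove the WebDAV extension unless it is needed, disable TRACE, and retire or isolate hosts still running IIS 6.0.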

Summary

Microsoft IIS 6.0 was vulnerable to a remote exploit (CVE-2017-7269).

Exploitation

We got a working exploit from GitHub (g0rx/iis6-exploit-2017-CVE-2017-7269).

Let's use this exploit to get a reverse shell.

We got a reverse shell using this exploit.

Privilege Escalation

After getting a shell as the service account, we first check its privileges with the whoami /priv command.

Refer to the Granny box for exploitation of this token.
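Added example (mine, not from the write-up): a parser for `whoami /priv` output with a short triage of the privileges that matter for escalation, the kind of check an administrator runs when reviewing which service accounts hold them. The sample output is constructed in the layout `whoami /priv` prints and is not captured from the box; the HIGH_RISK table is my selection.

```python
"""
Added example: parse `whoami /priv` output and flag privileges that let a
compromised service account escalate. Not part of the original write-up.
"""

# Privileges worth flagging on a service account (my selection). The first two
# are the token-impersonation path the write-up points at; the rest are
# well-known equivalents of local admin.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate clients after authentication",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
    "SeDebugPrivilege": "debug any process",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# Constructed sample in the layout `whoami /priv` prints; not output from the box.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""


def parse_privs(text):
    """Return {privilege_name: state} from `whoami /priv` output."""
    privs = {}
    in_table = False
    for line in text.splitlines():
        # The table body starts after the "=====" separator row.
        if line.startswith("===="):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        # Name is the first column and State the last; the description sits between.
        privs[parts[0]] = parts[-1]
    return privs


def risky_privs(privs):
    """List (name, state, why) for every high-risk privilege the token holds.

    Disabled privileges still count: a process can enable any privilege that is
    present in its token, so "Disabled" is not a mitigation.
    """
    return [(name, state, HIGH_RISK[name]) for name, state in privs.items() if name in HIGH_RISK]


if __name__ == "__main__":
    for name, state, why in risky_privs(parse_privs(SAMPLE_WHOAMI_PRIV)):
        print(f"{name:32} {state:9} {why}")
```

IIS worker-process identities hold SeImpersonatePrivilege by design, so on a web server like this one the fix is patching and isolating the host rather than stripping the privilege; the check is most useful for spotting other service accounts that were granted these privileges without a reason.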

Exploit reference: g0rx/iis6-exploit-2017-CVE-2017-7269 on GitHub ("iis6 reverse shell", master branch).