Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-09-20 14:21:55 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/HackTheBox/Granny.md

95 lines
3.9 KiB
Markdown
Raw Normal View History

Add files via upload
2021-05-31 20:29:07 +00:00
# HackTheBox-Granny
## NMAP
```bash
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 6.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-ntlm-info:
| Target_Name: GRANNY
| NetBIOS_Domain_Name: GRANNY
| NetBIOS_Computer_Name: GRANNY
| DNS_Domain_Name: granny
| DNS_Computer_Name: granny
|_ Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan:
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Server Type: Microsoft-IIS/6.0
| WebDAV type: Unknown
|_ Server Date: Wed, 26 May 2021 15:53:30 GMT
```
## PORT 80 (HTTP)
<img src="https://imgur.com/a2c68mM.png"/>
As seen from the nmap scan , this web server is using IIS 6.0 version which might havev some vulnerabilites since it's old
## Using Metasploit
On googling around exploits for IIS 6.0 I found a metasploit module
<img src="https://imgur.com/TrmXjnl.png"/>
So use the metasploit module and configure the options
<img src="https://imgur.com/yPowb83.png"/>
<img src="https://imgur.com/UncUyLv.png"/>
Right now we are not a privileged user so we need to find a way to escalate our privileges so let's run `whoami /all`
<img src="https://i.imgur.com/Jtcm9HL.png"/>
We can see Seimpersonate privleges is on , what Seimperonsate is that a local admin can impersonate himself to a logged user but here a service account has these privileges so we can abuse these to create a token which will enable us switch user to admin
<img src="https://i.imgur.com/6Zd9geT.png"/>
Since this is a windows server 2003 operating system we are going to search for abusing the privileges for this particular system
<img src="https://imgur.com/lOdyVqP.png"/>
We can see the file `churrasco` which we can use to abuse impersonate privileges
<img src="https://imgur.com/XfgRuhF.png"/>
Now to upload this on the target machine I had some problems while doing it as powershell was not available so we cannot use it's functionality to download files also `curl` wasn't available too , `certutil` was also giving problems
<img src="https://i.imgur.com/eIItkUJ.png"/>
I then just used functionality of meterpreter to upload files and it worked like a charm
<img src="https://i.imgur.com/q1793f6.png"/>
But I forogt to allow downloading malicious files as firefox gave a warningthat's why showing it's empty so let's download it again
https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
To run commands through this exe `churrasco.exe -d` after that the command we want to run as SYSTEM
<img src="https://i.imgur.com/H7CXxgB.png"/>
<img src="https://imgur.com/r0XG0LZ.png"/>
I get a connection back didn't get a shell
<img src="https://imgur.com/h6Ng31S.png"/>
And I soon reliazed my mistake that I didn't provide `-e` argument to invoke `cmd.exe` on getting a connection,so let's run it again
<img src="https://i.imgur.com/LBDzywu.png"/>
<img src="https://i.imgur.com/LBDzywu.png"/>
And now we got a shell as SYSTEM
Reference in a new issue Copy permalink