mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-14 00:07:14 +00:00
94 lines
3.9 KiB
Markdown
94 lines
3.9 KiB
Markdown
# HackTheBox-Granny
|
|
|
|
## NMAP
|
|
|
|
```bash
|
|
|
|
PORT STATE SERVICE REASON VERSION
|
|
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 6.0
|
|
| http-methods:
|
|
| Supported Methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST
|
|
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|
|
| http-ntlm-info:
|
|
| Target_Name: GRANNY
|
|
| NetBIOS_Domain_Name: GRANNY
|
|
| NetBIOS_Computer_Name: GRANNY
|
|
| DNS_Domain_Name: granny
|
|
| DNS_Computer_Name: granny
|
|
|_ Product_Version: 5.2.3790
|
|
|_http-server-header: Microsoft-IIS/6.0
|
|
| http-webdav-scan:
|
|
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|
|
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|
|
| Server Type: Microsoft-IIS/6.0
|
|
| WebDAV type: Unknown
|
|
|_ Server Date: Wed, 26 May 2021 15:53:30 GMT
|
|
|
|
```
|
|
|
|
## PORT 80 (HTTP)
|
|
|
|
<img src="https://imgur.com/a2c68mM.png"/>
|
|
|
|
As seen from the nmap scan , this web server is using IIS 6.0 version which might havev some vulnerabilites since it's old
|
|
|
|
|
|
## Using Metasploit
|
|
|
|
On googling around exploits for IIS 6.0 I found a metasploit module
|
|
|
|
<img src="https://imgur.com/TrmXjnl.png"/>
|
|
|
|
So use the metasploit module and configure the options
|
|
|
|
<img src="https://imgur.com/yPowb83.png"/>
|
|
|
|
<img src="https://imgur.com/UncUyLv.png"/>
|
|
|
|
Right now we are not a privileged user so we need to find a way to escalate our privileges so let's run `whoami /all`
|
|
|
|
<img src="https://i.imgur.com/Jtcm9HL.png"/>
|
|
|
|
We can see Seimpersonate privleges is on , what Seimperonsate is that a local admin can impersonate himself to a logged user but here a service account has these privileges so we can abuse these to create a token which will enable us switch user to admin
|
|
|
|
<img src="https://i.imgur.com/6Zd9geT.png"/>
|
|
|
|
Since this is a windows server 2003 operating system we are going to search for abusing the privileges for this particular system
|
|
|
|
|
|
<img src="https://imgur.com/lOdyVqP.png"/>
|
|
|
|
We can see the file `churrasco` which we can use to abuse impersonate privileges
|
|
|
|
<img src="https://imgur.com/XfgRuhF.png"/>
|
|
|
|
Now to upload this on the target machine I had some problems while doing it as powershell was not available so we cannot use it's functionality to download files also `curl` wasn't available too , `certutil` was also giving problems
|
|
|
|
<img src="https://i.imgur.com/eIItkUJ.png"/>
|
|
|
|
I then just used functionality of meterpreter to upload files and it worked like a charm
|
|
|
|
<img src="https://i.imgur.com/q1793f6.png"/>
|
|
|
|
But I forogt to allow downloading malicious files as firefox gave a warningthat's why showing it's empty so let's download it again
|
|
|
|
|
|
https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
|
|
|
|
To run commands through this exe `churrasco.exe -d` after that the command we want to run as SYSTEM
|
|
|
|
<img src="https://i.imgur.com/H7CXxgB.png"/>
|
|
|
|
<img src="https://imgur.com/r0XG0LZ.png"/>
|
|
|
|
I get a connection back didn't get a shell
|
|
|
|
<img src="https://imgur.com/h6Ng31S.png"/>
|
|
|
|
And I soon reliazed my mistake that I didn't provide `-e` argument to invoke `cmd.exe` on getting a connection,so let's run it again
|
|
|
|
<img src="https://i.imgur.com/LBDzywu.png"/>
|
|
|
|
<img src="https://i.imgur.com/LBDzywu.png"/>
|
|
|
|
And now we got a shell as SYSTEM
|