3.9 KiB
HackTheBox-Granny
NMAP
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 6.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-ntlm-info:
| Target_Name: GRANNY
| NetBIOS_Domain_Name: GRANNY
| NetBIOS_Computer_Name: GRANNY
| DNS_Domain_Name: granny
| DNS_Computer_Name: granny
|_ Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan:
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Server Type: Microsoft-IIS/6.0
| WebDAV type: Unknown
|_ Server Date: Wed, 26 May 2021 15:53:30 GMT
PORT 80 (HTTP)
As seen from the nmap scan , this web server is using IIS 6.0 version which might havev some vulnerabilites since it's old
Using Metasploit
On googling around exploits for IIS 6.0 I found a metasploit module
So use the metasploit module and configure the options
Right now we are not a privileged user so we need to find a way to escalate our privileges so let's run whoami /all
We can see Seimpersonate privleges is on , what Seimperonsate is that a local admin can impersonate himself to a logged user but here a service account has these privileges so we can abuse these to create a token which will enable us switch user to admin
Since this is a windows server 2003 operating system we are going to search for abusing the privileges for this particular system
We can see the file churrasco
which we can use to abuse impersonate privileges
Now to upload this on the target machine I had some problems while doing it as powershell was not available so we cannot use it's functionality to download files also curl
wasn't available too , certutil
was also giving problems
I then just used functionality of meterpreter to upload files and it worked like a charm
But I forogt to allow downloading malicious files as firefox gave a warningthat's why showing it's empty so let's download it again
https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
To run commands through this exe churrasco.exe -d
after that the command we want to run as SYSTEM
I get a connection back didn't get a shell
And I soon reliazed my mistake that I didn't provide -e
argument to invoke cmd.exe
on getting a connection,so let's run it again
And now we got a shell as SYSTEM