CTF-Writeups/HackTheBox/Granny.md
2021-06-01 01:29:07 +05:00


HackTheBox-Granny

NMAP


PORT   STATE SERVICE REASON          VERSION
80/tcp open  http    syn-ack ttl 127 Microsoft IIS httpd 6.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-ntlm-info:
|   Target_Name: GRANNY
|   NetBIOS_Domain_Name: GRANNY
|   NetBIOS_Computer_Name: GRANNY
|   DNS_Domain_Name: granny
|   DNS_Computer_Name: granny
|_  Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan:
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|   WebDAV type: Unknown
|_  Server Date: Wed, 26 May 2021 15:53:30 GMT

PORT 80 (HTTP)

As seen from the nmap scan, this web server is running IIS 6.0, an old version that is likely to have known vulnerabilities. The scan also shows WebDAV enabled with a long list of allowed methods, including ones nmap flags as potentially risky.
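As an added example (not part of the original writeup), here is a small Python audit helper that parses the http-methods block from the scan above and sorts the advertised methods into content-authoring, disclosure and safe groups. A defender reviewing many scans can use it to spot hosts that expose WebDAV authoring methods; the sample input is copied from this page's nmap output, and the grouping of methods is this example's own choice.

```python
import re

# Sample input: the http-methods block from the nmap scan in this writeup.
NMAP_HTTP_METHODS = """\
80/tcp open  http    syn-ack ttl 127 Microsoft IIS httpd 6.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
"""

# Methods that let a client create, modify or delete server content
# (WebDAV authoring). Grouping chosen for this example.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
# Methods that enumerate server structure or echo the request back.
DISCLOSURE_METHODS = {"TRACE", "PROPFIND", "SEARCH"}


def parse_supported_methods(nmap_text):
    """Return the methods nmap listed under 'Supported Methods', in scan order."""
    match = re.search(r"Supported Methods:\s*(.+)", nmap_text)
    if not match:
        return []
    return match.group(1).split()


def classify_methods(methods):
    """Split a method list into 'write', 'disclosure' and 'safe' groups (each sorted)."""
    report = {"write": [], "disclosure": [], "safe": []}
    for method in methods:
        name = method.upper()
        if name in WRITE_METHODS:
            report["write"].append(name)
        elif name in DISCLOSURE_METHODS:
            report["disclosure"].append(name)
        else:
            report["safe"].append(name)
    return {group: sorted(names) for group, names in report.items()}


def webdav_authoring_exposed(nmap_text):
    """True when the scanned host advertises any content-authoring method."""
    return bool(classify_methods(parse_supported_methods(nmap_text))["write"])


if __name__ == "__main__":
    report = classify_methods(parse_supported_methods(NMAP_HTTP_METHODS))
    for group, names in report.items():
        print(f"{group:<10} {' '.join(names)}")
    print("authoring exposed:", webdav_authoring_exposed(NMAP_HTTP_METHODS))
```

On a production web server that only serves content, the expected `write` group is empty; anything listed there is a configuration finding to review, independent of the IIS version.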

Using Metasploit

On googling around for exploits for IIS 6.0, I found a Metasploit module.

So use the Metasploit module and configure its options.

Right now we are not a privileged user, so we need to find a way to escalate our privileges. Let's run whoami /all.

We can see that SeImpersonatePrivilege is enabled. This privilege allows a process to impersonate the security context of another logged-on user after authentication; it is normally held by local administrators and by service accounts. Here a service account has it, so we can abuse it to obtain a privileged token that lets us switch to an admin context.
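As an added example (not part of the original writeup), here is a Python helper that audits the PRIVILEGES INFORMATION table printed by whoami /all and flags the token-impersonation privileges when they are enabled. The sample whoami output below is constructed to match the command's table layout; the set of privileges treated as high risk is this example's own choice.

```python
# Constructed sample of the PRIVILEGES INFORMATION section of `whoami /all`,
# shaped like the output of a service account on a Windows host.
SAMPLE_WHOAMI = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that allow a process to act under another account's token.
# Treated as high risk for this example when enabled on a non-admin account.
TOKEN_ABUSE_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def parse_privileges(whoami_text):
    """Map each privilege name in the whoami table to its State column."""
    privileges = {}
    in_table = False
    for line in whoami_text.splitlines():
        if line.startswith("Privilege Name"):
            in_table = True          # column header: table rows follow
            continue
        if not in_table or line.startswith("=") or not line.strip():
            continue                 # skip separator and blank lines
        columns = line.split()
        name, state = columns[0], columns[-1]   # description may contain spaces
        privileges[name] = state
    return privileges


def high_risk_privileges(privileges):
    """Return the enabled token-abuse privileges, sorted by name."""
    return sorted(
        name for name, state in privileges.items()
        if name in TOKEN_ABUSE_PRIVS and state == "Enabled"
    )


if __name__ == "__main__":
    privs = parse_privileges(SAMPLE_WHOAMI)
    flagged = high_risk_privileges(privs)
    print("high-risk enabled privileges:", ", ".join(flagged) or "none")
```

From the defender's side, the finding is not that the privilege exists (IIS application pool identities and many services hold it by default) but that any code execution as that account should be treated as SYSTEM-equivalent when scoping the impact of a web server vulnerability.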

Since this is a Windows Server 2003 machine, we search for ways to abuse this privilege on that particular system.

We find churrasco, which we can use to abuse the impersonation privilege.

I had some problems uploading this to the target machine: PowerShell was not available, so we cannot use its download functionality, curl wasn't available either, and certutil was also giving problems.

I then just used meterpreter's file upload functionality and it worked like a charm.

But I forgot to allow the download of the file that Firefox flagged as malicious, which is why it shows as empty, so let's download it again.

https://github.com/Re4son/Churrasco/raw/master/churrasco.exe

To run a command through this exe: churrasco.exe -d followed by the command we want to run as SYSTEM.

I got a connection back but didn't get a shell.

I soon realized my mistake: I didn't provide the -e argument to invoke cmd.exe on getting a connection, so let's run it again.

And now we have a shell as SYSTEM.