Hack The Box – Grandpa Walkthrough
Introduction
This was an easy Windows box that involved exploiting a WebDAV buffer overflow vulnerability present in IIS version 6 and then using a vulnerability in the Windows WMI service to escalate privileges.
Enumeration
The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:
- -sC to run default scripts
- -sV to enumerate application versions
From the scan, it appears that the PUT method is available, which means this could be exploited to upload a shell onto the web server.
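As an added example (not part of the original walkthrough), the following Python check parses an HTTP OPTIONS response the way the scan above does and flags the write-capable methods, WebDAV support and end-of-life server banner that a defender would want removed from an IIS host. The sample response and the hardened comparison are constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Methods that let a client write to or reorganise the document root. Exposing
# them without authentication is what turns a WebDAV server into an upload target.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

def parse_options_response(raw: str) -> Dict[str, str]:
    """Split the header block of a raw HTTP response into a dict of lower-cased names."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {"_status": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def advertised_methods(headers: Dict[str, str]) -> Set[str]:
    """Collect methods from both Allow and Public (IIS sends both)."""
    found: Set[str] = set()
    for name in ("allow", "public"):
        if name in headers:
            found.update(m.strip().upper() for m in headers[name].split(",") if m.strip())
    return found

def assess(raw: str) -> List[str]:
    """Return a list of findings; an empty list means nothing risky was advertised."""
    headers = parse_options_response(raw)
    findings: List[str] = []
    exposed = sorted(advertised_methods(headers) & WRITE_METHODS)
    if exposed:
        findings.append("writable methods advertised: " + ", ".join(exposed))
    if "dav" in headers:
        findings.append(f"WebDAV enabled (DAV: {headers['dav']})")
    server = headers.get("server", "")
    if re.search(r"Microsoft-IIS/6\.0", server):
        findings.append(f"end-of-life server build: {server}")
    return findings

# Constructed sample: what an IIS 6 host with WebDAV enabled typically answers.
SAMPLE_IIS6 = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nDAV: 1, 2\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\nContent-Length: 0\r\n\r\n"
)
# Constructed sample: a hardened host with WebDAV removed and only read methods.
SAMPLE_HARDENED = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n"
    "Allow: OPTIONS, GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n"
)
```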
Exploiting IIS 6 WebDAV Buffer Overflow
Using davtest to check whether a shell can be uploaded, all tests failed:
Using SearchSploit to find exploits with WebDAV affecting IIS version 6:
Googling for the first vulnerability in order to find a better script, as the one in SearchSploit did not work properly:
Found a custom script for this exploit on GitHub.
Cloning the GitHub repository and moving the shell to the current directory.
The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:
- -l to listen for incoming connections
- -v for verbose output
- -n to skip the DNS lookup
- -p to specify the port to listen on
Executing the exploit with the local/remote IP addresses and the local port to connect back to grants a reverse shell:
Privilege Escalation
This version of Windows is affected by a local privilege escalation vulnerability in the WMI service, which affects the following Windows versions:
- Windows XP SP2
- Windows Server 2003
- Windows Vista
- Windows Server 2008
The author of the exploit has released a malicious executable available on GitHub at the following link: https://github.com/Re4son/Churrasco/
Cloning the GitHub repository and transferring the Churrasco exploit to the victim host using SMB.
Transferring the Netcat Windows executable to the victim host using SMB:
As before, the next step is to set up a Netcat listener (with the same -l, -v, -n and -p flags) to catch the reverse shell when it is executed by the victim host.
Executing the Churrasco exploit with the Netcat executable as the command, providing the Kali IP address, the port and the command to be executed (cmd.exe).
This grants a reverse shell as the SYSTEM user.
Conclusion
This was quite a unique box and even though it involved WebDAV it wasn’t the usual exploitation process through the upload of a shell, which was really interesting. The privilege escalation process was also quite peculiar and it was the first time I had exploited this WMI vulnerability.