Hack The Box – Granny Walkthrough
Introduction
This was an easy Windows box. Initial access came from abusing the PUT method of the WebDAV extension to HTTP to upload a reverse shell, and privilege escalation came from a Windows kernel vulnerability in the win32k.sys kernel-mode driver.
Enumeration
The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:
- -sC to run default scripts
- -sV to enumerate application versions
- -Pn to skip the host discovery phase, as some hosts will not respond to ping requests
- -oA to save the output in all available formats
It looks like the PUT method is allowed. This could be used to upload a web shell and obtain remote access to the machine.
Using davtest to check whether files can be uploaded to the web server.
WebDAV Shell Upload Exploitation
Creating an .html shell using MSFvenom with the following flags:
- -p to specify the payload type, in this case the Windows Meterpreter reverse shell
- LHOST to specify the local host IP address to connect to
- LPORT to specify the local port to connect to
- -f to specify the format, in this case asp
Then uploading the file first as .html and using the MOVE method to rename it to .asp:
Starting msfconsole, selecting the multi/handler module, setting the following options and running the exploit:
- RHOST to specify the target host IP address
- payload to specify the payload type, in this case the Windows reverse TCP shell
- LHOST to specify the local host IP address to connect to
- LPORT to specify the local port to connect to
Navigating to the .asp shell to trigger it.
A callback was received, which granted a reverse shell.
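From the defender's side, the PUT, MOVE and GET sequence above leaves a distinctive trail in the web server logs. The following is an added example, not part of the original walkthrough, that parses IIS W3C-format log lines and flags a client that writes via WebDAV and then requests a script file; the field list and the log lines are constructed for the example.

```python
"""Flag the WebDAV PUT -> MOVE -> GET web-shell pattern in IIS W3C logs."""
from collections import defaultdict

# Constructed sample log excerpt (not taken from the box).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-01-01 10:00:01 10.10.14.2 OPTIONS / 200
2023-01-01 10:00:05 10.10.14.2 PUT /shell.html 201
2023-01-01 10:00:09 10.10.14.2 MOVE /shell.html 201
2023-01-01 10:00:15 10.10.14.2 GET /shell.asp 200
2023-01-01 10:01:00 10.10.14.7 GET /index.html 200
"""

# Extensions IIS hands to a script engine; a fresh upload with one of these is the concern.
SCRIPT_EXT = (".asp", ".aspx", ".ashx", ".asmx")


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def find_webdav_uploads(text):
    """Return alert strings for successful WebDAV writes and script fetches that follow them."""
    staged = defaultdict(set)  # c-ip -> paths that client wrote or renamed via WebDAV
    alerts = []
    for rec in parse_w3c(text):
        ip, method = rec["c-ip"], rec["cs-method"]
        path, status = rec["cs-uri-stem"], rec["sc-status"]
        if method in ("PUT", "MOVE") and status.startswith("2"):
            # The MOVE destination lives in a request header IIS does not log,
            # so any successful write from this client marks it as staging content.
            staged[ip].add(path)
            alerts.append(f"{ip} {method} {path} -> {status} (WebDAV write succeeded)")
        elif method == "GET" and path.lower().endswith(SCRIPT_EXT) and staged[ip]:
            alerts.append(f"{ip} GET {path} after WebDAV writes {sorted(staged[ip])} "
                          "(possible web shell)")
    return alerts
```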
Privilege Escalation
Migrating to a more stable and privileged process.
Running the Metasploit local exploit suggester module to look for exploits; all that is required is to select the session to run the module against.
Selecting the ms15-051 Client Copy Image exploit, setting the following options and running the module:
- RHOST to specify the target host IP address
- SESSION to specify the session to run the module against
- LHOST to specify the local host IP address to connect to
- LPORT to specify the local port to connect to
This exploit worked and granted a SYSTEM level shell.
Conclusion
This was a fairly easy box, and even though it doesn’t necessarily bring anything new to the table, it allows one to practice WebDAV exploitation and Windows kernel exploits, and overall it’s a pretty good machine.