OSCP PREPARATIONS – HTB Granny

Granny is a vulnerable Windows machine among the retired HTB machines. The goal is to obtain the user and root flags.
We run a network scan with nmap to profile the target machine.
Classic scan

Full port scan

The port scan shows that only port 80/tcp is open, running Microsoft IIS httpd 6.0.
We enumerate port 80.
In the nmap scan we saw that the version is “Microsoft IIS httpd 6.0” and that it uses WebDAV.
WebDAV (Web Distributed Authoring and Versioning) is an extension of HTTP that allows us to manage files on web servers. We can think of it like FTP. It can be installed on both IIS and Apache and is used on ports 80 or 443. It allows us to manage files from the browser without the need for an extra application.
Having WebDAV means that we can potentially add and remove files.
Let’s look at the site in the browser.

We looked at the source code, checked the developer tools, and checked with Wappalyzer, and nothing caught our eye. There may be hidden files and directories, so we scanned for them with gobuster, but we didn’t get any results.
We will use the davtest tool to see which files we can upload over WebDAV.

This means that only HTML and TXT files can be executed, while asp and aspx shells cannot be uploaded with PUT. This is very important information, because the extension must be correct for the web server to run the uploaded file. Here we cannot upload asp and aspx files directly. It would be advantageous for us to upload a web shell here, but we can’t, so we upload it as a txt file and then convert it to aspx by renaming it.
I use curl to do this.

We prepared our web shell and uploaded it in txt format with curl.

Let’s go to the target and see

Now we will rename this txt file to aspx.

Now we browse to the file on the target as aspx.
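
From the defender's side, the upload-then-rename sequence described above leaves a recognisable trail in the web server's access log. The following is an added example, not part of the original write-up: it correlates a PUT of a non-script file, a MOVE or COPY of that file, and a later request for a script file with the same base name from the same client. The log lines are constructed, and the field order and the assumption that the rename destination is not logged are assumptions of this example.

```python
import posixpath

# Constructed sample in W3C extended format (not taken from the target machine).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-10 10:00:01 192.0.2.10 PUT /notes.txt 201
2024-01-10 10:00:05 192.0.2.10 MOVE /notes.txt 201
2024-01-10 10:00:09 192.0.2.10 GET /notes.aspx 200
2024-01-10 10:02:00 192.0.2.77 PUT /readme.txt 201
2024-01-10 10:03:00 192.0.2.77 GET /readme.txt 200
2024-01-10 10:04:00 192.0.2.50 GET /default.aspx 200
"""

SCRIPT_EXTS = {".asp", ".aspx"}  # extensions the server executes

def parse(log_text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_upload_rename(log_text):
    """Return (client, uploaded, executed) for PUT -> MOVE/COPY -> script chains."""
    uploaded = {}    # (client, path without extension) -> uploaded path
    renamed = set()  # keys whose upload was later the source of a MOVE/COPY
    alerts = []
    for r in parse(log_text):
        ok = r["sc-status"].startswith("2")
        path = r["cs-uri-stem"].lower()
        stem, ext = posixpath.splitext(path)
        # Assumption: the rename target is not logged, so match on base name.
        key = (r["c-ip"], stem)
        method = r["cs-method"].upper()
        if method == "PUT" and ok and ext not in SCRIPT_EXTS:
            uploaded[key] = path
        elif method in ("MOVE", "COPY") and ok and uploaded.get(key) == path:
            renamed.add(key)
        elif ext in SCRIPT_EXTS and key in renamed:
            alerts.append((r["c-ip"], uploaded[key], path))
    return alerts

if __name__ == "__main__":
    for client, src, dst in find_upload_rename(SAMPLE_LOG):
        print(f"{client}: uploaded {src}, renamed it, then requested {dst}")
```

Any successful PUT, MOVE or COPY from an unexpected client is worth reviewing on its own; if WebDAV is not needed on the server, disabling it removes this path entirely.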

I asked it to give us all kinds of reverse shells here, and it gave us a shell. Let’s search Google for exploits related to it.

I tried exploit code from GitHub, downloaded a Python script I found here, ran it as instructed, and it gave me a reverse shell.
https://github.com/crypticdante/CVE-2017-7269/blob/main/ii6_reverse_shell.py

As you can see, the exploit I downloaded gave us our shell.
We could not reach the user and root flags because we do not have sufficient privileges in this shell.

Here we perform local enumeration in order to escalate privileges.
We get information about the system with systeminfo.

Instead of checking by hand which vulnerabilities are present, we use the Windows-Exploit-Suggester tool.

We found a lot of vulnerabilities here.

Microsoft Windows Server 2003 – Token Kidnapping Local Privilege Escalation Vulnerability.

We know that we can escalate privileges using the Churrasco tool, so we download it.
Then we transferred it to the target machine using the smbserver.py tool.

When we run a command through this exe, we see that we are running as the nt authority\system user.
Then we transfer nc.exe to the target and use it to give us a reverse shell.

As you can see, we have received a reverse shell as a highly privileged user.

In this way we obtained the user and root flags.