HTB – Grandpa

I wanted to start hitting some Windows boxes because I’ve been really focusing on the Linux machines on the TJNULL list and same deal with Proving Grounds. So I picked this one randomly and saw it was rated Easy and thought I would give it a shot, blind. The box was very straightforward and had one little gimmick at the end that gave me trouble but I worked through it and figured a workaround.

So what happened to Grandpa? Well we started off with our basic nmap scan and see that there is a webserver running, some basic enumeration leads us to the version number and a few exploits. We tried one, didn’t work, tried the next and bingo. Once we had a shell we had to figure out a way to escalate privileges. We used a tool called Churrasco to pop a root shell and capture both flags. Read on to see how it all went down.

As for the OSCP what did this box teach me:

  1. If one exploit fails, try the next
  2. Understand different methods of sharing files
  3. Kernel exploits for Windows

Walkthrough for Grandpa

The IP for Grandpa is 10.10.10.14

First step as always is a nmap scan of our target host:

After this I did a full port scan with nothing to report.

Our initial scan only returns:

80/tcp open http Microsoft IIS httpd 6.0

I visited the page but just a default page. My next step was to run a goBuster scan but nothing to report!

So what the heck now?

We go back to our scan and review it. I noticed that our scan showed us that the PUT option was available. I tried to upload a file via PUT because if I could do that then I could upload a reverse shell and be done.

But we were denied. Back to the drawing board.

I started searching for exploits for IIS v6.0 and came across two. One involving the PROPFIND option and another buffer overflow.

I tried the PROPFIND exploit first but ran into a few dead ends.

Then I decided to go with the buffer overflow. The vulnerability is called `ScStoragePathFromUrl' Remote Buffer Overflow`

I found a script on searchsploit that was easy to configure and utilized python2. I executed the script:

and on my listener I received back a connection. There wasn’t much here but I did find an Administrator and Harry directory that were both locked down.

Privesc

To spare you all my angst. Grandpa is meant to be exploited via a kernel exploit called Churrasco.

Churrasco exploits the way that Microsoft Windows addresses tokens requested by the Microsoft Distributed Transaction Coordinator (MSDTC), and by properly isolating WMI providers and processes that run under the NetworkService or LocalService accounts.

Essentially it impersonates an administrator user. The next step esepcially in these Windows boxes is transferring files over to your box to use. My smbserver.py was giving me loads of trouble and wasn’t working properly. There is no wget, no curl etc.

So I found a tool called certutil. This tool allows you to download files via the command line.

This outputs a file called a Blob0_0.bin, I just used rename Blob0_0.bin churrasco.exe for clarity.

We then execute churrasco:

and back on our listener:

From there its simply navigating the file system for some flags:

This was a fun box. Quick and to the point and always nice for a good quick win! These old boxes always end up teaching you workarounds for things. Like certutil, solid save for me!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: