031#:HTB - Granny

Granny - Title Card 2

     It’s been a busy couple of weeks for me, so I’m excited to get some time to hack again. Today’s room will be Granny on Hack the Box. It’s another Windows machine, so hopefully it goes smoothly with the last room I did still fresh in my mind.

Granny - Nmap

     The nmap results are surprisingly sparse for a Windows room, but either way we need to move on to discovering site directories and checking over the website’s source code.

Granny - Gobuster 1

     The main site doesn’t have anything going on, but the directories we discovered have some interesting things to explore. I found a password protected page at http://10.10.10.15/_vti_bin/_vti_adm/fpadmdll.dll.

     I’m not finding much else with this, though. Looking over nmap again, I noticed it is a WebDAV server. I ended up looking up ‘IIS 6.0’ in Exploit DB.
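     Before reaching for exploits, it is worth confirming exactly what the WebDAV server will let you do. Sending an OPTIONS request and reading the Allow, Public, DAV and MS-Author-Via headers tells you whether WebDAV is on and whether write methods such as PUT, MOVE and COPY are exposed (the combination that usually makes an IIS 6.0 WebDAV box interesting). The script below is an added example, not part of the original write-up or any tool mentioned in it; it builds the OPTIONS request and parses a hand-constructed response that imitates the shape of an IIS 6.0 WebDAV reply, so it runs offline. The host 10.10.10.15 is taken from the write-up; the response bytes and the RISKY_METHODS list are my own assumptions.

```python
"""Added example: enumerate WebDAV capabilities from an HTTP OPTIONS reply.

Not from the original write-up. SAMPLE_RESPONSE below is constructed by
hand to resemble an IIS 6.0 WebDAV reply; no network access is needed.
"""
from __future__ import annotations

# Methods that let an attacker write to, move or query the document root.
# This list is an assumption for the example, not an official classification.
RISKY_METHODS = {
    "PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK", "SEARCH",
}

# Methods that only exist in WebDAV (RFC 4918); seeing any of them means DAV is on.
DAV_ONLY_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "MOVE", "COPY", "LOCK", "UNLOCK"}


def build_options_request(host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 OPTIONS request you would send over a plain socket."""
    return (
        f"OPTIONS {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def parse_http_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Return (status_code, headers) with header names lower-cased.

    Repeated headers are joined with ", " so Allow/Public lists survive.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed or continuation line
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def assess_webdav(raw: bytes) -> dict:
    """Summarise what the OPTIONS reply says about WebDAV exposure."""
    status, headers = parse_http_response(raw)
    methods: set[str] = set()
    for name in ("allow", "public"):
        if name in headers:
            methods.update(m.strip().upper() for m in headers[name].split(",") if m.strip())
    dav_header = headers.get("dav", "")
    return {
        "status": status,
        "server": headers.get("server", ""),
        "dav_classes": [c.strip() for c in dav_header.split(",") if c.strip()],
        "ms_author_via": headers.get("ms-author-via", ""),
        "methods": sorted(methods),
        "risky_methods": sorted(methods & RISKY_METHODS),
        "dav_enabled": bool(dav_header) or bool(methods & DAV_ONLY_METHODS),
    }


# Constructed sample reply modelled on the header layout of IIS 6.0 with WebDAV.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Connection: close\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"MS-Author-Via: MS-FP/4.0,DAV\r\n"
    b"Content-Length: 0\r\n"
    b"DASL: <DAV:sql>\r\n"
    b"DAV: 1, 2\r\n"
    b"Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    b"PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    b"PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"Cache-Control: private\r\n\r\n"
)


if __name__ == "__main__":
    print(build_options_request("10.10.10.15").decode(), end="")
    for key, value in assess_webdav(SAMPLE_RESPONSE).items():
        print(f"{key:>15}: {value}")
```

On a live target, replace SAMPLE_RESPONSE with the bytes read back from a socket after sending build_options_request(); if risky_methods is empty, the WebDAV exploits listed for the box are far less likely to be useful than the banner alone suggests.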

     We can see there are a few IIS 6.0 WebDAV Remote Authentication Bypass exploits available. This seems promising, especially since we already found a password protected web page. It looks like there is a Metasploit module for this attack, but I am going to try to go without Metasploit at first in the spirit of the OSCP.

     I tried a PHP script that I couldn’t get working. I tried a Perl script which somewhat worked but didn’t get me anything valuable. The third one I looked at for this was just a text file discussing the attack. I decided to give this a go and opened Burp Suite to capture a request I can use.

Granny - Burpsuite 1

     After playing with this for a bit, I failed to make anything happen. There is a buffer overflow exploit listed in searchsploit that I haven’t tried yet. I failed to get this working correctly, though, and decided to use the same module in Metasploit instead. After a bit of tinkering we have a shell.

Granny - MSF 1

     To my surprise, this actually concluded the room as we are NT AUTHORITY\SYSTEM.

     This room ended up being super easy. I spent some more time fiddling with the manual exploits after beating it, but I couldn’t get them to work in a reasonable amount of time. There are plenty of other rooms for me to explore, though.

[CATZ....HACKS]
