Granny
Personal Rating: Hard
I had to rate this hard because, at the time of doing the box, I did not know how to exploit the web server manually or how to do the privilege escalation without Metasploit.
Enumeration
Running an initial nmap scan:
sudo nmap -sV -sC <IP>
80/tcp open http Microsoft IIS httpd 6.0
|_http-title: Under Construction
| http-webdav-scan:
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
| WebDAV type: Unknown
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Server Date: Thu, 23 Feb 2023 22:26:54 GMT
|_ Server Type: Microsoft-IIS/6.0
|_http-server-header: Microsoft-IIS/6.0
| http-methods:
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
<SNIP>
IIS RCE w/ Metasploit
After some research about the IIS version I turned to Metasploit. Note that windows/local/ms16_016_webdav is a local privilege escalation module, not the exploit that gives the first shell. The windows/local/ prefix marks it as post-exploitation: it needs an existing session and exploits CVE-2016-0051 (MS16-016), a bug in the mrxdav.sys WebDAV client driver, to elevate that session to SYSTEM. The initial shell as the low-privileged IIS account has to come from a separate IIS 6.0 WebDAV exploit, either the ScStoragePathFromUrl buffer overflow (CVE-2017-7269, Metasploit module exploit/windows/iis/iis_webdav_scstoragepathfromurl) or the PUT/MOVE upload route that the nmap output above exposes.
The vulnerability behind that privilege escalation module is CVE-2016-0051; https://www.exploit-db.com/exploits/40085
Process migration by itself does not elevate privileges: Meterpreter can only migrate into a process that the current token has rights to open, so a session running as the IIS account cannot simply jump into a SYSTEM process. What migrating buys on this box is a stable session before running a local exploit module such as the one above; the SYSTEM shell comes from that module. I am not sure how to do this manually as of now.
NOTE: I could have enumerated the host manually and would have found several working privilege escalation vulnerabilities, for example ms15_051 (MS15-051, a win32k.sys kernel bug). Scripts like winPEAS, or Metasploit's post/multi/recon/local_exploit_suggester, would have helped with that a lot.
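The manual version of that enumeration is to pull `systeminfo` from the shell and compare the installed hotfix list against the KB articles that close the kernel bugs the local modules target. The script below is an added example, not part of the original writeup; the bulletin-to-KB mapping is an assumption to verify against the Microsoft bulletins, and the systeminfo text is a constructed sample.

```python
"""Spot missing kernel patches in a pasted `systeminfo` dump.

Added example for the Granny writeup: a manual stand-in for what winPEAS or
local_exploit_suggester automate. The KB mapping below is assumed; confirm it
against each Microsoft bulletin before relying on it.
"""
import re
import sys

# Bulletin -> update KB that closes it (assumed values, see note above).
PATCH_KB = {
    "MS15-051": "KB3045171",  # win32k.sys; what Metasploit's ms15_051 module targets
    "MS16-016": "KB3136041",  # mrxdav.sys WebDAV client; windows/local/ms16_016_webdav
}

KB_RE = re.compile(r"\bKB\d{6,7}\b", re.IGNORECASE)


def parse_hotfixes(systeminfo_text):
    """Every KB identifier in the dump, normalised to upper case."""
    return {kb.upper() for kb in KB_RE.findall(systeminfo_text)}


def parse_field(systeminfo_text, field):
    """Read a 'Field: value' line such as 'OS Name' or 'System Type'."""
    m = re.search(rf"^{re.escape(field)}:\s*(.+?)\s*$", systeminfo_text, re.MULTILINE)
    return m.group(1) if m else None


def missing_patches(systeminfo_text, mapping=PATCH_KB):
    """Bulletins whose update KB is not listed. Absence is a lead, not proof:
    a later cumulative update can supersede the KB without listing it."""
    installed = parse_hotfixes(systeminfo_text)
    return sorted(b for b, kb in mapping.items() if kb.upper() not in installed)


def report(systeminfo_text, mapping=PATCH_KB):
    """Summary dict a pentester would paste into notes."""
    return {
        "os": parse_field(systeminfo_text, "OS Name"),
        "arch": parse_field(systeminfo_text, "System Type"),
        "hotfixes": sorted(parse_hotfixes(systeminfo_text)),
        "candidates": missing_patches(systeminfo_text, mapping),
    }


# Constructed sample (not real box output), trimmed to the fields read above.
SAMPLE_SYSTEMINFO = """\
Host Name:                 TARGET
OS Name:                   Microsoft(R) Windows(R) Server, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
System Type:               X86-based PC
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: KB123456
"""


if __name__ == "__main__":
    # Usage: systeminfo > sysinfo.txt on the target, then: python check.py sysinfo.txt
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SYSTEMINFO
    for key, value in report(text).items():
        print(f"{key}: {value}")
```

The candidates list is only the starting point: the architecture line matters because the public exploits for these bugs are built per architecture, and a bulletin that shows as missing still has to be matched against the exact OS version the module supports.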