Granny

Personal Rating: Hard

I had to rate this hard because I did not know how to exploit the webserver manually and how to do the privilege escalation without metasploit at the time of doing the box.

Enumeration

Running an initial nmap scan:

sudo nmap -sV -sC <IP>

80/tcp open  http    Microsoft IIS httpd 6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Date: Thu, 23 Feb 2023 22:26:54 GMT
|_  Server Type: Microsoft-IIS/6.0
|_http-server-header: Microsoft-IIS/6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
<SNIP>

IIS RCE w/ Metasploit

This was the module that gave me a shell as IIS, which could be found after some research about the IIS version: windows/local/ms16_016_webdav

The exploit behind that is CVE-2016-0051; https://www.exploit-db.com/exploits/40085

The way to do the privilege escalation was to migrate to another process running as system using metasploit. I am not sure how to do this manually as of now.

NOTE: I could have enumerated the host manually and would have found several privilege escalation vulnerabilies working, like this one: ms15_051. Scripts like winPEASS would have helped with that a lot.