Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. It contains several challenges that are constantly updated. Some of them simulate real-world scenarios and some of them lean more towards a CTF style of challenge. Only write-ups of retired HTB machines are allowed.

Grandpa is one of the simpler machines on Hack The Box, however it covers the widely exploited CVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousands of IIS servers around the globe when it became public knowledge.

The tools used in this part of the write-up are nmap, davtest and searchsploit, run from a Kali Linux box.

Step 1 - Reconnaissance

I add grandpa to the /etc/hosts file:

nano /etc/hosts

with

10.10.10.14 grandpa.htb

The first step before exploiting a machine is to do a little bit of scanning and reconnaissance. This is one of the most important parts, as it determines what you can try to exploit afterwards. It is always better to spend more time on that phase to get as much information as you can.

Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.

I use the following command to perform an intensive scan:

nmap -A -v grandpa.htb

-A: Enable OS detection, version detection, script scanning, and traceroute
grandpa.htb: hostname for the Grandpa box

If you find the results a little bit too overwhelming, you can run another command to get only the open ports. We can see that there is only one open port, 80/tcp, the port most often used by the Hypertext Transfer Protocol (HTTP).

We know that the server is IIS 6.0 from the http-server-header. Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server created by Microsoft for use with the Windows NT family. IIS 6.0 (code name "Duct Tape"), included with Windows Server 2003 and Windows XP Professional x64 Edition, added support for IPv6 and a new worker process model that increased security as well as reliability. HTTP.sys was introduced in IIS 6.0 as an HTTP-specific protocol listener for HTTP requests.

We can also see from the http-title that the website is "under construction", and the http-webdav-scan output lists all the allowed methods. I use the nmap script to try to get more information:

nmap --script http-webdav-scan -p80 grandpa.htb

Here is more info on this script from the nmap website: the script sends an OPTIONS request, which lists the DAV type, server type, date and allowed methods. It then sends a PROPFIND request and tries to fetch exposed directories and internal IP addresses by doing pattern matching in the response body.

WebDAV, or Web Distributed Authoring and Versioning, is an extension of the Hypertext Transfer Protocol that allows clients to perform remote web content authoring operations. We can see in the server support section that Microsoft's IIS has a WebDAV module. Since the allowed methods include PUT and MOVE, the next question is whether the server actually lets us write files.

I use davtest to check if I can upload files. I use the following command (the argument is the URL of the WebDAV root on the target):

davtest -url

Note that davtest really writes test files to the target, one per extension it tries, so on an engagement you should record and clean up what it leaves behind.

I use Searchsploit to check if there is any known vulnerability in IIS 6.0. Searchsploit is a command line search tool for Exploit Database. I use the following command:

searchsploit iis 6.0

I can have more details on the exploit with:

searchsploit -x 41738.py

This is the exploit for the CVE-2017-7269 mentioned above: a buffer overflow in the WebDAV component of IIS 6.0 (the ScStoragePathFromUrl function), triggered by an overlong If header in a PROPFIND request, which is exactly the method the http-webdav-scan output showed as allowed.
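To make the WebDAV part of the reconnaissance concrete, here is a hand-rolled version of what nmap's http-webdav-scan and davtest automate: an OPTIONS request to read the allowed methods, a PROPFIND with Depth: 1 to list what the server exposes (and any internal IP it leaks), and a PUT probe per file extension to see what the server lets you write. This is example code added to the write-up, not the author's tooling or the nmap/davtest sources; the sample responses below are constructed to look like an IIS 6.0 WebDAV server's replies rather than captured from the box, and the host, port and path arguments of webdav_scan are assumptions to be replaced with the target.

```python
"""WebDAV probe: the OPTIONS / PROPFIND / PUT exchange behind http-webdav-scan and davtest.

Added example, not the write-up author's code. Sample data is constructed."""
import http.client
import re
import xml.etree.ElementTree as ET

# WebDAV methods that change server state; any of these in Allow is the finding
# that justifies reaching for davtest.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}

# Extensions to probe with PUT (assumed list, similar in spirit to davtest's defaults);
# an accepted .asp/.aspx on IIS means the upload can execute server-side code.
PROBE_EXTENSIONS = ["txt", "html", "asp", "aspx", "php", "jsp", "cfm", "shtml"]

PROPFIND_BODY = b'<?xml version="1.0"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>'
RFC1918 = re.compile(r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
                     r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")


def parse_options(headers):
    """Summarise an OPTIONS response: server banner, DAV classes, allowed methods,
    and the subset of methods that let a client write to the server."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    allow = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    dav = [c.strip() for c in h.get("dav", "").split(",") if c.strip()]
    return {"server": h.get("server", ""), "dav": dav, "allow": sorted(allow),
            "write_methods": sorted(allow & WRITE_METHODS)}


def parse_propfind(body):
    """Return every href in a 207 Multi-Status body, i.e. the resources that a
    PROPFIND with Depth: 1 exposed under the requested path."""
    ns = {"D": "DAV:"}  # namespace-aware lookup, so IIS's xmlns:a="DAV:" prefix works too
    root = ET.fromstring(body)
    return [h.text.strip() for h in root.findall(".//D:response/D:href", ns) if h.text]


def find_internal_ips(text):
    """Pattern-match RFC 1918 addresses leaked in a response body, as the nmap script does."""
    return list(dict.fromkeys(RFC1918.findall(text)))  # dedupe, keep order


def accepted_uploads(status_by_ext):
    """Given {extension: HTTP status} from PUT probes, return the extensions the server accepted."""
    return sorted(e for e, s in status_by_ext.items() if 200 <= s < 300)


def _request(host, port, method, path, body=None, headers=None, timeout=5):
    """One request on a fresh connection; returns (status, headers, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, resp.headers, data


def webdav_scan(host, port=80, path="/"):
    """Live scan (needs the target reachable): OPTIONS, PROPFIND, then one PUT per extension.
    The PUTs write files named davtest_probe.<ext> to the target; clean them up afterwards."""
    _, headers, _ = _request(host, port, "OPTIONS", path)
    options = parse_options(headers)
    status, _, body = _request(host, port, "PROPFIND", path, PROPFIND_BODY,
                               {"Depth": "1", "Content-Type": "text/xml"})
    text = body.decode("utf-8", "replace")
    exposed = parse_propfind(text) if status == 207 else []
    puts = {}
    if "PUT" in options["allow"]:
        for ext in PROBE_EXTENSIONS:
            target = f"{path.rstrip('/')}/davtest_probe.{ext}"
            puts[ext], _, _ = _request(host, port, "PUT", target, b"webdav probe",
                                       {"Content-Type": "text/plain"})
    return {"options": options, "exposed": exposed,
            "internal_ips": find_internal_ips(text), "uploads": accepted_uploads(puts)}


# Constructed sample responses, modelled on what an IIS 6.0 WebDAV server returns;
# not captured from the Grandpa box.
SAMPLE_OPTIONS_HEADERS = {
    "Server": "Microsoft-IIS/6.0",
    "DAV": "1, 2",
    "Allow": "OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
             "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH",
}
SAMPLE_MULTISTATUS = """<?xml version="1.0"?>
<a:multistatus xmlns:a="DAV:">
<a:response><a:href>http://grandpa.htb/</a:href><a:propstat><a:status>HTTP/1.1 200 OK</a:status></a:propstat></a:response>
<a:response><a:href>http://grandpa.htb/aspnet_client/</a:href><a:propstat><a:status>HTTP/1.1 200 OK</a:status></a:propstat></a:response>
<a:response><a:href>http://10.10.10.14/images/</a:href><a:propstat><a:status>HTTP/1.1 200 OK</a:status></a:propstat></a:response>
</a:multistatus>"""

if __name__ == "__main__":
    import sys
    print(webdav_scan(sys.argv[1] if len(sys.argv) > 1 else "grandpa.htb"))
```

Run it against the target with the hostname as the first argument. The three parsers are the part worth keeping: they are what turns raw OPTIONS/PROPFIND/PUT responses into the three findings the write-up relies on (write methods allowed, directories and internal addresses exposed, uploadable extensions), and they work on saved responses just as well as on live ones.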