kali@kali:~/HTB/Grandpa$ nmap -sC -sV -p 80 10.10.10.14
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-23 16:30 EST
Nmap scan report for 10.10.10.14
Host is up (0.079s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan:
| WebDAV type: Unknown
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Server Date: Mon, 23 Nov 2020 21:37:50 GMT
|_ Server Type: Microsoft-IIS/6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Enumeration
We see that the target runs Microsoft IIS httpd 6.0 with WebDAV enabled. Let's check whether we can upload any files, such as .asp or .aspx, through WebDAV.
kali@kali:~/HTB/Grandpa$ davtest --url http://10.10.10.14
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.10.14
********************************************************
NOTE Random string for this session: h3iJPX4ir
********************************************************
Creating directory
MKCOL FAIL
********************************************************
Sending test files
PUT cfm FAIL
PUT php FAIL
PUT txt FAIL
PUT asp FAIL
PUT html FAIL
PUT jsp FAIL
PUT aspx FAIL
PUT cgi FAIL
PUT pl FAIL
PUT jhtml FAIL
PUT shtml FAIL
********************************************************
/usr/bin/davtest Summary:
As shown above, we cannot: every PUT and the MKCOL attempt fail. This is consistent with the nmap output, where PUT and MKCOL appear in the server's public options but not in its allowed methods.
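To make that comparison repeatable, here is an added example (not part of the original writeup, and not a davtest or nmap feature): a small Python triage script that parses the nmap http-methods and http-webdav-scan lines shown above and reports which write-capable WebDAV methods are merely advertised versus actually allowed. The embedded sample is the scan output from this page; the WRITE_METHODS set and the function names are this example's own choices.

```python
import re

# Sample input: the relevant lines copied from the nmap scan above.
NMAP_OUTPUT = """\
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan:
| WebDAV type: Unknown
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
| Server Date: Mon, 23 Nov 2020 21:37:50 GMT
|_ Server Type: Microsoft-IIS/6.0
"""

# Methods that let a client create, change, move or remove server-side
# resources (assumption: this grouping is the example's own, not nmap's).
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}


def method_list(output, label):
    """Return the set of methods following 'label:' on an NSE output line.

    Handles both comma-separated (http-webdav-scan) and space-separated
    (http-methods) lists. Returns an empty set if the label is absent.
    """
    pattern = r"^\|_?\s*" + re.escape(label) + r":\s*(.+)$"
    match = re.search(pattern, output, re.M)
    if not match:
        return set()
    tokens = re.split(r"[,\s]+", match.group(1).strip())
    return {tok.upper() for tok in tokens if tok}


def triage(output):
    """Summarise the WebDAV exposure described by one nmap scan block."""
    public = method_list(output, "Public Options")
    allowed = method_list(output, "Allowed Methods")
    risky = method_list(output, "Potentially risky methods")
    return {
        # Advertised in the OPTIONS response but not in the Allow header:
        # these are the ones a blind upload attempt will fail on, as davtest showed.
        "advertised_only": sorted((public & WRITE_METHODS) - allowed),
        # Write-capable methods the server actually permits on the scanned URL.
        "allowed_write": sorted(allowed & WRITE_METHODS),
        # TRACE is rarely needed and is worth disabling on its own.
        "trace_allowed": "TRACE" in allowed,
        "risky_reported": sorted(risky),
    }


if __name__ == "__main__":
    result = triage(NMAP_OUTPUT)
    print("Write methods advertised but not allowed:", ", ".join(result["advertised_only"]))
    print("Write methods actually allowed:         ", ", ".join(result["allowed_write"]))
    print("TRACE allowed:", result["trace_allowed"])
```

On this page's scan the script reports PUT, MKCOL, MOVE, DELETE and PROPPATCH as advertised-only and COPY, LOCK and UNLOCK as allowed, matching the davtest failures. One caveat: nmap's "Allowed Methods" comes from the Allow header for the single URL it requested, so a method absent here may still be permitted on another path; treat the result as a hint about the root, not as proof for the whole site.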
Running searchsploit against IIS 6.0, we find that it is vulnerable to a buffer overflow.
The public exploit for this buffer overflow has been unstable for many users, so we will use the Metasploit module instead.