Webroot


The earlier Nmap scan enumerated that the target system is hosting a web server on Microsoft IIS httpd 6.0. The landing page shows that the web server is under maintenance.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt -u http://$IP/FUZZ -ic 
 
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       
 
       v1.5.0 Kali Exclusive <3
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.14/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
_vti_inf.html           [Status: 200, Size: 1754, Words: 198, Lines: 45, Duration: 36ms]
postinfo.html           [Status: 200, Size: 2440, Words: 327, Lines: 58, Duration: 31ms]
pagerror.gif            [Status: 200, Size: 2806, Words: 2, Lines: 1, Duration: 28ms]
iisstart.htm            [Status: 200, Size: 1433, Words: 131, Lines: 40, Duration: 29ms]
:: Progress: [35325/35325] :: Job [1/1] :: 1394 req/sec :: Duration: [0:00:28] :: Errors: 1 ::

Fuzzing for files doesn't reveal anything exciting.

┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ ffuf -c -w /usr/share/dirb/wordlists/vulns/iis.txt -u http://$IP/FUZZ -ic
 
[...REDACTED...]
 
images                  [Status: 301, Size: 149, Words: 9, Lines: 2, Duration: 34ms]
_vti_bin                [Status: 301, Size: 155, Words: 9, Lines: 2, Duration: 31ms]
:: Progress: [59/59] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::

Nor does fuzzing for directories: images and _vti_bin are just part of the default installation.

CVE-2017-7269


A quick Google search for IIS 6.0 exploits turns up a list of them, and all of the results have one thing in common:

CVE-2017-7269

Due to improper validation of the 'If' header in a PROPFIND request, IIS version 6.0 on Windows is vulnerable to a buffer overflow.

This vulnerability is exploited using the PROPFIND method and the If header. The PROPFIND method retrieves the properties defined on the resource identified by the Request-URI; all WebDAV-compliant resources must support the PROPFIND method.

The If header carries state tokens and ETags. It makes the request conditional by supplying a series of state lists whose conditions match tokens and ETags to specific resources. If every state list in the If header fails to match, the request fails with a 412 (Precondition Failed) status.

[more](https://www.trendmicro.com/en_us/research/17/c/iis-6-0-vulnerability-leads-code-execution.html#:~:text=Microsoft%20Internet%20Information%20Services%20(IIS,header%20in%20a%20PROPFIND%20request.&text=A%20remote%20attacker%20could%20exploit,crafted%20request%20using%20PROPFIND%20method.)
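As an added defensive example (not part of the original writeup), a small Python checker that flags PROPFIND requests whose If header is far longer than the lock tokens and ETags it normally carries, or contains non-ASCII bytes, which is the shape of traffic an attempt against this bug would produce. The sample requests are constructed, and the length threshold is an assumption to tune against your own traffic.

```python
# Constructed sample requests (not captured from any real host). The
# overlong If: header in the second one stands in for the shape of a
# CVE-2017-7269 attempt; its content is filler, not an exploit payload.
SAMPLE_REQUESTS = [
    "PROPFIND /images/ HTTP/1.1\r\nHost: target\r\nDepth: 1\r\n"
    "If: <http://target/images/> (<opaquelocktoken:abc>)\r\n\r\n",
    "PROPFIND / HTTP/1.1\r\nHost: target\r\n"
    "If: <http://target/" + "A" * 600 + ">\r\n\r\n",
    "GET /iisstart.htm HTTP/1.1\r\nHost: target\r\n\r\n",
]

# A legitimate If: header is a few hundred bytes at most (URIs, lock
# tokens, ETags). This threshold is an assumption; tune it to your traffic.
IF_HEADER_MAX_LEN = 400


def parse_request(raw):
    """Return (method, path, headers) from a raw HTTP request string."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def check_request(raw):
    """Return a finding string for a suspicious PROPFIND, else None."""
    method, path, headers = parse_request(raw)
    if method != "PROPFIND" or "if" not in headers:
        return None
    if_hdr = headers["if"]
    # Well-formed If: headers are built from URIs and tokens, so they are
    # printable ASCII; oversized or non-ASCII values are worth an alert.
    if len(if_hdr) > IF_HEADER_MAX_LEN or any(ord(c) > 0x7E for c in if_hdr):
        return f"suspicious PROPFIND {path}: If header {len(if_hdr)} bytes"
    return None


def scan(requests):
    """Run check_request over a list of raw requests, keeping findings."""
    return [f for f in (check_request(r) for r in requests) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```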

A public exploit is available online. Moving on to the exploitation phase.