HackTheBox Grandpa Writeup

Reconnaissance

Enumeration

Exploitation

Windows Privilege Escalation with Metasploit

________________________________________

Reconnaissance

Run the nmapAutomator.sh script to automate the whole recon/enumeration process.

We can see that only one port is open: port 80, running Microsoft IIS httpd 6.0. Let's browse to it.

Enumeration

Nothing looks interesting. The nmapAutomator scan shows that the HTTP PUT method is allowed, so let's check what types of file we are allowed to upload.

Exploitation

So it does not allow us to upload files. After googling, we find the Microsoft IIS WebDav ScStoragePathFromUrl Overflow exploit (Rapid7). Let's fire up Metasploit and configure it.

We get a meterpreter shell. When we run the getuid command we get an error because of an unstable process. To fix it, migrate to a running process on the box. Even then, we still have limited access.
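Seen from the defender's side, the PUT probing and the WebDAV exploit attempt described above show up as WebDAV verbs in the IIS W3C log. The following is an added example, not part of the original writeup: the log lines are constructed, and treating repeated WebDAV verbs or a 5xx on one as suspicious is a heuristic assumed here.

```python
from collections import defaultdict

# WebDAV verbs that a static IIS 6.0 site normally never receives.
WEBDAV_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPFIND",
                  "PROPPATCH", "LOCK", "UNLOCK"}

# Constructed sample in W3C extended log format (not taken from the box).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 192.0.2.10 GET /index.html 200
2024-01-01 10:00:05 192.0.2.66 OPTIONS / 200
2024-01-01 10:00:09 192.0.2.66 PUT /test.txt 403
2024-01-01 10:00:12 192.0.2.66 PUT /test.aspx 403
2024-01-01 10:00:30 192.0.2.66 PROPFIND / 500
2024-01-01 10:01:00 192.0.2.10 GET /pagerror.gif 200
"""

def parse_w3c(text):
    """Yield one dict per request, named by the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def webdav_activity(text):
    """Return {client_ip: [(method, uri, status), ...]} for WebDAV verbs only."""
    hits = defaultdict(list)
    for row in parse_w3c(text):
        method = row.get("cs-method", "").upper()
        status = row.get("sc-status", "")
        if method in WEBDAV_METHODS:
            hits[row.get("c-ip", "-")].append(
                (method, row.get("cs-uri-stem", "-"), int(status) if status.isdigit() else 0))
    return dict(hits)

def suspicious_clients(text, min_events=2):
    """Flag clients with repeated WebDAV verbs or a 5xx answer to one (assumed heuristic)."""
    flagged = {}
    for ip, events in webdav_activity(text).items():
        server_error = any(status >= 500 for _, _, status in events)
        if len(events) >= min_events or server_error:
            flagged[ip] = {"events": len(events), "server_error": server_error}
    return flagged
```

Because the parser takes its column names from the `#Fields:` line, it also works on logs that record more fields than this sample.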

Windows Privilege Escalation with Metasploit

Since we have low privileges, let's go for privilege escalation to get full access. Background the meterpreter session and search for local_exploit_suggester; it will suggest possible exploits that we can use for privilege escalation. We will “use exploit/windows/local/ms15_051_client_copy_image”; the others will also work fine. Let's run the exploit.

We get a shell as “NT AUTHORITY\SYSTEM”. The user flag is in “C:\Documents and Settings\Harry\Desktop” and the root flag is in “C:\Documents and Settings\Administrator\Desktop”.
