HTB Retires: Granny

Hack The Box: Retires Granny


Let's start off with a simple Nmap scan to see what open ports and services are available.
 


There we go, only one port open for business: port 80, running Microsoft IIS httpd 6.0.
If you visit the web page at 10.10.10.15, you are shown the message "The parameter is incorrect".
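
A defender's view of the same scan result, as an added example that is not part of the original post: it reads Nmap grepable (-oG) output and lists hosts still running an old IIS release such as the 6.0 seen here. The sample scan text, the function name `find_outdated_iis` and the `min_supported` threshold of 10.0 are assumptions made for illustration.

```python
import re

# One port entry in Nmap grepable (-oG) output has the layout:
#   port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/open/tcp//([^/]*)//([^/]*)/")
IIS_RE = re.compile(r"Microsoft IIS httpd (\d+)\.(\d+)")

# Constructed sample modelled on the scan described above (not real output).
SAMPLE_SCAN = """\
# Nmap scan (constructed sample)
Host: 10.10.10.15 ()\tStatus: Up
Host: 10.10.10.15 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 6.0/
Host: 192.0.2.20 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 10.0/, 443/open/tcp//ssl|http//Microsoft IIS httpd 10.0/
Host: 192.0.2.30 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 8080/open/tcp//http//Microsoft IIS httpd 7.5/
"""


def find_outdated_iis(grepable_text, min_supported=(10, 0)):
    """Return (host, port, version) for every open IIS port below min_supported.

    min_supported is an assumed policy threshold; set it to match your own
    support baseline. IIS 6.0 shipped with Windows Server 2003, whose
    extended support ended in July 2015.
    """
    findings = []
    for line in grepable_text.splitlines():
        # Only "Host: ... Ports: ..." lines carry service banners.
        if not line.startswith("Host: ") or "Ports: " not in line:
            continue
        host = line.split()[1]
        ports = line.split("Ports: ", 1)[1]
        for port, _service, version in PORT_RE.findall(ports):
            m = IIS_RE.search(version)
            if m and (int(m.group(1)), int(m.group(2))) < min_supported:
                findings.append((host, int(port), f"{m.group(1)}.{m.group(2)}"))
    return findings


if __name__ == "__main__":
    for host, port, ver in find_outdated_iis(SAMPLE_SCAN):
        print(f"{host}:{port} runs IIS {ver}: schedule migration or isolation")
```
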

We could do some more enumeration, but let's fire up Metasploit to find exploits.


I search for exploits against IIS using the command:
msf> search exploits/windows/iis
 


Once I run the exploit, I get a shell. Next I try to see if the directories are easy to access... if not, then I will have to escalate privileges.


EEK! Access is denied! So I need to escalate privileges.
A good way to do this on a Windows box using Metasploit is with a tool called Metasploit Local Exploit Suggester.

Here is some information about the Suggester and how to use it:
https://community.rapid7.com/community/metasploit/blog/2015/08/11/metasploit-local-exploit-suggester-do-less-get-more


After running the Suggester, 6 exploits came back for use. It's always good to research which one will suit the job best. After trial and error I found that this exploit worked:
exploit/windows/local/ppr_flatten_rec


Now I background the session so I can use the new exploit. Then I set the local IP address and network card, which is TUN0 for the VPN.


Shell yeah! I have my shell again. So the next thing I need to do is see if the exploit for priv escalation worked.
Using the whoami command we see I have SYSTEM (root for Windows machines).

"If you are unfamiliar with the whoami command you can read about it here!"
http://www.linfo.org/whoami.html

I have the user.txt flag.
Let's see if I can get the Administrator flag for ROOT!

 
