GRANDPA
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Grandpa, what is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- Grandpa's IP is 10.10.10.14:
- Scanning with Nmap:
- Scanning deeply the only open port 80, we learn that the web server is running Microsoft IIS httpd 6.0:
3 - EXPLOITATION
- So Grandpa is running IIS 6.0 on port 80, what can be exploited by these exploits:
- Actually there is a Metasploit module for this specific exploit:
- Let's try the exploit:
- Setting Grandpa's IP as RHOST and checking the vulnerability:
- Because we had some problems running the exploit, let's expand both MAX and MIN path lenghts up to the interval 1 to 300:
- Running the exploit there is a successful Meterpreter session:
- Getting information about the system:
- However, it seems that the Meterpreter session is limited:
4 - PRIVILEGE ESCALATION
- Let's migrate to a higher elevated process:
- Backgrounding the session:
- Looking for local escalation privilege exploits for SESSION 1:
- The last one seems to be interesting:
- Launching the exploit for SESSION 1:
- However when running it fails, and the reason is clear: it has taken by default the Kali's non-VPN interface's IP:
- Resetting LHOST and LPORT:
- Expanding the WAIT period up to 60 seconds:
- Running the exploit we get another successful Meterpreter session, in this case with System privileges:
5 - CAPTURING THE FLAGS
- Spawning a shell:
- Reading the 1st flag user.txt:
- Reading the 2nd flag root.txt:
